Policy override for an individual domain user?
Hello, please advise. In one OU, which actually corresponds to a department in the organization, user accounts are collected, and a drive is mapped for them in one of the GPOs. The problem is that for an individual user this mapped drive location needs to be overridden somehow. That is, for example, users Maxim, Oleg and Leonid are in the engineers' department, but Leonid is actually a developer and does not need the drive with Maxim and Oleg's drawings. Right now Leonid has the folder with drawings mapped as a network drive, but it should be the folder with software from another department.
What I have already tried:
1. Changed the priority of the GPOs inside the OU, giving the GPO created separately for Leonid a higher priority. Did not help.
2. Put a cmd script on Leonid's machine with a delayed start via timeout. It did not help. I think this is a terrible crutch in general, and even if it worked, I would not consider it a solution.
3. Removed the engineers group (the one that passes authorization) from the drive-mapping GPO's filtering lists and specified the individual users Maxim and Leonid instead, and for Leonid I created a separate GPO mapping the desired drive. That did not work either, and I do not like it as a solution anyway.
So far the only solution I see is filtering through WMI, but I do not understand how to set it up. As far as I can tell, the only thing you can hook onto for users is a filter like "login is not Leonid". The machine Leonid logs in from may differ, so it should not be relied on.
Nowadays network drives are mapped via GPO Preferences, and there, through Item-level targeting, you can set any flexible conditions for applying an entry.
Accordingly, one policy should have two entries: one that includes all users but one, and a second that does the opposite.
GPOs can have filters configured: https://docs.microsoft.com/ru-ru/windows/security/...
As I understand it, the "drawings" and "software" folders are located on some file server? What then prevents you from enabling Access-based Enumeration on it (read here) and not suffering? Then we simply map the root folder of the shares to all users as a network drive and regulate the visibility and access of the folders using NTFS permissions (i.e. create a group in the domain, assign rights on the folder to it, and add users to that group).
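The approach in the answer above as an added PowerShell example (not code from the thread): one share for everyone, Access-based Enumeration on, and a domain group per subfolder deciding who sees what. The server path D:\Dept, share name Dept, domain CONTOSO, group names Eng-Drawings and Eng-Software and the user logins are all assumptions; run it on the file server with the SmbShare and ActiveDirectory modules available.

```powershell
# Added example: group-based folder access with ABE instead of per-user GPO overrides.
# Assumed names: share "Dept" at D:\Dept, domain CONTOSO, groups Eng-Drawings / Eng-Software.
Import-Module ActiveDirectory
Import-Module SmbShare

$ShareRoot = 'D:\Dept'
$ShareName = 'Dept'
$Domain    = 'CONTOSO'

# One security group per subfolder; group membership, not GPO ordering, decides access.
$Folders = @{ 'Drawings' = 'Eng-Drawings'; 'Software' = 'Eng-Software' }

foreach ($f in $Folders.Keys) {
    New-Item -Path (Join-Path $ShareRoot $f) -ItemType Directory -Force | Out-Null
    if (-not (Get-ADGroup -Filter "Name -eq '$($Folders[$f])'")) {
        New-ADGroup -Name $Folders[$f] -GroupScope Global -GroupCategory Security
    }
}

# Share the root once. Share permissions stay broad; NTFS does the real filtering.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ShareRoot -ChangeAccess "$Domain\Domain Users"
}
# Access-based Enumeration: a user only sees subfolders they have Read on.
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

# Root folder: everyone may list it, but only "this folder" (no inheritance downward).
$rootAcl = Get-Acl $ShareRoot
$rootAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\Domain Users", 'ReadAndExecute', 'None', 'None', 'Allow')))
Set-Acl -Path $ShareRoot -AclObject $rootAcl

# Subfolders: break inheritance, then grant Modify to the folder's group only.
foreach ($f in $Folders.Keys) {
    $path = Join-Path $ShareRoot $f
    $acl  = Get-Acl $path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
    $grants = @{ 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl';
                 "$Domain\$($Folders[$f])" = 'Modify' }
    foreach ($id in $grants.Keys) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $grants[$id], 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $path -AclObject $acl
}

# Maxim and Oleg see Drawings; Leonid sees Software. No per-user GPO needed.
Add-ADGroupMember -Identity 'Eng-Drawings' -Members 'maxim', 'oleg'
Add-ADGroupMember -Identity 'Eng-Software' -Members 'leonid'
```

The single GPO Preferences drive entry then points every user at \\server\Dept; moving Leonid between departments later is a group-membership change on the server, with nothing to touch in Group Policy.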