Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
Y
Y
Yuri Yerusalimsky2022-02-09 08:25:45
Active Directory
Yuri Yerusalimsky, 2022-02-09 08:25:45

Policy override for an individual domain user?

Hello, please advise. In one OU, which is actually an association with a department in the organization, user accounts are collected, and a disk is connected to them in one of the GPOs. The problem is that an individual user needs to somehow override this mapped drive location. That is, for example, users Maxim, Oleg and Leonid are in the department of engineers, and Leonid is actually a developer, and he does not need a disk with Maxim and Oleg's drawings. Now Leonid is connected as a network drive to a folder with drawings, but it should be with software from another department.
What I have already tried:
1. Changed the priority of the GPO inside the OU, exposing the GPO created separately for Leonid with a higher priority. Did not help.
2. I put a cmd-script on Leonid's machine with a start delay by timeout - it did not help. I think this is generally a terrible crutch, and even if it worked, I would not consider it a solution.
3. I removed the group of engineers who passed authorization from the disk connection distribution lists and specifically indicated individual Maxim and Leonid, and for Leonid I created a separate GPO with connecting the desired disk - it didn’t work either and I also don’t like it as a solution.

So far I see filtering through WMI as a solution, but I don’t understand how to set it up. From what you can catch on with respect to users, this is a filter like Login is not Leonid. The car may be different, with which Leonid enters, so you should not focus on it.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
A
Alexey Dmitriev, 2022-02-09
@SignFinder

In modern realities, network drives are connected via GPO Preferences. And in them, through Item-level targeting, you can set any flexible application conditions.
Accordingly, one policy should have 2 entries, one of which includes all but one user, and the second - vice versa.

Report
N
nApoBo3, 2022-02-09
@nApoBo3

GPO can configure filters https://docs.microsoft.com/ru-ru/windows/security/...

Report
V
Viktor, 2022-02-09
@MadLor

As I understand "drawings and software folders" are located on some file server? What then prevents you from enabling Access-based Enumeration on it (read HERE ) and not suffering? Then we simply connect the root folder of the balls to all users as a network drive and regulate the visibility / access of folders using NTFS permissions (i.e. create a group in the domain, assign rights to the folder to it and add users to this group already).

Similar questions
N
Nikname_non_name2019-09-14 10:36:46
How to change password policy in AD? 1Reply
N
Nicholas Secret2017-04-19 21:39:24
Whether it is possible to control interfaces which ad listens to? 2Reply
N
Nikname_non_name2019-09-20 20:10:56
How to switch from one Windows to another? 2Reply
A
axeax2015-05-05 12:31:22
What is the reason for the lack of backups? 3Reply
I
ituzsm2015-05-19 13:56:59
How to build a fault-tolerant domain network with 2 domain controllers? 4Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question