
Thread: Differentiated GPO based on user/machine accessing server

  1. #1
    cb831 (Getting Started on GPanswers.com; joined Aug 2010; 3 posts)

    Differentiated GPO based on user/machine accessing server

    Sorry if I picked the wrong forum - please redirect me!

    As I understand it, GP offers all kinds of means to control how different machines should behave, and the applied policy can be differentiated on the target machine's group membership, OU, WMI, etc.
    However, how do you differentiate which policy should be used against a client/user accessing a machine?

    Example:
    In my basement I run a Win2008 AD, and recently I had to weaken the policy to allow my internet radios to access my music library, which is also on the server. I had to:

    Set Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change -> Disabled
    This will allow the radio to log in, as it sends an LM hash; otherwise it will receive "Access denied" on SMB: Session Setup AndX Request.

    Set Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always) -> Disabled
    This will allow the radio to use SMB2; otherwise it will receive "Access denied" on FIND_FIRST2.

    What irritates me is that this policy applies to all incoming clients! What I would like is for these weakenings to apply only to the devices needing them, based on the logged-in user or the machine name. Is that kind of differentiation possible? If not, can it be done otherwise, using a firewall etc.?

    What also irritates me is the name of the first setting. As I read it, it controls the storage of LM hashes. That sounded OK to me, as I could disable it, set the password for the account, and enable it again to avoid all other users having the hash stored. However, when I enable it, it also prevents the user from logging in using the hash. Can that really be true?

    Thanks

  2. #2
    scottzaiss (100+ Helpful Posts; joined Dec 1969; 118 posts)

    Your best bet would be to create a separate OU in Active Directory and only put the computer accounts of the devices needing the settings inside it. Make sure the new settings are in a separate GPO and link it to the newly created OU. This will apply the setting ONLY on those computers.
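    The following PowerShell is an added example, not code from this thread or from GPanswers.com. It scripts the approach scottzaiss describes (a dedicated OU, a dedicated GPO linked only to that OU, computer accounts moved into it) and adds an audit function that reads the two registry values behind the settings discussed in the thread, so an administrator can see on any given machine whether LM hash storage and SMB server signing are currently hardened or relaxed. The OU name, GPO name, domain DN and computer names are assumptions; the registry paths and value names are the real backing values of the two Security Options. It needs the ActiveDirectory and GroupPolicy modules (RSAT) and runs against the domain you are logged on to.

    ```powershell
    # Added example (not the thread's own code): scope relaxed SMB/LM settings to one OU
    # and audit the effective registry values on a machine.
    Import-Module ActiveDirectory
    Import-Module GroupPolicy

    # Assumed names: adjust to your domain.
    $DomainDN   = (Get-ADDomain).DistinguishedName          # e.g. DC=home,DC=local
    $OuName     = 'Legacy-SMB-Clients'                       # assumption
    $GpoName    = 'Legacy SMB Compatibility'                 # assumption
    $OuDN       = "OU=$OuName,$DomainDN"
    $Computers  = @('RADIO-SRV01')                           # assumption: server(s) that need the relaxed settings

    # Registry values behind the two Security Options named in the thread.
    # NoLMHash = 1 means "Do not store LAN Manager hash" is Enabled (hardened).
    # RequireSecuritySignature = 1 means "Digitally sign communications (always)" is Enabled (hardened).
    $LsaKey = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
    $SrvKey = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    function New-ScopedCompatibilityGpo {
        # 1. Create the OU if it does not exist yet.
        if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -ErrorAction SilentlyContinue)) {
            New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
        }

        # 2. Create the GPO and link it ONLY to that OU (never to the domain root).
        $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
        if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Relaxed LM/SMB settings for legacy clients only' }
        if (-not (Get-GPInheritance -Target $OuDN).GpoLinks.Where({ $_.DisplayName -eq $GpoName })) {
            New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
        }

        # 3. Put the relaxed values in the GPO. Both are Computer Configuration settings,
        #    so they take effect per machine that the OU contains, not per connecting client.
        Set-GPRegistryValue -Name $GpoName -Key $LsaKey -ValueName 'NoLMHash' -Type DWord -Value 0 | Out-Null
        Set-GPRegistryValue -Name $GpoName -Key $SrvKey -ValueName 'RequireSecuritySignature' -Type DWord -Value 0 | Out-Null

        # 4. Move only the computer accounts that need the settings into the OU.
        foreach ($name in $Computers) {
            $c = Get-ADComputer -Identity $name
            if ($c.DistinguishedName -notlike "*,$OuDN") { Move-ADObject -Identity $c.DistinguishedName -TargetPath $OuDN }
        }
        return $gpo
    }

    function Get-SmbHardeningState {
        # Reads the live values on the local machine (run after gpupdate /force on the target).
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
        $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        # A missing NoLMHash value behaves like the Windows default (1 on Vista/2008 and later); flag it as such.
        $noLm   = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash } else { 1 }
        $signAl = if ($null -ne $srv.RequireSecuritySignature) { [int]$srv.RequireSecuritySignature } else { 0 }
        [pscustomobject]@{
            ComputerName            = $env:COMPUTERNAME
            LmHashStorageBlocked    = ($noLm -eq 1)
            SmbServerSigningAlways  = ($signAl -eq 1)
            Relaxed                 = ($noLm -ne 1) -or ($signAl -ne 1)
        }
    }

    # Usage:
    #   New-ScopedCompatibilityGpo          # on a management host with RSAT
    #   Get-SmbHardeningState               # on the server, after gpupdate /force
    ```

    The point of the OU scoping is that the relaxed GPO never touches machines outside the OU; the audit function is what you would run (or schedule) on the server to confirm which state it actually ended up in, since the hash-storage setting only affects the machine that holds the account's password and the signing setting applies to that server's SMB service as a whole.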

  3. #3
    cb831 (Getting Started on GPanswers.com; joined Aug 2010; 3 posts)

    Quote, originally posted by scottzaiss:
        Your best bet would be to create a separate OU in Active Directory and only put the computer accounts of the devices needing the settings inside it. Make sure the new settings are in a separate GPO and link it to the newly created OU. This will apply the setting ONLY on those computers.
    Thanks for the answer!

    I already thought of that, but will it do what I want to do? As I understand it, you can, in this way, apply different policies to the machines in the new OU, but that means that these machines have a different policy applied.

    What I want to do is to have one server using different policies based on the client/users accessing it.

    For some machines I want the server to run with Digitally sign communications (always) Disabled, for some other machines not.

    For some users I want the server to run with Do not store LAN Manager hash value on next password change Disabled, for other users not.

    Maybe I've got it wrong - please educate me :-)

    Thanks!

  4. #4
    cb831 (Getting Started on GPanswers.com; joined Aug 2010; 3 posts)

    Any suggestions, anyone?
