by FloobieDoobie » Tue Dec 04, 2007 3:22 pm
No, you really don't want this in the default domain policy. The reason being that it applies to all computers and users. You can tag it to users by using the GPO setting in the users section. This is normally where you would set this option, as it's normally just to keep out certain users (read: non-admins) and can be piggybacked on another basic user GPO.
This is one of those GPO settings that can be set in 2 places. Not only is it in the User Configuration, it is also in the Computer Configuration. This is really helpful for when you're trying to lock down a group of lab or kiosk machines. Bad thing is that the order of GPO application is computer then user, so to truly lock a computer you need to enable 'loopback processing'. This in effect applies the computer GPO settings again AFTER the user settings, thereby maintaining the per-computer settings.
Long story short, make it a user setting either by placing it on your non-administrative user OUs or by filtering the policy to not include admins on the GPO. If you do it this way you can actually place it at the domain level (but not IN the default domain policy) and simply filter it for the groups you want.
WWFD?
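
The layout described in the post above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original post; the GPO names, group name and OU are hypothetical placeholders, and the restricted setting itself (not named in the post) still has to be configured inside the GPO.

```powershell
# Added example: every name below is a hypothetical placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$userGpo  = 'Restrict-NonAdmins'      # hypothetical GPO holding the user-side setting
$scopeGrp = 'Restricted-Users'        # hypothetical group of non-admin accounts
$kioskGpo = 'Kiosk-Lockdown'          # hypothetical GPO for lab/kiosk machines
$kioskOu  = "OU=Kiosks,$domainDn"     # hypothetical OU containing those machines

# 1. A separate GPO linked at the domain level; the Default Domain Policy is left alone.
New-GPO -Name $userGpo | Out-Null
New-GPLink -Name $userGpo -Target $domainDn -LinkEnabled Yes | Out-Null

# 2. Security filtering: Authenticated Users drops from Apply to Read (the GPO
#    stays readable), and only the chosen group gets Apply. Admin accounts that
#    are not members of that group never receive the setting.
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $userGpo -TargetName $scopeGrp `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Kiosk/lab case: a GPO linked to the machines' OU with loopback processing
#    enabled. UserPolicyMode 2 = Replace, 1 = Merge.
New-GPO -Name $kioskGpo | Out-Null
New-GPLink -Name $kioskGpo -Target $kioskOu -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name $kioskGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. Review the resulting filter before relying on it.
Get-GPPermission -Name $userGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```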