How to restrict group of workstations

Zenworks 3.2 sp2 & WinXP Novell Client 4.9sp2
User policy for Staff/Faculty accounts gives them DLU accounts with the
Administrator's rights - the main reason is the fact that they use PCs
mainly in the offices. Volatile User Cache is set to 366 days on office PCs.
Students get Limited DLU accounts and public PCs have Workstation
Manager configured to non-volatile accounts (Cache is unchecked).
Unfortunately some faculties treat public lab PCs as their own and they
install whatever they desire on the lab PCs (why not ? since they have
all the rights, right?)
I wonder if I could somehow restrict staff/faculty access on those
workstations through policies.
TIA
Andrzej

Well, I'm afraid there is no better solution. As long as they are
"Administrators" on the public PCs they WILL mess them up. There is very
little you can do about that (such as disabling Start->Run, regedit,
setup.exe, etc.) and it will have limited effect.
Deyan
Andrzej Zalewski wrote:
> Deyan
> I thought about it, but we have too many staff members sharing PCs,
> besides my boss wants to have everything as general as possible, no
> manual intervention on a deployed pc, regardless office or public lab.
> Andrzej
>
> Deyan Stoykov wrote:
>
>> Andrzej,
>> Create a local account for each faculty/staff user on his/her personal
>> PC in the office, member of the Administrators group and matching
>> his/her NDS username and password. After that reconfigure the DLU
>> policy so that they will not have administrative rights. Then they
>> will be members of Administrators on their personal PCs in their
>> offices and members of Users everywhere else. This makes most sense to
>> me.
>>
>> HTH
>> Deyan
>>
>> Andrzej Zalewski wrote:
>>
>>> Zenworks 3.2 sp2 & WinXP Novell Client 4.9sp2
>>> User policy for Staff/Faculty accounts gives them DLU accounts with
>>> the Administrator's rights - the main reason is the fact that they
>>> use PCs mainly in the offices. Volatile User Cache is set to 366 days
>>> on office PCs.
>>>
>>> Students get Limited DLU accounts and public PCs have Workstation
>>> Manager configured to non-volatile accounts (Cache is unchecked).
>>>
>>> Unfortunately some faculties treat public lab PCs as their own and
>>> they install whatever they desire on the lab PCs (why not ? since
>>> they have all the rights, right?)
>>>
>>> I wonder if I could somehow restrict staff/faculty access on those
>>> workstations through policies.
>>> TIA
>>> Andrzej

Similar Messages

  • How to restrict Group Currency to Version

    Hi
    I am looking into multiple group currency consolidation, using different versions.
    My question, is it possible to restrict the Group Currency by version.
    E.g., I want version 100 to be restricted to group currency GBP, and version 999 to be restricted to group currency USD.
    Regards
    M

    Thanks Eugene
    I appreciate I can specify in the Parameters the relevant combinations.
    However what I want to do is restrict what's acceptable in the parameters, that is
    GBP & v.999 or USD & v.100 should not be allowed to be entered.
    Because you can have 2 group currencies in a single version, then I am not sure how this would be restricted.
    Thanks
    M

  • How to restrict users working on Windows 7 clients from accessing Windows Explorer and other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2

    Dear All,
    We are having an infrastructure setup of around 500 client computers managed through group policy.
    Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
    Since this account requires an extremely strict environment, we need to figure out the solution for restricting the users from accessing anything locally.
    It would be great if you can assist me with the following query.
    How to restrict users logged on Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2 ?
    Can we disable Network Tab on the left hand pane ?
    explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.

    >   * explorer.exe is blocked already, but users are able to enter the
    >     Windows Explorer by clicking on the name which is visible on the
    >     Start Menu.
    You cannot block explorer.exe when you do not replace the shell - the
    desktop you see effectively IS explorer.exe...
    Your requirement sounds like you need a custom shell:
    http://gpsearch.azurewebsites.net/#2812
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • How to Restrict other Business Group DFF ....

    Hi,
    How to restrict the Other Business Group DFF, especially Additional Location Details, Add'l Org. Unit Details etc. If anyone knows, pls reply to me ASAP.
    with regards
    Surya

    You can try personalization, but why do you need to hide the Organization and Location details from BG?
    If it is at employee level or job or position that will be fine. Is there any specific reason you are looking to hide the DFF at the Location and Organization level?
    Message was edited by:
    Ramsys

  • Group policy - restricted groups. How to specify a -local- user as member of the administrators group in group policy

    Hi
    With restricted groups I can specify the end user -domain- accounts that are members of the local administrators group on domain PCs. But - I need a particular LOCAL account on all the machines to keep its membership of the local administrators group for testing reasons. At the moment restricted groups is stripping this local account of its admin access.
    Is it possible to specify a -local- computer account as admin on all the PCs via group policy or it can only be done with domain accounts?
    thanks

    You are asking for local accounts to be managed via "Restricted Groups".
    Yes, it is possible.
    Rajesh showed you one way with domain groups. In his version "Administrators" group will only contain those accounts
    that are specified in the GPO, no manually added accounts. This is not always desired.
    If you wish to have an account (group or user, local or domain) to be added to "Administrators" group while keeping all the other
    members, proceed like this:
    - create the local account on the client(s)
    - in the GPO select "Add Group" in "Restricted Groups".
    - type in the name of the local account, e.g. "TestID"
    - in the appearing dialogue choose "This group is a member of" => Add
    - type in "Administrators"
    Link the GPO and that's all.
    The original MS description for "Restricted Groups" is here:
    http://support.microsoft.com/kb/279301/en-us
    Another nice one here:
    http://www.frickelsoft.net/blog/?p=13
    Besides that, a great solution to manage local accounts is GP Preference Extension "Local Users and Groups".
    You can simply create a "Local Users and Groups" Item (computer or user based) and specify the needed options.
    http://technet.microsoft.com/en-us/library/cc731972.aspx
    Of course you need some prerequisites (at least one Vista or Windows 2008 for management and the GPP CSE on each target machine).
    If you are new to GPP, these links will help you to get into it:
    http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=42E30E3F-6F01-4610-9D6E-F6E0FB7A0790&displaylang=en
    http://support.microsoft.com/kb/943729/en-us
    http://technet.microsoft.com/en-us/library/cc732027.aspx
    http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx
    Patrick

  • How to add Restricted Groups in GPO programmatically?

    I have a requirement where I need to manage (CRUD) GPOs on a server. I was able to create a GPO and add some security filters but I could not find any way to add a local group in Restricted Groups.
    I am using GPMC class library for C#. Any help will be appreciated.
    Thanks!

    > This works but i am still looking for the way to do it programmatically.
    As said - there is none. At least not from MSFT - they only provide APIs
    to set ADM Template values and GPP Registry.
    If you have a budget, check out
    https://sdmsoftware.com/group-policy-management-products/group-policy-automation-engine/
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Restricted Group as like as domain admins

    I have configured Restricted Groups in a GPO in mydomains.com.
    So I added a group called 'ABC_Support' and in the second box (This group is a member of) was Administrators.
    In the ABC_Support group, there is one user called 'tech_admin'.
    Result: The GPO was successfully pushed to workstations, ABC_Support is a member of local Administrators and tech_admin is able to administer the workstations.
    Problem: The problem is that, on the domain controller, you will see that ABC_Support is also a member of built-in Administrators. The tech_admin is able to access the domain controller remotely and can create users, really like domain admins.
    Are there any solutions that prevent the problem? Is this behaviour normal? Is Restricted Groups designed like that? I know there is a GPO under user configuration "local users and group".

    Hi Ben,
    As others suggested, please make sure that the Restricted Groups setting was not applied to domain controllers. To do this, we can link the GPO to the OU where all workstations reside, or we can use security filtering or WMI filter to filter out domain controllers if we link the GPO to the domain scope.
    Besides, as you know, instead of Restricted Groups, we can also use Group Policy Preferences Local Users and Groups extension to make a domain user a local admin. In this way, we can use GPP item-level targeting to apply our settings to specific targets.
    Regarding this point, the following article can be referred to for more information.
    How to use Group Policy Preferences to Secure Local Administrator Groups
    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
    In addition, regarding security filtering, WMI filtering, and ILT, the following blog can be referred to for more information.
    Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences
    http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx
    Best regards,
    Frank Shen
    I have applied the GPO of ABC_support (restricted group) with WMI filtering and it is not applied to the domain controller. On the Domain Controllers OU, I made another GPO to deny this group remote desktop and local login so that the group will not be able to do unexpected activity.
    However, I found that "\\mydomaincontrollers\Anydrive$ such as \\c$" can be accessed from the workstations OU. If I deny the terminal service in a GPO on the domain abc.local, it will apply to all computers, and shared folders '\\servers\example' cannot be accessed if I deny login through terminal services. Why is that? I suppose network and shared mapped folders use different ports and remote desktop/terminal service uses different ports.
    There are many thousands of workstations in computerOU with different child domains and parent domains as well that I need to manage, so it's really hard for me to move them to another OU.
    please advise
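
Added example (not part of this thread, and not code from any poster or from Microsoft): a Python check over a GPO's GptTmpl.inf that lists every Restricted Groups entry changing the built-in Administrators group (S-1-5-32-544), covering both modes described in Patrick's answer in the earlier thread, and reports links whose scope reaches domain controllers, the situation described here. The sample file, SIDs, the TestID entry and the link DNs are constructed; security filtering and WMI filters are not evaluated.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed GptTmpl.inf content; the domain SID, RIDs and TestID are made up.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
TestID__Memberof = *S-1-5-32-544
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1200
"""
# Constructed link targets (distinguished names) for the same GPO.
SAMPLE_LINKS = ["OU=Workstations,DC=mydomains,DC=com", "DC=mydomains,DC=com"]


def _principals(value):
    """Split a comma-separated list and drop the '*' that marks a SID."""
    return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]


def parse_group_membership(inf_text):
    """Return (principal, mode, targets) for each [Group Membership] line."""
    entries, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "group membership" and "=" in line:
            key, value = line.split("=", 1)
            m = re.fullmatch(r"\*?(.+?)__(memberof|members)", key.strip(), re.I)
            if m:
                entries.append((m.group(1), m.group(2).lower(), _principals(value)))
    return entries


def admin_grants(entries):
    """List (principal, effect) pairs that change the Administrators group."""
    grants = []
    for principal, mode, targets in entries:
        if mode == "memberof" and ADMINISTRATORS in targets:
            # "This group is a member of": principal is added, others are kept.
            grants.append((principal, "added"))
        elif mode == "members" and principal == ADMINISTRATORS:
            # "Members of this group": membership becomes exactly this list.
            grants.extend((t, "sole-member") for t in targets)
    return grants


def links_reaching_dcs(link_dns):
    """Links at the domain root or the Domain Controllers OU (filters ignored)."""
    hits = []
    for dn in link_dns:
        first_rdn = dn.split(",", 1)[0].strip().upper()
        if first_rdn.startswith("DC=") or first_rdn == "OU=DOMAIN CONTROLLERS":
            hits.append(dn)
    return hits


def audit(inf_text, link_dns):
    """Report admin grants and, if any exist, the links that would reach DCs."""
    grants = admin_grants(parse_group_membership(inf_text))
    return {"grants": grants, "dc_links": links_reaching_dcs(link_dns) if grants else []}


if __name__ == "__main__":
    print(audit(SAMPLE_INF, SAMPLE_LINKS))
```

A non-empty `dc_links` result means the GPO should be relinked to the workstation OU or filtered so that it does not apply to domain controllers, as the replies in this thread recommend.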

  • How to restrict S_ALR_87003642 - Open and Close Posting Periods entry/updat

    How to restrict S_ALR_87003642 - Open and Close Posting Periods entry/update for a certain group of users,
    e.g. for subsidiaries to open/close periods of their own company only.
    Refer to my screen: Company 1010 and 1060 are for Head Office while 1210 is for our Malaysia Company. How to restrict my Malaysia Company user to open and close only for 1210 and not perform any change to other companies.

    Hi,
    I guess you can use company code itself. Talk to your basis guy or else if you have some expertise & Authorization try out PFCG.
    Regards
    Santosh Hegde

  • How to restrict the department to not use other departments' equipment?

    Dear SAPIENTS,
    How to restrict the department to not use other departments' equipment? Suppose anyone is creating an order for equipment having a different authorization group, then the system should not allow me to do this.
    Regards,
    Kaushal Rai

    Kaushal Rai,
    Use Authorization group for technical objects, create authorization groups in IMG and assign the same to the Equipment master and block the other department with the same authorization group. For restricting the authorization group to other departments after creating and assigning it to the equipment, seek help from your BASIS team.
    Go to the below path for creating the Authorization group:
    IMG - PMCS - Master data in PMCS - Technical Objects - Define Authorization groups:
    Here you define the authorization groups. After completion of this step go to the Equipment master; in the General Data tab page there is a field Authorization Group. Mention the respective authorization group and provide this Authorization group value to the respective user in the user role with the help of the BASIS team.
    Regards,
    Praveen.

  • How to restrict access in 2008?

    How to restrict access in 2008?
    So, I would like to do the 2 following things:
    1. Grant developers access to read all Active Form Components
    2. Create new Form Groups
    3. Not be able to change nS Restricted AFC
    and
    1. Grant developers rights to Create OUs
    2. Add/Remove Members to OUs
    3. Remove rights to add/remove to/from Site Admin OU
    Any suggestions on how to do that?
    So far I tried the out of the box Capabilities and Permissions, created custom ones, but still no luck in accomplishing all 3 items.

    Your request #1 is not possible. In particular, you can't create new form groups and still not be able to change all form groups. Please submit an enhancement request, asking that newScale support your desired role configuration.
    Similar problem with #2.

  • How to restrict material master by material type  t-code MM01

    Hi,
    How to restrict Material master by Material type in t-code MM01?
    I do restrict by the M_MATE_MAR authorization object. Afterwards I see it is not restricted.
    Amit

    >
    sapvinithbasis wrote:
    > hi
    > plz help me out in solving this issue
    > regards vinith
    Vinith,
    I have explained in great detail exactly what you need to do at every stage.  The steps I have outlined are the same that I follow every time that I want to apply material type restrictions. 
    I strongly recommend that you contact your security admin to help with this, alternatively engage the services of a trained/experienced security admin who can come on site and go through this with you. 
    If you have done the following then it will work:
    1. Assign auth group to material type via OMS2
    2. Verified that check for M_MATE_MAR is active
    3. Ensured that M_MATE_MAR does not contain the auth group/s which you assigned via OMS2 (that includes *)
    This is the last comment I will make on this topic.
    Cheers
    Alex

  • How to restrict update to a document in state release to the contribution g

    How to restrict update to a document in state release to the contribution group.
    Hi I’m working with UCM 10g and I want to know if it is possible to restrict the update over a document that is on state release for the group of users that made the check in of the document ?
    thanks

    Yes, it is, but IMHO in a rather complicated way:
    - you could change the security settings (security group, or more likely, accounts) during the life cycle, or
    - you could implement collaboration management, and change security settings via ACLs
    Alternatively, depending on what you mean by "updating" documents you could also:
    - check-out the document by a system account (if you want to prevent your users to check-in a new version)
    - modify the GUI so that Update (metadata) action is not available to users (in theory, they could still access it via a direct service call) by a custom component
    - introduce a Java event filter (enhancing the UPDATE service) where you will implement whatever logic you want
    I would probably opt for the last options as it seems to me to be the cleanest solution (but yes, it requires some coding).

  • How to restrict MD04 and MIGO

    How to restrict MD04 to materials belonging to a particular specified  material group?
    How to restrict MIGO to a particular specified vendor no ?
    thanks,

    Hi,
    The material group (MAKTL) restriction cannot be imposed directly via authorization for tcode MD04. Similar is the case for restricting MIGO by vendor no.
    The tcode MD04 checks for auth object M_MTDI_ORG
    which restricts only for
    MRP Controller
    Plant
    Activity types in Materials
    Similarly MIGO checks for the following fields only in the concerned auth objects
    Plant
    Movement Type
    Storage Location.
    So this cannot be restricted via the authorization concept normally.
    However you may take the help of your basis/ABAPers to explore the user exits/BADIs of the related programs.
    Or your ABAPers may help you in this regard by developing some customized reports to restrict the same.
    Pl don't forget to award suitably.
    Regards

  • How to restrict separate payment document for each line item in APP

    HI Experts
    PLs let me know how to restrict separate payment document for each line item in APP
    Thanks
    Sneha
    Edited by: Sneha R on Apr 14, 2009 4:18 PM

    Sneha,
    If your query was to group items for payment, in FBZP co code data for payment method there are 2 options: 1. group payment for marked items 2. payment per due date.
    Also in the Vendor master there is a flag which will ensure that each item is paid individually, if this is what you were looking for (FK02 change vendor).
    In case you want to group items to be paid together, a Payment Grouping Key can be assigned in the Vendor Master.
    Shony

  • How to restrict the Copying/printing of the file from document

    Hi..
    Case:
    1. I have a document number; it has three files in it. I want to lock the files from printing and copying but not from opening/displaying.
    2. I am using content server for storing the DMS documents. How to restrict the number of attachments that can be uploaded in one document number?
    3. How to restrict the maximum size that can be uploaded against one document number?
    Sandip

    Hi Sandip,
    1. I have a document number; it has three files in it. I want to lock the files from printing and copying but not from opening/displaying.
    In the DC30 transaction, in Workstation application for network, disable the print option. This will ensure users will not be able to print the originals.
    2. I am using content server for storing the DMS documents. How to restrict the number of attachments that can be uploaded in one document number?
    See if your ABAPer can use the BADI 'DOCUMENT_MAIN01' with method 'BEFORE_SAVE' to handle this check.
    3. How to restrict the maximum size that can be uploaded against one document number?
    I believe you are using kPro as a storage option. If this is the case, then there is no setting available to limit the file size for upload. See if your Basis guy can set an upper limit for file size in the IIS setting for your content server.
    If you are using SAP DB as a storage option (not recommended though), then use the field File Size in the DC10 transaction, Define Document Types, to effect a file size limit.
    P.S. Would appreciate it in case you could close the threads which have been answered satisfactorily.
    Regards,
    Pradeepkumar Haragoldavar
