Answered by:
Computer based group policy to change display setting

Question
Answers
-
> Of course I want to applied this GPO only to that particular group of> computers.No :) You want it to apply to all users logging on to that particulargroup of computers. So you enable loopback for those computers, and forthis to work, you add the computer group to security filtering. And youconfigure the user settings, and for this to work, you MUST add domainusers to security filtering....
Martin
Mal ein GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))- Marked as answer by Frank Shen5Moderator Thursday, March 19, 2015 1:55 AM
-
> Now thing is if we add in any user in the security filtering, then> users can not only change MG2 but also can change display setting for> all the computers in the Marketing OU (MG1, MG2, MG3, MG4).Only if loopback is enabled on these other computers, too... You couldcreate different OUs for those 4 groups instead of simply using securityfiltering.And to show you a different approach:
Martin
Mal ein GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))- Marked as answer by Frank Shen5Moderator Thursday, March 19, 2015 1:55 AM
All replies
-
Have you considered Group Policy Loopback Processing ?
e.g.: http://evilgpo.blogspot.com.au/2012/02/loopback-demystified.html
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
I have created a AD group and put the 30 computers on that group inside an OU. I have created a GPO and linked that GPO to that OU. For computer side I have enable Administrative Template/System/Group policy- User Group Policy loopback precessing mode. And From User side I have configured Disable the display control Panel And Hide Setting Tab to Disable. In the Security Filtering I have added that particular computer group and in the Delegation tab (Advanced..) I have applied Read + Apply group policy to that particulat group.
But Still log in users to that particular computers group can not change the Display settings
-
> Group Policy loopback precessing mode. And From User side I have"Replace" or "Merge"?> Disable. In the Security Filtering I have added that particular computer> group and in the Delegation tab (Advanced..) I have applied Read + Apply> group policy to that particulat group.Of course, if you want this GPO to apply to users, you need "DomainUsers" in the security filtering, too :)
Martin
Mal ein GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
@Martin,
I have tried both with Replace and Merge.
Of course I want to applied this GPO only to that particular group of computers.
If I add users in the security filtering then it works for that particular users log in.
But it does not work with computers if I add computers in the security filtering.
- Edited by Alvi932 Thursday, March 12, 2015 8:09 AM
-
User side I have configured Disable the display control Panel And Hide Setting Tab to Disable. In the Security Filtering I have added that particular computer group and in the Delegation tab (Advanced..) I have applied Read + Apply group policy to that particulat group.
But Still log in users to that particular computers group can not change the Display settings
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)- Edited by DonPick Thursday, March 12, 2015 8:27 AM
-
-
@Don,
These 30 computers - are these the computers where I want the users to be Allowed to change settings
Umm, then you don't want to set the settings to "Disable.... and Hide...." for this scenario ?Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
> Of course I want to applied this GPO only to that particular group of> computers.No :) You want it to apply to all users logging on to that particulargroup of computers. So you enable loopback for those computers, and forthis to work, you add the computer group to security filtering. And youconfigure the user settings, and for this to work, you MUST add domainusers to security filtering....
Martin
Mal ein GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))- Marked as answer by Frank Shen5Moderator Thursday, March 19, 2015 1:55 AM
-
@Martin,
I just want to make clear the scenerio.
for examplme we have OU name" Marketing" which contains 100 windows 7 desktop computer.
Inside this OU we have created 4 computer groups in the AD based on the computer location in the marketing department. for example MG1= 40 Computers, MG2= 30 Computers which have dual display, MG3= 15 computers and MG4= 15 Computes.
There is a GPO applied to this "Marketing" OU which prevents users to change the control panel display settings.
Now the situation is users log in to the MG2 needs to change the display settings. Thats why I have created a separed GPO "Display Config" GPO and linked with the "Marketing" OU. Then configured the Loopback processing mode in the computer side and associate user control panel setting in the user side. And added security filtering for MG2 computer group and from delegation control applied Read + Applied group policy.
Now thing is if we add in any user in the security filtering, then users can not only change MG2 but also can change display setting for all the computers in the Marketing OU (MG1, MG2, MG3, MG4).
-
> Now thing is if we add in any user in the security filtering, then> users can not only change MG2 but also can change display setting for> all the computers in the Marketing OU (MG1, MG2, MG3, MG4).Only if loopback is enabled on these other computers, too... You couldcreate different OUs for those 4 groups instead of simply using securityfiltering.And to show you a different approach:
Martin
Mal ein GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))- Marked as answer by Frank Shen5Moderator Thursday, March 19, 2015 1:55 AM