none
Apply Regional Options (user) to certain Computers in OU, with Security Filtering, Loopback merge mode

    Question

  • Hi, we have 3 computers within an OU (TestOU) that need to have Regional Options set so their clock is in 24-hr format. There are many other computers in the OU that do not need 24-hr clock format. We already have Loopback Processing in Merge Mode applied to the TestOU the computers are in.

    So I created an new GPP GPO, and linked it to the TestOU, but I also edited the Security Filtering of the GPO to include only a Group containing the computers I need to set to 24-hr clock. However gpresult shows the GPO is "Reason Denied: Empty".

    However, if I change the Security Filtering to include "Authenticated Users", the GPO applies OK.

    So is there any way I can apply this loopback GPO to a subset of computers within an OU? I would prefer to use an AD Group to define the subset. (I realize I can achieve this with a WMI Filter, but I would like the Help Desk to be able to simply add/remove a computer from a "24hourClock" AD group as needed.)

    Thanks in advance for any advice!

    Tuesday, May 12, 2015 5:31 PM

Answers

  • > So is there any way I can apply this loopback GPO to a *subset * of
    > computers within an OU? I would prefer to use an AD Group to define the
    > *subset*. (I realize I can achieve this with a WMI Filter, but I would
    > like the Help Desk to be able to simply add/remove a computer from a
    > "24hourClock" AD group as needed.)
     
    Yes, of course :-)
     
    In security filtering, add
     
    a) "Domain Users" and
    b) a new security group that contains your computers
     
    In Loopback "Merge", User GPOs will only apply if the computer has read
    rights for the GPO in question.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by ChrisFitz Wednesday, May 13, 2015 8:10 PM
    Wednesday, May 13, 2015 7:23 AM

All replies

  • Since you are in merge mode, how about putting the GPO on the Users OU's and security filter by user, since the Regional Options is a User setting.

    Not a direct answer yet, as I am attempting to test your scenario.  Loopback with security filters is something I avoid at all costs.

    Tuesday, May 12, 2015 5:58 PM
  • Thank you, however we only want the GPO to aplly to certain computers. Your suggestion would mean the GPO would apply to all computers these users login to (within the linked OU of course).

    Looks like I could probably make a new sub-OU and linkt the loopback GPO there an have it work, however creating on OU for just 3 computers seems like overkill.

    Tuesday, May 12, 2015 6:02 PM
  • > So is there any way I can apply this loopback GPO to a *subset * of
    > computers within an OU? I would prefer to use an AD Group to define the
    > *subset*. (I realize I can achieve this with a WMI Filter, but I would
    > like the Help Desk to be able to simply add/remove a computer from a
    > "24hourClock" AD group as needed.)
     
    Yes, of course :-)
     
    In security filtering, add
     
    a) "Domain Users" and
    b) a new security group that contains your computers
     
    In Loopback "Merge", User GPOs will only apply if the computer has read
    rights for the GPO in question.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by ChrisFitz Wednesday, May 13, 2015 8:10 PM
    Wednesday, May 13, 2015 7:23 AM
  • Thank you Martin! That worked great!
    Wednesday, May 13, 2015 8:11 PM