Settings for computer per user

    Question

  • Hello.
    Here's the problem: I need to configure computer settings based on the user logging on. The target setting is "set roaming profile path for all users logging onto this computer". If the user belongs to a specific group, then apply the policy to all computers in the OU; if not, deny.
    What I tried doing in test environment:

    Created user group "roaming users"

    Created a separate OU and put the affected computers into it

    Created GPO linked to my OU, in security filtering added "roaming users" (read, apply)

    The following occurs: if I leave Authenticated Users (read, apply) in the filtering, then all users logging onto this PC have roaming profiles. If I remove the Apply property, then nobody has a roaming profile.
    I tested it with and without loopback; the result is the same. And I don't want to create a group of computers (except maybe using wildcards in WMI).

    Any ideas? I was looking into WMI filtering, but I'm not sure.

    To preempt advice about configuring roaming profiles as a property of the user: in production we have different locations with slow links between them. I configure separate GPOs for each one, with different target servers replicating with each other.

    As an option, if it is possible to use wildcards for computer names (like "RU-%", "US-%" etc.) and store the computers in one OU, that could be useful too.



    Friday, December 26, 2014 12:10 AM

Answers

  • Hi,

    >>Target setting is "set roaming profile path for all users logging onto this computer". If user belongs to specific group, then apply policy to all computers in OU, if not - deny.

    Before going further, why do we do this? Based on your description and according to me, there will be no way for us to achieve this via group policy. For group policy, once the settings are applied for computers, all users logging onto the computers will apply the settings.

    Best regards,

    Frank Shen


    Monday, December 29, 2014 9:30 AM
    Moderator
  • > I need to configure computer settings based on logging user. Target
    > setting is "set roaming profile path for all users logging onto this
    > computer".
     
    Doesn't work either way... The user profile MUST be loaded before GPOs
    are applied. So, even if you use GPP Registry to change HKLM\ values,
    this happens AFTER the user profile is already loaded.
     
    You should use DFSN instead.
     

    Martin

    Want to read a GOOD book about GPOs for once?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, January 12, 2015 1:02 PM
  • So, I've found an option in DFS settings, "Exclude targets outside of the client's site". That is what I need for my purpose.
    Thursday, February 05, 2015 3:11 AM
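
The "Exclude targets outside of the client's site" option named in the last answer can also be set and checked from PowerShell with the DFSN module. This is an added example, not part of the original thread, and the namespace folder path is a placeholder. With the option enabled, a client whose site has no folder target of its own receives no referral for that folder.

```powershell
#Requires -Modules DFSN
# Added example. The path below is a hypothetical namespace folder that
# holds roaming profiles; replace it with your own.
$folder = '\\corp.example\profiles\users'

# List every target behind the folder, so it is clear which servers a
# client could be referred to before the restriction is applied.
Get-DfsnFolderTarget -Path $folder |
    Select-Object TargetPath, State, ReferralPriorityClass |
    Format-Table -AutoSize

# Enable "Exclude targets outside of the client's site" on this folder.
Set-DfsnFolder -Path $folder -EnableInsiteReferrals $true | Out-Null

# Verify. Assumption: the Flags property lists 'Insite Referrals' when the
# option is on; joining first handles both a string and an array value.
$flags = (Get-DfsnFolder -Path $folder).Flags -join ', '
if ($flags -notmatch 'Insite Referrals') {
    Write-Warning "In-site referrals are not enabled on $folder (flags: $flags)"
}
else {
    Write-Output "In-site referrals enabled on $folder (flags: $flags)"
}
```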

All replies

  • DFS namespace is not suitable; see the MS articles about it: http://blogs.technet.com/b/askds/archive/2010/09/01/microsoft-s-support-statement-around-replicated-user-profile-data.aspx
    We use DFS to replicate this data across locations, but a PC must work with only one node at the moment.
    Monday, January 12, 2015 1:27 PM