Apply user GPO to a group of users on one computer

-
Hi, I have a user-level GPO that I'd like to apply to a group of users when they log on to a specific computer.
I'd like not to create an OU containing only the computer, I'd like to apply the policy to an OU containing other servers and filter on that particular one. But I need also to filter for users, since I don't want domain admins to apply the policy.
Can you help me?
All replies
-
-
Hi,

On 07.12.2015 at 17:17, maurice7785 wrote:
> I'd like not to create an OU containing only the computer,

- create a GPO at your users OU
- security filtering set to desired Security group
- add WMI Filter to only address the single computer

select * from win32_computersystem where dnshostname='YOURPC'

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: http://www.gruppenrichtlinien.de - German
GPO Tool: http://www.reg2xml.com - Registry Export File Converter
- Proposed as answer by Joao Pelicano Monday, December 07, 2015 8:03 PM
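The setup from the reply above (GPO on the users' OU, security filtering on the group, WMI filter on the computer), as an added PowerShell example that is not part of the original thread. The GPO name and OU path are hypothetical placeholders; the WMI filter itself is assumed to be created and attached to the GPO in GPMC, and the script only builds and tests its query.

```powershell
# Added example, not from the thread. Placeholder names are marked as such.
Import-Module GroupPolicy

$GpoName   = 'User-Policy-Server1-Server2'   # hypothetical GPO name
$UsersOu   = 'OU=Users,DC=example,DC=com'    # hypothetical OU that holds the users
$UserGroup = 'UserGroup1'                    # group name used in the thread
$Servers   = 'SERVER1', 'SERVER2'            # values expected in DNSHostName

# 1. Create the user GPO and link it to the users' OU.
New-GPO -Name $GpoName | New-GPLink -Target $UsersOu -LinkEnabled Yes

# 2. Security filtering: Authenticated Users drops from "apply" to read only,
#    so accounts outside UserGroup1 (domain admins included) do not apply it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply

# 3. Build the WQL for the WMI filter, covering every server in $Servers.
$Clauses = $Servers | ForEach-Object { "DNSHostName = '$_'" }
$Wql     = 'SELECT * FROM Win32_ComputerSystem WHERE ' + ($Clauses -join ' OR ')
$Wql     # paste this query into the WMI filter in GPMC (namespace root\CIMv2)

# 4. Test the query locally. Run this on a target server and on a machine
#    that must be excluded: a WMI filter passes when the query returns
#    at least one instance.
$Hits = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $Wql)
'{0}: WMI filter evaluates to {1}' -f $env:COMPUTERNAME, ($Hits.Count -gt 0)

# 5. After a test user logs on, list applied and filtered-out user GPOs.
gpresult /r /scope user
```

Step 4 should report True on Server1 and Server2 and False everywhere else before the filter is attached to the GPO.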
-
Thank you all for your suggestions. So, I must assume that the following configuration will not work (see picture below).
The policy is in loopback mode merge enabled. Server1, server2 and userGroup1 apply the policy. Authenticated users and other groups only read the policy.
What I want to achieve is to apply the policy for UserGroup1 only on Server1 and Server2. Remember that the policy is a USER policy.
- Edited by maurice7785 Thursday, December 10, 2015 4:23 PM
-
Hi,

On 10.12.2015 at 17:16, maurice7785 wrote:
> What I want to achieve is to apply the policy for UserGroup1 only on
> Server1 and Server2. Remember that the policy is a USER policy.

Giving Server1+Server2 "apply" rights on the user policy will not change anything in behavior, as long as Loop is in merge mode.

You can define "deny" for computer in that GPO and it would be applied to the user ... because the computer will never apply that GPO with user configuration.

In Loop with replace mode, computer security settings can be used as a security filter.

3 options:
a) use replace ...
b) disable loopback, link the GPO to the users and use WMI Filter
c) keep loopback, keep link and use WMI Filter

Mark
- Marked as answer by Mary Dong (Microsoft contingent staff, Moderator), Tuesday, December 22, 2015 1:18 AM
-
> In Loop with replace mode, computer security settings can be used as a
> security filter.

Update: This applies to merge mode, not replace mode.

In replace mode, the computer ignores the GPO completely and the user evaluates as usual. In merge mode, the computer evaluates "read access", and if the computer has no read access, the GPO will not be applied regardless of user rights.

> a) use replace ...
> b) disable loopback, link the GPO to the users and use WMI Filter
> c) keep loopback, keep link and use WMI Filter

d) Use Group Policy Preferences and target the computer through Item Level Targeting (security group - computer is a member of)
- Marked as answer by Mary Dong (Microsoft contingent staff, Moderator), Tuesday, December 22, 2015 1:18 AM
-
On 10.12.2015 at 18:04, Martin Binder [MVP] wrote:
> Update: This applies to merge mode, not replace mode.

Thanks, I always mix this up ...

Mark