Apply user GPO to a group of users on one computer

    Question

  • Hi, I have a user-level GPO that I'd like to apply to a group of users when they log on to a specific computer.

    I'd like not to create an OU containing only the computer, I'd like to apply the policy to an OU containing other servers and filter on that particular one. But I need also to filter for users, since I don't want domain admins to apply the policy.

    Can you help me?

    Monday, December 7, 2015 4:17 PM

Answers

  • Hi,
     
    On 10.12.2015 at 17:16, maurice7785 wrote:
    > What I want to achieve is to apply the policy for UserGroup1 only on
    > Server1 and Server2. Remember that the policy is a USER policy.
     
    Giving Server1+Server2 "apply" rights on the user policy will not change
    anything in behavior, as long as Loop is in merge mode.
    You can define "deny" for computer in that GPO and it would be applied
    to the user ... because the computer will never apply that GPO with
    user configuration.
     
    In Loop with replace mode, computer security settings can be used as a
    security filter.
     
    3 options:
    a) use replace ...
     
    b) disable loopback, link the GPO to the users and use WMI Filter
     
    c) keep loopback, keep link and use WMI Filter
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Thursday, December 10, 2015 4:40 PM
  • > In Loop with replace mode, computer security settings can be used as a
    > security filter.
     
    Update: This applies to merge mode, not replace mode.
     
    In replace mode, the computer ignores the GPO completely and the user
    evaluates as usual. In merge mode, the computer evaluates "read access",
    and if the computer has no read access, the GPO will not be applied
    regardless of user rights.
     
    > a) use replace ...
    > b) disable loopback, link the GPO to the users and use WMI Filter
    > c) keep loopback, keep link and use WMI Filter
     
    d) Use Group Policy Preferences and target the computer through Item
    Level Targeting (security group - computer is a member of)
     
    Thursday, December 10, 2015 5:04 PM

All replies

  • Hey,

    On the group policy you created you must add it to the computer only as the attachment!

    Hope this helps!


    Pelicano

    Monday, December 7, 2015 4:22 PM
  • Hi,
     
    On 07.12.2015 at 17:17, maurice7785 wrote:
    > I'd like not to create an OU containing only the computer,
     
    - create a GPO, link it to your users OU
    - security filtering set to desired Security group
    - add WMI Filter to only address the single computer
      select * from win32_computersystem where dnshostname='YOURPC'
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Proposed as answer by Joao Pelicano Monday, December 7, 2015 8:03 PM
    Monday, December 7, 2015 4:46 PM
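
The steps in the reply above, scripted with the GroupPolicy PowerShell module as an added example (not code from the thread). The GPO name and OU path are placeholders, `Test-WmiFilterQuery` is a hypothetical helper, and the WMI filter itself is still created and attached to the GPO in GPMC.

```powershell
# Added example. Steps 1-2 run on an admin workstation with RSAT;
# step 3 runs on a machine where the result is being verified.
Import-Module GroupPolicy

# Placeholders (assumptions): GPO name and OU path.
# UserGroup1 and YOURPC are the names used in the thread.
$GpoName  = 'User-Policy-YOURPC'
$UsersOU  = 'OU=Users,DC=example,DC=com'
$Group    = 'UserGroup1'
$TargetPC = 'YOURPC'
$Wql      = "select * from win32_computersystem where dnshostname='$TargetPC'"

function Test-WmiFilterQuery {
    # Hypothetical helper: a WMI filter passes when its query returns
    # at least one instance on the machine that evaluates it.
    param([Parameter(Mandatory)][string]$Query)
    $hits = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

# 1. Create the GPO and link it to the OU that holds the user accounts.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $UsersOU -LinkEnabled Yes | Out-Null

# 2. Security filtering: Authenticated Users (which includes Domain Admins)
#    drop from Apply to Read; only the target group gets Apply.
#    -Replace is required to lower an existing permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Review the resulting ACL before attaching the WMI filter in GPMC.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 3. On a client: check how the filter query evaluates locally, then
#    confirm which user GPOs were applied or filtered out.
if (Test-WmiFilterQuery -Query $Wql) {
    Write-Output "WMI filter matches on $env:COMPUTERNAME"
} else {
    Write-Output "WMI filter does not match on $env:COMPUTERNAME"
}
gpresult /scope user /r
```

A member of UserGroup1 should see the GPO under applied objects only on the machine where the filter query matches; on every other machine `gpresult` lists it as filtered out.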
  • > Hi, I have a user-level GPO that I'd like to apply to a group of users
    > when they log on a specific computer.
     
     
    Although the URL mentions "screen saver", it deals exactly with your
    requirement.
     
    Tuesday, December 8, 2015 11:31 AM
  • Thank you all for your suggestions. So, I must assume that the following configuration will not work (see picture below).

    The policy is in loopback mode merge enabled. Server1, server2 and userGroup1 apply the policy. Authenticated users and other groups only read the policy.

    What I want to achieve is to apply the policy for UserGroup1 only on Server1 and Server2. Remember that the policy is a USER policy.



    • Edited by maurice7785 Thursday, December 10, 2015 4:23 PM
    Thursday, December 10, 2015 4:16 PM
  • On 10.12.2015 at 18:04, Martin Binder [MVP] wrote:
    > Update: This applies to merge mode, not replace mode.
     
    Thanks, I always mix this up ...
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Thursday, December 10, 2015 10:46 PM