Sign in
 

none
Apply user GPO to a group of users on one computer

 > 

    Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi, I have a user-level GPO that I'd like to apply to a group of user when they log on a specific computer.

    I'd like not to create an OU containing only the computer, I'd like to apply the policy to an OU containing other servers and filter on that particular one. But I need also to filter for users, since I don't want domain admins to apply the policy.

    Can you help me?

    Monday, December 07, 2015 4:17 PM
    |

Answers

  • Question
    Sign in to vote
    0
    Sign in to vote
    Hi,
     
    Am 10.12.2015 um 17:16 schrieb maurice7785:
    > What I want to achieve is to apply the policy for UserGroup1 only on
    > Server1 and Server2. Remember that the policy is a USER policy.
     
    Giving Server1+Server2 "apply" rights on the user policy will not change
    anything in behavior, as long Loop is in mergemode.
    You can define "deny" for computer in that GPO and it would be applied
    to the user ... because the computer will never apply that GPO with
    userconfiguration.
     
    In Loop with replacemode, computer security settings can be used as a
    security filter.
     
    3 options:
    a) use replace ...
     
    b) disable loopback, link the GPO to the users and use WMI Filter
     
    c) keep loopback, keep link and use WMI Filter
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Thursday, December 10, 2015 4:40 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    > In Loop with replacemode, computer security settings can be used as a
    > security filter.
     
    Update: This applies to merge mode, not replace mode.
     
    In replace mode, the computer ignores the GPO completely and the user
    evaluates as usual. In merge mode, the computer evaluates "read access",
    and if the computer has no read access, the GPO will not be applied
    regardless of user rights.
     
    > a) use replace ...
    > b) disable loopback, link the GPO to the users and use WMI Filter
    > c) keep loopback, keep link and use WMI Filter
     
    d) Use Group Policy Preferences and target the computer through Item
    Level Targeting (security group - computer is a member of)
     
    Thursday, December 10, 2015 5:04 PM
    |

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hey,

    On the group policy you created you must add it to the computer only as the attachment!

    Hope this helps!GPO ADD

    Pelicano

    Monday, December 07, 2015 4:22 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    Hi,
     
    Am 07.12.2015 um 17:17 schrieb maurice7785:
    > I'd like not to create an OU containing only the computer,
     
    - create a GPO,  it your users OU
    - security filtering set to desired Security group
    - add WMI Filter to only address the single computer
      select * from win32_computersystem where dnshostname='YOURPC'
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Proposed as answer by Joao Pelicano Monday, December 07, 2015 8:03 PM
    Monday, December 07, 2015 4:46 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    > Hi, I have a user-level GPO that I'd like to apply to a group of user
    > when they log on a specific computer.
     
     
    Althouhg the URL mentions "screen saver", it deals exactly with your
    requirement.
     
    Tuesday, December 08, 2015 11:31 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Thank you all for your suggestions. So, I must assume that the following configuration will not work (see picture below).

    The policy is in loopback mode merge enabled. Server1, server2 and userGroup1 apply the policy. Authenticated users and other groups only read the policy.

    What I want to achieve is to apply the policy for UserGroup1 only on Server1 and Server2. Remember that the policy is a USER policy.



    • Edited by maurice7785 Thursday, December 10, 2015 4:23 PM
    Thursday, December 10, 2015 4:16 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    Hi,
     
    Am 10.12.2015 um 17:16 schrieb maurice7785:
    > What I want to achieve is to apply the policy for UserGroup1 only on
    > Server1 and Server2. Remember that the policy is a USER policy.
     
    Giving Server1+Server2 "apply" rights on the user policy will not change
    anything in behavior, as long Loop is in mergemode.
    You can define "deny" for computer in that GPO and it would be applied
    to the user ... because the computer will never apply that GPO with
    userconfiguration.
     
    In Loop with replacemode, computer security settings can be used as a
    security filter.
     
    3 options:
    a) use replace ...
     
    b) disable loopback, link the GPO to the users and use WMI Filter
     
    c) keep loopback, keep link and use WMI Filter
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Thursday, December 10, 2015 4:40 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    > In Loop with replacemode, computer security settings can be used as a
    > security filter.
     
    Update: This applies to merge mode, not replace mode.
     
    In replace mode, the computer ignores the GPO completely and the user
    evaluates as usual. In merge mode, the computer evaluates "read access",
    and if the computer has no read access, the GPO will not be applied
    regardless of user rights.
     
    > a) use replace ...
    > b) disable loopback, link the GPO to the users and use WMI Filter
    > c) keep loopback, keep link and use WMI Filter
     
    d) Use Group Policy Preferences and target the computer through Item
    Level Targeting (security group - computer is a member of)
     
    Thursday, December 10, 2015 5:04 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    Am 10.12.2015 um 18:04 schrieb Martin Binder [MVP]:
    > Update: This applies to merge mode, not replace mode.
     
    Thanks, I always mix this up ...
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Thursday, December 10, 2015 10:46 PM
    |