  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 413

Group policy for particular computer

I have a user who works in the office from a desktop computer and who also has a laptop to work from home, which he sometimes brings to the office. How can I make one group policy apply to him when he works on the desktop in the office and another group policy apply when he works on his laptop? I have a MyDocuments redirection policy, but I don't want it to be applied when the user works on his portable computer. His laptop is in the domain.
Asked by AlexC77
1 Solution
 
ZabagaR commented:
I thought I had an answer, but I have to think about it now....

Because your group policies are divided into "computer policies" and "user policies".  MyDocuments redirection I believe is a user policy.  This means, you can apply it according to USER, not computer.  What you need to do is have a policy dependent on COMPUTER.....a policy just for the laptop or the existing policy and you'd exclude the laptop from it.

Go to:

Group Policy -> Properties -> Security Tab

You could add "laptop" to the list and choose to "Apply Group Policy" (ALLOW) or (DENY)

So you can have a policy & set this laptop to either allow or deny a policy you make.  But as I said, the problem is that the folder redirect is based per user, not computer.

Follow?
 
sciwriter commented:
There is no way to do this with group policies easily, because the group policy depends on the login name, and as long as he has that, he is stuck with ONE group policy.

This is one of the GREATEST hassles of MS networking.  The ONLY solution, as MS conceived it, is for the person to use TWO SEPARATE LOGINS, with separate name and password.  As two separate logins, you can configure them totally differently.  SURE it is a pain in the neck for him to log in differently at different places -- but this is the way Microsoft conceived it -- and the way you HAVE to do it, according to them.  Two separate profiles, two separate logins on the one machine, two separate sets of desktops... oh joy.
 
ZabagaR commented:
sciwriter - yeah I agree - two logons to accommodate ......ugh......I didn't want to suggest it!!!!!
I was hoping I'd think of another idea.....I may....hmmm.....I'll think about it.

 
sciwriter commented:
Zab -- there are hacks to this -- the one I love is a dual boot -- that is easier than switching profiles.
Another great alternative is to develop a Windows login script that senses the gateway you are connected to, but it requires pre-boot TCP/IP drivers.  There are others too.  Problem is, with all of them, they are even more trouble for most people than simply switching profiles.

So what I suggest to people is this -- hey, take everything out of your own login folder, all in the Desktop and Start Menu/Programs, and dump this ALL into "All Users".  Now, no matter what you log on as, you will get the same layout, so you would almost never notice the difference.  Even the "MyDocs" directory can be redirected.  This works great until you install new apps, which go into one profile or the other.

Fundamentally, it is a flawed MS solution to a problem that should not need to exist.  They could have made Windows XP natively dual-homeable to two different TCP/IP gateways, thus totally eradicating the need for this nonsense.  But MS does not understand enough about TCP/IP to do this ... yet...
 
AlexC77 (Author) commented:
What if I deny group policy reading for that laptop, as ZabagaR suggested in the first answer?

 
sciwriter commented:
Then you have no access.  If you joined a login to a group, and you later deny group policy access to the resources you want to share, surely the implications are clear -- you have no access to those resources.
 
AlexC77 (Author) commented:
No, I mean what if I have a group policy for folder redirection but I set "deny read" for a particular computer? Does it mean that whoever logs in from that computer will not have MyDocuments redirected?
 
sciwriter commented:
The privileges assigned to a user on a network are based on LOGIN NAME AND PASSWORD, *NOT* by computer.  If a person has 2 computers that you want handled differently when at the office, all they need is DIFFERENT LOGINS and you can set up different deny/allow privileges.  Meaning, the user name and password that he uses on each system must be DIFFERENT -- JOE with PW = me on the laptop, versus JMartin with PW=joe on the desktop are two DIFFERENT logins, as far as the Client for MS Networks is concerned.  Based on that, you can do anything you want on the server, because it views them as two whole different people, regardless of the person behind the login.  Windows cannot discern people, it can only discern computer login names and passwords.  Therefore, if he agrees to this, you have what you want.  If he wants to get around it, it's as simple as changing the login on the laptop to equal that on the desktop, and he gets the SAME privileges on both machines.
 
oBdA commented:
You need the loopback feature to apply different user policies, depending on which machine the user logs on to.

1. If you don't have a dedicated "Laptop OU" yet, create one. Create a new GPO in your Laptop OU, named, for example, "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - Group Policy - User Group Policy loopback processing mode. Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "Disable Computer Configuration Settings" in those. Important: Do *not* use the "Loopback" GPO to configure other settings than the loopback feature! These GPOs will now only apply if the users log on to a laptop.
Note that if you're using "merge" in the Loopback GPO, you'll have to explicitly create a user policy to direct the My Documents folder back to the local folder. If you're using "replace", that shouldn't be necessary (it might be, though, if the user has had the redirection policy already applied; disabling a redirection policy can be tricky), but you might have to redefine other policies you want applied to the user.
Note, too, that you do (or "may") *not* need to put the users in (or below) the Laptop OU. New GPOs in that OU will be applied to *all* users logging on to a laptop in that OU, even though those users are not in/below the Laptop OU.
To exclude administrators, use security group filtering. I'd recommend doing the following (for any GPO, not only the Laptop one): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read policy" rights for the default "Authenticated Users" and add them for the proper security group instead. That way you not only have easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
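As an added example (not code from oBdA's answer or anyone else in this thread), the accepted procedure scripted with the ActiveDirectory and GroupPolicy PowerShell modules, including ZabagaR's per-GPO security filtering; the OU, GPO, group and account names are assumptions. It also grants computer accounts the Read right that Windows clients have required since the MS16-072 update, since removing "Read" from Authenticated Users alone would otherwise stop the user GPO from applying.

```powershell
# Added example, not code from the thread: scripts oBdA's Laptop OU + loopback
# layout. OU/GPO/group/user names are assumptions; run as a domain admin.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$laptopOu = "OU=Laptops,$domainDn"

# 1. Dedicated Laptop OU (created only if it does not exist yet). Laptop
#    computer objects must be moved into it (Move-ADObject) for the links to apply.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Laptops'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name "Laptops" -Path $domainDn
}

# 2. "Loopback" GPO: carries nothing but the loopback switch, user half disabled
$loop = New-GPO -Name "Loopback" -Comment "Only enables loopback processing"
$loop.GpoStatus = "UserSettingsDisabled"
# Registry value behind "User Group Policy loopback processing mode":
# UserPolicyMode 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $loop.DisplayName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null
New-GPLink -Name $loop.DisplayName -Target $laptopOu -LinkEnabled Yes | Out-Null

# 3. Separate user GPO; it only applies when someone logs on to a laptop in the OU
$userGpo = New-GPO -Name "Laptop-UserSettings"
$userGpo.GpoStatus = "ComputerSettingsDisabled"
New-GPLink -Name $userGpo.DisplayName -Target $laptopOu -LinkEnabled Yes | Out-Null

# 4. Security filtering in the GPol<GPO name> convention
$grpName = "GPol$($userGpo.DisplayName)"
New-ADGroup -Name $grpName -GroupScope Global -GroupCategory Security -Path $domainDn
Add-ADGroupMember -Identity $grpName -Members "jmartin"   # assumed account name
Set-GPPermission -Name $userGpo.DisplayName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $userGpo.DisplayName -TargetName $grpName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Since MS16-072 the computer account retrieves user GPOs, so it still needs Read
Set-GPPermission -Name $userGpo.DisplayName -TargetName "Domain Computers" `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

# 5. Check from a laptop in the OU after "gpupdate /force":
#    gpresult /r  -> "Loopback" listed under COMPUTER SETTINGS and
#    "Laptop-UserSettings" under USER SETTINGS; the same user logged on to the
#    office desktop must not list it, and My Documents stays local on the laptop.
```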