Group Policy, Application of User Configuration & Computer Configuration as they realte to User OU & Computer OU

Posted on 2006-04-10
Medium Priority
Last Modified: 2008-01-09

     I have two OUs

     Employees - OU that contains all active employees
     Workstations - OU that contains all active computers (Servers & laptops excluded)

     I have two Security Groups

     Employees - Global Security Group that contains all of the current employees
     Workstations - Global Security Group that contains all of the active workstations in the Domain.

     Have one GPO, 'Proxy Settings', which configures IE to use a proxy server and disables the end-users ability to change proxy settings in IE.

     I would like to apply this policy to the Workstations OU, even though the GPO settings being used are in the 'User Configuration' section of GPO.
     I do not want this policy applied based on the users membership in a security group. I only want this policy applied to the workstations
    and all of the users that logon to these workstations.

    Would I need to add all of my users and all of my workstations to the same security group and then use this security group in 'Security Filtering' for the GPO?

   Or Am I out in left field?

Question by:keatscon
  • 2

Accepted Solution

tactonic_grate earned 750 total points
ID: 16424211
I normally apply proxy settings at domain OU level- since you want all users/machines in your domain to have this applied. The key is when you said, "I only want this policy applied to the workstations and all the users that logon to these workstations". If you don't want the settings to apply to administrators (or associated groups) filter those out.

If you really want to apply User Configuration settings to machines, then what you might be able to do is still have your GPO defined on the "Workstations" OU but use "Loopback Processing" of the GPO. See the MS article here:


Good luck!


Expert Comment

ID: 16424221
Just found this too- looks good to me:


Tac :)

Expert Comment

ID: 16424433
the key to this question is -

"I do not want this policy applied based on the users membership in a security group. I only want this policy applied to the workstations and all of the users that logon to these workstations."

So, all you need to do is to create\link the 'Proxy Settings' GPO to the 'Workstations' OU.
LVL 51

Expert Comment

ID: 16425580
If the Proxy settings are in the User Configuration portion of the GPO, then the settings apply to Users - NOT workstations.  Since the User Accounts must be in the path of the GPO for it to apply, linking it to the workstation OU is not going to do anything for you.

You have 2 choices:

1)  As already mentioned, enable Loopback Processing on the GPO.  Computer Config>Admin Templates>System>Group Policy::User group policy loopback processing mode.

2)  Link the GPO to the Employess OU.

Security groups are not going to help you in this scenario.


Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Learn about cloud computing and its benefits for small business owners.
This Micro Tutorial will teach you how to add a cinematic look to any film or video out there. There are very few simple steps that you will follow to do so. This will be demonstrated using Adobe Premiere Pro CS6.
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question