• Status: Solved

Group Policy Quandary

Here is what I would like to do...?  

I have machines and users in different OUs, which have to stay that way.  I would like to create a GP that is applied at both the computer and user level.  How can this be done?  Obviously, it cannot be done by just creating a policy and applying it at one OU, as the other OU would not be affected.  However, if I were to move the policy to a higher level, it would affect both, but would be too global.  I only want the policy to affect a handful of machines, but all users when they use those specific machines.  Is this possible?  If so, how?  Maybe WMI....???

Thanks
Asked by: craryg
1 Solution
 
mdiglio Commented:
Hello,
In order to do this you will need to create one group policy that contains both user and computer settings and apply this to the OU with the computer in it.
The one catch is you must enable something called group policy loopback processing.
This will force all users who log into a specific set of computers to have whatever user settings are enabled in that policy applied to them.

So create one policy that has all computer and user settings you want and then add this policy:
Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode. You'll probably set it to 'Merge'.

My explanation might have been a little confusing, it will make more sense after you use it.
Also here is an MS article with another explanation
http://support.microsoft.com/?id=231287
 
mdiglio Commented:
I must have glanced over this requirement...
"I only want the policy to affect a handful of machines"

If that is the case you need to either create a new OU for these computers or
place these computers in their own group and use security filtering from the GPMC.
This can be explained more if that is the way you have to do it.
 
craryg (Author) Commented:
It sounds like we might be heading in the right direction, but maybe I should be a bit more specific.  I need for the machines to stay in their OUs as they are right now (for many other reasons). The users (in another OU) must stay in theirs as well.  I need for a policy to be applied to just a handful of machines affecting both the user that logs in and that specific machine.  So, if I were user 1 logging into a normal workstation, all would be fine.  However, if I were user 1 logging into special workstation 1, I might get a different background, screensaver, etc.

Does that help?
 
mdiglio Commented:
Ok, are these 'handful of machines' the only computers in that OU?
If so then, we are all set and you can use Loopback Processing.
 
craryg (Author) Commented:
Unfortunately not.  There are others, so I was thinking the policy would be applied based on group association...
 
mdiglio Commented:
Ok, the first step is to set up your group policy and include the loopback processing mode.

Then create a new group and add these computers to that group.

Then using the Group Policy Management Console navigate to this Group Policy >
under the 'Security filtering' section you will need to remove 'Authenticated Users' and
then add the newly created computer group and add 'Domain Users'.

If we had left Authenticated Users, then the policy would apply to every computer.
Then in order for your users to read the policy we need to add some user group to the policy as well.
I chose 'Domain Users', but if you have a better one then go ahead and add that, or make a new one.
 
mdiglio Commented:
craryg, did you have any problems getting this going?
 
craryg (Author) Commented:
I apologize for not responding to your very diligent efforts.  I recently changed jobs and my e-mail was slow to follow.  Yes, this did work and I will award full points.

Thanks again!
 
mdiglio Commented:
Glad you got it working!
Thanks for the points