Group Policy Quandary

Here is what I would like to do...?  

I have machines and users in different OUs, which have to stay that way.  I would like to create a GP that is applied at both the computer and user level.  How can this be done? Obviously, it cannot be done by just creating a policy and applying at one OU, as the other OU would not be affected.  However, if I were to move the policy at a higher level, it would affect both, but would be too global.  I only want the policy to affect a handful of machines, but all users when they use those specific machines.  Is this possible?  If so how?  Maybe WMI....???

Ok, the first step is to set up your group policy and include the loopback processing mode

Then create a new group and add these computers to that group

Then using the Group Policy Management Console navigate to this Group Policy >
under the 'Security filtering' section you will need to remove 'authenticated users' and
then add the newly created computer group and add 'Domain Users'

If we would have left authenticated users then the policy would apply to every computer.
Then in order for your users to read the policy we need to add some user group to the policy as well.
I chose 'Domain Users', but if you have a better one then go ahead and add that, or make a new one.
In order to do this you will need to create one group policy that contains both user and computer settings and apply this to the OU with the computer in it.
The one catch is you must enable something called group policy loopback processing.
This will force all users who log into a specific set of computers to have whatever user settings are enabled in that policy applied to them

So create one policy that has all computer and user settings you want and then add this policy
Computer Configuration > Administrative Templates > System > Group Policy > Use Group Policy Loopback Processing Mode. You'll probably set it to 'Merge'

My explanation might have been a little confusing, it will make more sense after you use it.
Also here is an MS article with another explanation
I must have glanced over this requirement...
"I only want the policy to affect a handful of machines"

If that is the case you need to either create a new OU for these computers or
place these computers in their own group and use security filtering from the GPMC.
This can be explained more if that is the way you have to do it.
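The steps described in the answers above (loopback GPO, computer group, security filtering, link to the computers' OU), scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original thread; the GPO name, group name, OU paths and computer names are placeholders, and it keeps Read (without Apply) for 'Authenticated Users' rather than removing the entry entirely.

```powershell
# Added example: every name below is a placeholder (assumption), not from the thread.
Import-Module GroupPolicy, ActiveDirectory

$GpoName    = 'Special Workstations - Loopback'      # hypothetical GPO name
$GroupName  = 'GPO-Special-Workstations'             # hypothetical computer group
$ComputerOU = 'OU=Workstations,DC=example,DC=com'    # existing OU that holds the machines
$GroupOU    = 'OU=Groups,DC=example,DC=com'          # OU where the new group is created
$Computers  = 'SPECIAL-WS1', 'SPECIAL-WS2'           # the handful of target machines

# 1. Create the GPO and enable loopback processing in it.
#    UserPolicyMode: 1 = Merge, 2 = Replace.
New-GPO -Name $GpoName | Out-Null
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 2. Put the target computers in a security group; they stay in their current OU.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity $GroupName `
    -Members ($Computers | ForEach-Object { Get-ADComputer $_ })

# 3. Security filtering.
#    Downgrade 'Authenticated Users' from Apply to Read so the GPO no longer
#    applies to every computer in the OU but remains readable.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
#    Apply to the computer group and to the user group chosen in the answer.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Domain Users' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link the GPO to the OU that contains the computers.
New-GPLink -Name $GpoName -Target $ComputerOU | Out-Null

# 5. Review the resulting delegation before relying on it.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer picks up its new group membership at the next restart; after that, `gpresult /r` on one of the target machines shows whether the GPO was applied or filtered out.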

craryg (Author) Commented:
It sounds like we might be heading in the right direction, but maybe I should be a bit more specific.  I need for the machines to stay in their OUs as they are right now (for many other reasons). The users (in another OU) must stay in theirs as well.  I need for a policy to be applied to just a handful of machines affecting both the user that logs in and that specific machine.  So, if I were user 1 logging into normal workstation, all would be fine.  However, if I were user 1 logging into special workstation 1, I might get a different background, screensaver, etc.

Does that help?
Ok, are these 'handful of machines' the only computers in that OU ?
If so then, we are all set and you can use Loopback Processing.
craryg (Author) Commented:
Unfortunately not.  There are others, so I was thinking the policy would be applied based on group association...
craryg, did you have any problems getting this going ?
craryg (Author) Commented:
I apologize for not responding to your very diligent efforts.  I recently changed jobs and my e-mail was slow to follow.  Yes, this did work and I will award full points.

Thanks again!
Glad you got it working!
Thanks for the points
Question has a verified solution.
