craryg

Group Policy Quandary

Here is what I would like to do...?  

I have machines and users in different OUs, which have to stay that way.  I would like to create a GP that is applied at both the computer and user level.  How can this be done?  Obviously, it cannot be done by just creating a policy and applying at one OU, as the other OU would not be affected.  However, if I were to move the policy at a higher level, it would affect both, but would be too global.  I only want the policy to affect a handful of machines, but all users when they use those specific machines.  Is this possible?  If so how?  Maybe WMI....???

Thanks
mdiglio

Hello,
In order to do this you will need to create one group policy that contains both user and computer settings and apply this to the OU with the computer in it.
The one catch is you must enable something called group policy loopback processing.
This will force all users who log into a specific set of computers to have whatever user settings are enabled in that policy applied to them.

So create one policy that has all computer and user settings you want and then add this policy:
Computer Configuration > Administrative Templates > System > Group Policy > Use Group Policy Loopback Processing Mode. You'll probably set it to 'Merge'.

My explanation might have been a little confusing; it will make more sense after you use it.
Also, here is an MS article with another explanation:
http://support.microsoft.com/?id=231287
I must have glanced over this requirement...
"I only want the policy to affect a handful of machines"

If that is the case you need to either create a new OU for these computers or
place these computers in their own group and use security filtering from the GPMC.
This can be explained more if that is the way you have to do it.
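
The approach described in the two posts above (one GPO with loopback enabled, linked to the computers' OU and security-filtered to a group), as an added PowerShell example that is not part of the original thread. The GPO, group, OU and computer names are hypothetical placeholders, and it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed.

```powershell
# Added example: every name below is a hypothetical placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'Special-Workstations-Loopback'       # hypothetical GPO name
$GroupName  = 'GRP-Special-Workstations'            # hypothetical security group
$ComputerOu = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU; machines stay where they are
$Computers  = 'SPECIAL-WS01', 'SPECIAL-WS02'        # hypothetical computer names

# 1. Put the handful of machines in their own security group.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName `
    -Members ($Computers | ForEach-Object { Get-ADComputer -Identity $_ })

# 2. Create the GPO and link it to the OU that holds the computers.
New-GPO -Name $GpoName | New-GPLink -Target $ComputerOu -LinkEnabled Yes

# 3. Enable loopback processing. The administrative template setting is
#    backed by the UserPolicyMode value: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1

# 4. Security filtering. Authenticated Users drops from Apply to Read only,
#    so the other computers in the OU can read the GPO but do not apply it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

#    The computer group gets Apply, so only these machines take the
#    computer settings and the loopback switch.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

#    The user half of the GPO is still filtered against the account that
#    logs on, so the users need Apply as well. Domain Users is used here
#    as an assumption; substitute a narrower group if one fits.
Set-GPPermission -Name $GpoName -TargetName 'Domain Users' `
    -TargetType Group -PermissionLevel GpoApply
```

A computer picks up its new group membership at the next restart. After that, running `gpresult /r` as a logged-on user on one of the grouped machines and on an ungrouped machine in the same OU shows whether the filter is doing its job.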
craryg

ASKER

It sounds like we might be heading in the right direction, but maybe I should be a bit more specific.  I need for the machines to stay in their OUs as they are right now (for many other reasons). The users (in another OU) must stay in theirs as well.  I need for a policy to be applied to just a handful of machines affecting both the user that logs in and that specific machine.  So, if I were user 1 logging into a normal workstation, all would be fine.  However, if I were user 1 logging into special workstation 1, I might get a different background, screensaver, etc.

Does that help?
OK, are these 'handful of machines' the only computers in that OU?
If so then, we are all set and you can use Loopback Processing.
craryg

ASKER

Unfortunately not.  There are others, so I was thinking the policy would be applied based on group association...
ASKER CERTIFIED SOLUTION
mdiglio
This solution is only available to members.
craryg, did you have any problems getting this going?
craryg

ASKER

I apologize for not responding to your very diligent efforts.  I recently changed jobs and my e-mail was slow to follow.  Yes, this did work and I will award full points.

Thanks again!
Glad you got it working!
Thanks for the points