Best way to apply a group policy to a single server?

Hi all,

I need all users logging into one of two (Citrix) servers (Windows 2003 R2) to get an entry into local intranet sites. I don't need or want it across the domain, I just need it for users logging into one of 2 specific Citrix servers.

What's the best way to do this?

I tried using the local group policy editor, went to user configuration, and set it to import internet settings. I closed GP, tried a gpupdate /force and a reboot, but users logging in don't seem to get it.

One related question: will this apply only to new users logging in, or would it apply even to existing users on the server? Thanks.
toomanyserversAsked:

wmeerzaCommented:
Put both servers into their own OU and apply the group policy for the OU. This will enforce the rules for just those servers in the group.
0
wmeerzaCommented:
Sorry, just put the one you need into the OU.
0
toomanyserversAuthor Commented:
Thanks for the quick answer. Question though: I have other Citrix servers which I don't want to get this setting.

Once I get this straightened out, I will want to have a different group policy apply to all the Citrix servers (one that will not allow local drive access).

I guess I can make 2 OUs and have 2 GPs on 1 OU and 1 on the other. Does this seem like a clean way to do this?

Also, if I want all users to get it, will making the setting in the user configuration do it? The setting is not available under the computer policy.
0
wmeerzaCommented:
That's right, all you have suggested will work just fine. When the user logs into the Citrix server with the 2 group policies, they will be applied (at the user level too). All other users logging into servers in the other OU will get 1 group policy applied.
0
toomanyserversAuthor Commented:
Thanks. I set up an OU and added the Citrix server in there. I set up a GPO and set the local intranet sites the way I want them, but users logging in via Citrix don't seem to be getting it. I tried gpupdate /force and rebooting a couple of times. I guess I will wait until the morning and see what is going on.
0
wmeerzaCommented:
Hmm, could take a while. If it still doesn't work, maybe use the Group Policy Results wizard (in group policy) to see what happens for a user logging on.
0
toomanyserversAuthor Commented:
I ran the results wizard and I am getting this under the setting

These settings were applied only by GPOs that do not contain Internet Explorer Enhanced Security Configuration (ESC) settings because this computer does not have ESC enabled. ESC settings cannot be applied to this computer.

I had turned off IE ESC because it's more hassle than it's worth. If I need to have it on for this GP to work, I will. I just turned it on and tried reapplying the policy. So far same results in the results wizard.
I am just trying to get a site added as a local intranet site.

I am going to User config -> Windows Settings -> IE Maintenance -> Security Zones and Content, Security Zones and Privacy

Am I missing something?

0
PberSolutions ArchitectCommented:
User-based GPOs must be applied to OUs that contain users.
Computer-based GPOs must be applied to OUs that contain computers.

There is a caveat to that, and that is loopback.

You need to use loopback processing to allow user settings to be set by a GPO applied to computers.
See this:
http://support.microsoft.com/kb/260370
http://support.microsoft.com/kb/231287

To apply this GPO to only one or two computers without restructuring your OUs, just set the Security filtering from the default of "Authenticated Users" to only the computer names you want. Use the GPMC for this: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

0
toomanyserversAuthor Commented:
Thanks for the links. I created a loopback GPO that just applies the loopback property under Computer property. I then created another GPO that just applies the intranet sites at the user level.

I see in the MS article that on the loopback policy, the terminal server in the OU needs to be added in the security properties. However, the MS site shows how to do it without the GPMC. With the GPMC there is no property -> security, though there is security filtering. Should the server name be added to the security filtering?

Once the loopback policy works, then any linked user GPO should flow to just that server?

Thanks.
0
PberSolutions ArchitectCommented:
The Property Security and the security filtering in GPMC are one and the same. If there are other servers in the same OU, then just change the security filtering to only the TSs that you want for both GPOs you've created.

...or you can just create a new OU for the TS servers, move the two TS servers into that OU, apply the GPOs to that OU and leave the security filtering at the default of authenticated users. Actually, I'm starting to question whether the users would get the IE settings unless that GPO had authenticated users defined.

Once loopback is turned on for those servers, you can then apply user-based GPOs to those servers and have the users obtain those policy settings.
0
wmeerzaCommented:
With the OU where you have made the change, have you set the Loopback security filtering to apply to Authenticated Users? Also, you may want to create a security group, add the required users to it and use it for security filtering on your new group policy.
0
toomanyserversAuthor Commented:
Hi, I did set the Loopback policy to apply to authenticated users. I added the users to a security group.

I just tried logging in as a user on the terminal server. My intranet site GPO says it was applied (but users don't have the settings). Also, I am getting this from gpresult (which is probably why the IE GPO isn't working yet):


The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    loopback-citrix
        Filtering:  Disabled (GPO)
0
PberSolutions ArchitectCommented:
Right-click the GPO in GPMC and select GPO Status, Enabled.

Which GPO is that one? The GPO to turn on the loopback on the Citrix servers? Or the one that sets the users' IE settings?
0

toomanyserversAuthor Commented:
The loopback GPO is the one that says disabled. I just checked GPMC and "Link Enabled" is selected.

The one that sets the user IE settings says it's applied in the gpresult output, but users logging in are not getting them.
0
toomanyserversAuthor Commented:
Scratch that. Sorry, I see what you mean. I will try that now.
0
toomanyserversAuthor Commented:
That did it. I had it set to computer policy only, but it looks like it needs to be fully enabled.
Thanks, seems to be working!

0
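The gpresult excerpt quoted earlier in the thread was the clue that resolved it. As an added example (not part of the original thread), the sketch below parses saved `gpresult` text and lists every GPO that was filtered out, together with its reason and where to look. Only the `loopback-citrix` entry comes from the thread; the rest of the sample and the hint wording are constructed assumptions.

```python
import re

# Constructed sample in gpresult's text layout. "loopback-citrix" and its
# reason come from the thread; every other line is made up for illustration.
SAMPLE = """\
COMPUTER SETTINGS
------------------
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        loopback-citrix
            Filtering:  Disabled (GPO)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\\Administrators

USER SETTINGS
--------------
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
"""

# Where to look for each reason (editor's summary, not gpresult text).
HINTS = {
    "Disabled (GPO)": "GPO Status disables this half (or all) of the GPO; set it to Enabled in GPMC",
    "Disabled (Link)": "the link on the OU is disabled; check Link Enabled",
    "Denied (Security)": "security filtering excludes this user or computer",
    "Not Applied (Empty)": "the GPO holds no settings for this half",
}
SECTION = re.compile(r"^(COMPUTER|USER) SETTINGS$")
REASON = re.compile(r"^Filtering:\s*(.+)$")

def filtered_gpos(text):
    """Return (scope, gpo_name, reason) for each filtered-out GPO."""
    results, scope, in_block, pending = [], "UNKNOWN", False, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue                      # blank lines and dashed rulers
        if SECTION.match(line):
            scope, in_block, pending = line.split()[0], False, None
        elif "not applied because they were filtered out" in line:
            in_block, pending = True, None
        elif in_block:
            m = REASON.match(line)
            if m and pending is not None:
                results.append((scope, pending, m.group(1)))
                pending = None
            elif m is None and pending is None:
                pending = line            # candidate GPO name
            else:
                in_block = False          # a name with no reason: block ended

    return results

def hint(reason):
    return HINTS.get(reason, "unrecognised reason; inspect the GPO in GPMC")
```
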
Windows Server 2003