• Status: Solved

Best way to apply a group policy to a single server?

Hi all,

I need all users logging into one of two (Citrix) servers (Windows 2003 R2) to get an entry in local intranet sites. I don't need or want it across the domain; I just need it for users logging into one of 2 specific Citrix servers.

What's the best way to do this?

I tried using the local group policy editor, went to User Configuration, and set it to import internet settings. I closed GP, tried a gpupdate /force and a reboot, but users logging in don't seem to get it.

One related question: will this apply only to new users logging in, or would it apply even to existing users on the server? Thanks.
toomanyservers
Asked:
 
wmeerza Commented:
Put both servers into their own OU and apply the group policy for the OU. This will enforce the rules for just those servers in the group.
 
wmeerza Commented:
Sorry, just put the one you need into the OU.
 
toomanyservers (Author) Commented:
Thanks for the quick answer. Question though. I have other Citrix servers which I don't want to get this setting.

Once I get this straightened out, I will want to have a different group policy apply to all the Citrix servers (one that will not allow local drive access).

I guess I can make 2 OUs and have 2 GPs on 1 OU and 1 on the other. Does this seem like a clean way to do this?

Also, if I want all users to get it, will making the setting in the user configuration do it? The setting is not available under the computer policy.

 
wmeerza Commented:
That's right, all you have suggested will work just fine. When the user logs into the Citrix server with the 2 group policies, they will be applied (at the user level too). All other users logging into servers in the other OU will get 1 group policy applied.
 
toomanyservers (Author) Commented:
Thanks. I set up an OU and added the Citrix server in there. I set up a GPO and set the local intranet sites the way I want them, but users logging in via Citrix don't seem to be getting it. I tried gpupdate /force and rebooting a couple of times. I guess I will wait until the morning and see what is going on.
 
wmeerza Commented:
Hmm, could take a while. Maybe (in group policy) use the group policy results wizard to see what happens for a user logging on if it still doesn't work.
 
toomanyservers (Author) Commented:
I ran the results wizard and I am getting this under the setting:

These settings were applied only by GPOs that do not contain Internet Explorer Enhanced Security Configuration (ESC) settings because this computer does not have ESC enabled. ESC settings cannot be applied to this computer.

I had turned off IE ESC because it's more hassle than it's worth. If I need to have it on for this GP to work, I will. I just turned it on and tried reapplying the policy. So far, same results in the results wizard.
I am just trying to get a site added as a local intranet site.

I am going to User config -> Windows Settings -> IE Maintenance -> Security Zones and Content, Security Zones and Privacy

Am I missing something?

 
Pber (Solutions Architect) Commented:
User-based GPOs must be applied to OUs that contain users.
Computer-based GPOs must be applied to OUs that contain computers.

There is a caveat to that, and that is loopback.

You need to use loopback processing to allow user settings to be set by a GPO applied to computers.
See this:
http://support.microsoft.com/kb/260370
http://support.microsoft.com/kb/231287

To apply this GPO to only one or two computers without restructuring your OUs, just set the Security filtering from the default of "Authenticated Users" to only the computer names you want. Use the GPMC for this: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

 
toomanyservers (Author) Commented:
Thanks for the links. I created a loopback GPO and just applied the loopback property under Computer property. I then created another GPO that just applied the intranet sites at the user level.

I see in the MS article that on the loopback policy, the terminal server in the OU needs to be added in the security properties. However, the MS site shows how to do it without the GPMC. With the GPMC there is no property -> security, though there is security filtering. Should the server name be added to the security filtering?

Once the loopback policy works, then any linked user GPO should flow to just that server?

Thanks.
 
Pber (Solutions Architect) Commented:
The Property Security and the security filtering in GPMC are one and the same. If there are other servers in the same OU, then just change the security filtering to only the TSs that you want for both GPOs you've created.

...or you can just create a new OU for the TS servers and just move the two TS servers into that OU and apply the GPOs to that OU and leave the security filtering at the default of Authenticated Users. Actually I'm starting to question whether the users would get the IE settings unless that GPO had Authenticated Users defined.

Once loopback is turned on for those servers, you can then apply user-based GPOs to those servers and have the users obtain those policy settings.





 
wmeerza Commented:
With the OU where you have made the change, have you set the Loopback security filtering to apply to Authenticated Users? Also, you may want to create a security group and add the required users to it and use it for security filtering on your new group policy.
 
toomanyservers (Author) Commented:
Hi, I did set the Loopback policy to apply to authenticated users. I added the users to a security group.

I just tried logging in as a user on the terminal server. My intranet site GPO says it was applied (but users don't have the settings). Also, I am getting this from gpresult (which is probably why the IE GPO isn't working yet):


The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    loopback-citrix
        Filtering:  Disabled (GPO)
 
Pber (Solutions Architect) Commented:
Right-click the GPO in GPMC and select GPO Status, Enabled.

Which GPO is that one? The GPO to turn on the loopback on the Citrix servers? Or the one that sets the users' IE settings?
 
toomanyservers (Author) Commented:
The loopback GPO is the one that says disabled. I just checked GPMC and "Link Enabled" is selected.

The one that sets the user IE settings says it's applied in the gpresult output, but users logging in are not getting them.

 
 
toomanyservers (Author) Commented:
Scratch that. Sorry, I see what you mean. I will try that now.
 
toomanyservers (Author) Commented:
That did it.  I had it set to computer policy only, but it looks like it needs to be fully enabled.  
Thanks seems to be working!
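
The configuration this thread converged on (loopback GPO, security filtering, GPO status), written out as a script. It is an added example, not code from any poster, and it assumes a management host with the GroupPolicy PowerShell module, that both GPOs already exist, and placeholder OU, server, user-GPO and test-account names.

```powershell
# Added example; assumes the GroupPolicy module (GPMC/RSAT, Server 2008 R2 or later).
Import-Module GroupPolicy

# Placeholders, except 'loopback-citrix', which is the GPO name shown in the thread.
$ouDn        = 'OU=CitrixIntranet,DC=example,DC=local'  # OU holding the two servers
$servers     = 'CTX01', 'CTX02'                         # the two Citrix servers
$loopbackGpo = 'loopback-citrix'                        # computer-side loopback GPO
$userGpo     = 'citrix-intranet-zone'                   # user-side IE zone GPO
$testUser    = 'EXAMPLE\testuser'                       # account used for the RSoP check

# 1. Loopback is a computer setting stored as UserPolicyMode (1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $loopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 2. Link both GPOs to the OU that contains the servers (skip links that already exist).
$linked = @((Get-GPInheritance -Target $ouDn).GpoLinks | ForEach-Object { $_.DisplayName })
foreach ($name in $loopbackGpo, $userGpo) {
    if ($linked -notcontains $name) {
        New-GPLink -Name $name -Target $ouDn -LinkEnabled Yes | Out-Null
    }
}

# 3. Optional security filtering for the loopback GPO when other servers share the OU:
#    Authenticated Users drops from Apply to Read, and only the two servers get Apply.
#    The user-side GPO keeps the default Authenticated Users filter.
Set-GPPermission -Name $loopbackGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
foreach ($server in $servers) {
    Set-GPPermission -Name $loopbackGpo -TargetName $server `
        -TargetType Computer -PermissionLevel GpoApply | Out-Null
}

# 4. A GPO with a disabled half is reported by gpresult as "Filtering: Disabled (GPO)"
#    for that half, the state the loopback GPO was in; enable all settings on both.
foreach ($name in $loopbackGpo, $userGpo) {
    $gpo = Get-GPO -Name $name
    if ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
        Write-Output "$name was $($gpo.GpoStatus); enabling all settings"
        $gpo.GpoStatus = 'AllSettingsEnabled'
    }
}

# 5. After gpupdate /force on the server and a fresh logon, capture RSoP for one user.
Get-GPResultantSetOfPolicy -Computer $servers[0] -User $testUser `
    -ReportType Html -Path "$env:TEMP\rsop-$($servers[0]).html" | Out-Null
```

Step 3 is unnecessary when the two servers sit alone in their own OU, which is the layout the thread ended up with.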
