Solved

Apply GPO to only one user

Posted on 2009-05-15
Last Modified: 2012-06-27
Hi All,

We are running Windows 2003 AD. Our domain has multiple OU's...most users are in Company > HQ > Users.

There is a GPO I want to apply to only one user in the Users OU. This should not affect any other users. This GPO will contain one setting that we want to apply to this special user.

I was thinking of creating a GPO with this setting, GPO1, and also an AD security group, named Group1. I would then add this user to Group1.

Then, within the GPO, go to Security Filtering, and set it so that it is only applied to Group1. All other GPO's are applied to Authenticated users.

I would then move this GPO to the top of the list (Link Order 1) for the Users OU, so that it was the most important.

Does this sound about right?

Question by:Joe_Budden

Expert Comment

by:delyan_valchev
ID: 24394521
That sounds exactly as it can be done. ;-)
Cheers,
Delyan

Expert Comment

by:delyan_valchev
ID: 24394554
If you want to follow best practices, create a set of domain local and global groups Group1 (global) and Group1-L (local), nest the global into local, make the user a member of Group1 and set the GPO security filtering to Group1-L.
Cheers,
Delyan

Expert Comment

by:bluntTony
ID: 24394570
Yes. Spot on.

Ensure you remove 'Authenticated Users' from the new GPO so it just has the user and you're good to go.

Author Comment

by:Joe_Budden
ID: 24394574
Thanks...

Just to be double sure - as long as Security Filtering is set to Group1 *only*, it won't affect the other users.

Sorry - just want to be 100% sure before I affect everyone in the company :)

Author Comment

by:Joe_Budden
ID: 24394580
Sorry Tony - just saw your message-

Would it be better to set Security Filtering to User1, or Group1, if this is only going to apply to one user?

Accepted Solution

by:delyan_valchev
delyan_valchev earned 300 total points
ID: 24394597
It's always better to have a group in the security filtering as you may need to add additional users later and instead of editing the GPO you rely on simple group membership.

"Just to be double sure - as long as Security Filtering is set to Group1 *only*, it won't affect the other users."
Exactly. You can double check the whole granular permissions in the Delegation tab.
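
A scripted form of the Delegation-tab check discussed in this thread, added here as an example and not posted by any participant: it takes a GPO's permission entries and reports any trustee other than Group1 that holds Apply. The function names Test-GpoSecurityFilter and New-Ace and the sample entries are constructed for illustration; GPO1 and Group1 are the names used in the question.

```powershell
# Added example. Test-GpoSecurityFilter, New-Ace and the sample entries are constructed.
# With the GroupPolicy module on a domain-joined admin host, feed it real entries:
#   Get-GPPermission -Name 'GPO1' -All | ForEach-Object {
#     [pscustomobject]@{ Trustee = $_.Trustee.Name; Permission = "$($_.Permission)" } }
function Test-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)] [object[]] $Permissions,      # Trustee + Permission pairs
        [Parameter(Mandatory)] [string[]] $ExpectedTrustees  # who should receive the GPO
    )
    $findings = @()
    # GpoApply (Read + Apply Group Policy) is what Security Filtering grants.
    $appliers = @($Permissions | Where-Object { $_.Permission -eq 'GpoApply' } |
                  ForEach-Object { $_.Trustee })
    foreach ($t in $appliers) {
        if ($ExpectedTrustees -notcontains $t) {
            $findings += "UNEXPECTED: '$t' has Apply, so the GPO reaches more than intended"
        }
    }
    foreach ($t in $ExpectedTrustees) {
        if ($appliers -notcontains $t) {
            $findings += "MISSING: '$t' has no Apply entry, so the GPO will not reach it"
        }
    }
    # Assumption: on clients that fetch user policy in the computer's context
    # (current Windows builds), the computer account also needs Read on the GPO.
    $computerRead = @($Permissions | Where-Object {
        @('Authenticated Users', 'Domain Computers') -contains $_.Trustee -and
        @('GpoRead', 'GpoApply') -contains $_.Permission })
    if ($computerRead.Count -eq 0) {
        $findings += 'NOTE: no Read entry covers computer accounts'
    }
    if ($findings.Count -eq 0) { $findings += 'OK: only the expected trustees have Apply' }
    return $findings
}

function New-Ace($Trustee, $Permission) { [pscustomobject]@{ Trustee = $Trustee; Permission = $Permission } }

# Constructed sample 1: a new GPO where Authenticated Users was left in Security Filtering.
$default = @(
    (New-Ace 'Authenticated Users' 'GpoApply'),
    (New-Ace 'Group1'              'GpoApply'),
    (New-Ace 'Domain Admins'       'GpoEditDeleteModifySecurity'))
# Constructed sample 2: filtered to Group1, Authenticated Users kept as Read only.
$filtered = @(
    (New-Ace 'Group1'              'GpoApply'),
    (New-Ace 'Authenticated Users' 'GpoRead'),
    (New-Ace 'Domain Admins'       'GpoEditDeleteModifySecurity'))
Test-GpoSecurityFilter -Permissions $default  -ExpectedTrustees 'Group1'
Test-GpoSecurityFilter -Permissions $filtered -ExpectedTrustees 'Group1'
```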

Assisted Solution

by:bluntTony
bluntTony earned 200 total points
ID: 24394600
Doesn't really matter. Best practice is to put the user into a global, nest the global into a domain local, but in the real world this is overkill for one user/policy.

It's up to you. The end result is the same really. If you know this is never going to apply to any other user, you can just apply the filtering to the user. If not, put him/her in a group.

Expert Comment

by:Rob Stone
ID: 24394826
When you have applied it for peace of mind run MMC on a DC, then add RSOP and run a report in planning mode on the said user above, and another user to ensure their settings have been set as expected.

Expert Comment

by:Mike Kline
ID: 24395138
and for anyone else that may run into this question in the future, I have a blog entry on security filtering here
 
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike