Apply GPO to only one user

Hi All,

We are running Windows 2003 AD. Our domain has multiple OU's...most users are in Company > HQ > Users.

There is a GPO I want to apply to only one user in the Users OU. This should not affect any other users. This GPO will contain one setting that we want to apply to this special user.

I was thinking of creating a GPO with this setting, GPO1, and also an AD security group, named Group1. I would then add this user to Group1.

Then, within the GPO, go to Security Filtering, and set it so that it is only applied to Group1. All other GPO's are applied to Authenticated users.

I would then move this GPO to the top of the list (Link Order 1) for the Users OU, so that it was was the most important.

Does this sound about right?

LVL 1
Joe_BuddenAsked:
Who is Participating?
 
delyan_valchevConnect With a Mentor Commented:
It's always better to have a group in the security filtering as you may need to add additional users later and instead of editing the GPO you rely on simple group membership.

Just to be double sure - as long as Security Filtering is set to Group1 *only*, it won't affect the other users.
Exactly. You can double check the whole granular permissions in the Delegation tab.
0
 
delyan_valchevCommented:
That sounds exactly as it can be done. ;-)
Cheers,
Delyan
0
 
delyan_valchevCommented:
If you want to follow best practices, create a set of domain local and global groups Group1 (gobal) and Group1-L (local), nest the global into local, make the user member of Group1 and set the GPO security filtering to Group1-L.
Cheers,
Delyan
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
bluntTonyCommented:
Yes. Spot on.

Ensure you remove 'Authenticated Users' from the new GPO so it just has the user and you're good to go.
0
 
Joe_BuddenAuthor Commented:
Thanks...

Just to be double sure - as long as Security Filtering is set to Group1 *only*, it won't affect the other users.

Sorry - just want to be 100% sure before I affect everyone in the company :)
0
 
Joe_BuddenAuthor Commented:
Sorry Tony - just saw your message-

Would it be better to set Security Filtering to User1, or Group1, if this is only going to apply to one user?
0
 
bluntTonyConnect With a Mentor Commented:
Doesn't really matter. Best practice is to put the user into a global, nest the global into a domain local, but in the real world this is overkill for one user/policy.

It's up to you. The end result is the same really. If you know this is never going to apply to any other user, you can just apply the filtering to the user. If not, put him/her in a group.
0
 
Rob StoneCommented:
When you have applied it for peace of mind run MMC on a DC, then add RSOP and run a report in planning mode on the said user above, and another user to ensure their settings have been set as expected.
0
 
Mike KlineCommented:
and for anyone else that may run into this question in the future, I have a blog entry on security filtering here
 
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.