Solved

Apply GPO to only one user

Posted on 2009-05-15
Last Modified: 2012-06-27
Hi All,

We are running Windows 2003 AD. Our domain has multiple OU's...most users are in Company > HQ > Users.

There is a GPO I want to apply to only one user in the Users OU. This should not affect any other users. This GPO will contain one setting that we want to apply to this special user.

I was thinking of creating a GPO with this setting, GPO1, and also an AD security group, named Group1. I would then add this user to Group1.

Then, within the GPO, go to Security Filtering, and set it so that it is only applied to Group1. All other GPO's are applied to Authenticated users.

I would then move this GPO to the top of the list (Link Order 1) for the Users OU, so that it was the most important.

Does this sound about right?

Question by:Joe_Budden
9 Comments
 
Expert Comment

by:delyan_valchev
ID: 24394521
That sounds exactly as it can be done. ;-)
Cheers,
Delyan
Expert Comment

by:delyan_valchev
ID: 24394554
If you want to follow best practices, create a set of domain local and global groups, Group1 (global) and Group1-L (local), nest the global into the local, make the user a member of Group1 and set the GPO security filtering to Group1-L.
Cheers,
Delyan
Expert Comment

by:bluntTony
ID: 24394570
Yes. Spot on.

Ensure you remove 'Authenticated Users' from the new GPO so it just has the user and you're good to go.
Author Comment

by:Joe_Budden
ID: 24394574
Thanks...

Just to be double sure - as long as Security Filtering is set to Group1 *only*, it won't affect the other users.

Sorry - just want to be 100% sure before I affect everyone in the company :)
Author Comment

by:Joe_Budden
ID: 24394580
Sorry Tony - just saw your message-

Would it be better to set Security Filtering to User1, or Group1, if this is only going to apply to one user?
Accepted Solution

by:delyan_valchev (earned 300 total points)
ID: 24394597
It's always better to have a group in the security filtering as you may need to add additional users later and instead of editing the GPO you rely on simple group membership.

"Just to be double sure - as long as Security Filtering is set to Group1 *only*, it won't affect the other users."

Exactly. You can double check the whole granular permissions in the Delegation tab.
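
The Delegation-tab check mentioned in the accepted answer, scripted as an added PowerShell example that is not part of the original thread. It assumes a management host with the GroupPolicy RSAT module; `Test-GpoSecurityFilter` is a hypothetical helper name, and `GPO1` and `Group1` are the names used in the question.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (RSAT/GPMC).
Import-Module GroupPolicy

function Test-GpoSecurityFilter {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string]   $GpoName,
        [Parameter(Mandatory = $true)] [string[]] $ExpectedTrustees
    )

    # Every ACE on the GPO, as shown on the Delegation tab.
    $perms = @(Get-GPPermission -Name $GpoName -All)

    # GpoApply = Read + Apply Group Policy: the entries listed under Security Filtering.
    $applyNames = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
                    ForEach-Object { $_.Trustee.Name })

    # Custom ACEs are not reported as GpoApply but can still allow or deny Apply;
    # they have to be inspected by hand (Delegation tab > Advanced).
    $customNames = @($perms | Where-Object { $_.Permission -eq 'GpoCustom' } |
                     ForEach-Object { $_.Trustee.Name })

    $unexpected = @($applyNames | Where-Object { $ExpectedTrustees -notcontains $_ })
    $missing    = @($ExpectedTrustees | Where-Object { $applyNames -notcontains $_ })

    # On clients patched with MS16-072 the computer account must be able to read
    # the GPO, so Authenticated Users or Domain Computers needs Read (without Apply).
    $computerRead = @($perms | Where-Object {
        @('GpoRead', 'GpoApply') -contains $_.Permission -and
        @('Authenticated Users', 'Domain Computers') -contains $_.Trustee.Name
    }).Count -gt 0

    [pscustomobject]@{
        Gpo              = $GpoName
        AppliesTo        = $applyNames -join ', '
        UnexpectedApply  = $unexpected -join ', '
        MissingApply     = $missing -join ', '
        CustomToReview   = $customNames -join ', '
        ComputerCanRead  = $computerRead
        ScopedAsIntended = ($unexpected.Count -eq 0 -and $missing.Count -eq 0 -and
                            $customNames.Count -eq 0)
    }
}

# Names from the question: the GPO is GPO1 and it should apply to Group1 only.
Test-GpoSecurityFilter -GpoName 'GPO1' -ExpectedTrustees 'Group1'
```

`ScopedAsIntended` is true only when Group1 is the sole trustee with Apply and no custom ACE is left to review; `ComputerCanRead` is reported separately because it depends on the patch level of the clients.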
Assisted Solution

by:bluntTony
bluntTony earned 200 total points
ID: 24394600
Doesn't really matter. Best practice is to put the user into a global, nest the global into a domain local, but in the real world this is overkill for one user/policy.

It's up to you. The end result is the same really. If you know this is never going to apply to any other user, you can just apply the filtering to the user. If not, put him/her in a group.
Expert Comment

by:Rob Stone
ID: 24394826
When you have applied it, for peace of mind run MMC on a DC, then add RSOP and run a report in planning mode on the said user above, and on another user, to ensure their settings have been set as expected.
Expert Comment

by:Mike Kline
ID: 24395138
And for anyone else that may run into this question in the future, I have a blog entry on security filtering here:
 
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike