• Status: Solved

Apply GPO to only one user

Hi All,

We are running Windows 2003 AD. Our domain has multiple OU's...most users are in Company > HQ > Users.

There is a GPO I want to apply to only one user in the Users OU. This should not affect any other users. This GPO will contain one setting that we want to apply to this special user.

I was thinking of creating a GPO with this setting, GPO1, and also an AD security group, named Group1. I would then add this user to Group1.

Then, within the GPO, go to Security Filtering, and set it so that it is only applied to Group1. All other GPO's are applied to Authenticated users.

I would then move this GPO to the top of the list (Link Order 1) for the Users OU, so that it was the most important.

Does this sound about right?

Asked by: Joe_Budden
 
delyan_valchevCommented:
That sounds exactly as it can be done. ;-)
Cheers,
Delyan
0
 
delyan_valchevCommented:
If you want to follow best practices, create a set of domain local and global groups Group1 (global) and Group1-L (local), nest the global into local, make the user member of Group1 and set the GPO security filtering to Group1-L.
Cheers,
Delyan
0
 
bluntTonyCommented:
Yes. Spot on.

Ensure you remove 'Authenticated Users' from the new GPO so it just has the user and you're good to go.
0
 
Joe_BuddenAuthor Commented:
Thanks...

Just to be double sure - as long as Security Filtering is set to Group1 *only*, it won't affect the other users.

Sorry - just want to be 100% sure before I affect everyone in the company :)
0
 
Joe_BuddenAuthor Commented:
Sorry Tony - just saw your message-

Would it be better to set Security Filtering to User1, or Group1, if this is only going to apply to one user?
0
 
delyan_valchevCommented:
It's always better to have a group in the security filtering as you may need to add additional users later and instead of editing the GPO you rely on simple group membership.

"Just to be double sure - as long as Security Filtering is set to Group1 *only*, it won't affect the other users."
Exactly. You can double check the whole granular permissions in the Delegation tab.
0
 
bluntTonyCommented:
Doesn't really matter. Best practice is to put the user into a global, nest the global into a domain local, but in the real world this is overkill for one user/policy.

It's up to you. The end result is the same really. If you know this is never going to apply to any other user, you can just apply the filtering to the user. If not, put him/her in a group.
0
 
Rob StoneCommented:
When you have applied it for peace of mind run MMC on a DC, then add RSOP and run a report in planning mode on the said user above, and another user to ensure their settings have been set as expected.
0
 
Mike KlineCommented:
and for anyone else that may run into this question in the future, I have a blog entry on security filtering here
 
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
0
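
The procedure discussed in this thread, scripted end to end as an added example (not code from any poster). It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules, which a stock Windows 2003 domain controller does not have (there the same steps are done in GPMC); the domain DN is a constructed placeholder, and GPO1, Group1 and User1 are the names used in the question. It differs from the thread in one respect: instead of deleting the 'Authenticated Users' entry it lowers it from Apply to Read, because on clients that fetch user policy in the computer's security context a GPO the computer account cannot read is silently skipped.

```powershell
Import-Module ActiveDirectory, GroupPolicy

$ou    = 'OU=Users,OU=HQ,OU=Company,DC=example,DC=com'  # constructed placeholder DN
$gpo   = 'GPO1'
$group = 'Group1'
$user  = 'User1'

# 1. Security group that carries the filter, with the single target user in it.
#    The user must log off and on again before the new membership is in their token.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $group -Members $user

# 2. Empty GPO; the one setting itself is configured in the Group Policy editor.
New-GPO -Name $gpo | Out-Null

# 3. Security filtering: Group1 gets Read + Apply group policy.
Set-GPPermission -Name $gpo -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Authenticated Users: take away Apply, keep Read.
#    -Replace is required because the cmdlet will not lower a permission without it.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 5. Link to the Users OU at link order 1, as proposed in the question.
New-GPLink -Name $gpo -Target $ou -Order 1 -LinkEnabled Yes | Out-Null

# 6. Check the result before anyone logs on: exactly one trustee may hold Apply.
$appliers = @(Get-GPPermission -Name $gpo -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name })

if ($appliers.Count -eq 1 -and $appliers[0] -eq $group) {
    "OK: only $group can apply $gpo"
} else {
    Write-Warning "$gpo can be applied by: $($appliers -join ', ')"
}
```

The ACL check in step 6 only confirms the filter; the RSoP planning report suggested above, run for the target user and for one other user, remains the end-to-end confirmation.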
