Solved

Apply GPO to only one user

Posted on 2009-05-15
9
833 Views
Last Modified: 2012-06-27
Hi All,

We are running Windows 2003 AD. Our domain has multiple OU's...most users are in Company > HQ > Users.

There is a GPO I want to apply to only one user in the Users OU. This should not affect any other users. This GPO will contain one setting that we want to apply to this special user.

I was thinking of creating a GPO with this setting, GPO1, and also an AD security group, named Group1. I would then add this user to Group1.

Then, within the GPO, go to Security Filtering, and set it so that it is only applied to Group1. All other GPO's are applied to Authenticated users.

I would then move this GPO to the top of the list (Link Order 1) for the Users OU, so that it was was the most important.

Does this sound about right?

0
Comment
Question by:Joe_Budden
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 4

Expert Comment

by:delyan_valchev
ID: 24394521
That sounds exactly as it can be done. ;-)
Cheers,
Delyan
0
 
LVL 4

Expert Comment

by:delyan_valchev
ID: 24394554
If you want to follow best practices, create a set of domain local and global groups Group1 (gobal) and Group1-L (local), nest the global into local, make the user member of Group1 and set the GPO security filtering to Group1-L.
Cheers,
Delyan
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24394570
Yes. Spot on.

Ensure you remove 'Authenticated Users' from the new GPO so it just has the user and you're good to go.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:Joe_Budden
ID: 24394574
Thanks...

Just to be double sure - as long as Security Filtering is set to Group1 *only*, it won't affect the other users.

Sorry - just want to be 100% sure before I affect everyone in the company :)
0
 
LVL 1

Author Comment

by:Joe_Budden
ID: 24394580
Sorry Tony - just saw your message-

Would it be better to set Security Filtering to User1, or Group1, if this is only going to apply to one user?
0
 
LVL 4

Accepted Solution

by:
delyan_valchev earned 300 total points
ID: 24394597
It's always better to have a group in the security filtering as you may need to add additional users later and instead of editing the GPO you rely on simple group membership.

Just to be double sure - as long as Security Filtering is set to Group1 *only*, it won't affect the other users.
Exactly. You can double check the whole granular permissions in the Delegation tab.
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 200 total points
ID: 24394600
Doesn't really matter. Best practice is to put the user into a global, nest the global into a domain local, but in the real world this is overkill for one user/policy.

It's up to you. The end result is the same really. If you know this is never going to apply to any other user, you can just apply the filtering to the user. If not, put him/her in a group.
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 24394826
When you have applied it for peace of mind run MMC on a DC, then add RSOP and run a report in planning mode on the said user above, and another user to ensure their settings have been set as expected.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24395138
and for anyone else that may run into this question in the future, I have a blog entry on security filtering here
 
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question