How to set different GPO settings Per User and Per Server basis
Posted on 2009-05-17
FIRST - The question:
I am wandering is there a way to enable different sets of policies that will be applied to a different sets of users that are located in OU outside of locked OU, via Loopback Processing, depending on a TS they connect.
I have the following situation:
- Server1 DC/TS/2003
- Server2 DC/TS/2003
Two groups of users:
# Group2 access the local network only directly to Server2 using Terminal Services.
# Group1 is a mixed group of users that both thrive on local network using thick clients, and connect to the Server1 outside of the company via Terminal Services. There are some users in Group1 that use thin clients for their daily work.
# Both groups reside outside of child containers relative to DC/TS container
# Both groups use Roaming User Profiles and Redirected Folders
Now, here is what I am thinking to do to have restrictive policies enabled when users connect to the TS and have loose ones when they work on their own computer:
# Group1 is normal OU group with a limited set of settings
# Group2 is special OU group that have strictly limited complete Windows UI
# When a user from Group1 connects to a Server1 -> a Replace Loopback Processing applies to them so they get a completely new UI experience
# When a user from Group2 connects to a Server2 -> no Loopback on them, as they have strict UI set in the first place
Now, how to make this also work in reverse mode? That is when User2 connects to Server1 and User1 to Server2?
I understand that I can have only one, universal locked down GPO that will Loopback to ALL users that connect, and not selectively.
I've tried to explain this well, tho If something is not clear, please just ask for more.