We help IT Professionals succeed at work.

How can I set a GPO to apply to only certain user groups when computer is in a specific OU

ajwellman
ajwellman used Ask the Experts™
on
I am trying to set a GPO that will apply to only selected user groups within a specific computer OU.  I have 2 OU of computers that need to have different computer and user settings but have common user groups.  For example I have computers in 1 OU that I want to have the GPO apply but not to the other OU.  There are several user groups that need different settings, but the users log on to either computer OU depending of the class.  I have students that depending on the class log on to computers in 1 lab versus the other and the GPO settings need to be different.  Also have teachers in the same situation, and their settings need to be different than students.  I have tried to set up a GPO and link it to the specific computer OU and in the security filtering I have removed authenticated users and added the students group.  However, the gpo isin't being applied when I log on as a student regardless of which computer OU.
Any help in pointing me in the right direction would be greatly appreciated.
Art w
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013
Commented:
So you want certain user settings to only apply at certain computers
What you will have to do is enable loopback processing.     Group Policy MVP Darren MarElia has a good writeup on loopback here

http://sdmsoftware.com/blog/2009/01/06/please-explain-loopback-processing/

My friends at CB5 have a really good in-depth series on loopback  

http://www.grouppolicy.biz/2010/02/loopback-policy-processing-debug-series-replace-mode-cb5-blog/

I haven't fully tested your scenario with loopback on top of security filtering for two groups.

Thanks

Mike  
Mike ThomasConsultant
Top Expert 2010
Commented:
Create a security group and set the permissions on the policy to only that group, remove the default "authenticated users" group and just add the computers you want to get the policy to the group you created.

Author

Commented:
Thanks for the quick replies

I have tried the loop-back, but didn't have much success.  I guess I just don't know how to set it up.  If I link the GPO to the computer OU, the GPO applies the computer settings but not the user settings.  If I put it on the user OU, it applies regardless of what computer OU it connect to.  I thought about setting up the security group, and add the computers to it, but it will be a hassle to maintain, there are 200+ computers that I want it to apply to and 24 in the group that I do not want affected.  That may be the way I have to go but was hoping there was a way to link it to the computer OU and only to the users OU.
Thanks

Author

Commented:
I have tried to link the GPO to the User OU and added a security filter for the group that contains just the computers I want to get the GPO.  If I remove the authenticated users, then the GPO user settings are not accessed.  If I leave the authenticated users or the user group then the GPO is applied to all computer OUs. It ignores the computer group security filter.  I guess I just don't understand how the filter is applied.  I am try to read up on it, but haven't found anything yet.  
Any Help in solving this will be greatly appreciated.
Art W.
Top Expert 2013

Commented:
user settings will not apply to computers unless you enable loopback.  If those users are not in that OU those setting won't apply.

Author

Commented:
Thanks mkline71,
I am not sure what you mean.  I currently have the GPO linked to a OU that the user I am testing is a member.  I have the computers for the OU that I want to have the GPO apply in a group that I have as a security filter.  I have tried both with and without loopback enabled.  If I have only the computer group in the security filter, the user settings are not applied to any computer OU.  If I include authenticate users as well as the compuer group in the filter, then the user settings are applied to both computer OUs when I log on to computers in each OU as that same user.  
Excuse my misunderstanding, but as you can tell, I am quite a novice at GPOs.
Thanks again for you time and help
Art W

Author

Commented:
I have solved the problem.  At least I have a working solution.  I put linked the GPO to the appropriate computer OU with loopback enabled.  I then added the user group to the security filter.  I also had to add a group that contains the computers in the OU to the security filter and it works OK.  Applies to the computer settings as well as the user settings.  But when the user logs on to a computer in the other OU, no GPOs applied.

Thanks again for the help and suggestions.

Author

Commented:
found a solution to the problem.