Computer GPO Settings Apply to Some Users Security Filtering

jeepr94 used Ask the Experts™
Hi, i have a group of terminal servers. Users connect to these terminal servers and need to have a terminal services profile. I want to setup the profile location in the GPO under comptuer settings. I do not want to do this in the ADUC properties as there are mulitiple groups of Terminal Servers. I am gradually making some changes on a per user basis so i want this GPO to apply to only some users. So here is the issue:

I have a GPO with proper TS Profile settings applied to the OU. I removed the default Authenticated users and added a single user test_account that the GPO would only apply to.

It does not apply the setting. When running the GPO results wizard it shows the GPO as "incaccessible." Now, if i add the actual computer to Security Filtering then the GPO WILL apply but it applies to ALL users even though i only have the computer and the one user in Security Filtering. I immediately disabled this because this is not he desired effect.

So the question is, can i create a GPO with Computer config settings that will only apply to some users.

I have thought about doing loop back processing merge and apply teh GPO to the user but that would not work as it would apply to all computers being logged in and i only wnat it to apply to a group of Terminal Servers.

Any help is appreciated.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
The computer settings will only apply to computer accounts listed in the "Apply To" list.

The user settings will only apply if you use loopback mode.  Both the computer (server) and the user have to be added to the security to get the loopback process to work correctly for both your terminal server and the test_account user.

(or if the user account is in the same OU as the terminal server, which I assume that it isn't)
Merge mode would apply all GPOs that would normally apply to a user logging on to their workstation, as well as the Terminal server GPO (user) settings.

Most people like to control the TS environment, so REPLACE mode is more widely used for terminal servers.


I think i will have to try this on the weekend. But if i add both the user and the Computer (as i did earlier) it applied settings to ALL users. But actually not sure i had loopback processing enabled. Will try this weekend and award poitns if it works.
Build an E-Commerce Site with Angular 5

Learn how to build an E-Commerce site with Angular 5, a JavaScript framework used by developers to build web, desktop, and mobile applications.

That would be expected if you had "Authenticated Users" (which means all computers as well as users) in the scope, but not if you had only SERVER and USER in there.


I did not have Authenticated Users i only Had the one user i wanted it to apply to and the Computer but it still applied to all users logging in. It was a Computer policy so i don't think it paid attention to the one user i added. But if i enable loopback processing i am thinking that may work (i will be trying this tommorow and will update here).
Computer policy settings will only apply to the computer, so any computer will be applied regardless of the user logging on.  Any user settings in the GPO are what would get applied during loopback processing.  Merge mode would also apply the user settings for other GPOs that would normally get applied when logging on to a desktop computer.


Ok, i got confused at to what loopback was. I was thinking computer apply as user but it is other way around. So apparently this is not possible to have computer settings apply only to SOME users.
Correct, though there is some overlap in computer/user GPO settings that may work.


No way to do it. Awarding points for effort.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial