Solved

Applying Group Policy to specific group on specific machine

Posted on 2010-11-14
537 Views
Last Modified: 2012-05-10
What I want to accomplish is to apply a policy for the Security Group "restricted users" on a specific terminal server machine.

1. I have created a Security group "restricted users"
2. I have created OU "terminal servers"
3. I have created GPO "TS restrictions" and linked it to "terminal servers" OU

The policy does not seem to work unless it is linked to the root of the domain, but then it affects all of the machines in the domain.

When I run GPRESULT /H GPReport.html logged on to the machine as the user that is supposed to be restricted by the policy, the report tells me that the policy is in effect - yet I do not see results (in my case, for testing, I just want to hide the local C drive from the users).

What am I doing wrong?

Question by:pyotrek
12 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 34133902
See this question I helped with a few months ago (it deals with loopback and security filtering):

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26409306.html

Since you want user settings to apply to a machine you need to use loopback processing and then use security filtering with that (I'm assuming your users are not in the terminal servers OU, only the TS servers).

Good overview on loopback here: http://sdmsoftware.com/blog/2009/01/06/please-explain-loopback-processing/

Thanks

mike
0
 
LVL 1

Author Comment

by:pyotrek
ID: 34133905
correction!

The GPRESULT shows that the only policy in effect is the Default Domain Policy
0
 
LVL 5

Expert Comment

by:DesiRocks
ID: 34133968
Have you tried the Enforced option to see whether it applies the policy?

Right click on the "TS Restriction" group policy, select Enforced, and then run gpupdate on the terminals to see whether it helps.

Thanks,
Desiguy
0
 
LVL 1

Author Comment

by:pyotrek
ID: 34133980
Yes, I did the "enforce" and the gpupdate, and it does not apply this policy unless it is in the root of the domain - then it works perfectly.
0
 
LVL 1

Author Comment

by:pyotrek
ID: 34134028
mkline71:

I do not think that in my scenario loopback is needed - regardless, I have enabled it and it did not have any effect.

There must be something fundamentally wrong with what I am doing.

Once again:
When the GPO is linked to the root of the domain all settings take effect for the "restricted users" group - at the same time I can log on to that machine as a user that is not a member of "restricted users" and no restrictions are in place - which is what I would expect.

When I delete the GPO from the domain root and link it to the OU "terminal servers" nothing happens - it is as if that policy did not exist in that OU - only the "Default Domain Policy" takes effect.
0
 
LVL 5

Expert Comment

by:DesiRocks
ID: 34134200
Hi Pyotrek,

Can you check the link order of your group policy using Group Policy Management?

You should apply the group policy to the users, as it is related to user policy and not computer policy.

For more information check this link: http://support.microsoft.com/kb/231289

Create an OU and move users to that OU and apply the group policy.

Thanks,
DesiRocks
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34136315
When you have it linked to the root it applies to all users and computers. When you have it linked at the TS OU it only applies to objects inside that OU.

Does the TS restrictions GPO contain user or computer settings (or both)?

Thanks

Mike
0
 
LVL 1

Author Comment

by:pyotrek
ID: 34138011
mkline71:
1. When I have it linked to the root it applies to all computers, but only to users in the security group "restricted users".

2. When I have it linked at the TS OU it does not seem to apply to anything.

When I run GPRESULT for the user that is part of the security group "restricted users" it tells me that the only GPO applied is "Domain Default Policy" (Local policy is not applied as it is empty).

When I run GPRESULT for the user that is not part of the security group "restricted users" it tells me that the only GPO applied is "Domain Default Policy", but it also tells me that the "TS restrictions" GPO is not applied as it is empty - so at least it is seeing it and not applying it. Since this user is a domain admin, maybe there is something with the security that does not allow the other user to read the TS restrictions policy???!

3. The TS restrictions GPO contains only user settings at this point. Eventually I would like to add more settings.

0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34138065
But at the root it also applies to the users (as they fall under the root).

If you were to move one of those restricted users into that OU it would work (otherwise you need to use loopback).

Thanks
Mike
0
 
LVL 5

Expert Comment

by:DesiRocks
ID: 34141497
As I mentioned earlier, create an OU called something like "Terminal server users" and then move those users to that OU.

Once you have the restricted users in that OU, apply the group policy to those users and it should work without any issue.

You cannot apply a policy to a computer and expect it to work for users. When you add it at the root it works because under the root OU you have users also, so create a new OU and apply the policy.

0
 
LVL 1

Author Comment

by:pyotrek
ID: 34168968
DesiRocks:
You are right - I have created an OU called "TS USERS" and when I apply the GPO "TS Restrictions" to that OU the policy takes effect.

Unfortunately it also applies to the users that are part of "TS USERS" when they log on to any other machine.

My goal is to have GPO apply to "specific users" on "specific machines".
After re-reading what mkline1 wrote I think there might be a reason why he has Genius rank :)

The problem I have is that from the above suggestions I know that I should be doing something different from what I am doing, but I knew that before asking the question.

If possible I would appreciate a little example of how to set this up step by step.
I was unable to find anything that shows step by step instructions on how to set up "loopback" in a Server 2008 R2 environment.

Maybe then I would be able to get the idea.
0
 
LVL 1

Author Closing Comment

by:pyotrek
ID: 34231914
I followed the suggestion of loopback, but had to find resources that describe the procedure in terms easier to follow.
0
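The accepted answer's approach (loopback processing plus security filtering on the GPO linked to the "terminal servers" OU), written out step by step as an added example that is not from the thread or from any of its participants. It uses the GroupPolicy module that ships with Server 2008 R2 RSAT and assumes a placeholder domain `corp.example`, the OU and group names from the question, and a second GPO named "TS loopback" (an assumed name) that carries only the computer-side loopback switch.

```powershell
# Added example (not from the original thread). Assumptions: placeholder domain corp.example,
# OU "terminal servers" directly under the domain root, security group "restricted users",
# GPO "TS restrictions" already created with user settings only (as in the question).
# Run in an elevated PowerShell on a DC or an RSAT workstation, as a user allowed to edit GPOs.
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example'     # placeholder domain DN
$tsOu     = "OU=terminal servers,$domainDn"
$userGpo  = 'TS restrictions'        # the question's GPO (user settings only)
$loopGpo  = 'TS loopback'            # assumed name: new GPO holding only the computer-side switch

# Step 1: separate GPO that turns on loopback for every computer in the TS OU.
# Kept apart from the user GPO so the computer setting is not hidden by the user-side filtering below.
if (-not (Get-GPO -Name $loopGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $loopGpo -Comment 'User GP loopback processing (Merge) for terminal servers' | Out-Null
}
# "Configure user Group Policy loopback processing mode": UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $loopGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Step 2: link both GPOs to the terminal servers OU (skip links that already exist on re-runs).
$existingLinks = (Get-GPInheritance -Target $tsOu).GpoLinks | ForEach-Object { $_.DisplayName }
foreach ($gpo in @($loopGpo, $userGpo)) {
    if ($existingLinks -notcontains $gpo) {
        New-GPLink -Name $gpo -Target $tsOu -LinkEnabled Yes | Out-Null
    }
}

# Step 3: security-filter the user GPO so only "restricted users" apply it.
# Remove the default Authenticated Users entry, then grant Read + Apply to the group.
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $userGpo -TargetName 'restricted users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Computer accounts must still be able to READ the GPO; since MS16-072 (2016) user-side
# filtering is evaluated in the computer's context, so without this the GPO silently stops applying.
Set-GPPermission -Name $userGpo -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Step 4: print the resulting filtering so it can be reviewed before touching the servers.
Get-GPPermission -Name $userGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
# Then on the terminal server: gpupdate /force, log on as a restricted user and run
# gpresult /h GPReport.html; the User section should now list "TS restrictions" as applied,
# while the same user logging on to a workstation outside the OU gets no restrictions.
```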