Applying Group Policy to specific group on specific machine

What I want to accomplish is to apply policy for Security Group "restricted users" on specific terminal server machine.

1. I have created a Security group "restricted users"
2. I have created OU "terminal servers"
3. I have created GPO "TS restrictions" and linked it to "terminal servers" OU

The policy does not seem to work, unless it is linked to the root of the domain, but then it affects all of the machines in the domain.

When I run GPRESULT /H GPReport.html logged on to the machine as the user that is supposed to be restricted by the policy - the report tells me that the policy is in effect - yet I do not see results (in my case for testing I just want to hide the local C drive from the users).

What am I doing wrong?

pyotrekAsked:
 
Mike Kline Commented:
See this question I helped with a few months ago (deals with loopback and security filtering)

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26409306.html

Since you want user settings to apply to a machine you need to use loopback processing and then use security filtering with that (I'm assuming your users are not in the terminal servers OU, only the TS servers).

Good overview on loopback here http://sdmsoftware.com/blog/2009/01/06/please-explain-loopback-processing/

Thanks

mike
 
pyotrekAuthor Commented:
correction!

The GPRESULT shows that the only policy in effect is the Default Domain Policy
 
DesiRocksCommented:
Have you tried the Enforced option to see whether it applies the policy?

Right click on "TS Restriction" group policy and select enforced and then run gpupdate on terminals and see whether it helps.

Thanks,
Desiguy

 
pyotrekAuthor Commented:
Yes, I did the "enforce" and the gpupdate, and it does not apply this policy unless it is in the root of the domain - then it works perfectly.
 
pyotrekAuthor Commented:
mkline71:

I do not think that in my scenario loopback is needed - regardless I have enabled it and it did not have any effect.

There must be something fundamentally wrong with what I am doing.

Once again:
When the GPO is linked to the root of the domain all settings take effect for the "restricted users" group - at the same time I can log on to that machine as a user that is not a member of "restricted users" and no restrictions are in place - which is what I would expect.

When I delete the GPO from the domain root, and link it to the OU "terminal servers" nothing happens - it is as if that policy was not existing in that OU - only the "Default Domain Policy" takes effect.
 
DesiRocksCommented:
Hi Pyotrek,

Can you check your link order of group policy using Group Policy Management?

You should apply group policy to the users as it is related to user policy and not computer policy.

For more information check this link http://support.microsoft.com/kb/231289

Create an OU and move users to that OU and apply the group policy.

Thanks,
DesiRocks
 
Mike KlineCommented:
When you have it linked to the root it applies to all users and computers.  When you have it linked at the TS OU it only applies to objects inside that OU.  

Does the TS restrictions GPO contain user or computer settings (or both)?

Thanks

Mike
 
pyotrekAuthor Commented:
mkline71:
1. When I have it linked to the root it applies to all computers, but only to users in the security group "restricted users".

2. When I have it linked at the TS OU it does not seem to apply to anything.

When I run GPRESULT for the user that is part of the security group "restricted users" it tells me that the only GPO applied is "Domain Default Policy" (Local policy is not applied as it is empty).

When I run GPRESULT for the user that is not part of the security group "restricted users" it tells me that the only GPO applied is "Domain Default Policy", but it tells me as well that the "TS restrictions" GPO is not applied as it is empty - so at least it is seeing it and not applying. Since this user is a domain admin maybe there is something with the security that does not allow the other user to read the TS restrictions policy???!

3. The TS restrictions GPO contains only user settings at this point. Eventually I would like to add more settings.



 
Mike KlineCommented:
but at the root it also applies to the users (as they fall under the root)

If you were to move one of those restricted users into that OU it would work (otherwise you need to use loopback)

Thanks
Mike
 
DesiRocksCommented:
As I mentioned earlier, create an OU called something like "Terminal server users" and then move those users to that OU.

Once you have the restricted users in that OU then apply the group policy to those users and it should work without any issue.

You cannot apply a policy to a computer and expect it to work for users. When you add it on the root it works because under the root OU you have users also, so create a new OU and apply the policy.

 
pyotrekAuthor Commented:
DesiRocks:
You are right - I have created an OU called "TS USERS" and when I apply GPO "TS Restrictions" to that OU the policy takes its effect.

Unfortunately it also applies to the users that are part of "TS USERS" when they log on to any other machine.

My goal is to have the GPO apply to "specific users" on "specific machines".
After re-reading what mkline71 wrote I think there might be a reason why he has Genius rank :)

The problem I have is that from the above suggestions - I know that I should be doing something different than what I am doing, but I knew that before asking the question.

If possible I would appreciate a little example of how to set this up step by step.
I was unable to find anything that shows step-by-step instructions on how to set up "loopback" in a Server 2008 R2 environment.

Maybe then I would be able to get the idea.
 
pyotrekAuthor Commented:
I followed the suggestion of Loopback, but had to find resources that describe the procedure in terms easier to follow.
Question has a verified solution.
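
The loopback-plus-security-filtering setup recommended in the thread, written out step by step as an added example that is not part of the original posts. The GPO, group and OU names come from the thread; the domain DN (DC=example,DC=com) and the computer name TS01 are assumptions to replace with your own.

```powershell
# Added example. Names marked "assumed" are placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName   = 'TS restrictions'                        # GPO from the thread
$UserGroup = 'restricted users'                       # security group from the thread
$TsOuDn    = 'OU=terminal servers,DC=example,DC=com'  # assumed domain DN
$TsServer  = 'TS01'                                   # assumed computer account name

# 1. Link the GPO to the OU that holds only the terminal server computer objects.
#    The user accounts stay in their normal OU. Skip this if the link already exists.
New-GPLink -Name $GpoName -Target $TsOuDn -LinkEnabled Yes

# 2. Turn on loopback processing. This is a COMPUTER setting, so it only takes
#    effect on machines in the linked OU. 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1

# 3. Security filtering. Server 2008 R2 names these cmdlets Set-GPPermissions and
#    Get-GPPermissions; later releases use the singular form and keep these as aliases.
#    Authenticated Users drops from Apply to Read, so everyone can still read the GPO
#    but it no longer applies to every user who logs on to the server.
Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

#    The restricted group gets Apply, so the user settings reach only its members.
Set-GPPermissions -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply

#    The terminal server itself gets Apply, otherwise it is filtered out and never
#    processes the loopback setting from step 2.
Set-GPPermissions -Name $GpoName -TargetName $TsServer `
    -TargetType Computer -PermissionLevel GpoApply

# 4. Review the resulting filter before testing.
Get-GPPermissions -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# 5. On the terminal server, refresh policy and reboot (loopback is read at
#    computer startup), then log on as a member of the group and check the report:
#      gpupdate /force
#      gpresult /H GPReport.html
```

With this in place, members of "restricted users" should receive the user settings only when they log on to a machine in the "terminal servers" OU, and other users on that server should not receive them.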