Can I apply a 'User' Group policy preference by User OU and select an 'Is Not' for Computer OU

Posted on 2011-10-12
Last Modified: 2012-05-12
We are trying to take advantage of Group Policy Preferences to target specific people or computers in the business using 'Item Level Targeting'. For the most part this works brilliantly, but one specific situation doesn't seem to work and I'd like to both know whether it should work and, if it should, how we do it! I imagine something simple is being missed or it fundamentally doesn't allow this to work.

I have created a GPO with the shortcuts I want created in the 'Startup' folder. I have used the User Configuration\Preferences\Windows Settings\Shortcuts section to create the shortcut. I want the members of the team to log on to any PC in their team's computer OU and get the shortcut. This is easy, as I just apply the GPO to the User OU and it works. But there are standalone PCs in the department that do not need the shortcuts copied to the 'Startup' folder on login, so I created an OU in the department's computers OU called 'Standalone' and added 'Is Not' statements against the Standalone OU specifying Computers as the target.

All in all, this means if the user logs in the GPO is targeted at the User based on their OU. The shortcut group policy preference item is under the User section of the GPO. The targeting (supposedly) allows the shortcut to be created, unless the Computer is in the 'Standalone' OU. Well, this is how it should work.

In reality, the shortcut gets created no matter which PC they log onto, so this isn't working. Is this because item level targeting for User items applied to User OUs won't count Computers as targeting criteria? We would like to do similar things with printers based on where users sit based on the computer so I'd like to know if it's possible and how to achieve it.
Question by: Keithburnham

    LVL 39

    Expert Comment

    by: Krzysztof Pytko
    When you set up a User Configuration policy it always applies to the user object, no matter which PC he/she is logging on to. You cannot define or restrict anything for the computer there.

    I don't know if it would work, but you can try loopback processing.

    LVL 1

    Author Comment

    I thought as much, but I can't believe that they wouldn't include that ability. It's odd, as I knew this logic applied with normal group policies, but I was hoping that item level targeting would be able to use the PC as a criterion, as it makes sense that targets are separate from the User/Computer you are applying the GPO to. Bear in mind that this is on 2008 and group policy preferences, not standard group policy. I have used loopback before to do similar things with standard group policy and it does indeed work, but it appears to be a slightly different method here.

    It's weird, I cannot find any Microsoft page to confirm this is the case for Group Policy Preferences. Does anyone have a link to anything that can confirm or deny this?
    LVL 20

    Expert Comment

    by: Hendrik Wiese
    Not sure if this is going to work, but it's worth a shot.

    1. In your AD, create a Group and add all the desired computers to the group.
    2. Now open Group Policy Management and select your policy.
    3. In the right pane, under Security Filtering, remove Authenticated Users and add only the newly created group.
    4. Now you can apply the policy at the top level of the domain, as only the selected computers will be affected.
    5. Test and let me know if it helps!!!

    Hendrik Wiese
    LVL 37

    Expert Comment

    You should use a group policy at the OU level of the COMPUTER objects and then use loopback policy processing to get the user part of the computer's policy to apply. This way you can target users only when they log in to the computers in a particular OU.
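    The loopback approach described in this comment, scripted as an added example (not code posted in this thread) with the GroupPolicy module that ships with RSAT on Windows 7 / Server 2008 R2 and later. The GPO names and OU distinguished names are assumptions for illustration; the 'Standalone' child OU mirrors the layout Keithburnham describes in the question.

```powershell
# Added example, not code from the thread: scripting the loopback approach
# with the GroupPolicy module (RSAT on Windows 7 / Server 2008 R2 or later).
# GPO names and OU paths below are assumptions for illustration.
Import-Module GroupPolicy

$ShortcutGpo  = 'Team Startup Shortcuts'   # existing GPO holding the User Configuration GPP Shortcut item
$LoopbackGpo  = 'Loopback - Department PCs' # new GPO that switches loopback on for the department's computers
$ComputersOu  = 'OU=Computers,OU=Department,DC=example,DC=com'
$StandaloneOu = "OU=Standalone,$ComputersOu" # child OU whose PCs must not get the shortcut

# 1. Create the loopback GPO if it does not exist yet.
if (-not (Get-GPO -Name $LoopbackGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $LoopbackGpo -Comment 'Enables user policy loopback (merge) for department computers' | Out-Null
}

# 2. "Configure user Group Policy loopback processing mode" is stored under
#    HKLM\Software\Policies\Microsoft\Windows\System as UserPolicyMode:
#    1 = Merge   (computer-side user settings apply on top of the user's own GPOs)
#    2 = Replace (only the computer-side user settings apply)
Set-GPRegistryValue -Name $LoopbackGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. Link both GPOs to the computers OU. With loopback in merge mode, the user-side
#    shortcut item in $ShortcutGpo is processed for whoever logs on to these PCs,
#    so the GPO no longer needs to be linked to the ten-or-so user OUs.
foreach ($gpo in @($LoopbackGpo, $ShortcutGpo)) {
    $linked = (Get-GPInheritance -Target $ComputersOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpo }
    if (-not $linked) {
        New-GPLink -Name $gpo -Target $ComputersOu -LinkEnabled Yes | Out-Null
    }
}

# 4. Keep the standalone PCs out: the Standalone OU is a child of the computers OU,
#    so it would inherit both links. Blocking inheritance there stops them (note that
#    this also blocks every other non-enforced GPO linked above this OU).
Set-GPInheritance -Target $StandaloneOu -IsBlocked Yes | Out-Null

# 5. Verify the loopback value and the resulting links on both OUs.
Get-GPRegistryValue -Name $LoopbackGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
foreach ($ou in @($ComputersOu, $StandaloneOu)) {
    "`n== $ou =="
    (Get-GPInheritance -Target $ou).InheritedGpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
}
```

    Two caveats when checking the result. Security filtering on the shortcut GPO must still grant the logged-on user Read and Apply Group Policy (the default Authenticated Users entry does this); restricting the filter to a group of computer accounts alone, as in the earlier five-step suggestion, does not make a User Configuration item apply, because that item is evaluated against the user's permissions. And since the MS16-072 update (June 2016), the computer account must also retain Read on any GPO whose user settings it processes, so do not remove Authenticated Users without adding Domain Computers with Read. Run `gpupdate /force` and then `gpresult /h report.html` on a test PC in each OU to confirm which GPOs were applied and denied.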
    LVL 1

    Author Comment

    @Hendrik : Thanks for that. I'm trying to achieve a situation where I can apply this one GPO to the 10 or so user OUs that use these shortcuts and then only worry about placing standalone PCs into specific OUs to exclude them (probably 3 or 4 of these exist but more could come along). I just need a method that's scalable as I don't want to specify those included as I'd rather specify those who are not.

    @Neilsr : I will check if the OU structure for the computers mirrors that of the user objects (the AD design separates the users and computers). If so I can try the loopback and see if that works that way with regard to Item Level Targeting. I was hoping it wouldn't be like this and that the targeting is outside the normal limitations of group policy, but I can't seem to explain very well what I am trying to do. Sorry guys.

    Looks like I need to try it with Loopback and get back to you with results.
    LVL 3

    Expert Comment

    As you have already applied a user-level group policy, you can try a loopback policy for the machines where you don't want to place the shortcut. An overview of loopback policy is given here:

    LVL 1

    Accepted Solution

    Unfortunately there has been no solution to this problem (apart from loopback policy processing, which I've already got in place in certain OUs) and no direct link to a Microsoft article stating that GPP cannot be applied to the computer that a user is currently logged into.
    LVL 1

    Author Closing Comment

    No official MS documentation
