Can I apply a 'User' Group policy preference by User OU and select an 'Is Not' for Computer OU

We are trying to take advantage of Group Policy Preferences to target specific people or computers in the business using 'Item Level Targeting'. For the most part this works brilliantly, but one specific situation doesn't seem to work, and I'd like to know both whether it should work and, if it should, how we do it! I imagine something simple is being missed, or it fundamentally doesn't allow this to work.

I have created a GPO with the shortcuts I want created in the 'Startup' folder. I have used the User Configuration\Preferences\Windows Settings\Shortcuts section to create the shortcut. I want the members of the team to log on to any PC in their team's computer OU and get the shortcut. This is easy, as I just apply the GPO to the User OU and it works. But there are standalone PCs in the department that do not need the shortcuts copied to the 'Startup' folder on login, so I created an OU in the computers OU for the department called 'Standalone' and added 'Is Not' statements against the Standalone OU, specifying Computers as the target.

All in all, this means that when the user logs in, the GPO is targeted at the user based on their OU. The shortcut Group Policy Preference item is under the User section of the GPO. The targeting (supposedly) allows the shortcut to be created unless the computer is in the 'Standalone' OU. Well, this is how it should work.

In reality, the shortcut gets created no matter which PC they log on to, so this isn't working. Is this because item level targeting for User items applied to User OUs won't count Computers as targeting criteria? We would like to do similar things with printers based on where users sit (based on the computer), so I'd like to know if it's possible and how to achieve it.
Krzysztof Pytko (Senior Active Directory Engineer) commented:
When you set up a User Configuration policy, it is always applied to the user object, no matter which PC he/she is logging on to. You cannot define or restrict anything for the computer there.

I don't know if it would work, but you can try loopback processing.

Keithburnham (Author) commented:
I thought as much, but I can't believe that they wouldn't include that ability. It's odd: I knew this logic applied with normal group policies, but I was hoping that item level targeting would be able to use the PC as a criterion, as it makes sense that targets are separate from the User/Computer you are applying the GPO to. Bear in mind that this is on 2008 and Group Policy Preferences, not standard group policy. I have used loopback before to do similar things with standard group policy and it does indeed work, but it appears to be a slightly different method here.

It's weird, I cannot find any Microsoft page to confirm this is the case for Group Policy Preferences. Does anyone have a link to anything that can confirm or deny this?
Hendrik Wiese (Information Security Manager) commented:
Not sure if this is going to work, but worth a shot.

1. In your AD, create a Group and add all the desired computers to the group.
2. Now open Group Policy Manager and select your policy.
3. In the right pane, under Security Filtering, remove Authenticated Users and add only the newly created group.
4. Now you can apply the policy at the top level of the domain, as only the selected computers will be affected.
5. Test and let me know if it helps!!!


Neil Russell (Technical Development Lead) commented:
You should use a group policy at the OU level of the COMPUTER objects and then use loopback policy processing to get the user part of the computers' policy to apply. This way you can target users only when they log in to computers in a particular OU.
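The loopback setup Neil describes, written out as an added PowerShell example that is not from this thread. It assumes the GroupPolicy RSAT module is installed; the GPO name, the OU distinguished name and the user group are placeholders.

```powershell
# Added example: create a GPO, turn on user loopback processing, and link it to the
# COMPUTER OU so its user-side shortcut preference applies only on PCs in that OU.
# Placeholders: GPO name, OU DN and group name are hypothetical values.
Import-Module GroupPolicy

$GpoName    = 'Team Shortcuts (Loopback)'                            # placeholder
$ComputerOU = 'OU=TeamPCs,OU=Computers,OU=Dept,DC=example,DC=com'    # placeholder DN
$UserGroup  = 'EXAMPLE\Team-Shortcut-Users'                          # placeholder group

# 1. Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'User-side shortcut preference applied via loopback'
}

# 2. Enable loopback processing in Merge mode. UserPolicyMode 1 = Merge, 2 = Replace.
#    This is the registry value behind Computer Configuration > Administrative Templates >
#    System > Group Policy > "Configure user Group Policy loopback processing mode".
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the computer OU (not the user OU). The Shortcut preference item
#    itself is still added under User Configuration in the GPMC editor; there is no
#    cmdlet for GPP items, so only the loopback and link wiring is scripted here.
$linked = (Get-GPInheritance -Target $ComputerOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $ComputerOU -LinkEnabled Yes | Out-Null
}

# 4. Loopback still requires the logged-on user to have Read and Apply on the GPO.
#    Grant the team's group Apply; leave Authenticated Users with Read so the
#    computer accounts can still read the GPO.
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 5. Verify: show the loopback value and the links on the computer OU.
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
(Get-GPInheritance -Target $ComputerOU).GpoLinks | Format-Table DisplayName, Enabled, Order
```

On a client, `gpresult /r /scope:user` after a fresh logon shows whether the loopback-linked GPO was applied; standalone PCs in an OU that the link does not cover will not list it.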
Keithburnham (Author) commented:
@Hendrik: Thanks for that. I'm trying to achieve a situation where I can apply this one GPO to the 10 or so user OUs that use these shortcuts and then only worry about placing standalone PCs into specific OUs to exclude them (probably 3 or 4 of these exist, but more could come along). I just need a method that's scalable, as I don't want to specify those included; I'd rather specify those that are not.

@Neilsr: I will check if the OU structure for the computers mirrors that of the user objects (the AD design separates the users and computers). If so, I can try the loopback and see if that works with regard to Item Level Targeting. I was hoping it wouldn't be like this and that the targeting is outside the normal limitations of group policy, but I can't seem to explain very well what I am trying to do. Sorry guys.

Looks like I need to try it with Loopback and get back to you with results.
As you have already applied a user-level group policy, you can try loopback policy for the machines where you don't want to place the shortcut. An overview of loopback policy is given here:

Keithburnham (Author) commented:
Unfortunately there has been no solution to this problem (apart from loopback policy processing, which I've already got in place in certain OUs) and no direct link to a Microsoft article stating that GPP cannot be targeted at the computer a user is currently logged into.

Keithburnham (Author) commented:
No official MS documentation.