

Can I apply a 'User' Group policy preference by User OU and select an 'Is Not' for Computer OU

Posted on 2011-10-12
Medium Priority
Last Modified: 2012-05-12
We are trying to take advantage of Group Policy Preferences to target specific people or computers in the business using 'Item Level Targeting'. For the most part this works brilliantly, but one specific situation doesn't seem to work, and I'd like to know whether it should work and, if it should, how we do it! I imagine something simple is being missed or it fundamentally doesn't allow this to work.

I have created a GPO with the shortcuts I want creating in the 'Startup' folder. I have used the User Configuration\Preferences\Windows Settings\Shortcuts section to create the shortcut. I want the members in the team to log on to any PC in their team's computer OU and get the shortcut. This is easy, as I just apply the GPO to the User OU and it works. But there are standalone PCs in the department that do not need the shortcuts copying to the 'Startup' folder on login, so I created an OU in the computers OU for the department called 'Standalone' and added 'Is Not' statements against the Standalone OU, specifying Computers as the target.

All in all, this means if the user logs in the GPO is targeted at the User based on their OU. The shortcut group policy preference item is under the User section of the GPO. The targeting (supposedly) allows the shortcut to be created, unless the Computer is in the 'Standalone' OU. Well, this is how it should work.

In reality, the shortcut gets created no matter which PC they log onto, so this isn't working. Is this because item level targeting for User items applied to User OUs won't count Computers as targeting criteria? We would like to do similar things with printers based on where users sit based on the computer so I'd like to know if it's possible and how to achieve it.
Question by: Keithburnham

Expert Comment

by: Krzysztof Pytko
ID: 36954628
When you set up a User Configuration policy, it always applies to the user object, no matter which PC he/she logs on to. You cannot define or restrict anything for the computer there.

I don't know if it would work, but you can try with loopback processing.


Author Comment

ID: 36954653
I thought as much, but I can't believe that they wouldn't include that ability. It's odd, as I knew this logic applied with normal group policies, but I was hoping that item level targeting would be able to use the PC as a criterion, as it makes sense that targets are separate from the User/Computer you are applying the GPO to. Bear in mind that this is on 2008 and group policy preferences, not standard group policy. I have used loopback before to do similar things with standard group policy and it does indeed work, but it appears to be a slightly different method here.

It's weird, I cannot find any Microsoft page to confirm this is the case for Group Policy Preferences. Does anyone have a link to anything that can confirm or deny this?

Expert Comment

by: Hendrik Wiese
ID: 36954708
Not sure if this is going to work, but worth a shot.

1. On your AD create a Group and add all the desired computers into the group
2. Now open Group Policy Manager and select your policy
3. In the right pane under security filtering > remove the authenticated users and only add the newly created group.
4. Now you can apply the policy to the top level domain as only the selected computers will be affected.
5. Test and let me know if it helps!!!

Hendrik Wiese
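The steps above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not code from the thread or from any of its participants; the GPO name, group name and OU distinguished names are assumptions. Two caveats a practitioner would want: since MS16-072 (KB3163622) the computer account reads user-side settings, so Authenticated Users (or Domain Computers) must keep Read rather than being removed outright as step 3 says; and a filter that grants Apply only to a computer group gates user-side items such as this shortcut only on computers where loopback processing is enabled (a separate step, not shown here).

```powershell
# Added example (not from the thread). Assumed names: GPO "Team Startup Shortcuts",
# security group "GPO-StartupShortcuts-Computers", and the OU DNs below.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName      = 'Team Startup Shortcuts'
$GroupName    = 'GPO-StartupShortcuts-Computers'
$GroupOu      = 'OU=Groups,DC=example,DC=local'
$ComputersOu  = 'OU=Computers,OU=Department,DC=example,DC=local'
$StandaloneOu = 'OU=Standalone,OU=Computers,OU=Department,DC=example,DC=local'
$DomainDn     = 'DC=example,DC=local'

# Step 1: a group holding only the PCs that should get the shortcut.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOu
}
# Every computer under the department OU except those in the Standalone sub-OU,
# which keeps the asker's "everything but Standalone" rule in one place.
$members = Get-ADComputer -SearchBase $ComputersOu -Filter * |
    Where-Object { $_.DistinguishedName -notlike "*,$StandaloneOu" }
if ($members) { Add-ADGroupMember -Identity $GroupName -Members $members }

# Step 3, with the Read requirement kept: drop Authenticated Users from Apply to
# Read only (-Replace lowers the existing level) instead of removing it, then
# grant Apply to the new computer group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# Step 4: link at the domain root; the security filter limits it to group members.
New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes

# Step 5: verify the effective filter before testing a logon.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The last command should list Authenticated Users with GpoRead and the computer group with GpoApply; if Authenticated Users is missing altogether, patched clients will not apply the GPO at all.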


Expert Comment

by: Neil Russell
ID: 36954712
You should use a group policy at the OU level of the COMPUTER objects and then use loopback policy processing to get the user part of the computer's policy to apply. This way you can target users only when they log in to those computers in a particular OU.
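The loopback approach suggested in this answer and in the first reply, carried through with the GroupPolicy module. This is an added example, not code from the thread; the GPO name and OU distinguished names are assumptions. It links the GPO to the computer OU, enables loopback merge mode inside that same GPO, removes the original user-OU link (otherwise the shortcut keeps applying on every PC), and keeps the Standalone sub-OU out by blocking inheritance there, with a check of what else that block would affect.

```powershell
# Added example (not from the thread). Assumed names: GPO "Team Startup Shortcuts"
# plus the department's user OU, computer OU and Standalone sub-OU DNs below.
Import-Module GroupPolicy

$GpoName      = 'Team Startup Shortcuts'
$UsersOu      = 'OU=Users,OU=Department,DC=example,DC=local'
$ComputersOu  = 'OU=Computers,OU=Department,DC=example,DC=local'
$StandaloneOu = 'OU=Standalone,OU=Computers,OU=Department,DC=example,DC=local'
$LoopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Link the GPO to the COMPUTER OU, as the answer proposes, and drop the
#    user-OU link so the user-side shortcut item no longer follows the user everywhere.
New-GPLink -Name $GpoName -Target $ComputersOu -LinkEnabled Yes
Remove-GPLink -Name $GpoName -Target $UsersOu

# 2. Turn on loopback processing in the same GPO. The policy "Configure user Group
#    Policy loopback processing mode" is stored as the UserPolicyMode DWORD:
#    1 = Merge (user's own GPOs plus this computer's user settings), 2 = Replace.
Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1

# 3. Keep the Standalone PCs out. Blocking inheritance stops every non-enforced GPO
#    linked above that sub-OU, so list what would be lost first and enforce any GPO
#    that must still reach those machines before blocking.
(Get-GPInheritance -Target $StandaloneOu).InheritedGpoLinks |
    Select-Object DisplayName, Enforced
Set-GPInheritance -Target $StandaloneOu -IsBlocked Yes

# 4. Confirm the loopback value is stored in the GPO.
Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode'

# Then on a test PC in the computer OU:
#   gpupdate /force
#   log a team member on, run: gpresult /h result.html
# and confirm the GPO appears under "Applied GPOs" in the User section; on a
# Standalone PC it should appear as denied or not at all.
```

Merge mode (value 1) is the right choice here because the users still need their own user-OU policies; Replace (value 2) would discard those in favour of only the computer OU's user settings.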

Author Comment

ID: 36954840
@Hendrik : Thanks for that. I'm trying to achieve a situation where I can apply this one GPO to the 10 or so user OUs that use these shortcuts and then only worry about placing standalone PCs into specific OUs to exclude them (probably 3 or 4 of these exist but more could come along). I just need a method that's scalable as I don't want to specify those included as I'd rather specify those who are not.

@Neilsr : I will check if the OU structure for the computers mirrors that of the user objects (the AD design separates the users and computers). If so I can try the loopback and see if that works that way with regard to Item Level Targeting. I was hoping it wouldn't be like this and that the targeting is outside the normal limitations of group policy, but I can't seem to explain very well what I am trying to do. Sorry guys.

Looks like I need to try it with Loopback and get back to you with results.

Expert Comment

ID: 36954888
As you have already applied a user-level group policy, you can try loopback policy for the machines where you don't want to place the shortcut. An overview of loopback policy is given here:


Accepted Solution

Keithburnham earned 0 total points
ID: 37220382
Unfortunately there has been no solution to this problem (apart from loopback policy processing, which I've already got in place in certain OUs) and no direct link to a Microsoft article informing that GPP cannot be applied to a computer for which a user is currently logged into.

Author Closing Comment

ID: 37242323
No official MS documentation
