Klinkeye
Apply computer policy only to certain users
Ok, most of my searching has only yielded ways to apply user policies to users on certain computers. What I want is the reverse.
I have an overall group policy which disables clipboard redirection on the terminal server. This policy applies properly to everyone that logs into the terminal server.
However, I would like to allow a few certain users the ability to use clipboard redirection.
Could make another user group for the specific users you want to have that removed off of.
Use Group Policy Security Filtering
Refer this: http://www.windowsnetworking.com/articles_tutorials/group-policy-security-filtering.html
ASKER
When I remove "Authenticated Users" and just add the user to the filtered users, when I run GPO modeling for that user on the TS I get a permission denied for that GPO.
I would do this that way. GPO Security Filtering but...
Do not remove Authenticated Users, leave them. So, by default each user will apply this policy. Now, edit its DACL by selecting GPO in GPMC console. Go to "Delegation" tab in right pane and click "Advanced" button on right bottom. Then use DACL editor (like NTFS file/folder permission). Put there security group for users who shouldn't have this policy applied. Now set up "Deny" for that group in these 2 permissions:
- Read
- Apply group policy
Now, they cannot apply it and during logon process, it doesn't read GPO content (faster logon)
Regards,
Krzysztof
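A read-only check for the Deny filtering described in the answer above, as an added example that is not part of the original thread: it lists every ACE on the GPO that allows or denies "Apply group policy" and shows which half of the GPO has been edited, since computer settings are filtered against the computer account and user settings against the logged-on user. The GPO name is a placeholder, and the script assumes a management workstation with the GroupPolicy and ActiveDirectory PowerShell modules.

```powershell
# Added example (not from the thread). Read-only: it changes nothing.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT) are installed.
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'TS - No Clipboard Redirection'   # hypothetical GPO name

# rightsGuid of the "Apply Group Policy" extended right
$applyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo = Get-GPO -Name $gpoName
$acl = Get-Acl -Path "AD:\$($gpo.Path)"      # ACL of the GPO object in AD

# Every ACE that grants or denies "Apply group policy" on this GPO.
# Deny entries sort first because they override any Allow.
$acl.Access |
    Where-Object {
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $applyGpo
    } |
    Sort-Object AccessControlType -Descending |
    Format-Table IdentityReference, AccessControlType, IsInherited -AutoSize

# Which half of the GPO has been edited decides whose access is evaluated:
# the computer half is processed with the computer account, the user half
# with the logged-on user. A version of 0 means that half was never edited.
[pscustomobject]@{
    Gpo                = $gpo.DisplayName
    ComputerHalfEdited = $gpo.Computer.DSVersion -gt 0
    UserHalfEdited     = $gpo.User.DSVersion -gt 0
}
```

If only the computer half has been edited, a Deny entry for a group of user accounts does not change what the terminal server itself applies.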
ASKER
I'll have to try this on Monday.
What about loopback?
How to merge or replace settings using loopback
http://technet.microsoft.com/en-us/library/cc782810(v=ws.10).aspx
Loopback processing of Group Policy
http://support.microsoft.com/kb/231287
How to apply Group Policy objects to Terminal Services
http://support.microsoft.com/kb/260370
Now if you want to setup a separate OU with your TS servers in it or use WMI filtering in your current OU
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/anch_wmi.asp
Here is an example of the syntax:
SELECT * FROM Win32_ComputerSystem WHERE Name = 'MyComputer'
Where mycomputer = your TS server name.
ASKER
Thanks for the input, but I've already got loopback processing enabled. I also have no problem applying the GPO to just the terminal servers, however what I'm after is selectively applying the GPO (which only contains computer settings) to certain users that log onto the terminal servers.
So, my scenario should be suitable in this case ;)
Krzysztof
ASKER
Possibly. I did have a mess about with the delegation section before posting my question. Will let you know how it goes Monday.
Klinkeye, from 2008 TS on, this is available as a user policy, too. Is your TS 2008 or 2008 R2? http://www.group-policy.com/ref/policy/2789/Do_not_allow_clipboard_redirection
This will never work since the Computer settings apply on the entire system and also apply when the machine boots.
That is going to be pretty difficult since Computer settings are system wide (HKLM) and not user specific (HKCU).
yo_bee, couldn't we eliminate the need of a computer policy at all?
ASKER
It's actually server2003. I think yo_bee might be right. The computer policies can't be applied to users selectively.
ASKER
What I was after cannot be done.