Group Policy - how to make "User" registry policy work on select set of computers
Server 2008R2 AD. I thought I had this figured out, but I'm not getting the result I want. I am trying to set registry values using a User GPO but I want to link it only to my servers, in one of 2 OUs - Domain Controllers or Domain Servers.
Essentially, this is so some select users (including Domain Admins) will have these registry entries set if they log in to the servers.
So I have this correct: User Config->Pref->Windows Set->Registry
Do I link it to my Servers? Or to the select Users? Then what at the filtering section? I'm just not clear on this - I've tried a few things and still gpresult shows my GPO as either denied, or not there at all.
Thanks.
Essentially, this is so some select users (including Domain Admins) will have these registry entries set if they log in to the servers.
So I have this correct: User Config->Pref->Windows Set->Registry
Do I link it to my Servers? Or to the select Users? Then what at the filtering section? I'm just not clear on this - I've tried a few things and still gpresult shows my GPO as either denied, or not there at all.
Thanks.
MHMAdmins
I would link it to your computers and in the read filtering add the names of your servers to read/apply the filter and enforce them on the OU container you want it to pertain to.
Sounds like a case for Loopback!
http://deployhappiness.com/loopback-policy-how-a-computer-gets-a-transgender-operation/
http://deployhappiness.com/loopback-policy-how-a-computer-gets-a-transgender-operation/
Once you have made the change in GPO, then on that server run gpupdate to asynchronously apply the change, then on the domain controllers run gpupdate /force and then you may have to reboot before the changes show up in gpresult depending on what settings. Normally registry changes require a reboot for the machine to make the hive key active.
ASKER
Now I'm confused - I get what loopback mode does (have not yet tried it), but do I need that? Here is a statement of what I am trying to do:
Apply "User" GPO on certain computers only for certain users only.
Since it is for certain Users, I don't think I need the loopback model (because Users->Users), but how do I limit it to applying to certain computers only?
Apply "User" GPO on certain computers only for certain users only.
Since it is for certain Users, I don't think I need the loopback model (because Users->Users), but how do I limit it to applying to certain computers only?
I would think you could use Security Filtering on the GPO to apply it to the specified users, then use WMI Filtering to target the computers you want it to apply to. Something like:
Select * from Win32_ComputerSystem where __SERVER = "Server1" OR __SERVER = "Server2"
Select * from Win32_ComputerSystem where __SERVER = "Server1" OR __SERVER = "Server2"
ASKER
So is it true that Security Filtering must be applied to match the type of GPO; that User policies must have users in the Security filtering, same for Computer policies must have computers in the filters? In other words you can't setup a User policy and filter it only for certain computers (except using WMI). Correct?
Security Filtering can apply to users, groups, or computers, but those objects have to reside in the OU you link to. So, if filtering that way by users you'll have to link it to an OU where those users are located. The WMI filters don't have the same limitation I believe.
In rethinking this, I would recommend doing some testing to see if this option will work the way you want it to. WMI filters can slow logon performance a bit (I've seen them used a lot, though), and you'll have to maintain the list, so if you have a lot of computers you want to filter for that could present a challenge.
In rethinking this, I would recommend doing some testing to see if this option will work the way you want it to. WMI filters can slow logon performance a bit (I've seen them used a lot, though), and you'll have to maintain the list, so if you have a lot of computers you want to filter for that could present a challenge.
ASKER
Thanks - I need to do some more testing on this.
There is a way: it's called MLGPO and is a local thing. Configure MLGPOs for a defined user group right at the server(s).
ASKER
I have a manual process for now until I investigate these suggestions - if anybody can just answer my question a few posts back (So is it true that...) I'll award points.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So Security Filtering doesn't even make sense when applied to a computer?
Yes it does, because keep in mind computers have accounts just like users do, and those accounts have permissions rules as well. You'll see Authenticated Users as the default Security Filter, but that is a little misleading because it is any authenticated account, which also includes computers joined to the domain.
ASKER
Makes sense. So if I put both COMPUTER1 and user USER2 in Security Filtering, does that apply the GPO to
a. this USER2 on any computer
b. any user on COMPUTER1
c. only USER2 on COMPUTER1
Sorry if I am being thick, I just don't get the boolean sense that is used. I thought I understood it but the results proved otherwise...
a. this USER2 on any computer
b. any user on COMPUTER1
c. only USER2 on COMPUTER1
Sorry if I am being thick, I just don't get the boolean sense that is used. I thought I understood it but the results proved otherwise...
No problem at all. C would be the only answer because A would be correct except for the fact you have COMPUTER1 as the second limiting factor. B would be correct except for the fact you have USER2 as the second limiting factor.
ASKER
So it's a logical AND as between Users and Computers.
This is what keeps throwing me off because it can't be a logical AND between Users - a User can't be both USER1 and USER2. Same for Computers.
So it must be: [(USER1 or USER2 or ... USERn) AND (COMP2 or COMP2 or ... COMPn)]
In other words (English) - "one of these named users on one of these named computers"
Seem right? Thanks again. It's about time I got this correct.
This is what keeps throwing me off because it can't be a logical AND between Users - a User can't be both USER1 and USER2. Same for Computers.
So it must be: [(USER1 or USER2 or ... USERn) AND (COMP2 or COMP2 or ... COMPn)]
In other words (English) - "one of these named users on one of these named computers"
Seem right? Thanks again. It's about time I got this correct.
Yep, that looks correct.
ASKER
Points to Chuck for sticking with me - now I need to get it done and tested!