Solved

Group Policy - how to make "User" registry policy work on select set of computers

Posted on 2013-11-11
18
465 Views
Last Modified: 2013-11-13
Server 2008R2 AD.  I thought I had this figured out, but I'm not getting the result I want.  I am trying to set registry values using a User GPO but I want to link it only to my servers, in one of 2 OUs - Domain Controllers or Domain Servers.

Essentially, this is so some select users (including Domain Admins) will have these registry entries set if they log in to the servers.

So I have this correct: User Config->Pref->Windows Set->Registry

Do I link it to my Servers? Or to the select Users?  Then what at the filtering section?    I'm just not clear on this - I've tried a few things and still gpresult shows my GPO as either denied, or not there at all.

Thanks.
0
Comment
Question by:dvanaken
18 Comments
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639219
I would link it to your computers and in the read filtering add the names of your servers to read/apply the filter and enforce them on the OU container you want it to pertain to.
0
 
LVL 21

Expert Comment

by:Joseph Moody
ID: 39639255
0
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639270
Once you have made the change in GPO, then on that server run gpupdate to asynchronously apply the change, then on the domain controllers run gpupdate /force and then you may have to reboot before the changes show up in gpresult depending on what settings. Normally registry changes require a reboot for the machine to make the hive key active.
0
 

Author Comment

by:dvanaken
ID: 39639555
Now I'm confused - I get what loopback mode does (have not yet tried it), but do I need that?  Here is a statement of what I am trying to do:

Apply "User" GPO on certain computers only for certain users only.  

Since it is for certain Users, I don't think I need the loopback model (because Users->Users), but how do I limit it to applying to certain computers only?
0
 
LVL 3

Expert Comment

by:chuckmccullough
ID: 39641858
I would think you could use Security Filtering on the GPO to apply it to the specified users, then use WMI Filtering to target the computers you want it to apply to. Something like:

Select * from Win32_ComputerSystem where __SERVER = "Server1" OR __SERVER = "Server2"
0
 

Author Comment

by:dvanaken
ID: 39641964
So is it true that Security Filtering must be applied to match the type of GPO; that User policies must have users in the Security Filtering, and likewise Computer policies must have computers in the filters? In other words, you can't set up a User policy and filter it only for certain computers (except using WMI). Correct?
0
 
LVL 3

Expert Comment

by:chuckmccullough
ID: 39642238
Security Filtering can apply to users, groups, or computers, but those objects have to reside in the OU you link to. So, if filtering that way by users, you'll have to link it to an OU where those users are located. The WMI filters don't have the same limitation, I believe.

In rethinking this, I would recommend doing some testing to see if this option will work the way you want it to. WMI filters can slow logon performance a bit (I've seen them used a lot, though), and you'll have to maintain the list, so if you have a lot of computers you want to filter for that could present a challenge.
0
 

Author Comment

by:dvanaken
ID: 39642776
Thanks - I need to do some more testing on this.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39642842
There is a way: it's called MLGPO and is a local thing. Configure MLGPOs for a defined user group right at the server(s).
0
 

Author Comment

by:dvanaken
ID: 39644579
I have a manual process for now until I investigate these suggestions - if anybody can just answer my question a few posts back (So is it true that...) I'll award points.
0
 
LVL 3

Accepted Solution

by:
chuckmccullough earned 500 total points
ID: 39644948
I haven't found anything that definitively states you have to apply security filtering to the same object type as your GPO is targeting, but I think logically it would make sense.

Using my thoughts from above, you have a GPO with user policies, so you'll link that GPO to an OU containing those users. Then you use Security Filtering to specify the users/groups you want this to apply to. From there to target the computers you want it to apply to you use WMI Filtering.
0
 

Author Comment

by:dvanaken
ID: 39644962
So Security Filtering doesn't even make sense when applied to a computer?
0
 
LVL 3

Expert Comment

by:chuckmccullough
ID: 39645014
Yes it does, because keep in mind computers have accounts just like users do, and those accounts have permissions rules as well. You'll see Authenticated Users as the default Security Filter, but that is a little misleading because it is any authenticated account, which also includes computers joined to the domain.
0
 

Author Comment

by:dvanaken
ID: 39645310
Makes sense.  So if I put both COMPUTER1 and user USER2 in Security Filtering, does that apply the GPO to

a. this USER2 on any computer
b. any user on COMPUTER1
c. only USER2 on COMPUTER1

Sorry if I am being thick, I just don't get the boolean sense that is used. I thought I understood it but the results proved otherwise...
0
 
LVL 3

Expert Comment

by:chuckmccullough
ID: 39645350
No problem at all. C would be the only answer because A would be correct except for the fact you have COMPUTER1 as the second limiting factor. B would be correct except for the fact you have USER2 as the second limiting factor.
0
 

Author Comment

by:dvanaken
ID: 39645421
So it's a logical AND as between Users and Computers.

This is what keeps throwing me off because it can't be a logical AND between Users - a User can't be both USER1 and USER2.  Same for Computers.

So it must be:  [(USER1 or USER2 or ... USERn)  AND  (COMP1 or COMP2 or ... COMPn)]

In other words (English) - "one of these named users on one of these named computers"

Seem right?  Thanks again.  It's about time I got this correct.
0
 
LVL 3

Expert Comment

by:chuckmccullough
ID: 39645581
Yep, that looks correct.
0
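The filtering the accepted solution describes (link the user GPO to the users' OU, security-filter it to the named users and computers, and attach the WMI filter for the servers), as an added PowerShell example that is not code from this thread. It uses the GroupPolicy module cmdlets on a host with RSAT/GPMC installed; the GPO name, OU, group and server names are placeholders, and the WMI filter itself is assumed to have been created and linked in GPMC as the thread describes.

```powershell
# Added example, not from the thread: apply the "(USER1 or USER2 ...) AND (COMP1 or COMP2 ...)"
# security filtering and verify the result. All names below are placeholders.
Import-Module GroupPolicy

$GpoName   = 'Server Registry Prefs'                 # placeholder GPO with User Pref registry items
$UserOu    = 'OU=Admins,DC=corp,DC=example'          # placeholder OU that contains the users
$UserGroup = 'GPO-ServerRegUsers'                    # placeholder group holding USER1..USERn
$Computers = 'SERVER1', 'SERVER2'                    # placeholder computer accounts

# 1. Link the user-settings GPO to the OU containing the users (not the server OU).
$linked = (Get-GPInheritance -Target $UserOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $UserOu -LinkEnabled Yes | Out-Null
}

# 2. The default "Authenticated Users" entry carries Apply, which makes the GPO apply to
#    everyone. Reduce it to Read only: the GPO stays readable (since MS16-072 the computer
#    account must be able to read user GPOs during processing) but no longer applies broadly.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Grant Read + Apply to the users through one group (the "USER1 or USER2 ..." part).
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Grant Read + Apply to each named computer account (the "COMP1 or COMP2 ..." part).
foreach ($c in $Computers) {
    Set-GPPermission -Name $GpoName -TargetName $c -TargetType Computer `
        -PermissionLevel GpoApply | Out-Null
}

# 5. Report the effective filter: every trustee that now holds Apply Group Policy.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }},
                  @{n='Type';    e={ $_.Trustee.SidType }},
                  Permission |
    Format-Table -AutoSize

# 6. Confirm the WMI filter from the thread is attached (empty output means none is linked).
(Get-GPO -Name $GpoName).WmiFilter | Select-Object Name, Description
```

After the next refresh, run gpresult /r /scope:user on one of the servers as a filtered user to confirm the GPO is listed as applied rather than denied.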
 

Author Closing Comment

by:dvanaken
ID: 39645779
Points to Chuck for sticking with me - now I need to get it done and tested!
0
