Solved

Apply GPO to certain users only when logging into certain computer

Posted on 2014-04-22
3
1,720 Views
Last Modified: 2014-04-22
We have computer objects in one OU and user objects in another OU. We need users to get certain User Configuration settings when they log into certain computers. So we have a security group for that set of users and a security group for that set of computers. But the users are in an OU with other users the policy shouldn't apply to and the computers are in an OU with other computer objects that should not have this policy apply to. Moving the users or computers into new OUs is not an option for us unfortunately.

If I create a user configuration GPO and link it to the computer objects OU with a scope containing the group of computers to apply to plus a group with the users to apply to will it only apply to those users when they log into those computers?
0
Comment
Question by:DITGUY
  • 2
3 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40015143
Apply the policy to the computers OU. Then configuring the GPO to Merge or Replace. This will give you what you are looking for.

You can go into the Advanced section and apply permissions, so only the User Security Group and Computer Security Group have Read and Apply GPO permissions.

Make sure you remove the other security groups such as Everyone or Authenticated Users. Or, set those groups to Deny Read / Apply GPO.
0
 

Author Comment

by:DITGUY
ID: 40015153
I saw this article. I assume it's what you're referring to. http://technet.microsoft.com/en-us/library/cc782810%28v=ws.10%29.aspx

If I configure LBP with merge will it apply all the GPOs from the user's OU plus the ones in the computer OU that are user configuration settings and let those be the final result for any conflicts?

I don't fully understand replace vs merge.
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40015171
Yes.

If you set Merge on the GPO that is assigned to the Computers OU, it will try and merge all user configurations of all GPOs that user has. However, the computer GPO will take precedence. So if two policies have the same setting on one item, the Merge Policy should overwrite that one setting. All other settings from every GPO will be applied, if there is no conflict.

If you use Replace the entire policy on the Computer OU is used. It completely overrides the policy on the user OU, regardless of any conflicts or not.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question