• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2059
  • Last Modified:

Apply GPO to certain users only when logging into certain computer

We have computer objects in one OU and user objects in another OU. We need users to get certain User Configuration settings when they log into certain computers. So we have a security group for that set of users and a security group for that set of computers. But the users are in an OU with other users the policy shouldn't apply to and the computers are in an OU with other computer objects that should not have this policy apply to. Moving the users or computers into new OUs is not an option for us unfortunately.

If I create a user configuration GPO and link it to the computer objects OU with a scope containing the group of computers to apply to plus a group with the users to apply to will it only apply to those users when they log into those computers?
0
DITGUY
Asked:
DITGUY
  • 2
1 Solution
 
Gareth GudgerCommented:
Apply the policy to the computers OU. Then configuring the GPO to Merge or Replace. This will give you what you are looking for.

You can go into the Advanced section and apply permissions, so only the User Security Group and Computer Security Group have Read and Apply GPO permissions.

Make sure you remove the other security groups such as Everyone or Authenticated Users. Or, set those groups to Deny Read / Apply GPO.
0
 
DITGUYAuthor Commented:
I saw this article. I assume it's what you're referring to. http://technet.microsoft.com/en-us/library/cc782810%28v=ws.10%29.aspx

If I configure LBP with merge will it apply all the GPOs from the user's OU plus the ones in the computer OU that are user configuration settings and let those be the final result for any conflicts?

I don't fully understand replace vs merge.
0
 
Gareth GudgerCommented:
Yes.

If you set Merge on the GPO that is assigned to the Computers OU, it will try and merge all user configurations of all GPOs that user has. However, the computer GPO will take precedence. So if two policies have the same setting on one item, the Merge Policy should overwrite that one setting. All other settings from every GPO will be applied, if there is no conflict.

If you use Replace the entire policy on the Computer OU is used. It completely overrides the policy on the user OU, regardless of any conflicts or not.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now