Solved

Apply GPO to certain users only when logging into certain computer

Posted on 2014-04-22
3
1,803 Views
Last Modified: 2014-04-22
We have computer objects in one OU and user objects in another OU. We need users to get certain User Configuration settings when they log into certain computers. So we have a security group for that set of users and a security group for that set of computers. But the users are in an OU with other users the policy shouldn't apply to and the computers are in an OU with other computer objects that should not have this policy apply to. Moving the users or computers into new OUs is not an option for us unfortunately.

If I create a user configuration GPO and link it to the computer objects OU with a scope containing the group of computers to apply to plus a group with the users to apply to will it only apply to those users when they log into those computers?
0
Comment
Question by:DITGUY
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40015143
Apply the policy to the computers OU. Then configuring the GPO to Merge or Replace. This will give you what you are looking for.

You can go into the Advanced section and apply permissions, so only the User Security Group and Computer Security Group have Read and Apply GPO permissions.

Make sure you remove the other security groups such as Everyone or Authenticated Users. Or, set those groups to Deny Read / Apply GPO.
0
 

Author Comment

by:DITGUY
ID: 40015153
I saw this article. I assume it's what you're referring to. http://technet.microsoft.com/en-us/library/cc782810%28v=ws.10%29.aspx

If I configure LBP with merge will it apply all the GPOs from the user's OU plus the ones in the computer OU that are user configuration settings and let those be the final result for any conflicts?

I don't fully understand replace vs merge.
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40015171
Yes.

If you set Merge on the GPO that is assigned to the Computers OU, it will try and merge all user configurations of all GPOs that user has. However, the computer GPO will take precedence. So if two policies have the same setting on one item, the Merge Policy should overwrite that one setting. All other settings from every GPO will be applied, if there is no conflict.

If you use Replace the entire policy on the Computer OU is used. It completely overrides the policy on the user OU, regardless of any conflicts or not.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question