Solved

Apply GPO to certain users only when logging into certain computer

Posted on 2014-04-22
3
1,744 Views
Last Modified: 2014-04-22
We have computer objects in one OU and user objects in another OU. We need users to get certain User Configuration settings when they log into certain computers. So we have a security group for that set of users and a security group for that set of computers. But the users are in an OU with other users the policy shouldn't apply to and the computers are in an OU with other computer objects that should not have this policy apply to. Moving the users or computers into new OUs is not an option for us unfortunately.

If I create a user configuration GPO and link it to the computer objects OU with a scope containing the group of computers to apply to plus a group with the users to apply to will it only apply to those users when they log into those computers?
0
Comment
Question by:DITGUY
  • 2
3 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40015143
Apply the policy to the computers OU. Then configuring the GPO to Merge or Replace. This will give you what you are looking for.

You can go into the Advanced section and apply permissions, so only the User Security Group and Computer Security Group have Read and Apply GPO permissions.

Make sure you remove the other security groups such as Everyone or Authenticated Users. Or, set those groups to Deny Read / Apply GPO.
0
 

Author Comment

by:DITGUY
ID: 40015153
I saw this article. I assume it's what you're referring to. http://technet.microsoft.com/en-us/library/cc782810%28v=ws.10%29.aspx

If I configure LBP with merge will it apply all the GPOs from the user's OU plus the ones in the computer OU that are user configuration settings and let those be the final result for any conflicts?

I don't fully understand replace vs merge.
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40015171
Yes.

If you set Merge on the GPO that is assigned to the Computers OU, it will try and merge all user configurations of all GPOs that user has. However, the computer GPO will take precedence. So if two policies have the same setting on one item, the Merge Policy should overwrite that one setting. All other settings from every GPO will be applied, if there is no conflict.

If you use Replace the entire policy on the Computer OU is used. It completely overrides the policy on the user OU, regardless of any conflicts or not.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question