
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 278

Exclude user based Group Policy to a Machine

Is it possible to exclude a group policy from running on a machine even though the policy is user based? What I am hoping to accomplish is this:

User A has a desktop PC and a laptop.

There are some policies enabled for Mapped drives and folder redirection for the entire office.

I want to prevent the laptop(s) from receiving these policies since I will be using WebDav to mount drive letters when the user is roaming.

I have tried to add the user's laptop in the delegation tab and set a deny permission but that does not seem to work.
1 Solution
Liam Somerville (Senior Security Consultant) commented:
If you're looking to apply different user policies based on the computer a user is logging on to, you're going to be working with loopback processing.

If you're new to this, it might twist your brain a little. You apply a GPO to the machine that enables loopback processing. This will cause the machine to apply any user GPOs that are linked to its OU during a user's logon.

Here's what you need to do:

1. Apply and link Loopback Processing GPO to laptop OU

2. Link a user policy disabling mapped drives/folder redirection to the laptop OU

That's it! The trick is to make sure you're applying the user policy to the laptop's OU, but other than that everything is just Group Policy 101.
finkeltron (Author) commented:
I don't see Loopback processing in GPedit. The instructions you sent apply to Windows 2000 to 2003. I'm running 2012R2.
Liam Somerville (Senior Security Consultant) commented:
Should be in the same place as previous versions of Windows. I don't have a 2012 DC available at the moment but can spin one up if need be. Can you check this location first?

Computer Configuration\Policies\Administrative Templates\System\Group Policy
Setting\User Group Policy loopback processing mode
Liam Somerville (Senior Security Consultant) commented:
Here's a pretty good article on the topic — Server 2012-specific — looks like they changed the setting name slightly.
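
The two steps from the answer above, scripted with the GroupPolicy PowerShell module as an added example (not code from the thread or its participants). The OU distinguished name and GPO names are placeholders, and the choice of Merge versus Replace mode is an assumption the thread does not settle; `UserPolicyMode` under the policy key shown is the registry value behind the loopback setting (1 = Merge, 2 = Replace).

```powershell
#Requires -Modules GroupPolicy
param(
    [string]$LaptopOU        = 'OU=Laptops,DC=example,DC=com',  # placeholder DN
    [string]$LoopbackGpoName = 'Laptops - Loopback',            # hypothetical name
    [string]$UserGpoName     = 'Laptops - User Settings',       # hypothetical name
    [ValidateSet('Merge', 'Replace')]
    [string]$Mode            = 'Merge'                          # assumption, see below
)

# Merge:   the user's normal GPOs apply first, then user settings from GPOs
#          linked to the computer's OU, which win on conflict.
# Replace: only user settings from GPOs linked to the computer's OU apply.
$modeValue = @{ Merge = 1; Replace = 2 }[$Mode]

function Get-OrCreateGpo([string]$Name) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    return $gpo
}

function Add-LinkIfMissing([string]$Name, [string]$Target) {
    # New-GPLink fails if the link already exists, so check first.
    $linked = (Get-GPInheritance -Target $Target).GpoLinks.DisplayName
    if ($linked -notcontains $Name) {
        New-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null
    }
}

# Step 1: computer-side GPO that turns on loopback processing.
Get-OrCreateGpo $LoopbackGpoName | Out-Null
Set-GPRegistryValue -Name $LoopbackGpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $modeValue | Out-Null
Add-LinkIfMissing $LoopbackGpoName $LaptopOU

# Step 2: GPO for the laptop-specific user settings. It is created empty here;
# the drive-map and folder-redirection settings are configured in GPMC.
Get-OrCreateGpo $UserGpoName | Out-Null
Add-LinkIfMissing $UserGpoName $LaptopOU

# Check: show the stored loopback value and the GPOs now linked to the OU.
Get-GPRegistryValue -Name $LoopbackGpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
(Get-GPInheritance -Target $LaptopOU).GpoLinks |
    Select-Object DisplayName, Enabled, Order
```

After a `gpupdate /force` and a fresh logon on a laptop, `gpresult /r` lists the user GPOs that were actually applied.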
