Erika Koelle asked:
How to apply a GPO to a computer in a specific OU (User Map Drive - loopback) but not to any other computers, and how to exclude certain users from having the GPO applied.

Windows GPO question.

I have two GPOs:
1.  Restricted Access - hides many Control Panel options, etc.
2.  Map V: drive to \\fileserver\sharename

AD OUs:
Computers - W7PC001, W7PC002, etc...
Servers - WIN2012SVR
Users - Tom, Ken, Joe, etc...

Loopback is enabled for MAP V: Drive GPO because it's a user setting

What I need to do:
1.  If user Tom, Ken or Joe log in to Server WIN2012SVR (via Remote Desktop) then apply GPO Restricted Access and Map V: Drive
2.  If user Tom, Ken or Joe log in to their regular Windows 7 PC then the GPOs should NOT be applied
3.  If user Administrator logs in then the GPO Restricted Access should not apply but MAP V: Drive should apply

Many thanks...

EK
Christian KAZADi:
Hi,

You should apply your GPO on Computer Configuration and not User configuration in Group Policy Management Editor.

This is the only good way to avoid conflict.

Go to GPM Editor > Computer Configuration > Preferences > ...

Good chance,

CK
Erika Koelle (asker):
Need to apply Drive Mapping for a user and that's NOT a computer setting.
You can apply it on both...

The difference is: as a user setting, only the users the GPO applies to can see the mapped drive, but as a computer setting all domain users connected to the computer can see the mapped drive.

The second way is to script it via PowerShell, with an "if computername=.... then net use ..."

Hope that will help you

CK
Configure a drive map GPP item in a GPO and apply this GPO to the OU containing your server.
If the OU contains more servers, use security filtering and apply the GPO only to the specific server account above.
At the same time add a WMI filter based on the group which contains your users.
Now whenever your selected users log on to this server with RDP, they will get the mapped drive.
And finally, in the same GPO enable loopback processing in replace mode.
It's located under Computer Config / Admin Templates / System / Group Policy.
1. Create a GPO you want to apply
2. In Active Directory Users and Computers, create a security group and add the people you want to apply the GPO to
3. Assign the GPO to your OU, but in Security Filtering add only the group you've just created (remove Domain Users)
4. Enforce Policy
5. Refresh policy on group member computer (gpupdate /force) or restart computer to see if Policy was applied
  1. Create a single GPO in the root of the domain and set it to enforce (All current and future preferences can go in here.)
  2. Add the drive mappings as GPO drive mapping preferences
  3. Add item-level filtering on these drive mappings. You can use AND and OR etc. to specify conditions as per your requirement
This is exactly what I've said !!!
No, it is not. Massive difference between security filtering and item-level filtering. My solution does not rely on OU filtering either. With ILT you can also do operators such as must be this user on that computer.

Read my comment again Tom !!!

Also, your comment isn't technically correct. You do not remove domain users (or authenticated users for that matter), you only remove their Apply Policy Permission from the GPO, they still need read.
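The permission model Shaun describes (Authenticated Users keep Read but lose Apply; the intended principals get Apply) can be set and audited with the GroupPolicy PowerShell module. The following is an added example, not code from the thread; the GPO name "MapVDrive" and the group "Finance-Servers" (holding the server computer accounts) are assumptions, and the loopback setting is written through its registry-backed policy value.

```powershell
# Added example (not from the thread): "Read but not Apply" security filtering
# plus loopback Replace mode, using the GroupPolicy module (RSAT).
# Assumptions: GPO "MapVDrive" exists; "Finance-Servers" is a domain group
# containing the computer accounts that should receive the policy.
Import-Module GroupPolicy

$GpoName    = 'MapVDrive'        # assumed GPO name
$ApplyGroup = 'Finance-Servers'  # assumed group of server computer accounts

# 1. Authenticated Users keep Read but lose "Apply Group Policy".
#    -Replace swaps their existing level (normally GpoApply) for GpoRead rather
#    than adding a second ACE. Do not set it to None: since MS16-072 (KB3163622)
#    the computer account retrieves user-side policy, so it still needs Read.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 2. The server group gets Read + Apply, i.e. security filtering selects it.
Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
    -PermissionLevel GpoApply

# 3. Loopback processing in Replace mode (UserPolicyMode = 2; 1 would be Merge).
#    This is the value behind Computer Configuration > Administrative Templates
#    > System > Group Policy > "Configure user Group Policy loopback processing mode".
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# 4. Audit: list every trustee with the level it actually holds, so a reviewer
#    can confirm no unintended principal still has Apply.
function Get-GpoTrusteeLevels {
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

Get-GpoTrusteeLevels -Name $GpoName | Format-Table -AutoSize
```

The audit at the end is the check worth keeping: when a GPO reaches a machine it should not (the SQL server case later in this thread), the trustee list shows which principal still holds GpoApply.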
Thanks everyone...we got it working.

Here's the final set up:
1.  Created GPO to Map V: drive to \\server\share in ROOT of OU's (not sure why this really was necessary, but it was)
2.  Didn't need to enforce it
3.  Created Active Directory Security Group and added user TOM in to it
4.  Security filtering:  Added AD Security Group and COMPUTER NAME of servers on which we want it to do the drive mapping

Did a bunch of GPUPDATE /FORCE commands and for good measure rebooted servers which were supposed to get V: Drive mapping.
Logged in as user TOM and V: drive was mapped correctly.  
Right clicked on V: drive and disconnected it
Logged OFF
Logged back in and V: drive mapped again correctly

Logged in as user KEN who is NOT in the AD Security Group to map the V: drive and it did NOT map the V: Drive.  


Checked Registry:
HKLM\software\microsoft\windows\currentversion\grouppolicy\state\#USERSID#\GPO-List
0 - Local Group Policy
1 - Default Domain Policy
2 - MapVDrive

whoami /user
#REM - Gives me user SID

All appears to be working perfectly.  Curious as to why it wouldn't work if I put the MapVDrive GPO somewhere else other than the ROOT of the OU?

Regards,
EK
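The registry check the asker did by hand can be scripted so that each server reports which GPOs actually applied for a user. This is an added example, not part of the thread; it assumes it runs on the server being checked with rights to read HKLM, and that the GPO is named "MapVDrive". Note the real key name contains a space ("Group Policy").

```powershell
# Added example (not from the thread): read the per-user GPO history that the
# Group Policy engine records under HKLM, for the SID given or for the caller.
# Assumptions: local admin rights on the server; the value names DisplayName,
# GPOName, Link and FileSysPath are those written by the GP engine.
function Get-AppliedUserGpo {
    param(
        # Defaults to the SID of the user running the script (same as whoami /user).
        [string]$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )
    $base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\$Sid\GPO-List"
    if (-not (Test-Path $base)) {
        throw "No GPO history for SID $Sid on this machine (user never logged on here, or not a domain user)."
    }
    Get-ChildItem $base |
        Sort-Object { [int]$_.PSChildName } |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Index       = [int]$_.PSChildName
                DisplayName = $p.DisplayName
                GpoGuid     = $p.GPOName     # GUID of a domain GPO ("Local Group Policy" for local)
                LinkedAt    = $p.Link        # LDAP path of the link the GPO came from
                SysvolPath  = $p.FileSysPath
            }
        }
}

# Usage: compare what actually applied with what security filtering intended.
$applied = Get-AppliedUserGpo
$applied | Format-Table -AutoSize

if ($applied.DisplayName -contains 'MapVDrive') {   # assumed GPO name
    'MapVDrive applied for this user on this computer.'
} else {
    'MapVDrive did NOT apply here: check security filtering, loopback mode and OU links.'
}
```

`gpresult /r /scope:user` shows the same applied list and additionally the GPOs that were denied and why (security filtering, WMI filter, disabled), which is the quicker first check when a mapping is missing.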
Where did you link the GPO?
At the OU?
If at OU level, are the computer and user account you added with security filtering part of the OU?
What happened here is the user must be part of the OU and the computer is not.
As a result the GPO is applied to the user only, and that is what is required.
However, if the computer is also part of the same OU, then all users who log on to that particular computer should get the GPO.
This isn't working as expected.

GPO is at ROOT of OU and the filter is:
authenticated users
Server1
Server2

Server1 and Server2 are in an OU named Finance
The V: Drive mapping is working correctly

However, other servers are also getting the GPO applied like our SQL server.
SQL01 is in an OU named COMPUTERS which is a sub-OU off the ROOT.
I would do it the way I suggested in my previous comment
Hi Shaun,

We couldn't quite figure out how to do ILT and did the security filtering, which obviously didn't work.  The GPO is Enforced and we were poking around in Delegation but can't figure out how to do the following:

User is Authenticated Users
AND
is connected to one of the following servers
Server1
Server2

So ONLY authenticated users on Server1 & Server2 will have the GPO applied.  It won't be applied on any other server or PC.
When you keep the Authenticated Users group on the security filtering tab, it defeats the purpose.
The Authenticated Users group contains all user and computer accounts in the OU and sub-OUs, and then the policy applies to all computers in the OU.
Hence remove the Authenticated Users group from security filtering and keep only Server1 & Server2.
We found an article online how to apply ILT and believe we did it successfully.  

Appreciate your help.

Will confirm once it's applied in production that it's working correctly.

Thanks,
EK
When you keep the Authenticated Users group on the security filtering tab, it defeats the purpose.
The Authenticated Users group contains all user and computer accounts in the OU and sub-OUs, and then the policy applies to all computers in the OU.
Hence remove the Authenticated Users group from security filtering and keep only Server1 & Server2.
This is not correct. You edit the GPO and remove apply policy permission from Authenticated Users. You do not remove it.

Anyways, when using ILT you do not need to change any permissions. You simply use ILT rules such as "Computer name is", "User name is", "User is part of group" etc.
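Item-level targeting on a GPP drive map is stored as a `<Filters>` block inside the GPO's Drives.xml in SYSVOL, which makes it auditable: the script below (an added example, not from the thread) renders the filter as a readable expression and simulates it for a few logons, covering the asker's rule "user is in the group AND computer is Server1 or Server2". The element and attribute names (FilterComputer, FilterGroup, FilterUser, FilterCollection with bool/not/name) follow my reading of the GPP targeting format, the sample XML is constructed and trimmed of the clsid/uid attributes a real file carries, and the domain CONTOSO, server and user names are assumptions.

```powershell
# Added example (not from the thread): audit GPP item-level targeting by
# reading a Drives.xml and evaluating its <Filters> tree.
# Real file location (GUID is a placeholder):
#   \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\User\Preferences\Drives\Drives.xml
# Constructed sample, trimmed of clsid/uid attributes:
$SampleDrivesXml = @'
<Drives>
  <Drive name="V:">
    <Properties action="U" path="\\fileserver\sharename" letter="V" useLetter="1"/>
    <Filters>
      <FilterCollection bool="AND" not="0">
        <FilterComputer bool="AND" not="0" type="NETBIOS" name="SERVER1"/>
        <FilterComputer bool="OR"  not="0" type="NETBIOS" name="SERVER2"/>
      </FilterCollection>
      <FilterGroup bool="AND" not="0" name="CONTOSO\Finance-Users" userContext="1"/>
    </Filters>
  </Drive>
</Drives>
'@

# Evaluate a <Filters> or <FilterCollection> node. As I understand the GPP
# engine, items combine left to right: each item's own "bool" says how it joins
# the running result (the first item's bool is ignored), and not="1" negates it.
function Test-IltFilters {
    param([System.Xml.XmlElement]$Node, [hashtable]$Ctx)
    $result = $null
    foreach ($f in ($Node.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] })) {
        $v = switch ($f.LocalName) {
            'FilterComputer'   { $Ctx.Computer -ieq $f.name }
            'FilterUser'       { $Ctx.User -ieq $f.name }
            'FilterGroup'      { $Ctx.Groups -icontains $f.name }
            'FilterCollection' { Test-IltFilters -Node $f -Ctx $Ctx }
            default            { throw "Unsupported filter type $($f.LocalName)" }
        }
        if ($f.not -eq '1') { $v = -not $v }
        if ($null -eq $result)    { $result = $v }
        elseif ($f.bool -eq 'OR') { $result = $result -or $v }
        else                      { $result = $result -and $v }
    }
    return [bool]$result
}

# Render the same tree as text so a reviewer can read the rule at a glance.
function Format-IltFilters {
    param([System.Xml.XmlElement]$Node)
    $out = @()
    foreach ($f in ($Node.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] })) {
        if ($f.LocalName -eq 'FilterCollection') {
            $txt = '(' + (Format-IltFilters -Node $f) + ')'
        } else {
            $txt = "$($f.LocalName -replace '^Filter','') is '$($f.name)'"
        }
        if ($f.not -eq '1')  { $txt = "NOT $txt" }
        if ($out.Count -gt 0) { $txt = "$($f.bool) $txt" }
        $out += $txt
    }
    return ($out -join ' ')
}

[xml]$doc = $SampleDrivesXml
foreach ($drive in $doc.Drives.Drive) {
    "Drive $($drive.name) -> $($drive.Properties.path)"
    "  applies when: " + (Format-IltFilters -Node $drive.Filters)

    # Constructed logons mirroring the thread: Tom (in the group) on a server,
    # Tom on his Windows 7 PC, Ken (not in the group) on a server.
    $cases = @(
        @{ User = 'CONTOSO\tom'; Computer = 'SERVER1'; Groups = @('CONTOSO\Domain Users', 'CONTOSO\Finance-Users') }
        @{ User = 'CONTOSO\tom'; Computer = 'W7PC001'; Groups = @('CONTOSO\Domain Users', 'CONTOSO\Finance-Users') }
        @{ User = 'CONTOSO\ken'; Computer = 'SERVER2'; Groups = @('CONTOSO\Domain Users') }
    )
    foreach ($c in $cases) {
        $hit = Test-IltFilters -Node $drive.Filters -Ctx $c
        "  {0,-12} on {1,-8}: {2}" -f $c.User, $c.Computer, $(if ($hit) { 'MAPPED' } else { 'skipped' })
    }
}
```

With the sample rule only the first case maps the drive: the collection makes "Server1 OR Server2" one term, so Tom on W7PC001 fails the computer test and Ken on SERVER2 fails the group test. Because the rule lives in the item rather than in the GPO's ACL, no permission change on Authenticated Users is needed, which is the point made above.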
That is one way to remove the "Apply Group Policy" permission, but removing the Authenticated Users group itself will achieve the same result and is pretty straightforward and self-explanatory.

Further, this permission method would be helpful when you have added a group to apply the policy but you don't want to apply the GPO to a specific group member; in that case you would add the user to the list and remove his Apply Group Policy permission from the Advanced tab.
ASKER CERTIFIED SOLUTION
Shaun Vermaak
This solution is only available to members.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Shaun Vermaak (https:#a42709625)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

FireRunt
Experts-Exchange Cleanup Volunteer