Linking GPO to specific machines and users

  • Linking GPO to specific machines and users

    I've created a GPO that redirects folders, but I only want it to apply to certain workstations and not all workstations. On top of that, I want it to apply to only some users (which I've added to a group) who log on to those workstations and not all users who log on to those workstations.

    Basically, the 1st criteria is computer, then users.

    I don't know how to set this up via Group Policy Management since I'm not entirely clear on how GPOs, OUs, and user Groups interact.

    Server 2003 R2

  • #2
    Re: Linking GPO to specific machines and users

    So you only want to redirect certain users' folders (members of that group you created) and on top of that, only when they log into certain computers? Hmmm... unless I'm mistaken you could create a GPO using loopback processing and then only grant the rights to apply that GPO to the specific user group.

    Loopback processing applies the User Config portion of a GPO that is applied to a computer, and applies it to the user that logs in. So maybe that wouldn't work after all since the GPO is really applied first to the computer object. I'm not familiar enough with loopback processing to be certain.

    You might be able to hack something using WMI filtering. My head hurts thinking about this.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/


    • #3
      Re: Linking GPO to specific machines and users

      Nonapeptide, thanks for leading me in the right direction.

      I did not know that User Configurations don't apply when linked to OUs containing computers and Computer Configurations don't apply when linked to OUs containing Users. This Loopback Processing seems the way to link Comps and User Settings and Users with Comp Settings.

      Thanks
      Last edited by HotDay2222; 7th March 2010, 18:36. Reason: editing wrong info


      • #4
        Re: Linking GPO to specific machines and users

        After struggling to understand how Group Policy Objects, Users, Computers, Organizational Units, Loopback Processing all interrelate and now making sense of it all, I want to follow up on my own question.

        Group Policy Objects ("GPO") have 2 categories - Computer Settings and User Settings. Computer Settings will apply only to computer objects and User Settings will apply only to user objects. This means that if you have an Organizational Unit ("OU") that contains only computers and you link a GPO to this OU, then only the computer settings of the linked GPO will apply to that OU; the user settings will not. For example, if in the linked GPO the setting "Add Logoff to Start Menu" is enabled, it will not have an effect because it is a User Setting. However, if a setting such as "Remove Windows Installer" is enabled, then that setting will have an effect on everyone who logs on to the machines that the OU contains.

        I. The issue with GPOs is that the type of setting (user setting vs machine setting) has to match the criteria of the setting (user objects vs machine objects).
        A) For example, if I want the Computer Setting "Remove Windows Installer" (type: computer setting) to be applied to Machine Laptop (criteria: machine object), then it is easy to do because all I need to do is create an OU, drop Machine Laptop in that OU, and link the GPO. Whoever logs on to Machine Laptop, or any other machine in the OU, will have Windows Installer removed.
        B) Likewise, if I want to enable "Add Logoff to Start Menu" (type: user setting) for User John Smith (criteria: user object), it is also easy to do. Take user John Smith, place him in an OU, then link the GPO to the OU. Mr. Smith will have the Logoff Button added to his Start Menu regardless of the computer on which he logs on.
        A1) However, what happens if in scenario A I want "Remove Windows Installer" (type: computer setting) to be applied, not to Machine Laptop (criteria: machine object) as in the scenario above, but to user John Smith (criteria: user object)? Placing John Smith in an OU and linking the GPO to that OU will not work because the type and criteria do not match.
        B1) What if in scenario B, I want to enable "Add Logoff to Start Menu" (type: user setting), not for John Smith (criteria: user object), but for anyone who logs on to Machine Laptop (criteria: machine object)? Again, just like in A1, it won't work because criteria and type do not match. However, there is an easy solution to this one - Loopback Policy. Enabling Loopback Policy Processing in the same GPO allows User Settings to be applied to Machine Objects, so anyone who logs on to Machine Laptop will get the Logoff Button in the Start Menu.

        This is why I like User Settings, because admins have more flexibility on how to apply them.
        C1) If you have user settings and want to apply them to certain users, simply link the GPO to the OU containing the users.
        C2) If you have user settings and want to apply them to certain machines, simply link the GPO to the OU containing the machines and turn on Loopback Policy Processing in the GPO.
        D1) If you have a computer setting and want to apply it to certain machine objects, simply link the GPO to the OU containing the machines.
        D2) If you have a computer setting and want to apply it to certain user objects (as in example A1), then tough luck! ***I'm not aware of any GPO workaround to this***

        I hope this helps.

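The original question (user settings for one group of users, only on chosen workstations) combines case C2 above with the security filtering suggested in reply #2. The script below is an added example, not code from any poster in this thread. It assumes a management host with the GroupPolicy PowerShell module; the OU path, group name and GPO names are placeholders. Loopback is put in its own GPO so that narrowing the Apply right on the folder redirection GPO does not stop the workstations from receiving the loopback setting.

```powershell
# Added example. Every name below is a placeholder (assumption), not a value from the thread.
Import-Module GroupPolicy

$ComputerOU  = 'OU=RedirectWorkstations,DC=example,DC=com'  # OU holding only the chosen workstations
$UserGroup   = 'FolderRedirectUsers'                        # group of users who should be redirected
$RedirectGpo = 'Folder Redirection'                         # existing GPO carrying the user settings
$LoopbackGpo = 'Loopback - Redirect Workstations'           # new GPO, computer settings only

# 1. Computer-side GPO: enable loopback processing for machines in the OU.
#    UserPolicyMode 1 = Merge (user's own GPOs still apply), 2 = Replace.
New-GPO -Name $LoopbackGpo | Out-Null
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $LoopbackGpo -Target $ComputerOU -LinkEnabled Yes | Out-Null

# 2. Link the user-settings GPO to the same computer OU. With loopback on,
#    its User Configuration is evaluated for anyone logging on to those machines.
New-GPLink -Name $RedirectGpo -Target $ComputerOU -LinkEnabled Yes | Out-Null

# 3. Security filtering: only the chosen group may apply the GPO.
#    Authenticated Users is downgraded to Read rather than removed, so the
#    workstations' computer accounts can still read the GPO while processing it.
Set-GPPermission -Name $RedirectGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $RedirectGpo -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Review the resulting ACL: expect GpoApply for $UserGroup and
#    GpoRead for Authenticated Users.
Get-GPPermission -Name $RedirectGpo -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission
```

Running `gpresult /r` as a test user on one workstation inside the OU and one outside it confirms that both the computer and the group condition take effect.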


        • #5
          Re: Linking GPO to specific machines and users

          Wow, way to update a long dormant thread. Thanks!
          Wesley David
