Re: Applying user object policy (filtering based on computer location)

I wouldn't recommend to set deny since it will be harder for you to troubleshoot if that's neccessary...

--
Regards G Johansson
fantomen@xxxxxxxxxxxxxxx
http://GPfaq.se


"Mark Renoden [MSFT]" <markreno@xxxxxxxxxxxxxxxxxxxx> wrote in message news:7F640F1F-6392-4247-A606-1CEC21A39AB5@xxxxxxxxxxxxxxxx
Alternatively, leave "authenticated users" with read and apply group policy permissions and set deny on NY employees.

--
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@xxxxxxxxxxxxxxxxxxxx

Please note you'll need to strip ".online" from my email address to email me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message news:%233nCz$tEIHA.2004@xxxxxxxxxxxxxxxxxxxxxxx
The security group filtering of the loopback GPO must also
allow the computers. In your example, as only LA Employees
should have the GPO applied via loopback when logging into
the computers in NY Desktops OU, you could add the group
Domain Computers (in addition to LA Employees) to the GPO's
security group filtering. In that way, only the LA Employees
will have the loopback GPO applied when they log into any
of the machines in that OU. If one wanted a loopback GPO to
apply to any user logging into any machine in the OU then one
could just leave the security group filtering at its default of
Authenticated Users. If only a subset of the machines in the
OU should do this, then one would need to either make a new
subOU or define a security group for use in filtering whose
members are the machines that should apply the loopback GPO.

"jm" <jm@xxxxxxxxx> wrote in message news:O7kttCNEIHA.1056@xxxxxxxxxxxxxxxxxxxxxxx
Roger,
Thank you very much for your response - Not sure why I did not think of using Loopback mode.

Ok. So I have tried it but am running into some challenges.

I have a OU called "NY DESKTOPS" - I created a new policy and enabled Loopback processing mode (Merge). In the same policy, I enabled Active Desktop and set the path for the HTML page. I have this policy set to only apply to users from LA - i.e. LA Employees.
In the "NY DESKTOPS" OU there is another policy linked that applies to 'AUTHENTICATED USERS" This is the standard gpo for my NY desktops.
So in total, there are two gpo's linked to this OU.
So when I log into a computer (i'm in the LA employee group), i do not get the settings.... Any idea why?

Thanks again.


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message news:uD6Z0qGEIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
"jm" <jm@GMAIL> wrote in message news:53E28875-24FE-4EDF-B051-D15C6CCB140B@xxxxxxxxxxxxxxxx
Hello Everyone.

I am trying to set a standard desktop background for certain users. I have the part working....

What I can't see to get around is that I don't want this to happen to all my users. Just to users how are visiting from a different branch office. Do I need to use a WMI filter? If so, can anyone help me with Query design?

Basically, I do not want the policy to apply if IP Address begins with 172.22. -- make sense?


No, I cannot really follow your statements.

If you want certain user policies to apply for a specific set of
user accounts but only when they are logging onto a particular
set of computers, then you would use a GPO set for loopback
processing. Such a GPO is linked so that the set of computers
is within its scope, and the security group filtering needs to be
such that only those computers and only the users you desire to
impact have read/apply of the GPO.
Search on GPO loopback

Roger








.

Relevant Pages

  • Re: Complex GPO Configuration Issue
    ... I have read a lot of posts and articles on loopback processing and have used ... If you enforce a policy then it will override all other polices in the path ... to the user/computer unless another GPO closer to the user/computer is also ... What I'm getting for user configuration is ...
    (microsoft.public.windows.group_policy)
  • Re: Applying user object policy (filtering based on computer location)
    ... leave "authenticated users" with read and apply group policy permissions and set deny on NY employees. ... should have the GPO applied via loopback when logging into ...
    (microsoft.public.win2000.group_policy)
  • Re: Applying user object policy (filtering based on computer location)
    ... The security group filtering of the loopback GPO must also ... the computers in NY Desktops OU, ...
    (microsoft.public.win2000.group_policy)
  • Re: Mulitiple Loopback GPOs and one OU
    ... I tested what you've indicated..interesting...it reads from my first policy, ... that loopback is implemented and then it ends up applying the ... explicitly apply computer settings in a GPO via a security filter...they seem ... loopback policy is even read on the GPO that has an explicit Deny on it? ...
    (microsoft.public.windows.group_policy)
  • RE: Im falling my hairs with this domain gpo problem
    ... Where is the GPO linked? ... Do Authenticated users and Domain Computers have permissions to "Apply ... I'm having problem with a domain policy. ... only local security policy was showed in the gpresult log (for ...
    (Focus-Microsoft)