I apologize if this has been asked, but something isn’t clicking with me in regards to Group Policies and I tried to search through the forums.
Ultimately, I am trying to apply a computer group policy that has specific computer settings that I want to apply when a user logs in. I understand that this appears to need Loopback enabled, and I have done so. The snag I am hitting is that I can’t seem to get a policy to apply until I actually assign a computer to the policy under Security Filtering.
In a nutshell our domain is set up like this:
DOMAINNAME.COM
-Minnesota
-Staff
-Workstations
So based on the above setup (I hope it’s clear), I Linked my new policy to the Workstations OU.
I then put the target user in Security Filtering under User. I go to Delegation tab and change Authenticated Users to Have Read Access (but not apply). I then make sure that the specified user has Apply Group Policy Rights.
However, the policy never applies. It will only apply if I specify the Computer name under Security Filtering. Why is it applying as such?
More info: If I have 100 workstations under the Workstations group, I may want to apply this specific policy only to a certain few workstations when a specific user logs into it. I thought that applying the “User Group Policy loopback processing mode” and setting to Enabled would allow the policy to apply to any computer under the Workstations OU when a specific user logged in.
Am I missing a step possibly?
When I run a RSOP and specify a computer and user combo - the policy I am trying to apply shows under Computer Configuration Summary > Denied GPOs. It then shows Access Denied (Security Filtering) unless I put the full Computer name in the Security filtering.
mg36572 (mgarner101):
If applied to the top level OU of Minnesota what do you get?
Thank you for the response. That does work, but I want to make sure that no users will inherit the policy unless I specify them through a policy.
To complicate things (a little) our domain looks like this:
DOMAINNAME.COM
-Minnesota
-Staff
-Workstations
-Terminal Servers (BLOCK INHERITANCE CHECKED)
So, does this tell me that I am ok that it will only apply to a user that I specify through the Policy? Should I have maybe applied the policy to the “Users” OU instead of the computers OU?
Did you deny the Apply to authenticated users? A deny overrules any allow applied later to a user.
Why don't you just create a security group with the users you want it to apply to and assign that group to the GP instead of assigning read but not apply to authenticated users?
mg36572 (mgarner101):
I would create a group for the users you need to filter and remove authenticated users and apply the created group.
semicolon (semicolon):
Generally, authenticated users is the way to go; ‘Security Filtering’ should be looked at when necessary.
If you are using a loopback policy AND security filtering, the desired computers and all user accounts (to whom you want the settings to be loopbacked) must be added to the filter. If only user accounts are added, the computer accounts cannot read the policy to apply it; if only computer accounts are added, then the user accounts can't read it to merge or replace their settings.
You may need to either create a new OU to which you link this policy and in which the computers are stored (the GPO would be filtered to Authenticated Users in that case), or you need a security group (or groups) containing the computers you want and all the users.
You cannot apply computer settings based on what user logs in. Cannot to my knowledge anyway.
Loopback is to apply user settings assigned to the computer's GPOs whenever any user logs into that computer.
If you need to assign user settings when a user logs into a specific computer you can use WMI filters, but I don’t think that is what you are after.
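An added PowerShell example, not code posted by anyone in this thread, that implements what semicolon's and the loopback replies above describe: the computer group and the user group both get Read + Apply, Authenticated Users is demoted to Read only (no Deny ACE), loopback is switched on in the same GPO, and the resulting ACL is audited. The GPO name and the two security-group names are assumptions; the cmdlets are from the RSAT GroupPolicy module.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy RSAT module, a GPO
# named "Citrix Receiver Settings", and two hypothetical security groups:
# "GPO-CitrixReceiver-Computers" (computer accounts) and "GPO-CitrixReceiver-Users".
Import-Module GroupPolicy

$GpoName       = 'Citrix Receiver Settings'        # assumed GPO name
$ComputerGroup = 'GPO-CitrixReceiver-Computers'    # assumed group of computer accounts
$UserGroup     = 'GPO-CitrixReceiver-Users'        # assumed group of user accounts

# 1. Authenticated Users keeps Read but loses Apply. Do NOT use a Deny ACE:
#    an explicit Deny on Apply wins over the Allow granted to the groups below.
#    Read must stay: since MS16-072 (KB3163622) the computer account retrieves
#    user policy, so if it cannot read the GPO the user side is never evaluated.
#    -Replace is needed because GpoRead is a lower level than the existing GpoApply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 2. Both the computers AND the users need Read + Apply when loopback is in play:
#    the computer account passes the filter during computer policy processing, and
#    the user account must pass the same filter during the loopback pass.
#    GpoApply grants Read and Apply together.
foreach ($g in $ComputerGroup, $UserGroup) {
    Set-GPPermission -Name $GpoName -TargetName $g -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# 3. Enable loopback (Merge) in the same GPO. The policy value is
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode: 1 = Merge, 2 = Replace.
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 1 | Out-Null

# 4. Audit: who has Apply, whether any Deny ACE exists, whether Authenticated Users
#    can still read, and which loopback mode is set.
function Test-GpoFilter {
    param([Parameter(Mandatory)][string]$Name)
    $perms = Get-GPPermission -Name $Name -All
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    $deny  = $perms | Where-Object { $_.Denied }
    $authRead = $perms | Where-Object {
        $_.Trustee.Name -eq 'Authenticated Users' -and -not $_.Denied -and
        $_.Permission -in 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    }
    $loop = Get-GPRegistryValue -Name $Name -Key $LoopbackKey -ValueName 'UserPolicyMode' `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Gpo           = $Name
        ApplyTo       = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
        DenyAces      = ($deny  | ForEach-Object { $_.Trustee.Name }) -join ', '
        AuthUsersRead = [bool]$authRead
        LoopbackMode  = switch ($loop.Value) { 1 { 'Merge' } 2 { 'Replace' } default { 'Off' } }
    }
}

Test-GpoFilter -Name $GpoName
```

A healthy result for the scenario in this thread shows both groups under ApplyTo, an empty DenyAces column, AuthUsersRead set to True and LoopbackMode of Merge. A non-empty DenyAces column is the "deny overrules allow" case Brent9432 asks about; AuthUsersRead of False is the post-MS16-072 trap where a GPO silently stops applying to users.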
Brent9432, I don’t Deny the Apply policy, I just choose to uncheck it. Is that incorrect? When I uncheck the Apply Group Policy it then removes them from the Security Filtering, but appears to work otherwise.
I do have a group that I will apply these to. When I am ready to switch these users to the project I’m working on, I apply them to a specific group, so I will be targeting the group. For testing I am just using one individual user.
If I am understanding correctly, I can make sure that no user/computer gets these policies unless they are a member of the Group I created once I put that group into Security Filtering. Also, because I applied the Use User Group Policy Loopback mode this is applying specifically to this user if they log on to a computer which happens to be in a sub OU of Minnesota, for example.
That's all right, but it seems like the long way around to apply to auth users and then uncheck the apply when you could just leave auth users off and apply to the security group containing the users and computers you want it to apply to.
Auth users is great when you want to apply to everyone but not when you want to apply to a select group.
Also check which area you made the setting in, Computer or User settings. Sometimes you apply a computer setting for something you should be applying a user setting to.
lewisbrown (LewisBrown):
Are you wanting the same policy to apply to all users when logging onto these machines or not? If so, then I would put the computers into a Security Group and add that group to Security Filtering. Then create another group for specific users if you are wanting that as well. Hope this helps; ask for more info if needed.
I’m confused now. I thought I had it working, in fact I swear I did by applying it to the Minnesota OU. However, today it does not appear to be applying and shows Denied (Security Filtering) under Computer Policies.
The Policy I created only has settings contained under Computer Configuration. If I look on the Settings Tab, I see User Configuration (Enabled) and it says No Settings Defined.
The things I configured are all under Computer Configuration > Policies > Administrative Templates
When I run a RSOP, I see Denied GPOs under Computer Configuration and the policy is denied there. However, I expand User Configuration Summary and it shows under Applied GPOs?
Is this normal behavior?
I am attaching a copy of the policy settings in case that helps…
No, long story short I am moving users to a new version of Citrix. This requires a new version of Citrix Receiver to be installed, and then policies specific to that application have to be applied. As I move a user, I add them to a group, Citrix User. However, the new Citrix receiver is very tedious in how it operates so I’m trying to get it to:
Apply a policy setting to :
-enable pass through authentication
-Auto Start a Program (Citrix Receiver).
Most of the users do not have local admin rights, so If I could save the step of logging in as the local Admin account and applying these manually it’d save me time. Also, Citrix Receiver I want to auto pop up, and so far I can accomplish this by putting the Citrix Receiver application into the All Users Startup Folder…but that also has to be done in the Admin account.
RSOP runs as the user whose credentials are active on the command prompt. So… if the user account you launched the RSOP as does not get the GPO assigned to it then it will show as filtered out or denied.
You would be better off using group policy modeling in the group policy management tool.
As to the settings remember that computer settings are for computers and user settings are for user accounts. You have to ask yourself are the settings I am trying to make computer settings that apply to the computer regardless of who signs in or are they settings for the user account. This can vary with the application.
Your program-to-run-on-login exe is in the right place, but I can't speak to the Citrix items since that is a custom ADMX.
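An added PowerShell example (not from the thread) for the troubleshooting advice above: instead of reading rsop.msc under whatever account happened to launch it, pull the RSoP report for an explicit computer/user pair with the GroupPolicy module and list every GPO that was denied, with the reason. The computer and user names are constructed placeholders; the element names follow the standard RSoP XML report that Get-GPResultantSetOfPolicy and gpresult /x produce.

```powershell
# Added example (not from the thread). Needs the GroupPolicy RSAT module and
# admin rights on the target computer; the user must have logged on there at
# least once, because this is logging mode (what actually applied), not
# planning mode. Computer and user names below are constructed placeholders.
Import-Module GroupPolicy

function Get-DeniedGpo {
    param(
        [Parameter(Mandatory)][string]$Computer,           # e.g. 'DOMAINNAME\WS0123'
        [Parameter(Mandatory)][string]$User,               # e.g. 'DOMAINNAME\jdoe'
        [string]$Path = (Join-Path $env:TEMP 'rsop-check.xml')
    )

    Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $Path | Out-Null
    [xml]$rsop = Get-Content -Path $Path   # PowerShell's XML adapter ignores namespaces for dot access

    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in @($rsop.Rsop.$scope.GPO)) {
            if ($null -eq $gpo) { continue }
            $reason = @()
            # Same wording as the "Denied GPOs" node in rsop.msc / GPMC results
            if ($gpo.AccessDenied -eq 'true')   { $reason += 'Access Denied (Security Filtering)' }
            if ($gpo.FilterAllowed -eq 'false') { $reason += 'WMI Filter evaluated to false' }
            if ($gpo.Enabled -eq 'false')       { $reason += 'Link or GPO disabled' }
            if ($gpo.IsValid -eq 'false')       { $reason += 'GPO invalid or inaccessible' }
            if ($reason.Count -gt 0) {
                [pscustomobject]@{
                    Scope    = $scope -replace 'Results$', ''
                    Gpo      = $gpo.Name
                    Reason   = $reason -join '; '
                    Filtered = @($gpo.SecurityFilter) -join ', '   # trustees with Apply on that GPO
                }
            }
        }
    }
}

# Usage: one row per denied GPO, for either the computer or the user side.
Get-DeniedGpo -Computer 'DOMAINNAME\WS0123' -User 'DOMAINNAME\jdoe' | Format-Table -AutoSize
```

For the symptom described in this thread (the GPO listed under Computer Configuration > Denied GPOs with "Access Denied (Security Filtering)" while the User side shows it as applied), the Computer row's Filtered column is the thing to read: if it lists only user principals, the computer account has no Apply right and the computer settings will never land no matter what loopback mode is set.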
semicolon (semicolon):
I understand that you’re moving users over to the new Citrix one at a time; however, I’m also assuming that you cannot have different versions of the Citrix receiver on a computer at the same time.
Are your users hot-desking?
Are you trying to make it such that when a migrated user sits down at a computer with the old receiver, the new receiver is installed; but when an un-migrated user later sits down, the new receiver is uninstalled and the old Citrix receiver is re-installed? This is not achievable with Group Policy unless the Citrix application is a per-user installation and multiple users can have multiple versions of the software, in which case I don't understand why you would be looking at a computer configuration anyway.
If your users are not hot-desking, and you're not using any user configurations, let's make this simple and leave the users out of it. You have a computer config with a security filter for the group of computers with the new application. When the user is "migrated", move their computer account into the security group and restart. As it sounds like a temporary GPO, it's probably not appropriate to create a whole separate OU for the computers; a security filter would probably be more appropriate.
–
In any case, when proceeding further with testing, I’d copy your GPO to a new one and accept the “default GPO permissions.” Unlink the old GPO and link the new. It sounds like the permissions have been modified a bit, to be safe, I would just ensure you are back at the default before adding more/different security filters.
So I am actually attaching the Citrix through an .ADM instead of a .ADMX. I do that by going to Computer Configuration > Policies > RIGHT CLICK Administrative Templates > Add/Remove Template and browse to the template (on my local PC, not a network share). My understanding was that this added it to a place in the SYSVOL, similar to a ADMX, but not exactly the same.
I am also testing the RSOP through Group Policy Manager. That is where I get the results that show the Policy applied to the User Settings instead of Computer Configuration.
Also, no hot desking or anything like that. If the user switches, I put the new version of Receiver on their PC. However, I have multiple sites and most are setup with the OU’s the same as Minnesota shown at the top of this post. Researching the individual PC that each user logs in and tying it to a policy isn’t ideal in my opinion, I thought that applying the Loopback Policy would avoid me having to do that.
I want to basically target a User (or Group) and apply Computer Configuration Policies to that specific user when he/she logs onto a computer.
semicolon (semicolon):
ADM templates are only available on the server/workstation on which they’re “used”; they are not replicated, to the best of my recollection.
On any other computer running GPMC, I believe, they would just appear as “extra registry settings.”
semicolon (semicolon):
As stated previously, you cannot - through GP - configure or control computer settings/configs based upon the user who logs in. You must do the legwork in this case to determine the user’s workstation.
Loopback policy is precisely the opposite of what you are trying to achieve - controlling user settings based upon which computer is logged into.
semicolon (semicolon):
I’ll concede that it is entirely possible to leverage GP to run a login script or other process based upon a user’s group membership that makes the equivalent computer setting changes; but you run into issues with permissions, or exposing administrative credentials.
Your screenshot says it's an ADMX, but that's beside the point. I agree with Semicolon: start over with a new GPO that is un-messed-around-with. You'll spend less time starting over than trying to unscrew the old one.