Alternatively, leave "authenticated users" with read and apply group policy
permissions and set deny on NY employees.
--
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email:
(E-Mail Removed)
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Roger Abell [MVP]" <(E-Mail Removed)> wrote in message
news:%233nCz$(E-Mail Removed)...
> The security group filtering of the loopback GPO must also
> allow the computers. In your example, as only LA Employees
> should have the GPO applied via loopback when logging into
> the computers in NY Desktops OU, you could add the group
> Domain Computers (in addition to LA Employees) to the GPO's
> security group filtering. In that way, only the LA Employees
> will have the loopback GPO applied when they log into any
> of the machines in that OU. If one wanted a loopback GPO to
> apply to any user logging into any machine in the OU then one
> could just leave the security group filtering at its default of
> Authenticated Users. If only a subset of the machines in the
> OU should do this, then one would need to either make a new
> subOU or define a security group for use in filtering whose
> members are the machines that should apply the loopback GPO.
>
> "jm" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Roger,
>> Thank you very much for your response - Not sure why I did not think of
>> using Loopback mode.
>>
>> Ok. So I have tried it but am running into some challenges.
>>
>> I have a OU called "NY DESKTOPS" - I created a new policy and enabled
>> Loopback processing mode (Merge). In the same policy, I enabled Active
>> Desktop and set the path for the HTML page. I have this policy set to
>> only apply to users from LA - i.e. LA Employees.
>> In the "NY DESKTOPS" OU there is another policy linked that applies to
>> 'AUTHENTICATED USERS" This is the standard gpo for my NY desktops.
>> So in total, there are two gpo's linked to this OU.
>> So when I log into a computer (i'm in the LA employee group), i do not
>> get the settings.... Any idea why?
>>
>> Thanks again.
>>
>>
>> "Roger Abell [MVP]" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> "jm" <jm@GMAIL> wrote in message
>>> news:53E28875-24FE-4EDF-B051-(E-Mail Removed)...
>>>> Hello Everyone.
>>>>
>>>> I am trying to set a standard desktop background for certain users. I
>>>> have the part working....
>>>>
>>>> What I can't see to get around is that I don't want this to happen to
>>>> all my users. Just to users how are visiting from a different branch
>>>> office. Do I need to use a WMI filter? If so, can anyone help me with
>>>> Query design?
>>>>
>>>> Basically, I do not want the policy to apply if IP Address begins with
>>>> 172.22. -- make sense?
>>>>
>>>
>>> No, I cannot really follow your statements.
>>>
>>> If you want certain user policies to apply for a specific set of
>>> user accounts but only when they are logging onto a particular
>>> set of computers, then you would use a GPO set for loopback
>>> processing. Such a GPO is linked so that the set of computers
>>> is within its scope, and the security group filtering needs to be
>>> such that only those computers and only the users you desire to
>>> impact have read/apply of the GPO.
>>> Search on GPO loopback
>>>
>>> Roger
>>>
>>>
>>
>>
>
>
Similar Threads
