Applying group policy based on machine...

Sean

OK, we are a school; we have two computer labs. I have set up an OU
for all of our Students, and I have set up an OU for computers with OUs
underneath it for the two labs, Lab1 and Lab2. It looks like this:

-------------------------
Domain
|
|-Students
|
|-Computers
| |
| |-Lab1
| |
| |-Lab2
| |
--------------------------

Now what I want to accomplish is to set up a standard basic GPO for
students, but then I want to have a GPO for the lab computers that
gives the user different access based on which lab they are in. If
they are in Lab1, they will not have access to local drives or My
Computer, while if they are in Lab2, they will have access to the
floppy and CD-ROM, but not the C: drive. I have the user GPO being
applied, but I can't seem to get GPOs applied for a user based on the
machine they are logged into. Where do I create the GPO for the
machines, what rights do I apply to it, etc.?

Any ideas would be GREATLY appreciated.

Steven L Umbach

Loopback processing could possibly work for you. Loopback processing is part of
"Computer Configuration", and when applied to a computer, the user policy in the OU
that the computer is located in will apply to users logging onto the computer in
either replace or merge mode. See the link below for more information. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;231287

Sean

I read your post and the link... it seems like that would only be used
in a situation where you want the policy for the computer object to be
applied to ALL users who use this computer. In our situation we only
want it applied to the students and not the teachers or other staff.
I did a gpresult for the computer in the Lab OU and this is what I
get:


----------------------------------------------------------------------------
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>gpresult /S PO01A

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/3/2004 at 5:35:14 PM


RSOP data for SCHOOL1\Administrator on PO01A : Logging Mode
-----------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Terminal Server Mode: Remote Administration
Site Name: Nevada
Roaming Profile:
Local Profile: C:\Documents and Settings\administrator.SCHOOL1
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=PO01A,OU=PLATO Lab,OU=Computers,OU=Nevada,DC=thisschools,DC=edu
Last time Group Policy was applied: 4/3/2004 at 5:33:01 PM
Group Policy was applied from: server1.thisschool.edu
Group Policy slow link threshold: 500 kbps
Domain Name: SCHOOL1
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

PLATO Lab GPO
Filtering: Not Applied (Empty)

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
PO01A$
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=thisschools,DC=edu
Last time Group Policy was applied: 4/3/2004 at 5:29:34 PM
Group Policy was applied from: server1.thisschool.edu
Group Policy slow link threshold: 500 kbps
Domain Name: SCHOOL1
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
Schema Admins
Domain Admins
Group Policy Creator Owners
Enterprise Admins
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

C:\Documents and Settings\Administrator>

----------------------------------------------------------------------------

The result, at least to me, is saying that the GPO is empty, yet it
isn't. Is this the reason that I am not seeing the GPO take effect,
because it hasn't been applied... and for what reasons would I get
this result?

Thanks for the help.

Steven L Umbach

I believe you can use loopback processing and "filter" it - in other words, for the
GPO in the OU where the computer resides you would give deny apply permissions to the
administrators and teachers. See the link below on GPOs and how to filter.

http://support.microsoft.com/default.aspx?scid=kb;en-us;322176

Your gpresult does indicate that the GPOs are empty for the associated user and computer
policy. Possibly the changes have not propagated yet. It helps to use secedit
/refreshpolicy user_policy /enforce on a domain controller after implementing changes
to user policy, and on an XP Pro machine you will probably have to log on a couple of
times before user policy will be propagated. You ran gpresult as the Administrator,
which exists in the default Users container, in which case user policy will only be
applied from the domain and local policies, assuming loopback processing has not been
enabled in the Plato OU. A user must be within the scope of influence of a user
configuration policy before policy will apply to them. So if you configure user
configuration in the Plato OU and loopback processing is not enabled, then the user
account that you want the policy to apply to must be in the Plato OU. --- Steve

Sean

Steven,

Thanks for the continued information. I did attempt to get
loopback processing working, and it does in fact have the computer GPO
applying; however, I don't seem to be able to filter the security
groups that I want. I have applied the Deny rights to the GPO for the
security groups that I don't want to have use the GPO, but when I run
gpresult for the user and computer, they still have the GPO in
question applied. Should gpresult not pick up on this right away? (I
did do a gpupdate on the server as well.)

Thanks.

Steven L Umbach

It should work. You might try adding an individual user to the deny rights to see if
that makes a difference, being sure not to use "domain local" groups as per the KB below.
I tested out filtering a GPO for a user that was applied via loopback processing,
while the user account existed in a different container, and it worked fine. See
the paste of my gpresult for that user below and note that I had two policies applied
via loopback processing to the OU that the computer was in [laptops] and I applied
deny permissions to one of them - Lap2-b for user "Steve", which is reflected in the
user settings of gpresult. Remember, on an XP machine it may take a couple of
logon/logoffs to reflect new user policy. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;[LN];309172


Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/3/2004 at 9:09:15 PM

RSOP results for UMBACH1\steve on STEVE-XP : Logging Mode
----------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: UMBACH1
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: D:\Documents and Settings\steve.UMBACH1
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=steve-xp,OU=laptops,DC=umbach1,DC=com
Last time Group Policy was applied: 4/3/2004 at 9:06:16 PM
Group Policy was applied from: server1-2000.umbach1.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Lap2
Lap2-b
Default Domain Policy
Domain Main 1
Local Group Policy

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
STEVE-XP$
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
CN=steve,CN=Users,DC=umbach1,DC=com
Last time Group Policy was applied: 4/3/2004 at 9:07:04 PM
Group Policy was applied from: server1-2000.umbach1.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Lap2
Default Domain Policy
Domain Main 1
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Lap2-b
Filtering: Denied (Security)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
Schema Admins
Domain Admins
Enterprise Admins
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

Sean

Thank you!! The loopback processing and deny apply works... this is
great! Thanks for all the info you have provided.

I have noticed that it definitely is tough to test the policies, given
that XP doesn't seem to refresh on every log on, even after
running gpupdate at the local machine.

One other quick question: gpresult, when it runs its query, is it
only really pulling the data from the last successful login of the
user & machine? Or is it mimicking the log in of the user & machine?
It seems to me it is the first, that it is pulling from the last
successful result, but I want to make sure.

Also, do you have any "best method" to ensure that a policy is being
refreshed in an XP Client / 2003 Server environment? My greatest
frustration seems to be the fact that testing is difficult because you
don't know for sure whether there is actually something wrong with the
policy, or that maybe the policy simply hasn't been refreshed yet.

Thanks again for everything!

Cheers,
Sean

Steven L Umbach

Glad you are making good progress. I am not sure about the gpresult testing, but I tend
to believe, as you do, that it is based on the last logon, unless policy has possibly
since refreshed in the background. You can change the behavior of the user
configuration not being applied right away if you want - maybe at least for testing
purposes. See the KB below for that option. That option is not available on a W2K
domain controller; however, you should be able to enable it for XP computers on a
domain/OU by managing the Group Policy from an XP domain computer. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;305293
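Putting the thread together (loopback from Steve's first reply, security filtering from his later replies, and the logon-refresh caveat from his last), here is an added example that is not from the thread or from Steve: a PowerShell script for a current domain with the GroupPolicy module (RSAT), since the Windows 2003-era tools in the thread had no PowerShell. The domain DN, OU paths, GPO names and the "Lab Students" group are assumed placeholders; where Steve used Deny on "Apply Group Policy" (which Set-GPPermission cannot write), the script uses the equivalent allow-list, so only the student group and the lab computers get Apply.

```powershell
# Added example, not code from the thread. Assumes the GroupPolicy module and a
# global (not domain local, per KB 309172) group "SCHOOL\Lab Students".
Import-Module GroupPolicy

$domainDn     = "DC=school,DC=local"        # assumed placeholder
$studentGroup = "SCHOOL\Lab Students"       # assumed placeholder
$computers    = "Domain Computers"          # lab PCs need Apply for the computer side

# NoViewOnDrive / NoDrives bitmask: A=1, B=2, C=4, D=8 ...; 0x3FFFFFF = A through Z.
$labs = @{
    "Lab1" = 0x3FFFFFF   # Lab1: no local drives at all
    "Lab2" = 0x4         # Lab2: block C: only; floppy (A:) and CD-ROM stay usable
}

function Set-LabLoopbackGpo {
    param([string]$Lab, [int]$DriveMask)

    $gpoName = "$Lab Loopback"
    $ou      = "OU=$Lab,OU=Computers,$domainDn"

    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

    # Computer Configuration: loopback in merge mode (1) so the student baseline
    # from the Students OU still applies and the lab settings are layered on top.
    # Replace mode (2) would discard the Students OU user policy entirely.
    Set-GPRegistryValue -Name $gpoName `
        -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" `
        -ValueName "UserPolicyMode" -Type DWord -Value 1 | Out-Null

    # Testing aid from the last post (KB 305293): wait for the network at logon so
    # a new user policy shows on the first logon rather than the second or third.
    Set-GPRegistryValue -Name $gpoName `
        -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" `
        -ValueName "SyncForegroundPolicy" -Type DWord -Value 1 | Out-Null

    # User Configuration (delivered through loopback): "Prevent access to drives
    # from My Computer" (NoViewOnDrive) and hide them in Explorer (NoDrives).
    $explorer = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    foreach ($value in "NoViewOnDrive", "NoDrives") {
        Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName $value `
            -Type DWord -Value $DriveMask | Out-Null
    }

    # Security filtering as an allow-list. Authenticated Users is reduced to Read
    # (everyone must still be able to read the GPO), the lab computers get Apply
    # for the computer side, and only students get Apply for the loopback user
    # side. Teachers and admins then show "Filtering: Denied (Security)" in
    # gpresult, exactly like Lap2-b in Steve's paste.
    Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $computers `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $studentGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Link the GPO to the lab's computer OU once.
    $linked = (Get-GPInheritance -Target $ou).GpoLinks.DisplayName
    if ($linked -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $ou | Out-Null
    }
    return $gpo
}

foreach ($lab in $labs.Keys) {
    Set-LabLoopbackGpo -Lab $lab -DriveMask $labs[$lab] | Out-Null
}
```

Verify on a lab PC after a fresh logon with `gpresult /r /scope:user`: the lab GPO should sit under "Applied Group Policy Objects" for a student and under "not applied because they were filtered out" with "Denied (Security)" for a teacher.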