Applying user object policy (filtering based on computer location)

J

jm

Hello Everyone.

I am trying to set a standard desktop background for certain users. I have
the part working....

What I can't see to get around is that I don't want this to happen to all my
users. Just to users how are visiting from a different branch office. Do I
need to use a WMI filter? If so, can anyone help me with Query design?

Basically, I do not want the policy to apply if IP Address begins with
172.22. -- make sense?

Thanks.
 
R

Roger Abell [MVP]

jm said:
Hello Everyone.

I am trying to set a standard desktop background for certain users. I have
the part working....

What I can't see to get around is that I don't want this to happen to all
my users. Just to users how are visiting from a different branch office.
Do I need to use a WMI filter? If so, can anyone help me with Query
design?

Basically, I do not want the policy to apply if IP Address begins with
172.22. -- make sense?
Click to expand...

No, I cannot really follow your statements.

If you want certain user policies to apply for a specific set of
user accounts but only when they are logging onto a particular
set of computers, then you would use a GPO set for loopback
processing. Such a GPO is linked so that the set of computers
is within its scope, and the security group filtering needs to be
such that only those computers and only the users you desire to
impact have read/apply of the GPO.
Search on GPO loopback

Roger
 
J

jm

Roger,
Thank you very much for your response - Not sure why I did not think of
using Loopback mode.

Ok. So I have tried it but am running into some challenges.

I have a OU called "NY DESKTOPS" - I created a new policy and enabled
Loopback processing mode (Merge). In the same policy, I enabled Active
Desktop and set the path for the HTML page. I have this policy set to only
apply to users from LA - i.e. LA Employees.
In the "NY DESKTOPS" OU there is another policy linked that applies to
'AUTHENTICATED USERS" This is the standard gpo for my NY desktops.
So in total, there are two gpo's linked to this OU.
So when I log into a computer (i'm in the LA employee group), i do not get
the settings.... Any idea why?

Thanks again.
 
R

Roger Abell [MVP]

The security group filtering of the loopback GPO must also
allow the computers. In your example, as only LA Employees
should have the GPO applied via loopback when logging into
the computers in NY Desktops OU, you could add the group
Domain Computers (in addition to LA Employees) to the GPO's
security group filtering. In that way, only the LA Employees
will have the loopback GPO applied when they log into any
of the machines in that OU. If one wanted a loopback GPO to
apply to any user logging into any machine in the OU then one
could just leave the security group filtering at its default of
Authenticated Users. If only a subset of the machines in the
OU should do this, then one would need to either make a new
subOU or define a security group for use in filtering whose
members are the machines that should apply the loopback GPO.
 
G

G Johansson

Instead of using Loopback you can always put your GPO on site-level (if your
sites are correctly setup of course).
 
M

Mark Renoden [MSFT]

Alternatively, leave "authenticated users" with read and apply group policy
permissions and set deny on NY employees.

--
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
G

G Johansson

I wouldn't recommend to set deny since it will be harder for you to
troubleshoot if that's neccessary...

--
Regards G Johansson
(e-mail address removed)
http://GPfaq.se


Mark Renoden said:
Alternatively, leave "authenticated users" with read and apply group
policy permissions and set deny on NY employees.

--
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.
Roger Abell said:
The security group filtering of the loopback GPO must also
allow the computers. In your example, as only LA Employees
should have the GPO applied via loopback when logging into
the computers in NY Desktops OU, you could add the group
Domain Computers (in addition to LA Employees) to the GPO's
security group filtering. In that way, only the LA Employees
will have the loopback GPO applied when they log into any
of the machines in that OU. If one wanted a loopback GPO to
apply to any user logging into any machine in the OU then one
could just leave the security group filtering at its default of
Authenticated Users. If only a subset of the machines in the
OU should do this, then one would need to either make a new
subOU or define a security group for use in filtering whose
members are the machines that should apply the loopback GPO.
Click to expand...
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Applying User Policy to specific computers... 1
Applying a group policy only when user logs into Terminal server 1
Applying GPO to a workstation group using Loopback not working 2
group policy,OU with group not applying 2
Computer policy vs. User policy 1
Block Group Policy Settings Based on Group Membership 9
GPO - User Configuration Does NOT Apply 3
Do Not Execute Group Policy for Admins Group 1

Top