Apply group policy to specific users (in an OU) on specific computers (not in an OU)

Tags: folder-redirection, group-policy, groups, organizational-unit

This has been bugging me for a while. Here's the setup:

  • We have ~20 Win2k8r2 servers. They are separated into various OUs that I can't change. I have created a security group "DevHostsSG" that contains the computers where this policy should apply.
  • We have ~40 users. There's a specific OU "DevUsersOU" that contains a dozen users that I want to apply a policy to. I've also created a security group DevUsersSG that contains the same users.

I need a specific folder redirect GPO applied to only the users in the DevUsersOU and only on the servers in the DevHostsSG security group. The users in DevUsersOU should not have the redirect policy apply on any other servers, and no other users should have redirection when they log onto a server in the DevHostsSG security group.

My progress so far:

  • I have the loopback processing set so the redirection should apply
  • When I set the policy to the DevUsersOU and then add the DevHostsSG to security filtering (with read and apply) it doesn't work anywhere (which I'm assuming is because there aren't any computers in that OU..?)
  • When I set the policy to the domain and then use security filtering to include DevUsersSG and DevHostsSG, the policy applies even when DevUsers log into non-DevHosts
  • When I apply the group policy to only the DevHostsSG it doesn't seem to work at all (which makes me wonder if loopback processing isn't working)
  • When I create a security group that contains the specified users and computers it appears to apply to all hosts

At this point I'm running out of ideas and partly just guessing at stuff, and it seems to be getting worse. For some reason I have one host in the DevHostsSG where redirect is working, two hosts where it's not working, and one host that's not in the DevHostsSG where redirect is enabled. I've done several gpupdate /force along with logoffs and gpresult /R every time I make a change and I'm not really getting anywhere.

Any help would be greatly appreciated!

--- Further testing ---

In an attempt to simplify the situation, I've tried the following:

  • Cleared the groups in the security filters
  • Added one specific user to the security filter
  • Added one specific host to the security filter
  • Ran gpupdate on that host as that user: redirect enabled (OK)
  • Ran gpupdate on that host as another user: redirect not enabled (OK)
  • Ran gpupdate on another host as that user: redirect enabled (NOT OK)

  • Turning off loopback processing didn't make a difference

--- Responses ---

joequerty:

  1. Basically I've been running gpupdate on four hosts after each time I make a change in Group Policy Management: two hosts in the DevHostsSG group and two not in the group, and on each one I log in as a user in the DevUsersOU and as a user not in the OU.
  2. Needing a reboot sounds strange to me.. I'm just referring to the "members"/"member of" tab under AD properties (for example, in the DevHostsSG the members are DevHost1, DevHost2, etc)
  3. It would be great if the policy wasn't linked to the whole domain but I don't know what else to do
  4. That's the issue.. I can't seem to get the GPO security filter to do an "AND"; the security filters always do "OR" (i.e. DevUser1 OR DevHost1 rather than DevUser1 AND DevHost1)

The current configuration is back to bullet 1 above, which is to have the GP apply to the DevUsersOU with the security group set to the list of hosts where the GP should apply. I've rebooted one of the hosts since the last change and folder redirection is now no longer working (it was last time I checked yesterday). When I run a gpresult /R I don't see the GP listed at all under COMPUTER SETTINGS but I do see the following under USER SETTINGS:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Local Group Policy
        Filtering:  Not Applied (Empty)

    Default Domain Policy
        Filtering:  Not Applied (Empty)

    Folder Redirect
        Filtering:  Denied (Security)

I assume that this failed because I don't explicitly include the DevUsersSG either as a separate entry in the GP security filtering section or include them in the security group that the hosts are in, but from my tests it seems that if I do either of those, the GP applies to all hosts that those users log into… So I'm pretty much back where I started..

Best Answer

  1. Where did you run gpupdate? Loopback policy processing is a Computer Configuration setting, so in order for it to be applied to the servers in question those servers need to have Group Policy refreshed.

  2. A change to a computer account's group membership requires a reboot of that computer AFAIK.

  3. It's not recommended to use Loopback policy processing at the Domain level.

  4. If you must use it at the Domain level then make sure your security filtering has only the specific user and computer groups that you created.

I don't see any reason why Loopback policy processing in a GPO linked to the domain with the appropriate security filtering wouldn't work, but I've only ever used it on specific OUs, never at the domain level. That being said, I suspect your problem is with item number 2.
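The asker's point 4 (the security filter behaves as an OR, not an AND) and the answer's points 1 and 4 (loopback is a computer-side setting, and the filter should contain only the intended user and computer groups) are easiest to see by reading the GPO's ACL back and evaluating it for a user and a computer separately. The script below is an added example and is not code from the thread or from either participant. It assumes the RSAT GroupPolicy and ActiveDirectory modules, a GPO named 'Folder Redirect' (the name shown in the gpresult output above), and the group and host names from the question (DevUsersSG, DevHostsSG, DevUser1, OtherHost1) as placeholders; membership is resolved one level deep only, which is a simplification.

```powershell
# Added example, not from the thread. Reads the 'Apply Group Policy' ACEs of a
# GPO, reports its loopback mode, and checks a user and a computer against the
# ACL independently, which is how Group Policy evaluates the filter: any single
# matching Apply entry is enough, and the user and computer are never ANDed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID, matches every user and computer

function Get-GpoApplyTrustees {
    param([Parameter(Mandatory)][string]$GpoName)
    # Every non-denied ACE that grants 'Apply Group Policy'. Each entry stands on
    # its own; the effective filter is the OR of all of them.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        Select-Object -ExpandProperty Trustee
}

function Get-GpoLoopbackMode {
    param([Parameter(Mandatory)][string]$GpoName)
    # Loopback lives under Computer Configuration as the UserPolicyMode value;
    # it only takes effect on computers that process this GPO.
    try {
        $v = Get-GPRegistryValue -Name $GpoName `
                -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                -ValueName 'UserPolicyMode' -ErrorAction Stop
        switch ($v.Value) { 1 { 'Merge' } 2 { 'Replace' } default { "Unknown ($($v.Value))" } }
    } catch { 'Not configured in this GPO' }
}

function Test-GpoFilterMatch {
    param(
        [Parameter(Mandatory)]$Trustees,
        [Parameter(Mandatory)]$Principal     # ADUser or ADComputer object
    )
    # Direct group membership only (nested groups are not expanded here).
    $groupSids = Get-ADPrincipalGroupMembership -Identity $Principal |
                 ForEach-Object { $_.SID.Value }
    $mySids = @($Principal.SID.Value) + $groupSids
    $hits = foreach ($t in $Trustees) {
        $sid = $t.Sid.Value
        if ($sid -eq $AuthenticatedUsersSid -or $mySids -contains $sid) { $t.Name }
    }
    [pscustomobject]@{
        Principal = $Principal.SamAccountName
        Allowed   = [bool]$hits
        MatchedBy = ($hits -join ', ')
    }
}

# Usage with the placeholder names from the question.
$gpo      = 'Folder Redirect'
$trustees = Get-GpoApplyTrustees -GpoName $gpo
"Loopback mode in '$gpo': $(Get-GpoLoopbackMode -GpoName $gpo)"
"Principals granted Apply on '$gpo':"
$trustees | Select-Object Name, SidType

# A DevUsersOU user logging on to a server that is NOT in DevHostsSG.
$user     = Get-ADUser     -Identity 'DevUser1'
$computer = Get-ADComputer -Identity 'OtherHost1'
Test-GpoFilterMatch -Trustees $trustees -Principal $user
Test-GpoFilterMatch -Trustees $trustees -Principal $computer
```

Read the two result rows separately: if the user row is Allowed while the computer row is not, the user settings of a domain-linked GPO are still delivered to that user on that server, which is exactly the "applies on non-DevHosts" symptom in the question. The trustee listing also makes a leftover broad entry (such as Authenticated Users with Apply) visible, and the loopback line confirms whether the mode is set in the GPO at all, which is the computer-side setting the answer's point 1 refers to.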
