Applying a GPO to one user on one computer only

active-directorygroup-policy

I have a GPO that I need to apply to the user DOMAIN\DumbGuy, but only when he logs on to DOMAIN\DumbGuysComputer$. When DOMAIN\NiceReceptionist logs on to DOMAIN\DumbGuysComputer$ it should not apply. When DOMAIN\DumbGuy logs on to DOMAIN\ReceptionstsComputer$ it should not apply.

It needs to only only apply to one person on one computer.

If I apply the GPO to the User object, it will apply to all his computers. If I apply the GPO to the Computer object, it will apply to all users on that computer. If I apply it to both, it spreads even wider.

How can I apply a GPO to just one user on just one computer?

Best Answer

My suggestion is similar to inhabitant's..

Create a sub-OU just for that single computer, create a GPO in it and set it to loopback merge mode. Use security filtering on the GPO so that only DumbGuy have permissions to apply it. I don't see any reason for using two different GPO's.

Mucho importante! Don't filter the "read" rights from the authenticated users, as the group policy subsystem needs to read the GPO before it applies to the user

Related Solutions

Difference between Computer config and User config in GPO

Lets say I have two OU's one to store computer objects and the other to store User accounts. If I create a GPO in the "Computers" OU, and set user configurations, will they take effect?

No. I mean, unless you stored User account objects in the OU named Computers, which is weird...

User settings of a GPO will only affect user accounts that reside in the OU(s) that are in the scope of where that GPO is linked.

Computer settings will only affect computer accounts that reside in the OU(s) that are in the scope of where that GPO is linked.

You can turn off either the computer settings or user settings portion of a GPO if you wish to optimize GPO processing... but I don't see that practice often in the wild.

You could do something like:

Toronto (OU)
   |
   +- Users (OU)
   |
   +- Computers (OU)

At the Toronto OU, you could link a GPO that contains both user and computer settings that are meant to apply to all user and computer objects in Toronto. You could then link a GPO to the Users OU that contains only User settings, and another GPO to the Computers OU that contains only computer settings. (Of course the assumption is you store only user account objects in the Users OU, and only computer account objects in the Computers OU.)

That is of course only an example. There are a hundred other ways to design your group policy and OU layout.

Edit: Greg Askew brings up a good point, (thank you,) and that is that you might now want to know about Group Policy lookback processing. Simply stated by Microsoft:

You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to. ... This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used. For example, computers in public areas, in laboratories, and in classrooms.

GPO not applying to user

Have you double checked the Desktops GPO to see if Loopback Policy Processing is enabled? It sounds like it's enabled in Replace mode. If that's the case then the user settings in your IT GPO are being replaced by the user settings in your Desktop GPO.

Best Answer

Related Solutions

Difference between Computer config and User config in GPO

GPO not applying to user

Related Topic