Applying group policy loopback to any user on specific computers

group-policy, windows 7, windows-server-2008-r2

In a Server 2008 R2 and Windows 7 environment, I have a GPO that specifies screen saver settings in the user settings policy for the entire domain. However, for specific computers, this is not ideal.

I created a separate GPO with higher precedence, enabled loopback with the replace setting, and specified the screensaver rules. In the security filter, there are only the specific computers the GPO should be applied to. However, as-is, this policy is never applied; gpresult /z indicates this under user settings for the GPO: "Filtering: Denied (Security)".

If I add "domain users" to the security filter, then the GPO is applied to all users in the domain, regardless of which computer they are using.

How can I apply the GPO to any user who logs into only specific computers?

Applying the GPO to OUs is not an option, unfortunately, since the computers are already sorted into various OUs for other things.

[edit]: In the security filter, I tried:

  • adding only the computer to the security filter; results in GPO denied under user settings.
  • adding the computer to the security filter, and adding "domain users" to the security filter; results in the loopback GPO being applied to all users, regardless of which computer is used.
  • adding the computer to a security group, adding that security group to the security filter; results in GPO denied under user settings.
  • adding the computer and "domain users" to the same security group, and adding that security group to the security filter; results in the loopback GPO being applied to all users, regardless of which computer is used.
  • adding the computer to a security group, adding that security group to the security filter, and adding "domain users" to the security filter; results in the loopback GPO being applied to all users, regardless of which computer is used.

What other options are there left to try?

Is there a way to specify whether the items in the security filter can be combined using "and" rather than "or"?

Best Answer

You'll need to create a new OU for those computers, then apply the GPO to that newly created OU.
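
One way to carry out the answer's approach with the ActiveDirectory and GroupPolicy modules, as an added example that is not part of the original answer. The OU names, GPO name and computer names are hypothetical placeholders, and the new OU is created as a child of an assumed existing OU so the computers keep inheriting the policies already linked above it.

```powershell
# Added example: placeholder names throughout; adjust to the environment.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = (Get-ADDomain).DistinguishedName
$ParentDN  = "OU=Workstations,$DomainDN"     # hypothetical OU the computers live in today
$OuName    = 'Screensaver Exceptions'        # hypothetical name for the new child OU
$OuDN      = "OU=$OuName,$ParentDN"
$GpoName   = 'Screensaver - Loopback'        # hypothetical name of the loopback GPO
$Computers = 'PC-LOBBY-01', 'PC-LOBBY-02'    # hypothetical computer account names

# Create the child OU only if it is not already there.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
                -SearchBase $ParentDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $ParentDN
}

# Move only the affected computer accounts; user accounts stay where they are.
foreach ($name in $Computers) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $OuDN
}

# Confirm loopback is set in the GPO (UserPolicyMode: 1 = merge, 2 = replace).
$loopback = Get-GPRegistryValue -Name $GpoName `
                -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                -ValueName 'UserPolicyMode'
if ($loopback.Value -ne 2) {
    Write-Warning "Loopback replace mode is not enabled in '$GpoName'."
}

# Scope now comes from the OU link, so the security filter can include all
# users again without the GPO reaching other computers.
Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoApply

# Link the GPO to the new OU only, then list what is linked there.
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes
(Get-GPInheritance -Target $OuDN).GpoLinks |
    Select-Object DisplayName, Enabled, Order
```

Remove any existing link of this GPO at the domain or a higher OU, otherwise it still applies there. After the computers restart and a user logs on, `gpresult /z` on one of them should list the GPO under user settings as applied rather than "Filtering: Denied (Security)".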