Does GPO Security Filtering need to match ANY or ALL rules in the Filter

Tags: active-directory, group-policy, windows-server-2008-r2

my main question is this:

Is the security filtering for a GPO calculated using AND logic or with OR logic to apply the filters?

Here is the context of my situation for a background on why I am asking:

OU Structure:

-- Biz-Computers
---- Site1-Computers
---- Site2-Computers

-- Biz-Users
---- Management
---- Operations (GPO Applied here: "OperationsGPO")

I have the "OperationsGPO" applied to the "Biz-Users/Operations" OU

This GPO is a User based GPO but it only applies to a single group of users within the Operations OU, and I ONLY want to apply the GPO to the user if they are logging into a computer in "Site2-Computers" OU

Therefore I have added the required Operations users (not all of them) to a group "OpsUsers", added the Site2 computers to a group called "Site2Comps", and added those groups to the "Security Filtering" field of the GPO.

Since there are 2 groups defined in the Security filtering ("OpsUsers" and "Site2Comps") I am not clear on how they are applied — do BOTH parameters need to match (AND logic) or does ANY of the objects need to match (OR logic)?

Thanks!

Best Answer

ANSWER TO THE QUESTION: Logical 'OR' -- the GPO will apply if any of the Security Filters match.

SOLUTION TO SITUATION: Configure user Group Policy Loopback Processing Mode

  1. Create a COMPUTER group policy under the OU of the desired computer(s)
  2. Edit the new GPO and browse to:

    Computer Configuration/Administrative Templates/System/Group Policy

  3. Enable "Configure user Group Policy Loopback Processing Mode" and set it to "Merge"

  4. Add any USER policies you want to enable to this same COMPUTER policy (loopback makes this legal)

  5. Ensure the new GPO has security filters to validate the users you want, and the computer(s) you're applying to.

The loopback basically applies a "user" policy to a specific computer.
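The five steps of the accepted answer, as an added PowerShell example (this is not the answerer's code and not part of the original post): it uses the GroupPolicy RSAT module to create the computer-side GPO, link it to the Site2 computer OU, enable loopback in Merge mode, add a placeholder user setting, and set the security filtering so that only "OpsUsers" and "Site2Comps" get "Apply Group Policy". The domain name, the OU distinguished name, the GPO name and the placeholder screen-saver setting are assumptions; the two group names come from the question.

```powershell
# Added example, not from the original answer. Requires the GroupPolicy
# module (RSAT) and rights to create/link GPOs in the domain.
Import-Module GroupPolicy

$Domain    = 'corp.example'                                            # assumed
$TargetOU  = 'OU=Site2-Computers,OU=Biz-Computers,DC=corp,DC=example'  # assumed DN
$GpoName   = 'Site2-OpsUsers-Loopback'                                 # assumed name
$UserGroup = 'OpsUsers'                                                # from the question
$CompGroup = 'Site2Comps'                                              # from the question

# Step 1: create a COMPUTER-side GPO and link it to the computer OU.
New-GPO -Name $GpoName -Domain $Domain `
    -Comment 'User settings for OpsUsers, applied only on Site2 computers' | Out-Null
New-GPLink -Name $GpoName -Domain $Domain -Target $TargetOU -LinkEnabled Yes | Out-Null

# Steps 2-3: "Configure user Group Policy loopback processing mode" = Enabled, Merge.
# The ADMX setting writes UserPolicyMode under the System policy key:
# 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Step 4: put the USER settings into this same GPO. Placeholder (assumed):
# force the screen saver on. Replace with the settings from OperationsGPO.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveActive' -Type String -Value '1' | Out-Null

# Step 5: security filtering. Drop the default Apply right from
# Authenticated Users but keep Read (since MS16-072 the user part of a GPO is
# read in the computer's security context, so computers still need Read),
# then grant Read + Apply to the user group and the computer group.
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName $CompGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Check who can read and who can apply the GPO.
Get-GPPermission -Name $GpoName -Domain $Domain -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission |
    Format-Table -AutoSize
```

After a `gpupdate /force` on a Site2 computer, `gpresult /r /scope:user` run as an OpsUsers member should list the new GPO under applied user policies; the same user on a Site1 computer should not see it, and a non-OpsUsers user on a Site2 computer should see it filtered out by security. That is the AND the question asks for: the computer group gates the loopback GPO itself, and the user group gates its user settings.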