GPO Run these programs at user logon not taking effect

group-policy windows-server-2008-r2

When on our W2k8-R2 DC I create a new GPO and configure

"Computer Configuration/Policies/Windows Settings/Administrative Templates/System/Logon/run these programs at user logon"
to
"c:\windows\system32\notepad.exe" (just for testing) it won't take effect on Win 7 SP1, no matter what the Security Filtering options are.

It seems other settings (in the very same GPO) become active but "run these programs at user login" from the computer policies section doesn't. If I configure the very same setting in the section "user policies" instead and add "Authenticated Users" to Security Filtering, the program will be started. But that's not what I need.

I can reproduce the issue, here are the exact steps:

  • create a new group "group-a" for later security filtering
  • create a new GPO
  • set "Computer Configuration/Policies/Windows Settings/Administrative Templates/System/Logon/run these programs at user logon" to "c:\windows\system32\notepad.exe"
  • for setting the scope remove "authenticated users" from Security Filtering and add "group-a" instead
  • link the GPO to the domain root
  • make "test computer" a member of "group-a"
  • on "test computer" run "gpupdate /force", reboot, log in

Issue: notepad is not being started.

What I'm aiming for is obvious:
Depending on the membership of group-a I want to configure certain programs that should be started whenever a user logs in.

gpresult /R returns that it would be applying the GPO. (It actually is but the setting "run these programs at user login" is not being applied.)

For debugging I started MMC / RSoP on one of the machines on which the GPO should have been applied and found that "run these programs at user login" is not set (which seems to be the reason why the GPO won't work on the machines).

Searching the web I found similar reports on TechNet, but no solution was found and the user used a workaround instead.

If I change the GPO so that I use the very same setting in "user configuration" instead of "computer configuration", it works as long as I add "authenticated users" to the Security Filtering. But then the GPO is applied to all users and not only to the ones using computers which are members of group-a. According to "www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/" I should not remove "authenticated users" but alter the security setting instead. But under Win2k8 I cannot find the security setting "apply" for "authenticated users", so I cannot remove that setting; there's only "read" or "read and modify".

So two questions:
1. Why doesn't it work when using "computer settings"?
2. What about that Security Filtering with removing "authenticated users" and using group-a instead?

T.

Best Answer

I agree that loopback processing is the answer, but my understanding is it is a PER GPO setting so only the GPO in question applies that way.

I know in my environment that is how it works.

'This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used. For example, computers in public areas, in laboratories, and in classrooms.'

Same link as above.
https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy

Add this setting to your existing GPO.
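
To verify on the test computer whether the loopback setting recommended above and the "Run these programs at user logon" list actually arrived, the following added example (not part of the original question or answer) reads the registry locations those policies write to. The registry paths and the 1 = Merge / 2 = Replace mapping come from the policies' administrative template definitions, not from this page; the function names are hypothetical.

```powershell
# Added diagnostic example. Run on the client while logged on as the test user,
# after "gpupdate /force" and a reboot/logon cycle.

# Loopback processing mode is stored machine-wide (assumption: standard policy path).
$loopbackKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'
# "Run these programs at user logon" writes numbered values under this subkey,
# in HKLM for Computer Configuration and HKCU for User Configuration.
$runSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

function Get-LoopbackMode {
    $p = Get-ItemProperty -Path $loopbackKey -Name UserPolicyMode -ErrorAction SilentlyContinue
    if (-not $p) { return 'Not configured' }
    switch ($p.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { "Unknown ($($p.UserPolicyMode))" }
    }
}

function Get-RunPolicyEntry {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $path = "${Hive}:\$runSubKey"
    if (-not (Test-Path $path)) { return }   # policy never written to this hive
    $item = Get-Item -Path $path
    foreach ($name in $item.GetValueNames()) {
        New-Object PSObject -Property @{
            Hive    = $Hive
            Name    = $name
            Command = $item.GetValue($name)
        }
    }
}

"Loopback mode: $(Get-LoopbackMode)"
$entries = @(Get-RunPolicyEntry HKLM) + @(Get-RunPolicyEntry HKCU)
if ($entries.Count -eq 0) {
    'No "Run these programs at user logon" entries found in HKLM or HKCU'
} else {
    # Any command listed here is launched at logon, so review unexpected entries.
    $entries | Format-Table Hive, Name, Command -AutoSize
}
```

An empty result in both hives while `gpresult /R` lists the GPO as applied matches the symptom described in the question: the GPO is in scope but this particular setting was not written.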