You're saying that you have user settings that you want to apply to users only when they logon to certain computers? Sounds difficult, eh? It's not difficult at all. It sounds like a job for loopback group policy processing!
Assume the following:
[Domain] mydomain.com.org.net.local
|
|--[OU] Special Computers
| |
| |-- [Computer] COMPUTER 1
| |
| |-- [Computer] COMPUTER 2
| ...
|
|--[OU] User Accounts
|
|--[User] Bob
|
|--[User] Alice
...
You would like to apply a user setting (such as running a logon script, or applying other types of GPO user settings) for all users who logon to computers in the "Special Computers" OU. When they logon to computers located in other OUs, though, you do not want these special settings to apply.
Create and link a GPO to the "Special Computers" OU. Specify in that GPO all the user-related settings you want to apply.
("But wait, Evan! The user's account objects aren't in the 'Special Computers' OU!" Yes. I know that. Stay w/ me here. Most AD admins I've met don't understand loopback policy processing and get scared. I've seen horrible hacks like creating secondary user accounts for users to logon with when using "special computers", etc... >shudder<)
In the GPO you created, go into the COMPUTER "Administrative Templates", "System", "Group Policy", and locate the setting "User Group Policy loopback processing mode". Enable this setting. In the "Mode" box, choose "Replace" if you want all the user's "normal" group policy settings to be ignored and only the user policy settings in this new GPO to apply. Choose "Merge" if you want the user settings in the GPO to apply after all their normal user settings have applied.
My opinion is that this is a lot cleaner than "hacks" involving "If computer == blah" in logon scripts.
My advice to you would be to do what you're doing with a Group Policy Preference (GPP)registry settings, rather than with a logon script. It will apply one time, leaving default settings in the users' registry, but the user will be able to change the settings freely in the future without having them "smashed" each time they logon.
If these are Windows Server 2008 machines, like your tag says, then there's really no excuse not to use GPP registry settings. Have a look at the articles below for some more details. This is a really nice feature of W2K8, and something you should be taking advantage of.
http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en
http://blogs.technet.com/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
In order to remove the Folder Redirection settings from a GPO properly, you need to:
- As mentioned by other people here, remove the
Documents and Settings
folder under \\domain\sysvol\Policies\{GPO GUID}\User
and the fdeploy.ini
and fdeploy1.ini
files contained within.
However, on its own, this will confuse the GPO Editor as it still thinks there's a Folder Redirection policy attached to the GPO. To solve this, you need to remove the association between the GPO and the Folder Redirection Group Policy Extensions (there are two, one which activates Folder Redirection editing in the GPO Editor, the other activates the actual Folder Redirection policy processing):
Open AD Users and Computers. Turn on Advanced Features
(View->Advanced Features)
. Navigate to System->Policies->{GPO GUID}
. Right click on {GPO GUID}
, choose Properties
. In the dialog that pops up, switch to Attribute Editor
. Scroll down to gPCUserExtensionNames
, and double click it.
This will pop up a dialog with a long text entry box, and a bunch of GUIDs. This attribute defines the list of GP Extensions associated with this GPO in the User context. Immediately above it you'll see the related attribute gPCMachineExtensionNames
which defines the associated GP extensions in the Machine context of the GPO.
Delete the following entry from gPCUserExtensionNames
: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}]
Note that associated GP Extensions are grouped by square brackets []
.
Do not touch any other entries in the attribute, or you will break other functionality in the GPO.
Click OK, and you're done.
If you're interested in what GP Extension is associated with each GUID, simply use regedit to search the registry for that GUID - e.g. try searching for 25537BA6-77A8
or 88E729D6-BDC1
.
Best Answer
For this problem regarding Windows Firewall settings...
It turned out that settings made in Windows Settings were messing with the ADM(X) templates.
Here, configuring Windows Firewall Properties for Private and Public Profile to Not configured removed everything else but
Software\Policies\Microsoft\WindowsFirewall\PolicyVersion
from the Extra Registry Settings. (Now, it's of course possible to set them as wanted from here, too.)This is good, as I checked the
windowsfirewall.admx
in all Administrative Templates through Windows Vista, Windows 7 and Windows 10; there weren't any settings for the Private and Public profile: just for the Domain Profile and Standard Profile. If I didn't find this solution, it would have required using the methods explained below.Removing Extra Registry Settings from Default Domain Policy in general
Easiest way to solve this would be to remove the GPO involved and re-create it with only the necessary settings. For Default Domain Policy this needs some extra steps:
Recreate the default Group Policy Object using Dcgpofix (for the domain only, not for DC):
Edit your policy manually to contain all the settings in the report.
Other way is to manually create a new Administrative Template containing settings for these registry keys;
.admx
files are XML and easy to edit with a text editor.In this case for Windows Firewall it would have been possible to edit the
windowsfirewall.admx
:Create two new categories. (I hard-coded the
displayName
s to avoid modifying any.adml
s.)Copy all (or just the required) child
policy
objects ofWF_Profile_Standard
.Replace contents as required:
Standard
withPublic
/Private
:<parentCategory ref="WF_Profile_Public" />
key="SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\...
displayName
s,explainText
s orpresentation
s as they are already the same for both of the existing categories.I'd recommend using this new template only temporarily & from a client computer having the Remote Server Administration Tools installed, instead using it directly on a DC. This way, it wouldn't cause the very problems you are trying to solve with it!