Applying user object policy (filtering based on computer location)

  • Thread starter Thread starter jm
  • Start date Start date
J

jm

Hello Everyone.

I am trying to set a standard desktop background for certain users. I have
the part working....

What I can't see to get around is that I don't want this to happen to all my
users. Just to users how are visiting from a different branch office. Do I
need to use a WMI filter? If so, can anyone help me with Query design?

Basically, I do not want the policy to apply if IP Address begins with
172.22. -- make sense?

Thanks.
 
jm said:
Hello Everyone.

I am trying to set a standard desktop background for certain users. I have
the part working....

What I can't see to get around is that I don't want this to happen to all
my users. Just to users how are visiting from a different branch office.
Do I need to use a WMI filter? If so, can anyone help me with Query
design?

Basically, I do not want the policy to apply if IP Address begins with
172.22. -- make sense?
Click to expand...

No, I cannot really follow your statements.

If you want certain user policies to apply for a specific set of
user accounts but only when they are logging onto a particular
set of computers, then you would use a GPO set for loopback
processing. Such a GPO is linked so that the set of computers
is within its scope, and the security group filtering needs to be
such that only those computers and only the users you desire to
impact have read/apply of the GPO.
Search on GPO loopback

Roger
 
Roger,
Thank you very much for your response - Not sure why I did not think of
using Loopback mode.

Ok. So I have tried it but am running into some challenges.

I have a OU called "NY DESKTOPS" - I created a new policy and enabled
Loopback processing mode (Merge). In the same policy, I enabled Active
Desktop and set the path for the HTML page. I have this policy set to only
apply to users from LA - i.e. LA Employees.
In the "NY DESKTOPS" OU there is another policy linked that applies to
'AUTHENTICATED USERS" This is the standard gpo for my NY desktops.
So in total, there are two gpo's linked to this OU.
So when I log into a computer (i'm in the LA employee group), i do not get
the settings.... Any idea why?

Thanks again.
 
The security group filtering of the loopback GPO must also
allow the computers. In your example, as only LA Employees
should have the GPO applied via loopback when logging into
the computers in NY Desktops OU, you could add the group
Domain Computers (in addition to LA Employees) to the GPO's
security group filtering. In that way, only the LA Employees
will have the loopback GPO applied when they log into any
of the machines in that OU. If one wanted a loopback GPO to
apply to any user logging into any machine in the OU then one
could just leave the security group filtering at its default of
Authenticated Users. If only a subset of the machines in the
OU should do this, then one would need to either make a new
subOU or define a security group for use in filtering whose
members are the machines that should apply the loopback GPO.
 
Instead of using Loopback you can always put your GPO on site-level (if your
sites are correctly setup of course).
 
Alternatively, leave "authenticated users" with read and apply group policy
permissions and set deny on NY employees.

--
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
I wouldn't recommend to set deny since it will be harder for you to
troubleshoot if that's neccessary...

--
Regards G Johansson
(e-mail address removed)
http://GPfaq.se


Mark Renoden said:
Alternatively, leave "authenticated users" with read and apply group
policy permissions and set deny on NY employees.

--
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.
Roger Abell said:
The security group filtering of the loopback GPO must also
allow the computers. In your example, as only LA Employees
should have the GPO applied via loopback when logging into
the computers in NY Desktops OU, you could add the group
Domain Computers (in addition to LA Employees) to the GPO's
security group filtering. In that way, only the LA Employees
will have the loopback GPO applied when they log into any
of the machines in that OU. If one wanted a loopback GPO to
apply to any user logging into any machine in the OU then one
could just leave the security group filtering at its default of
Authenticated Users. If only a subset of the machines in the
OU should do this, then one would need to either make a new
subOU or define a security group for use in filtering whose
members are the machines that should apply the loopback GPO.
Click to expand...
Click to expand...
 
Back
Top