Applying a GPO to one user on one computer only

Question

I have a GPO that I need to apply to the user DOMAIN\DumbGuy, but only when he logs on to DOMAIN\DumbGuysComputer$. When DOMAIN\NiceReceptionist logs on to DOMAIN\DumbGuysComputer$ it should not apply. When DOMAIN\DumbGuy logs on to DOMAIN\ReceptionstsComputer$ it should not apply.

It needs to only only apply to one person on one computer.

If I apply the GPO to the User object, it will apply to all his computers. If I apply the GPO to the Computer object, it will apply to all users on that computer. If I apply it to both, it spreads even wider.

How can I apply a GPO to just one user on just one computer?

Are these just user settings? – pauska Nov 15 '12 at 07:17 — pauska, Nov 15 '12 at 07:17
Yes, it's a logon script – Mark Henderson Nov 15 '12 at 07:37 — Mark Henderson, Nov 15 '12 at 07:37

score 12 · Accepted Answer · answered Nov 15 '12 at 09:42

12

My suggestion is similar to inhabitant's..

Create a sub-OU just for that single computer, create a GPO in it and set it to loopback merge mode. Use security filtering on the GPO so that only DumbGuy have permissions to apply it. I don't see any reason for using two different GPO's.

Mucho importante! Don't filter the "read" rights from the authenticated users, as the group policy subsystem needs to read the GPO before it applies to the user

answered Nov 15 '12 at 09:42

pauska

19,620
5
57
75

I've done this this morning and it worked well. Created a Sub-OU, put his computer in it, put the GPO on the OU and filtered it to his username. Perfecto. – Mark Henderson Nov 15 '12 at 20:37
+1 - Exactly how I'd do it, too. – Evan Anderson Nov 15 '12 at 21:07
1

P.S. Thanks for that last tip as well; I always forget that removing "Authenticated Users" from the security filtering removes their delegation permissions as well. – Mark Henderson Nov 18 '12 at 21:14

Volodymyr Molodets · Answer 2 · 2012-11-15T07:04:26.453

I would look at Group Policy Loopback Processing in conjunction with Security Filtering. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

This is an example of how it can be implemented.

Actually, how would I implement this:

Create two different GPO and assign them to DOMAIN\DumbGuysComputer$.

Configure first GPO with Loopback Processing set in Replace Mode and configure Security Filtering to apply only to DOMAIN\DumbGuy user.

Configure second GPO without Loopback Processing and configure Security Filtering to apply only to DOMAIN\NiceReceptionist users.

MDMarra · Answer 3 · 2012-11-15T20:37:49.110

5

I would probably just link the GPO to the OU that the user is in and use security filtering or WMI to make sure that it only applies to that one user, then wrap the whole script in a if($ENV:computername -eq whatever){} block.

edited Nov 15 '12 at 20:37

answered Nov 15 '12 at 12:49

MDMarra

100,734
32
197
329

This is very clever! Pauska's solution was a bit neater, but if I ever can't move the computer's OU I will do this. – Mark Henderson Nov 15 '12 at 20:37

Winter Faulk · Answer 4 · 2012-11-15T05:50:12.803

0

GPO apply to ether the user object, computer object or both objects in a OU and you can't make the GPO apply only to a computer object only if a certain user logs in to that computer or apply to a user object only if that user logs into a certain computer.

edited Nov 15 '12 at 05:50

answered Nov 15 '12 at 05:33

Winter Faulk

471
2
14

It would appear you can't do this with standard filtering, but there are workarounds for it – Mark Henderson Nov 15 '12 at 20:36

score 0 · Answer 5 · edited Feb 20 '15 at 19:31

0

I created a WMI filter that seems to work:

Select * from WIN32_OperatingSystem where NOT CSName="PCName"

You can test WMI queries in powershell using:

gwmi -Query 'Select * from WIN32_OperatingSystem...'

edited Feb 20 '15 at 19:31

ThoriumBR

5,302
2
24
34

answered Feb 20 '15 at 18:41

Mark

1

Applying a GPO to one user on one computer only

5 Answers5