How to control which GPO runs USERS section depending on wha

[sweeneyt]

How to control which GPO runs the USERS section depending on what computer user logs into.


I have a need to create GPO for when users log into my Terminal Server and I want a more locked down desktop to protect that server. But when the users log into their own computer I don’t want that GPO Users section to run.

It seems like I can only have the User Object in one OU or the other.

Thanks for any tips. This one has me stumped!

[romath]

Seems to me that some ask that question here before, try doing a forum search for 'loopback'.

But in a nutshell, I think you would create an OU with your terminal server in it. Create and link a gpo to that OU with the user settings you want and make sure you turn on 'loopback processing' (either merge or replace mode depending on what you want for an end result).

You can also link any GPO to that OU with the machine settings you want to apply as well.

When the machine boots, it will get the machine settings. Then when the user logs in they will get their user settings, THEN the new GPO with your 'lock down' settings will run and apply those settings.

This way the new GPO won't apply to their own desktops, just to the server in that OU.

Hope that helps!

[sweeneyt]

I just got Jeremy's new book in the mail today and yes that is the right answer. Reference page 137.

Loopback, is a cool trick but funny name until you get the full explanation of how it works.

I am going to try to implement it this weekend. There was also a note how to restrict the GPO from applying to certain users or groups like administrators. Which is important as well.

Thanks.

[romath]

Let us know how it goes!