Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

GPO for Only Computers

Status
Not open for further replies.
PU36

PU36

MIS
Mar 16, 2005
202
US
I have created a GPO titled, "IE_LockDown" and only want the settings to apply to a list of computers. It is NOT possible to put them in the same OU as they are scattered in differnt locations (logically and physically). Using ADUC I created a Security Group and put the computers in that group. Using GPMC I removed "Authenitated Users" and added the Security Group that I created.

I then links that GPO at the Domain Level. However, for some unknown reason, the policy doesn't apply to anyone/anything. When I run the GP Result under the GPMC it shows as being denied through "Security Filtering".

It WORKS if I add back the Authenitcated Users group. But I don't want it to apply to everyone...just the computers.

Any help would be great.

Thanks
 
Sort by date Sort by votes
The loopback is enabled on the GPO.

I have tried Replace adn Merge, neither work.
 
Upvote 0 Downvote
You may want to use Loopback feature. This how to may help,

group policy
How to Enable Group Policy Loopback · How to setup Folder Redirection · How to Setup TS Group Policy Objects for Windows 2003 and XP ...


Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
Upvote 0 Downvote
When I ReRun the GPREesult query on the User and Computer the "IE-Lockdown" GPO is being applied to the Comptuer but is being Denied under the user settings with the reason as "Inaccessible
 
Upvote 0 Downvote
If I give Authenitcated Users permissions, how do I tell it not to apply to all authenticated users and just to the computers.

Here is what I get when I change the GP Security Filtering on the GPO and run gpupdate /force then gpresult

First Attempt


"Computer Group" = Read/Apply GP
"Authentiated Users" = Read

Applied Group Policies - Computer
---------------------------------
IE_Lockdown

Denied Group Policies - User
----------------------------
IE_Lockdown - Filtered (Denied Security)


Second Attempt


"Computer Group" = Read/Apply GP
"Authentiated Users" = Read/Apply GP

Applied Group Policies - Computer
---------------------------------
IE_Lockdown

Applied Group Policies - User
----------------------------
IE_Lockdown


HOWEVER, this effects every single computer in the network. I just want it to apply to "Computer Group" list.

Third Attempt


"Computer Group" = Read/Apply GP
"Authentiated Users" = Removed From Security

Applied Group Policies - Computer
---------------------------------
IE_Lockdown

Denied Group Policies - User
----------------------------
IE_Lockdown - Filtered (Denied Security)


Fourth Attempt


"Computer Group" = Read/Apply GP
"Authentiated Users" = Read/Denied GP

Applied Group Policies - Computer
---------------------------------
IE_Lockdown

Denied Group Policies - User
----------------------------
IE_Lockdown - Filtered (Denied Security)


Any help is appreciated. Thanks
 
Upvote 0 Downvote
Right click on the policy and choose properties. From there you can assign read rights to the Authenticated Users. You can Uncheck the Apply for that group. this gives the users the ability to see the policy.

You need to be aware too that there are policies which are User policies and although you may want to apply them only to certain computers, those policies need to be applied to the users using those computers. It is for this reason the loopback will help you, but hte users have to be able to read the policy for it to be applied.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Upvote 0 Downvote
Ok here is what I currently have.

GPO - "IE_Lockdown"
Permissions:
"Computer Group" = Read & Apply GP
"Authenticated Users" = Read


When I log into a computer within the "Computer Group" and run the "gpupdate /force" and "gpresult" I get the following;


COMPUTER SETTINGS

APPLIED GROUP POLICY OBJECTS
----------------------------
Default Domain Policy
IE_Lockdown

The Computer is part of the following Security Groups
-----------------------------------------------------
Computer Group

USER SETTINGS

APPLIED GROUP POLICY OBJECTS
----------------------------
Default Domain Policy

The Following GPOs were NOT applied because they were filtered out.
----------------------------------------------------------------

IE_Lockdown
Filtering: Denied (Security)

The User is part of the following groups
----------------------------------------
Domain Users


Here is where it gets interesting (not that it isn't already) I can UNC to \\Domain\sysvol\domain\policies\{GUID} and read everything inside just fine. I can open up the GPT.ini and see the version number and Policy Name.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Abdullah Al Maruf
  • Locked
  • Question
Telnet help for
Replies
2
Views
768
gbaughma
gbaughma
ADB100
  • Locked
  • Question
Single Windows 7 Ultimate workstation not applying Registry, Drive Map or Printers GPO settings
Replies
1
Views
411
technome
technome
mangentle
  • Locked
  • Question
What are the key advantages of using Microsoft Windows Servers for businesses?
Replies
1
Views
1K
gbaughma
gbaughma
nukeinfer
  • Locked
  • Question
Internet restrictions for isolated PCs in the Network
Replies
1
Views
622
mangentle
mangentle
andyferris
  • Locked
  • Question
DC Event logs auditing cannot be set by GPO
Replies
1
Views
335
RRankin355
RRankin355

Part and Inventory Search

Sponsor

Back
Top