Apply Registry or ADM to Group Policy for Login to Specific Servers

Solution 1:

You're saying that you have user settings that you want to apply to users only when they logon to certain computers? Sounds difficult, eh? It's not difficult at all. It sounds like a job for loopback group policy processing!

Assume the following:

 [Domain] mydomain.com.org.net.local
  |
  |--[OU] Special Computers
  |   |
  |   |-- [Computer] COMPUTER 1
  |   |
  |   |-- [Computer] COMPUTER 2
  |   ...
  |
  |--[OU] User Accounts
      |
      |--[User] Bob
      |
      |--[User] Alice
      ...

You would like to apply a user setting (such as running a logon script, or applying other types of GPO user settings) for all users who logon to computers in the "Special Computers" OU. When they logon to computers located in other OUs, though, you do not want these special settings to apply.

Create and link a GPO to the "Special Computers" OU. Specify in that GPO all the user-related settings you want to apply.

("But wait, Evan! The user's account objects aren't in the 'Special Computers' OU!" Yes. I know that. Stay w/ me here. Most AD admins I've met don't understand loopback policy processing and get scared. I've seen horrible hacks like creating secondary user accounts for users to logon with when using "special computers", etc... >shudder<)

In the GPO you created, go into the COMPUTER "Administrative Templates", "System", "Group Policy", and locate the setting "User Group Policy loopback processing mode". Enable this setting. In the "Mode" box, choose "Replace" if you want all the user's "normal" group policy settings to be ignored and only the user policy settings in this new GPO to apply. Choose "Merge" if you want the user settings in the GPO to apply after all their normal user settings have applied.

My opinion is that this is a lot cleaner than "hacks" involving "If computer == blah" in logon scripts.


My advice to you would be to do what you're doing with Group Policy Preference (GPP) registry settings, rather than with a logon script. It will apply one time, leaving default settings in the users' registry, but the user will be able to change the settings freely in the future without having them "smashed" each time they logon.

If these are Windows Server 2008 machines, like your tag says, then there's really no excuse not to use GPP registry settings. Have a look at the articles below for some more details. This is a really nice feature of W2K8, and something you should be taking advantage of.

http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en

http://blogs.technet.com/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
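When loopback processing is in play, the first thing to verify on a troubled machine is which mode (if any) actually reached it. The following PowerShell snippet is an added example, not code from the answer above: it reads the registry value that the "User Group Policy loopback processing mode" setting writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\System, value UserPolicyMode, 1 = Merge, 2 = Replace) and reports it. It assumes it is run on the target computer (locally or via Invoke-Command) with rights to read HKLM policy keys.

```powershell
# Added example (not from the original answer): report how this computer will
# process user GPO settings, by reading the value written by the
# "User Group Policy loopback processing mode" policy setting.
# Assumption: run on the target computer with rights to read HKLM policies.

function Get-LoopbackProcessingMode {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

    # Missing key or missing value both mean "not configured"; suppress the
    # non-terminating error Get-ItemProperty raises in that case.
    $item = Get-ItemProperty -Path $policyKey -Name 'UserPolicyMode' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Mode     = 'Not configured (normal user policy processing)'
            RawValue = $null
        }
    }

    $mode = switch ($item.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { "Unknown ($($item.UserPolicyMode))" }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Mode     = $mode
        RawValue = $item.UserPolicyMode
    }
}

Get-LoopbackProcessingMode | Format-Table -AutoSize
```

After a `gpupdate /force`, `gpresult /r` (or `gpresult /h report.html` for a full report) shows which GPOs were applied under both the computer and user sections, which is the quickest way to confirm that the user settings from the computer-linked GPO really took effect.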

Solution 2:

You need to decide which route you want to go down - ADM or Registry.

You can set custom registry settings through GPO. Edit the GPO, then browse to this section:

Computer Config -- Policies -- Windows Settings -- Security Settings -- Registry

Whatever combination of keys you define in here will be applied to the machines in that OU.

Furthermore, you should change the Scope filtering of the GPO to apply to the objects in AD you're interested in. It may have defaulted to Authenticated Users. If that's right, then leave it. I suspect you will need to change it though so it applies to Domain Computers. Don't fret, it will only apply to the domain computers in that OU, and all sub OUs.

EDIT:

Edited to provide how-to for batch file registry importing and Login Scripts in GPO.

So, first you're going to need to create a batch file that will import the registry keys you want.

  • Create a batch file, and give it any name you like, eg import_reg_keys.bat

  • Edit the batch file, and in its most basic form, use the following command(s):

    reg.exe add HKCU\blah\blah\blah /v MyNewSetting /t REG_SZ /d 1 /f

Replace the blah\blah\blah with the subkey you're interested in, replace MyNewSetting with the value, replace REG_SZ with the type of value (REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_BINARY, REG_NONE), and replace the 1 with whatever data you want in your new reg value.

  • Save the batch file, and copy it to the domain NETLOGON share (\\yourdomain.loc\netlogon) - you will need Domain Admin rights to do this.

  • Edit the GPO you already created, and navigate to User Config -- Policies -- Windows Settings -- Scripts

  • Double click the LOGON item on the right, click ADD, click BROWSE, in the address bar at the top enter \\mydomain.loc\netlogon and press enter, then select your batch file from the list

  • Click Open, click OK, click OK, close the GPO editor

  • Go back to the GPO Management MMC, double click your new GPO, and then on the right select the SCOPE tab.

  • Where it says Filtering at the bottom, ensure that you only have Domain Computers (yourdomain\Domain Computers) and Authenticated Users. If you want to lock this down even further in the future, this is how you filter who or what must apply this policy.

  • Buy me a beer

The nice thing about having the batch file in the netlogon share (as opposed to setting it directly in a GPO) is that it's much quicker to edit.

PS. Move the servers in question to that OU (should be a sub-OU of your Member Servers OU)

Solution 3:

Here's an alternative method:

Do you already have a login script for your users? (Defined in the User object in AD under Profile). If you do, then add these lines to that script:

if "%computername%"=="MyServer001" reg.exe add HKCU\blah\blah\blah /v MyNewSetting /t REG_SZ /d 1 /f

if "%computername%"=="MyServer002" reg.exe add HKCU\blah\blah\blah /v MyNewSetting /t REG_SZ /d 1 /f

Add as many of these lines for each server that needs this key when the user logs in. This way, each time a user logs in, the script will look at the machine name they are logging into, and only apply the registry change if that machine matches one of the listed ones. If they log into their own workstation, the machine name will not be in the list, and it won't get the key.
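The per-server `if "%computername%"==...` lines above grow one line per server and rewrite the value on every logon. As an added example (not code from any of the answers), the PowerShell logon script below does the same job with a single list of server names and lets you choose between the two behaviours discussed on this page: enforce the value at every logon (as the batch lines do) or write it only once and leave the user's later changes alone (the "apply once" behaviour of a GPP registry item). The server names, subkey path and value are placeholders to replace; it assumes the script is assigned as a PowerShell logon script under User Configuration -> Policies -> Windows Settings -> Scripts (the PowerShell Scripts tab, available from Windows 7 / Server 2008 R2 on).

```powershell
# Added example (not from the original answers): apply an HKCU value only
# when the user signs in to one of the listed servers.
# Placeholders: replace the server names, the subkey path and the value data.

$TargetComputers = @('MYSERVER001', 'MYSERVER002')      # placeholder server names
$KeyPath         = 'HKCU:\Software\ExampleVendor\App'   # placeholder subkey
$ValueName       = 'MyNewSetting'
$ValueData       = '1'
$ValueType       = 'String'                             # REG_SZ; use 'DWord' for REG_DWORD

# $true  = write once and respect later user changes (GPP "apply once" style)
# $false = re-apply at every logon (same behaviour as the reg.exe lines above)
$ApplyOnce = $true

# Logons to any computer not in the list (e.g. the user's own workstation)
# do nothing. -notcontains is case-insensitive, so name casing does not matter.
if ($TargetComputers -notcontains $env:COMPUTERNAME) {
    return
}

# reg.exe add creates missing subkeys implicitly; New-ItemProperty does not,
# so create the path first.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

$existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue

if ($ApplyOnce -and $null -ne $existing) {
    # Value already present: leave whatever the user has set since.
    return
}

if ($null -ne $existing -and $existing.$ValueName -eq $ValueData) {
    # Already at the wanted data; nothing to write.
    return
}

# -Force overwrites an existing value of the same name.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType $ValueType `
    -Value $ValueData -Force | Out-Null
```

Keeping the script in the NETLOGON share, as the second answer suggests, still applies: the GPO only references the file, so adding a server means editing one line of the list rather than touching the GPO. Because logon scripts run in the user's own context, the script can only write to HKCU and to locations the user already has rights to, which is exactly the scope these answers are after.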