Applying a GPO to one user on one computer only

My suggestion is similar to inhabitant's.

Create a sub-OU just for that single computer, create a GPO in it and set it to loopback merge mode. Use security filtering on the GPO so that only DumbGuy has permissions to apply it. I don't see any reason for using two different GPOs.

Mucho importante! Don't filter the "read" rights from the authenticated users, as the group policy subsystem needs to read the GPO before it applies to the user.


I would look at Group Policy Loopback Processing in conjunction with Security Filtering. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

This is an example of how it can be implemented.

Actually, how would I implement this:

Create two different GPOs and assign them to DOMAIN\DumbGuysComputer$.

Configure first GPO with Loopback Processing set in Replace Mode and configure Security Filtering to apply only to DOMAIN\DumbGuy user.

Configure second GPO without Loopback Processing and configure Security Filtering to apply only to DOMAIN\NiceReceptionist users.
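The sub-OU plus loopback plus security-filtering design from the first answer, scripted with the GroupPolicy and ActiveDirectory RSAT modules, as an added example that is not part of any of the answers above. The GPO name, user, computer and OU path are placeholders; setting UserPolicyMode to 2 instead of 1 gives the Replace mode used in the second answer's first GPO.

```powershell
# Added example; assumes RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName      = 'Loopback - DumbGuy on DumbGuysComputer'   # placeholder GPO name
$TargetUser   = 'DumbGuy'                                  # placeholder user (from the question)
$ComputerName = 'DumbGuysComputer'                         # placeholder computer (from the question)
$ParentOU     = 'OU=Workstations,DC=example,DC=com'        # placeholder parent OU
$SubOuName    = 'LoopbackOnly'                             # placeholder sub-OU name

# 1. Create a sub-OU that holds only this one computer, and move the computer into it
$subOu    = New-ADOrganizationalUnit -Name $SubOuName -Path $ParentOU -PassThru
$computer = Get-ADComputer -Identity $ComputerName
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $subOu.DistinguishedName

# 2. Create the GPO and link it to that sub-OU only, so no other computer processes it
$gpo = New-GPO -Name $GpoName
New-GPLink -Name $GpoName -Target $subOu.DistinguishedName -LinkEnabled Yes | Out-Null

# 3. Enable loopback processing in the GPO's Computer Configuration.
#    UserPolicyMode: 1 = Merge (first answer), 2 = Replace (second answer)
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4. Security filtering: drop Apply from Authenticated Users but keep Read,
#    because the policy engine (and the computer account) must still read the GPO.
#    Only the target user receives Apply (which includes Read).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TargetUser -TargetType User `
    -PermissionLevel GpoApply | Out-Null

# 5. Verify the trap the first answer warns about: Authenticated Users must retain Read
$authUsers = Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group
if ($authUsers.Permission -notin @('GpoRead', 'GpoApply')) {
    throw "Authenticated Users lost Read on '$GpoName'; the user settings will never apply"
}
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

After a `gpupdate /force` on the computer, `gpresult /r /scope:user` run as DumbGuy should list the GPO under Applied Group Policy Objects, and a different user on the same machine should see it under Filtering: Denied (Security).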


I would probably just link the GPO to the OU that the user is in and use security filtering or WMI to make sure that it only applies to that one user, then wrap the whole script in an if($ENV:computername -eq whatever){} block.