Applying group policy loopback to any user on specific computers

You'll need to create a new OU for those computers, then apply the GPO to that newly created OU.


There are five ways you can do this:

(OU Separating)

You can separate computers and users into different OUs and link a policy to the computers' OU. To use loopback policy, both user and computer must have read and apply permissions for the policy, so, if you separate them, you can easily set security to 'domain users' and 'domain computers' - the policy will be applied to all users who work on computers that are in the OUs the policy is linked to.

(Flag-File Trick)

Alternatively you can use a trick: add a 'flag-file' on the computers you need to apply the GPO to. You should create a user-only non-loopback policy that sets the screensaver and filter it with a WMI filter checking the existence of a local flag-file like "Select * From CIM_Datafile Where Name = 'C:\\Windows\\spc.screensaver.flag'". You should set security to Domain Users - read and apply. Second, you should make an additional policy for those computers that will create this file (this can be done easily, will not explain). This policy must not be loopback, and it must be computer-only. Security must be set to Special Screensaver Computers - read and apply.

(Common Startup Script - Registry editing)

Alternatively you can make a script that you put via policy into the common startup folder for computers from the Special Screensaver Computers group. When any user logs on to this computer, this script will execute under the user's rights and change some HKCU registry keys etc. So, again, this is not a loopback policy.

(Hardcode computer names in WMI filter)

Alternatively, you can hardcode computers' names in WMI filters. Oh God.

(Use Item-Level Targeting - Registry Editing)

Alternatively you can set up the screensaver with GPP (making a registry replace policy). This supports Item-Level Targeting and you can make a rule to apply the registry change only if 'Computer in security group Special Screensaver Computers' - in this case you should make a loopback policy with security set to Special Screensaver Computers and Domain Users - read, apply, and make a registry fix under user configuration with Item-Level Targeting enabled to check if the computer is in the suitable security group. Note that GPP is applicable to XP SP2\3 with KB943729 installed. Not sure if Item-Level Targeting is working on XP SP2.

(---)

Because you need to make this setting per-computer, and the policy must be applied to all users on these computers, you have to set security to Domain Users for this policy. And when a user logs on, it reads all policies that are assigned to the OU where the user is placed. Currently there are only three types of filtering supported by policies - OU separation (it usually butthurt), WMI filtering and Item-Level Targeting.
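
The computer-side half of the flag-file approach described above, as an added example that is not part of the original answers: a startup script that creates the marker, runs the same WQL query the WMI filter uses, and reports any principal outside the expected set that can modify the file. The function names and the trusted-SID list are assumptions made for this sketch; the path is the one from the answer's query.

```powershell
# Added example: computer startup script (runs as SYSTEM) for the computer-only policy.
$FlagPath = 'C:\Windows\spc.screensaver.flag'   # path from the answer's WMI filter

function New-FlagFile {
    param([string]$Path)
    # Create the marker only if it is missing, so repeated boots are harmless.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path | Out-Null
    }
}

function Test-FlagFilter {
    param([string]$Path)
    # WQL string literals need each backslash doubled, as in the answer's query.
    $wqlPath = $Path.Replace('\', '\\')
    $query   = "Select * From CIM_Datafile Where Name = '$wqlPath'"
    # Same query the GPO WMI filter evaluates (root\cimv2 is the default namespace).
    return [bool](Get-CimInstance -Query $query -ErrorAction Stop)
}

function Get-UnexpectedWriter {
    param([string]$Path)
    # Assumption: only these principals should be able to change the flag file.
    $trusted = @(
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
    )
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    # Ask for the ACEs keyed by SID so the check does not depend on localized names.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band $writeMask)) -ne 0 -and
            $trusted -notcontains $_.IdentityReference.Value
        }
}

New-FlagFile -Path $FlagPath
if (-not (Test-FlagFilter -Path $FlagPath)) {
    Write-Warning "WMI filter query does not match $FlagPath"
}
Get-UnexpectedWriter -Path $FlagPath | ForEach-Object {
    Write-Warning "$($_.IdentityReference.Value) can modify the flag file: $($_.FileSystemRights)"
}
```

Because the user-side policy applies wherever the file exists, the ACL check only covers the marker itself; the ability to create files in the parent directory is governed by that directory's own permissions.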