# Trying to apply Group Policy to certain computers.



## ScottPon (Sep 23, 2011)

I'm followed these two threads but I haven't gotton it to work yet. Hopefully you can help:

Apply group policy to specific computers only

Apply Group policy to only certain users on certain computers

Background:
Server: Windows 2008 R2
Clients: Win2000, winXP, Win7
I also have 1 Win95 and 2 Win98 machines that run machines but this question isn't about them.

Originally I have my "Default Domain Policy" setting the Screensaver and password when activated from Screensaver. This worked but I discovered that some production computers need this turned off.

So I now have 2 groups of computers: Office Computers and Production computers. I would like to require the office computers to have a screensaver with password when woken. this should happen after 15 minutes. The Production computers need screensavers but don't really need the password when woken. Lets say 4 hours.

So following the instructions from the 2 links above:
1) Open AD Users and computers
2) Make an organizational unit "Office Computers Group". 
3) Assign a computer to the OU "Office Computers Group"; For test purposes, i'm using my computer.
5) Open Group Policy Manager. navigate to the OU.
6) Right click, select "Create a GPO in this domain and link it here", name = "Office_Computers_GPO", Source Starter GPO = "none"
7) Make my modifications to the GPO:
User Configuration->Policies->Admin Templates->Control Panel/Personalization:
Enable Screen Saver = Enabled
Password Protect the Screen Saver = Enabled
Number of Seconds to wait to enable Screen Saver: 900 (15 min)
8) restart the computer in the "Office_Computer_Group"

However, when I check my computer, the screensaver is not configure the way the GPO. When I do a "GPresult" it does not list "Office_Computers_GPO" as applied.

Am I missing something? What else should I be checking?

Thanks in advance


----------



## cluberti (Aug 26, 2010)

Well, probably because you're putting computer objects in an OU and then attempting to apply *user policies* to them (pay attention to where the policy lies in the tree - it will tell you if you need to apply it to *computer* objects, or to *user* objects; this is group policy processing 101 :wink.

The only way to apply a *user* policy to a user when logging onto a specific PC is to use loopback processing.


----------



## LitZ (Sep 22, 2011)

It would be far more effective to simply image the certain computers, which need to adjustment. Don't apply through GP.

I would always use a separate image when dealing with client from production!!

LitZ


----------



## cluberti (Aug 26, 2010)

Given it's a user-mode setting, re-imaging machines won't help if the user accounts don't exist and/or you want to manage it centrally (which is what group policy is for). You're hitting a square peg into a round hole doing it the way you recommend - will it work? Maybe. Is it a reasonable use of someone's time? No.


----------



## LitZ (Sep 22, 2011)

cluberti said:


> Given it's a user-mode setting, re-imaging machines won't help if the user accounts don't exist and/or you want to manage it centrally (which is what group policy is for). You're hitting a square peg into a round hole doing it the way you recommend - will it work? Maybe. Is it a reasonable use of someone's time? No.


It does take more time from the beginning; however, in the long run it has proven to me more effective (in my case) to have separate images.

I do not have the same workers on both production and office. For centralizing it we have a windows deployment server.

LitZ


----------



## ScottPon (Sep 23, 2011)

cluberti said:


> Well, probably because you're putting computer objects in an OU and then attempting to apply *user policies* to them (pay attention to where the policy lies in the tree - it will tell you if you need to apply it to *computer* objects, or to *user* objects; this is group policy processing 101 :wink.
> 
> The only way to apply a *user* policy to a user when logging onto a specific PC is to use loopback processing.



Cluberti, 

I see what you are telling me. I'm relatively new to GPO so yeah I should have gotten the whole computer vs user settings. I understand Domain Policy, but now that I'm tinkering with OUs, it's a new area so I'm unsure and learning.

Possible solution: divide up the user accounts: Production Users and Office Users (aka everyone else). Production Users will be given one GPO setting and the Office users will be given another GPO setting. 

Do you think that will do the trick?

Thanks.


----------



## cluberti (Aug 26, 2010)

That would be sufficient, yes - you can use security group filtering at that point to make that happen.


----------



## ScottPon (Sep 23, 2011)

Sorry I haven't gotten back. I got pulled into a higher priority project. I still plan on getting back to this. But at least I have a direction to go.

Any instructions on how to setup Security Group Filtering? Links appreciated. 

Thanks for all your help. Sorry again for being slow on responses...


----------



## cluberti (Aug 26, 2010)

You create groups containing the users you want the policy to apply to, and then you use group filtering (found when looking at the object in GPMC) to apply the policy to only those groups you want to apply it to (thus only hitting the users that are members of those groups).


----------

