Apply a GPO to a single computer? Win2K8 R2


Posted on Tue May 14, 2013 2:05 pm

My brain hurts. Ok, so I can apply GPOs to individual users just fine. I can even apply them to security groups so I can hit entire departments. What I can't get working is applying a GPO to a single computer regardless of user.

This is for deploying printers. I got a computer named FRONTDESK with a printer attached to it and a rotating staff who handles that system. I think maybe it's because I have computers in a different OU than users and thus the users don't get the GPO? But it should be per-computer so that shouldn't matter, right? Here's the meat of what I have:

DOMAIN
 +WORKSTATIONS (OU)
 |  +FRONT (OU)
 |      +FRONTDESK (computer)
 |      +GPO for FRONTDESK linked to WORKSTATIONS (I've tried linking the computer and security group)
 +DEPARTMENTS (OU) (all the users and regular printer GPOs are linked in here)
 +SECURITY GROUPS
    +Security Group for FRONTDESK (of which only the computer FRONTDESK is a member)


I actually redid our GPO setup recently due to someone in one department wanting to float to another and I had most printer GPOs linked to sub-OUs within DEPARTMENTS. I ended up using Security Filtering to set up proper departmental SGs (which we already had and were using anyway) and individuals when needed.

For a per-computer setup, I don't know if it's appropriate to deploy a printer via COMPUTER CONFIGURATION or USER CONFIGURATION. I think COMPUTER but I've put it as a CREATE printer (Preferences, Control Panel Settings, Printers...) under both out of desperation. In theory the COMPUTER settings override USER ones, right? I've been "gpupdate /force"ing like crazy with no results.

I've looked at various "here's how you do it" things via the web and either I'm not getting it or I'm doing something wrong.
Last edited by Scrotos on Tue May 14, 2013 3:44 pm, edited 4 times in total.
Scrotos
Graphmaster Gerbil
 
Posts: 1043
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 3:03 pm

You can't apply GPOs to the Computers container (which is what I think you are doing, but I may be misinterpreting what you wrote).

What I have always done is created separate containers for computers and users. This isn't completely necessary, but it seems to make my life easier. I typically then break computers into OUs based on OS and then function (if necessary).

So I might do something like this if I were you:
1. Create an OU called Workstations. I have no idea how big your domain is, but it seems small. So this should be sufficient.
2. Link your FrontDesk GPO to the Workstations container (and unlink from other containers)
3. Move the FrontDesk computer to the Workstations container
4. This should be enough, unless you have filtered the FrontDesk GPO, in which case you'll need to make sure the filter is correct

If you are using groups for filtering it doesn't matter where the group object is, it just needs to be in the same domain, not the same container.

There are other ways to accomplish this, but I won't bore you with endless scenarios :).

As for computer vs user GPO, it depends. Since the users float in this scenario, and the settings stick based on the computer, Computer GPO seems most appropriate. If a user GPO and computer GPO conflict, btw, the computer GPO setting takes precedence.
mattshwink
Gerbil
 
Posts: 93
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 3:37 pm

I do it this way too.

Break the single Workstation into a new OU and apply that OU with links to the GPOs that it needed from the original OU, as well as your new policy.

I'd have to dig out my MCSE notes to remember how subcontainer GP hierarchy applies to GPOs but the easy, lazy way is to just stick a new OU at the same level in the tree as the computer's current OU.
I hear rig lists are all the rage, and I <3 the rage! Workstation = Black tower thing; HTPC = Shhhh!; Laptop - AMAZING FOLDING PC!
Chrispy_
Minister of Gerbil Affairs
Gold subscriber
 
 
Posts: 2178
Joined: Fri Apr 09, 2004 3:49 pm

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 3:41 pm

We already use a Workstations OU. I've updated my original post to use "Workstations" instead of "Computers". Poor choice of description on my part.

And actually I have most of the workstations in the WORKSTATIONS OU already and a sub OU called "FRONT" which has only one member, FRONTDESK.

I tried linking the GPO at the domain level, WORKSTATION OU, and FRONT OU, and no dice. Just setting it to Authenticated Users in the Security Filters should suffice, shouldn't it?

I am not aware of using filters. No idea how to do so. You mean WMI Filters? No, ain't got none o' those.

The worst part is that I already have a per-computer setting for some directory permissions that's already made and working! That guy ain't been here for a few years, though, so I'm on my own. I tried replicating the settings but no dice.
Last edited by Scrotos on Tue May 14, 2013 3:46 pm, edited 1 time in total.
Scrotos
Graphmaster Gerbil
 
Posts: 1043
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 3:46 pm

Chrispy_ wrote: I do it this way too.

Break the single Workstation into a new OU and apply that OU with links to the GPOs that it needed from the original OU, as well as your new policy.

I'd have to dig out my MCSE notes to remember how subcontainer GP hierarchy applies to GPOs but the easy, lazy way is to just stick a new OU at the same level in the tree as the computer's current OU.


Hierarchy is pretty easy, once you get used to it. These days they even show it to you in the GPMC (Click an OU then the Group Policy Inheritance tab). You can also use GPResult to see all GPOs and settings applied to specific objects (also shows things that were filtered out).

Hierarchy Rules:
1. Policies set to enforced (unless container is blocked, though no override gets through the block)
2. Policy in the OU the object is in (follows link order)
3. Descend from the object applying GPOs in order as you go. If a setting conflicts with a setting that has already been applied, discard it (since it will be lower precedence).
4. Computer policies supersede user policies if settings conflict
mattshwink
Gerbil
 
Posts: 93
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 3:48 pm

Aye, and I did check and this is precedence #1 for the printer policy I'm trying to apply to this OU. ARGH. I just checked and when it was working I think it was just applying it as a User policy to everyone in the domain when I had that GPO up there. It didn't seem to apply to everyone though, I tested for that? So who knows.
Scrotos
Graphmaster Gerbil
 
Posts: 1043
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 3:59 pm

Yes, Authenticated Users should suffice (that is the default). Alternatively you could leave it in the Workstations OU. Then create a group called FrontDesk and add the FrontDesk PC to it. Change Authenticated Users to FrontDesk. Then link the FrontDesk GPO to the Workstations OU (this would be a filtered GPO). Personally, I like the OU approach better, but either works.

So the FrontDesk OU has the FrontDesk PC and the FrontDesk GPO applies to the FrontDesk OU? That should work. Make sure you reboot the PC once it is moved to ensure the policy applies. Not all policies refresh even on a gpupdate /force.

If that doesn't work then logon to FrontDesk and run a gpresult /scope computer /r. That should give us general information about GPOs applying. If you don't see FrontDesk listed, that is the problem. If it is, then you can run gpresult /scope computer /v (may need to use /h <filename> to send to an html file for viewing if you have a lot of settings). This should show the settings applied from the GPO.

Just be sure the settings you are setting are under the Computer node in the GPO, otherwise they won't apply in this scenario.
mattshwink
Gerbil
 
Posts: 93
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA
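
The scope checks discussed in the replies above (where the GPO is linked, who the security filter lets apply it, whether the computer half is enabled and populated) can be scripted. This is an added example, not part of any post in the thread; it assumes the GroupPolicy and ActiveDirectory PowerShell modules are available, uses the computer and GPO names given in the thread, and `Test-ComputerGpoScope` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Needs the GroupPolicy and
# ActiveDirectory modules (RSAT or a domain controller).
Import-Module GroupPolicy, ActiveDirectory

function Test-ComputerGpoScope {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$GpoName
    )

    $gpo = Get-GPO -Name $GpoName
    # tokenGroups is a constructed attribute: the SIDs of every group,
    # nested ones included, that the computer account belongs to.
    $computer = Get-ADComputer -Identity $ComputerName -Properties tokenGroups

    # 1. Link check. GPOs link to sites, domains and OUs only, so a computer
    #    sitting in a plain container (CN=Computers) is evaluated against
    #    the domain root instead.
    $parentDn    = $computer.DistinguishedName -replace '^CN=[^,]+,', ''
    $inContainer = $parentDn -notmatch '^(OU|DC)='
    $target = if ($inContainer) { $parentDn -replace '^.*?(?=DC=)', '' }
              else { $parentDn }
    $link = (Get-GPInheritance -Target $target).InheritedGpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }

    # 2. Security filtering. The computer account itself needs Read and
    #    Apply Group Policy, directly, through a group, or through
    #    Authenticated Users (S-1-5-11), which tokenGroups does not list.
    $sids  = @($computer.SID.Value, 'S-1-5-11')
    $sids += $computer.tokenGroups | ForEach-Object { $_.Value }
    $acl   = Get-GPPermissions -Guid $gpo.Id -All
    $mine  = $acl | Where-Object { $sids -contains $_.Trustee.Sid.Value }
    $allow = $mine | Where-Object {
        $_.Permission -eq 'GpoApply' -and -not $_.Denied
    }
    $deny  = $mine | Where-Object { $_.Denied }

    # 3. The Computer Configuration half must be enabled and must have been
    #    saved at least once (a version of 0 means it holds no settings).
    $status      = $gpo.GpoStatus.ToString()
    $computerOff = @('ComputerSettingsDisabled',
                     'AllSettingsDisabled') -contains $status

    New-Object PSObject -Property @{
        Computer            = $computer.DistinguishedName
        InPlainContainer    = $inContainer
        LinkedInScope       = [bool]$link
        LinkEnabled         = [bool]($link | Where-Object { $_.Enabled })
        ApplyGrantedVia     = @($allow | ForEach-Object { $_.Trustee.Name })
        DeniedVia           = @($deny  | ForEach-Object { $_.Trustee.Name })
        GpoStatus           = $status
        ComputerHalfEnabled = -not $computerOff
        ComputerVersion     = $gpo.Computer.DSVersion
    }
}

# Names as given in the thread.
Test-ComputerGpoScope -ComputerName 'FRONTDESK' `
                      -GpoName 'Printers Front Desk' | Format-List
```

An empty `ApplyGrantedVia`, a non-empty `DeniedVia`, or a `ComputerVersion` of 0 each explains a GPO that is linked but produces no computer settings; after changing the computer's group membership it must restart before the new membership is in its token.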

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 5:00 pm

Mattshwink has this right.

You don't need a separate OU. Just remove Authenticated Users from the Policy and add in a Custom Global Group for this one user.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3598
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 5:29 pm

XP workstation, /r and /h don't work. I assumed /z for verbose. It's not a user, it's a computer. I have the users workin' fine. Annnndddd it's not listing the printer GPO anywhere being applied. I mean, I got this:

Applied Group Policy Objects
-----------------------------
Printers Front Desk
Power Users
Settings Universal Computer
Settings Services
Default Domain Policy

...but I don't see "Printers Front Desk" in any of the resulting applied settings. I'm actually not sure in what category the printer would show up.
Scrotos
Graphmaster Gerbil
 
Posts: 1043
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 8:48 pm

Hm, I'll chime in, but I think XP might be your limiting factor. I believe to have the GPO applied correctly on XP, you'll need to install the client-side extensions on the workstation. You ran gpresult on the workstation and it didn't show anything?

For WS2K8R2 deployed printers show up in the print manager and you deployed by per user or per computer?
Calm seas never made a skilled mariner.
drsauced
Graphmaster Gerbil
 
Posts: 1477
Joined: Mon Apr 21, 2003 1:38 pm
Location: Here!

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 8:58 pm

I am not a real admin and have no schooling at all; all my PC stuff is self taught and learned on the job.

With that being said, I have a few of these exact cases: computer with a printer attached to it and a rotating staff who handles that system.

In cases like this, I try not to make it any harder than it needs to be to get the job done.

I log in to the PC as a local admin, hard code the printer with IP if it doesn't have one already, and install it, and then whoever logs in with any credentials, on any of our domains, has the printer ready to go.

Not sure if it's the right way to do it, but it's worked fine for years, until the printer or PC die :)

Anyone else can still connect to that printer via the print server, but for that PC, each user doesn't have to install it; it's already there.
Dposcorp
Minister of Gerbil Affairs
Silver subscriber
 
 
Posts: 2419
Joined: Thu Dec 27, 2001 7:00 pm
Location: Detroit, Michigan

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Tue May 14, 2013 9:19 pm

Scrotos wrote: I got a computer named FRONTDESK with a printer attached to it and a rotating staff who handles that system.


I think this may be what we need more information on. What type of printer is it and how is it attached to the workstation? If you are attempting to get it to work for only the users on that system then Dposcorp looks to have the right fix. Install it locally as an admin and it should show up for everyone. If you want the rest of your company to be able to print to it then you will need to check the pathing of the GPO and make sure the sharing and printing permissions on the front desk computer allow other computers on your domain to print to it.
LaChupacabra
Gerbil First Class
Gold subscriber
 
 
Posts: 138
Joined: Tue Dec 30, 2008 10:59 pm

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 9:34 am

Dposcorp wrote: I log in to the PC as a local admin, hard code the printer with IP if it doesn't have one already, and install it, and then whoever logs in with any credentials, on any of our domains, has the printer ready to go.


That was my initial inclination but I figured, dangit, I'll try to do this right, know what I mean? I still have that as a fallback in case GPO defeats me.
Scrotos
Graphmaster Gerbil
 
Posts: 1043
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 9:51 am

XP!

OK, now I may understand what is going on.....drsauced made a good point, XP does not handle Group Policy Preferences (GPP) without some help.

GPPs are located under Computer Configuration|Preferences. If your setting(s) are under that node, then yes, we have to do more things to get it to work.

I have linked an MS blog post you can read for more details. The following conditions must be met for GPPs to process on XP:
1. XP SP2 or SP3
2. Installed XP CSE extensions
3. If IE7 or 8 is not installed, XMLlite must be installed.

This link provides where to get the CSEs and XMLlite: http://blogs.technet.com/b/grouppolicy/ ... llite.aspx
mattshwink
Gerbil
 
Posts: 93
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 9:54 am

drsauced wrote: Hm, I'll chime in, but I think XP might be your limiting factor. I believe to have the GPO applied correctly on XP, you'll need to install the client-side extensions on the workstation. You ran gpresult on the workstation and it didn't show anything?

For WS2K8R2 deployed printers show up in the print manager and you deployed by per user or per computer?


Client-side extensions are deployed on all XP workstations. SP3, IE8, fully patched XP workstations. They get the per-user GPOs just fine and all the other per-computer GPOs just fine. Just... not this printer one.

GPOs are being applied, it enumerates them like thus:

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  5


However, while it says "Printers Front Desk" is an applied group policy object, I don't see it listed under any of the Resultant Set Of Policies for Computer.

We never used Print Management to deploy any printers. Ergo, nothing's there when I look. It's all via GPO create printer policies. Are we doing this horribly wrong? We switched from Netware 6.5 to Win2K8 R2 because auditors couldn't find any tools that would show vulnerabilities in Netware and DANGIT they knew there had to be some but they couldn't write us up for them so just wrote us up repeatedly for our choice of server OS. Consequently, we had consultants set up this network initially. We've come to find out that they were idiots. So if this is doing something stupid and you want to throw a link with "hey you idiot RTFM" it wouldn't hurt my feelings!
Scrotos
Graphmaster Gerbil
 
Posts: 1043
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 10:02 am

We primarily deploy HP printers using the universal print driver 5.2. I'm thinking I need to update that. A new twist is that when logging into the AD servers I get a ton of "interactive screens" needing attention and it's all these @#$@$ printer properties boxes. I'm guessing it's trying to install drivers for redirected local printers over RDP or something. Why it's happening now, I dunno, but I changed GPO stuff so why not.

And I get printer isolation CPU usage high and crashing:

http://h30434.www3.hp.com/t5/Printer-Ne ... d-p/267766

I don't think it's related to why FRONTDESK isn't getting the GPO but it's yet another printer-related issue. Sigh.

The people logging into FRONTDESK get their user GPOs just fine so have access to departmental printers using a mix of HP, Savin/Ricoh, and Xerox drivers depending on their department. The front desk printer is an HP using the same universal driver so that driver's already loaded and working on the local machine.
Scrotos
Graphmaster Gerbil
 
Posts: 1043
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 10:07 am

Well, at least we see the GPO and client side extensions shouldn't be the issue.

As to how you should be doing it, I need to know what settings you are trying to use (though I don't necessarily care what they are set to)...

Can you post what setting(s) you are trying to set through the GPO?
mattshwink
Gerbil
 
Posts: 93
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 10:24 am

You are most likely getting the issues on the AD servers because you are using user GPPs and they are applying on logon.

There are two ways to fix that:
Easy Way:
If you use separate accounts for your admin user accounts (and you should) then simply move these users to a different OU so the GPP doesn't apply (in fact, these users shouldn't need many user GPO settings at all, unless they are security related). You could also use security filtering and deny them access.

"Hard" Way
In group policy preferences you can use item level targeting (Common tab on the GPP setting) to specify users or computers to target. Using this you could exclude your admin users (if you have them) or you can specify specific users or computers to apply the GPP to. In this way when you log on to a server the GPP should not be applied.
mattshwink
Gerbil
 
Posts: 93
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 10:33 am

So if this is doing something stupid and you want to throw a link with "hey you idiot RTFM" it wouldn't hurt my feelings!


GPO is a topic that sees many hours of classroom lecture. Hence the difficulty within this topic. This is not a good topic for forums due to too many competing voices. It's not a good topic due to complexities. It's not a good topic as you're tackling something worth hundreds of dollars of billable time. There are too many links/resources to even pull the RTFM gag you mention above.

Mattshwink is making a commendable effort and may get you across the finish line. Dposcorp probably has the more cost and time solution for everyone. Not to appear a complete ass, I am willing to help, but I'd rather discuss this on Ventrilo than in text.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3598
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 10:40 am

mattshwink wrote: You are most likely getting the issues on the AD servers because you are using user GPPs and they are applying on logon.

There are two ways to fix that:
Easy Way:
If you use separate accounts for your admin user accounts (and you should) then simply move these users to a different OU so the GPP doesn't apply (in fact, these users shouldn't need many user GPO settings at all, unless they are security related). You could also use security filtering and deny them access.

"Hard" Way
In group policy preferences you can use item level targeting (Common tab on the GPP setting) to specify users or computers to target. Using this you could exclude your admin users (if you have them) or you can specify specific users or computers to apply the GPP to. In this way when you log on to a server the GPP should not be applied.


We do have separate admin logins but when I RDP over to AD from a Win7 box on my normal login, it tries to install all 24 printers my normal admin has. I'm the only one set up like that because I inherited the "printer admin" job and figured I'd like to have access to all of them. Wheee!

The admin logins used to have individuals set up for one or two printers, i.e. in Security Filtering they were specifically named. The only change I did was to use the "admin logins" security group instead of explicitly having our users listed. I figured there was no functional change.

Here's the relevant settings:
Printers Front Desk

Computer Configuration (Enabled)
  Preferences
    Control Panel Settings
      Printers
        Local Printer (Name: Front Desk Printer)
          Front Desk Printer (Order: 1)
            General
              Action: Create
            Properties
              Name: Front Desk Printer
              Port: LPT1:
              Shared printer path: \\SERVER\p2055dn-front
              Location: Front Desk
            Common
              Options
                Stop processing items on this extension if an error occurs on this item: No
                Remove this item when it is no longer applied: No
                Apply once and do not reapply: No

User Configuration (Enabled)
  No settings defined.
Scrotos
Graphmaster Gerbil
 
Posts: 1043
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 10:46 am

Ryu Connor wrote:
So if this is doing something stupid and you want to throw a link with "hey you idiot RTFM" it wouldn't hurt my feelings!


GPO is a topic that sees many hours of classroom lecture. Hence the difficulty within this topic. This is not a good topic for forums due to too many competing voices. It's not a good topic due to complexities. It's not a good topic as you're tackling something worth hundreds of dollars of billable time. There are too many links/resources to even pull the RTFM gag you mention above.

Mattshwink is making a commendable effort and may get you across the finish line. Dposcorp probably has the more cost and time solution for everyone. Not to appear a complete ass, I am willing to help, but I'd rather discuss this on Ventrilo than in text.


Aye, though I figure manually creating a GPO versus using the Printer Deployment feature would be something there'd be consensus on at least, no? If I'm not using it and I should, I'd think that'd raise a red flag for people.

The main thing that gets me is that I think I'm doing it correctly and am unsure as to why it's not workin'. I certainly don't want to waste anyone's time here. I figure if I can't get it workin' today I'll go the classroom route and see if that helps.
Scrotos
Graphmaster Gerbil
 
Posts: 1043
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 12:24 pm

Try changing your action to update (instead of create). Again, reboot the workstation to ensure the GPO change takes effect.

In my opinion nothing should be automatically installed on an admin logon. Admin logons should be only for performing admin tasks, and nothing else. I'm a bit of a zealot about that.....

That being said, you could use item level targeting on the setting and only target workstations, not servers, and that should solve your issue.
mattshwink
Gerbil
 
Posts: 93
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 4:22 pm

Oi, just got back from offsite firmware updating and am aboot to go on vacation for the next 2 weeks. I'll pick this up again afterward and see if update versus create gets me a breakthrough. Thanks again for the help!
Scrotos
Graphmaster Gerbil
 
Posts: 1043
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Wed May 15, 2013 11:21 pm

Hehe, cool, have a great vacation.

Huh, now that I think about it, I'm wondering if the GPO is getting applied, but the XP workstation isn't getting the 32-bits printer driver for some reason? Seems unlikely though, given what you've already done.

Wait, you are using the Print Management console? If you're not, I highly recommend it for deploying printers with GPO. Just right click the printer you want, click deploy and yer done. Well, pick the GPO you want, per user or per computer and then yer done. Well... it's pretty easy anyway.

I don't use the Universal Print Driver, the thing drives me nuts. I always use the specific driver(s) for the printer being installed on the server. In a few cases, with our Xerox Phasers, I've had to install two printers, one for XP (or 32-bit machines) and the second for Win7 (64-bits).

I say hook the printer up via IP (or DNS name if the printer is DHCP) locally to the workstation with an admin login and don't use GPO for it :)

RDP, as a service to the user, will attempt to install 'links' for your printing needs. Not sure if proper drivers or just sockets to your local printers. It's pretty handy at times, so I haven't bothered trying to disable the feature. They're temporary, though, and usually get removed when the RDP session is done. Which is never, since almost everything I'm doing is RDP so I leave the sessions open and minimized. If I could RDP my morning shower, I would!
Calm seas never made a skilled mariner.
drsauced
Graphmaster Gerbil
 
Posts: 1477
Joined: Mon Apr 21, 2003 1:38 pm
Location: Here!

Re: Apply a GPO to a single computer? Win2K8 R2

Posted on Thu May 16, 2013 8:44 am

Ryu Connor wrote: Dposcorp probably has the more cost and time solution for everyone.



Me? Cool. For someone with no real training, who has not been to even ONE IT training class, nice to see that I am not completely wrong.
(I gotta figure out a way to make that look better on my resume when I get ready to leave here and find a new job :)


A lot of the stuff we do here is probably not "best practice," but we do what we have to make sure the users can do their job.

We run AD with more than one domain, and run a print server, with probably 5+ brands of printers, and a lot of remote locations.
Sometimes, network / AD issues keep a user from simply printing a document, and the direct IP connect eliminates a lot of issues.
Dposcorp
Minister of Gerbil Affairs
Silver subscriber
 
 
Posts: 2419
Joined: Thu Dec 27, 2001 7:00 pm
Location: Detroit, Michigan

