Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server
-
@dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@flaxking said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
You have to enable loopback processing for the server and then it will process user configuration linked to it
Where would I do this? In the same GPO that I am setting the GPP?
In the same GPO.
https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy
https://www.jorgebernhardt.com/how-to-enable-group-policy-loopback-processing/
It doesn't have to be the same GPO. Once it is set for a computer, it then 'loops back' around and processes all the user settings in the GPOs that are linked/inherited.
-
@flaxking You are correct, however for my own sanity I place it on the GPO that needs it otherwise it is harder to track down which one is adding it.
-
@dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
I ran into an issue with Adobe Reader preventing users on my RDS server from printing PDFs that is solved by disabling protected mode.
I created a GPO with a User configuration GPP update for the corresponding DWORD value. The only way I have gotten it to work, is if I apply the GPO to the OU that contains the AD user object and have the Security filtering set to a group of users or a single user. I have tried item-level targeting to only apply to the RDS server, but it applies to any system that the user logs into.
I also tried the opposite: linking the GPO to the server OU and setting the Security Filtering to only the computer account for the RDS server and item-level targeting to a specific group of AD users. This didn't do anything.
How can I set it to update HKCU only for users on the RDS server?
You can do an item-level target based on the RDS server instead as well.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v%3Dws.11)
Tried this already (sans loopback) but didn't work.
-
@dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@flaxking You are correct, however for my own sanity I place it on the GPO that needs it otherwise it is harder to track down which one is adding it.
GP can fall into insanity pretty fast
-
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
I ran into an issue with Adobe Reader preventing users on my RDS server from printing PDFs that is solved by disabling protected mode.
I created a GPO with a User configuration GPP update for the corresponding DWORD value. The only way I have gotten it to work, is if I apply the GPO to the OU that contains the AD user object and have the Security filtering set to a group of users or a single user. I have tried item-level targeting to only apply to the RDS server, but it applies to any system that the user logs into.
I also tried the opposite: linking the GPO to the server OU and setting the Security Filtering to only the computer account for the RDS server and item-level targeting to a specific group of AD users. This didn't do anything.
How can I set it to update HKCU only for users on the RDS server?
You can do an item-level target based on the RDS server instead as well.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v%3Dws.11)
Tried this already (sans loopback) but didn't work.
You mentioned that you have a server OU. Do you have your RDS servers in their own OU?
Is loopback mode set up for replace or merge? (If merge, then another GPO somewhere else could be creating issues.)
You set up a test. If RDS servers are in their own OU, loopback in replace mode, then just set one policy (other than loopback) and check the registry for the one user to see if the change had been made.
-
@pmoncho said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
I ran into an issue with Adobe Reader preventing users on my RDS server from printing PDFs that is solved by disabling protected mode.
I created a GPO with a User configuration GPP update for the corresponding DWORD value. The only way I have gotten it to work, is if I apply the GPO to the OU that contains the AD user object and have the Security filtering set to a group of users or a single user. I have tried item-level targeting to only apply to the RDS server, but it applies to any system that the user logs into.
I also tried the opposite: linking the GPO to the server OU and setting the Security Filtering to only the computer account for the RDS server and item-level targeting to a specific group of AD users. This didn't do anything.
How can I set it to update HKCU only for users on the RDS server?
You can do an item-level target based on the RDS server instead as well.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v%3Dws.11)
Tried this already (sans loopback) but didn't work.
You mentioned that you have a server OU. Do you have your RDS servers in their own OU?
Is loopback mode set up for replace or merge? (If merge, then another GPO somewhere else could be creating issues.)
You set up a test. If RDS servers are in their own OU, loopback in replace mode, then just set one policy (other than loopback) and check the registry for the one user to see if the change had been made.
Servers are in the same OU at this point. Going to be trying the loopback in merge mode to see if it will target the correct server.
-
Still in the same boat. It only applies the setting when linked to the OU of the user and have a user or group specified in the security filtering, but it applies it to all systems, not just the RDS server.
-
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
It only applies the setting when linked to the OU of the user
Well, according to that screenshot, it IS a user setting.
-
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
Still in the same boat. It only applies the setting when linked to the OU of the user and have a user or group specified in the security filtering, but it applies it to all systems, not just the RDS server.
Question, if you want to target users, why is your item-level target a computer name? Why not a Security Group with specific users?
As a side note, normally, if I use loopback processing for specific settings, I put those servers in their own OU so as not to affect all servers.
-
@Obsolesce said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
It only applies the setting when linked to the OU of the user
Well, according to that screenshot, it IS a user setting.
Yeah. I want all users or a group of users who login to the RD00 server (and only this server) to have this GPP modifying HKCU to apply. Is it even possible?
-
@pmoncho said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
Still in the same boat. It only applies the setting when linked to the OU of the user and have a user or group specified in the security filtering, but it applies it to all systems, not just the RDS server.
Question, if you want to target users, why is your item-level target a computer name? Why not a Security Group with specific users?
As a side note, normally, if I use loopback processing for specific settings, I put those servers in their own OU so as not to affect all servers.
I want to apply it only to users logging into a specific computer. In this case, it is RD00.
-
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@pmoncho said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
Still in the same boat. It only applies the setting when linked to the OU of the user and have a user or group specified in the security filtering, but it applies it to all systems, not just the RDS server.
Question, if you want to target users, why is your item-level target a computer name? Why not a Security Group with specific users?
As a side note, normally, if I use loopback processing for specific settings, I put those servers in their own OU so as not to affect all servers.
I want to apply it only to users logging into a specific computer. In this case, it is RD00.
I would scrap the item-level targeting and just put the RD00 in a new sub-OU of your servers OU and link the GPO there. Then you have no worries about it hitting other systems. Other than this, I don't have a clue what would be stopping it.
-
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@Obsolesce said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
It only applies the setting when linked to the OU of the user
Well, according to that screenshot, it IS a user setting.
Yeah. I want all users or a group of users who login to the RD00 server (and only this server) to have this GPP modifying HKCU to apply. Is it even possible?
Yes, it's possible.
Ensure the GPO is applying to the user. For example, if User1 is in the Company > Users OU, then make sure that GPO is either in Company or Users OU and the Users OU is inheriting the GPO. Verify with RSOP and gpresult that the user is getting the policy.
I think, but it's been a while since I did much with AD GP... (like you are in the screenshot) use item-level targeting to the server name.
Test it by having one of the in-scope users log on to a different server, run gpresult and see if it's applying, then try it on the targeted server and see if it applies then.
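
The verification step discussed in this thread (check loopback mode, run gpresult for the user, then look at the registry), written as one PowerShell check. This is an added example, not code from any poster: the GPO name, registry path and value name are placeholders to be replaced with the ones from your own GPP item, and the gpresult parsing assumes English-language output.

```powershell
# Added example. Run inside the user's session: once on the RDS host, once elsewhere.
# The defaults are placeholders (assumptions); use the values from your own GPP item.
param(
    [string]$GpoName   = '<GPO display name>',
    [string]$RegPath   = 'HKCU:\Software\<vendor>\<product>\<key>',
    [string]$ValueName = '<DWORD value name>',
    [int]$Expected     = 0
)

# Loopback is a computer-side policy. 1 = Merge, 2 = Replace; absent = not enabled here.
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $sysKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
$loopback = if ($mode -eq 1) { 'Merge' } elseif ($mode -eq 2) { 'Replace' } else { 'Not enabled' }

# User-scope RSoP summary: is the GPO listed under "Applied Group Policy Objects"?
# (Section headings are matched in English; adjust for localized systems.)
$inApplied = $false
$gpoApplied = $false
foreach ($line in (gpresult /scope user /r)) {
    if ($line -match 'Applied Group Policy Objects') { $inApplied = $true; continue }
    if ($line -match 'were not applied|security groups') { $inApplied = $false }
    if ($inApplied -and $line.Trim() -eq $GpoName) { $gpoApplied = $true }
}

# The HKCU value the GPP registry item is supposed to write for this user.
$actual = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    User             = "$env:USERDOMAIN\$env:USERNAME"
    LoopbackMode     = $loopback
    GpoAppliedToUser = $gpoApplied
    ValuePresent     = $null -ne $actual
    ValueMatches     = $actual -eq $Expected
}
```

If the setting is scoped the way the thread wants, the RDS host reports a loopback mode with `GpoAppliedToUser` and `ValueMatches` both true, and any other machine the same user logs on to reports the GPO as not applied.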