ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server

    IT Discussion
    gpo group policy gpp ou windows security filtering
    5
    19
    2.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      flaxking @dbeato
      last edited by

      @dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

      @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

      @flaxking said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

      You have to enable loopback processing for the server and then it will process user configuration linked to it

      Where would I do this? In the same GPO that I am setting the GPP?

      In the same GPO.
      https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy
      https://www.jorgebernhardt.com/how-to-enable-group-policy-loopback-processing/

      It doesn't have to be same GPO. Once it is set for a computer, it then 'loops back' around and processes all the user settings in the GPOs that are linked/inherited

      dbeatoD 1 Reply Last reply Reply Quote 1
      • dbeatoD
        dbeato @flaxking
        last edited by

        @flaxking You are correct, however for my own sanity I place it on the GPO that needs it otherwise it is harder to track down which one is adding it.

        F 1 Reply Last reply Reply Quote 0
        • wrx7mW
          wrx7m @dbeato
          last edited by

          @dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

          @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

          I ran into an issue with Adobe Reader preventing users on my RDS server from printing PDFs that is solved by disabling protected mode.

          I created a GPO with a User configuration GPP update for the corresponding DWORD value. The only way I have gotten it to work, is if I apply the GPO to the OU that contains the AD user object and have the Security filtering set to a group of users or a single user. I have tried item-level targeting to only apply to the RDS server, but it applies to any system that the user logs into.

          I also tried the opposite- Linking the GPO to the server OU and setting the Security Filtering to only the computer account for the RDS server and item-level targeting to a specific group of AD users. This didn't do anything.

          How can I set it to update HKCU only for users on the RDS server?

          You can do a item level target based on the RDS server instead as well.
          https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v%3Dws.11)

          Tried this already (sans loopback) but didn't work.

          pmonchoP 1 Reply Last reply Reply Quote 0
          • F
            flaxking @dbeato
            last edited by

            @dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

            @flaxking You are correct, however for my own sanity I place it on the GPO that needs it otherwise it is harder to track down which one is adding it.

            GP can fall into insanity pretty fast

            1 Reply Last reply Reply Quote 0
            • pmonchoP
              pmoncho @wrx7m
              last edited by

              @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

              @dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

              @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

              I ran into an issue with Adobe Reader preventing users on my RDS server from printing PDFs that is solved by disabling protected mode.

              I created a GPO with a User configuration GPP update for the corresponding DWORD value. The only way I have gotten it to work, is if I apply the GPO to the OU that contains the AD user object and have the Security filtering set to a group of users or a single user. I have tried item-level targeting to only apply to the RDS server, but it applies to any system that the user logs into.

              I also tried the opposite- Linking the GPO to the server OU and setting the Security Filtering to only the computer account for the RDS server and item-level targeting to a specific group of AD users. This didn't do anything.

              How can I set it to update HKCU only for users on the RDS server?

              You can do a item level target based on the RDS server instead as well.
              https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v%3Dws.11)

              Tried this already (sans loopback) but didn't work.

              You mentioned that you have a server OU. Do you have your RDS servers in their own OU?

              Is loopback mode setup for replace or merge? (if merge, then another GPO somewhere else could be creating issues.)

              You setup a test. If RDS servers are in own OU, loopback in replace mode, then just set one policy (other than loopback) and check the registry for the one user to see if the change had been made

              wrx7mW 1 Reply Last reply Reply Quote 0
              • wrx7mW
                wrx7m @pmoncho
                last edited by

                @pmoncho said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                @dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                I ran into an issue with Adobe Reader preventing users on my RDS server from printing PDFs that is solved by disabling protected mode.

                I created a GPO with a User configuration GPP update for the corresponding DWORD value. The only way I have gotten it to work, is if I apply the GPO to the OU that contains the AD user object and have the Security filtering set to a group of users or a single user. I have tried item-level targeting to only apply to the RDS server, but it applies to any system that the user logs into.

                I also tried the opposite- Linking the GPO to the server OU and setting the Security Filtering to only the computer account for the RDS server and item-level targeting to a specific group of AD users. This didn't do anything.

                How can I set it to update HKCU only for users on the RDS server?

                You can do a item level target based on the RDS server instead as well.
                https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v%3Dws.11)

                Tried this already (sans loopback) but didn't work.

                You mentioned that you have a server OU. Do you have your RDS servers in their own OU?

                Is loopback mode setup for replace or merge? (if merge, then another GPO somewhere else could be creating issues.)

                You setup a test. If RDS servers are in own OU, loopback in replace mode, then just set one policy (other than loopback) and check the registry for the one user to see if the change had been made

                Servers are in the same OU at this point. Going to be trying the loopback in merge mode to see if it will target the correct server.

                1 Reply Last reply Reply Quote 0
                • wrx7mW
                  wrx7m
                  last edited by

                  Still in the same boat. It only applies the setting when linked to the OU of the user and have a user or group specified in the security filtering, but it applies it to all systems, not just the RDS server.
                  718082e4-99c6-48db-9901-01b8e6513774-image.png

                  ObsolesceO pmonchoP 2 Replies Last reply Reply Quote 0
                  • ObsolesceO
                    Obsolesce @wrx7m
                    last edited by

                    @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                    t only applies the setting when linked to the OU of the user

                    We'll according to that screenshot, it IS a user setting.

                    wrx7mW 1 Reply Last reply Reply Quote 1
                    • pmonchoP
                      pmoncho @wrx7m
                      last edited by

                      @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                      Still in the same boat. It only applies the setting when linked to the OU of the user and have a user or group specified in the security filtering, but it applies it to all systems, not just the RDS server.
                      718082e4-99c6-48db-9901-01b8e6513774-image.png

                      Question, if you want to target users why is your item-level target a computer name. Why not a Security Group with specific users?

                      As a side note, normally, if I use loopback processing for specific settings, I put those servers in their own OU so as not to effect all servers.

                      wrx7mW 1 Reply Last reply Reply Quote 0
                      • wrx7mW
                        wrx7m @Obsolesce
                        last edited by wrx7m

                        @Obsolesce said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                        @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                        t only applies the setting when linked to the OU of the user

                        We'll according to that screenshot, it IS a user setting.

                        Yeah. I want all users or a group of users who login to the RD00 server (and only this server) to have this GPP modifying HKCU to apply. Is it even possible?

                        ObsolesceO 1 Reply Last reply Reply Quote 0
                        • wrx7mW
                          wrx7m @pmoncho
                          last edited by

                          @pmoncho said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                          @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                          Still in the same boat. It only applies the setting when linked to the OU of the user and have a user or group specified in the security filtering, but it applies it to all systems, not just the RDS server.
                          718082e4-99c6-48db-9901-01b8e6513774-image.png

                          Question, if you want to target users why is your item-level target a computer name. Why not a Security Group with specific users?

                          As a side note, normally, if I use loopback processing for specific settings, I put those servers in their own OU so as not to effect all servers.

                          I want to apply it only to users logging into a specific computer. In this case, it is RD00.

                          pmonchoP 1 Reply Last reply Reply Quote 0
                          • pmonchoP
                            pmoncho @wrx7m
                            last edited by pmoncho

                            @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                            @pmoncho said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                            @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                            Still in the same boat. It only applies the setting when linked to the OU of the user and have a user or group specified in the security filtering, but it applies it to all systems, not just the RDS server.
                            718082e4-99c6-48db-9901-01b8e6513774-image.png

                            Question, if you want to target users why is your item-level target a computer name. Why not a Security Group with specific users?

                            As a side note, normally, if I use loopback processing for specific settings, I put those servers in their own OU so as not to effect all servers.

                            I want to apply it only to users logging into a specific computer. In this case, it is RD00.

                            I would scrap the item level targeting and just put the RD00 in a new sub-OU of your servers OU and link the GPO their. Then you have no worries about it hitting other systems. Other than this, I don't have a clue what would be stopping it.

                            1 Reply Last reply Reply Quote 1
                            • ObsolesceO
                              Obsolesce @wrx7m
                              last edited by Obsolesce

                              @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                              @Obsolesce said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                              @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

                              t only applies the setting when linked to the OU of the user

                              We'll according to that screenshot, it IS a user setting.

                              Yeah. I want all users or a group of users who login to the RD00 server (and only this server) to have this GPP modifying HKCU to apply. Is it even possible?

                              Yes, it's possible.

                              Ensure the GPO is applying to the user. For example, if User1 is in the Company > Users OU, then make sure that GPO is either in Company or Users OU and the Users OU is inheriting the GPO. Verify with RSOP and gpresult that user is getting the policy.

                              I think, but it's been awhile since I did much with AD GP... (like you are in the screenshot) use item-level targeting to the server name.

                              Test it by having one of the in-scope users log on to a difference server, run gpresult and see if it's applying, then try it on the targeted server and see if it applies then.

                              1 Reply Last reply Reply Quote 0
                              • 1 / 1
                              • First post
                                Last post