Group Policy

Discussion in 'Business & Enterprise Computing' started by Multiplexer, Feb 17, 2020.

  1. Multiplexer

    Multiplexer Member

    Joined:
    Feb 26, 2002
    Messages:
    2,093
    Location:
    Home
    I want to set up a GPO where notepad.exe will open on logon.

    The screenshot below is what I have and it works for all users. Now, I want the policy to only target 1 user on any machine.

    How can I go about achieving this? I tried a WMI filter but that did not work (maybe I am doing it wrong). The only way I can do this is in the Security Filtering: I remove Authenticated Users, add the 1 user and add all the machines, but I want something cleaner.

     
  2. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,885
    Cleaner how?

    WMI Filtering was my first thought. What filter were you using, and how wasn't it working?

    My second thought was to use Group Policy Preferences to create a shortcut to notepad.exe in the user's Startup folder, and use Item-Level Targeting to limit it to your subset of users.

    But, as with most things... xyproblem.info - you don't really want to create a notepad.exe shortcut for a single user, so if you tell us what X actually is, we are in a better position to provide advice.
     
    freaky_beeky likes this.
  3. DonutKing

    DonutKing Member

    Joined:
    Mar 21, 2004
    Messages:
    1,322
    Location:
    Tweed/Gold Coast
    Remove Authenticated Users from security filtering, add the relevant user and Domain Computers group. Disable Computer settings on the GPO.
     
  4. OP
    OP
    Multiplexer

    Multiplexer Member

    Joined:
    Feb 26, 2002
    Messages:
    2,093
    Location:
    Home
    I created a filter "Select * from win32_userAccount where Name='Multiplex'" but notepad still opens for all.

    The application I want to open varies: dsa.msc, powershell, Studio Manager, etc. Just want to make my logon much faster...

    I don't want to use the Domain Computers group in the security filter because the group will require maintenance, and in a large infrastructure it becomes a pain to maintain.
     
  5. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,885
    Is your startup folder broken?
     
  6. OP
    OP
    Multiplexer

    Multiplexer Member

    Joined:
    Feb 26, 2002
    Messages:
    2,093
    Location:
    Home
    I am not using a startup folder. I want a solution that I can easily apply to other domains with minimum change. So a solution where I need to copy a batch file to a folder or where I need to edit the security filter based on domain/environment is not acceptable.
     
  7. OP
    OP
    Multiplexer

    Multiplexer Member

    Joined:
    Feb 26, 2002
    Messages:
    2,093
    Location:
    Home
  8. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,885
    I'm struggling to get my head around the problem you're trying to solve.

    It looks like you've got your "Run On Logon" policy linked to a Computers OU... but it's a user policy.

    If one of my techs was using group policy to add autoruns to single user accounts, I'd be seriously asking why. Just because you 'Can' doesn't mean you should.


    And this is somehow "Cleaner"?
     
  9. OP
    OP
    Multiplexer

    Multiplexer Member

    Joined:
    Feb 26, 2002
    Messages:
    2,093
    Location:
    Home
    I am trying to achieve a setup where, if a database admin logs on to a database server, SQL Studio Management will open.

    I want a solution that I can quickly deploy and change at a whim. The solution needs to have minimum maintenance. I think this is the fastest in terms of deployment, but I am open to suggestions and welcome anyone able to provide an improved method of execution.
     
  10. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    62,126
    Location:
    brisbane
    you could just create a scheduled task gp object. machine based and have it run at logon of any user.

    that might work?
     
  11. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,837
    Location:
    Pooraka Maccas drivethrough
    Why are DBAs logging into DB servers interactively, and frequently enough for this sort of automation to have a business case?
     
  12. DonutKing

    DonutKing Member

    Joined:
    Mar 21, 2004
    Messages:
    1,322
    Location:
    Tweed/Gold Coast
    That’s not how it works.
    The computer account always needs security permissions to read the GPO, however as you are adding settings under the user policy section, it will only apply to user accounts with permissions to read and apply the GPO. If you added settings under the computer policy section, then yes it would apply to all users of the computer.

    You can of course add specific computer objects or even a group of computers to your GPO instead of the domain computers group, if you can’t restrict its scope by applying it to a specific OU.

    Unless you are using loopback policy processing, then it’s a bit different.
     
    Last edited: Feb 17, 2020
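
DonutKing's security-filtering steps (posts 3 and 12), scripted with the GroupPolicy PowerShell module as an added example that is not from any poster in the thread. `Run On Logon` is the policy name quoted in post 8; the group name `DBA-Admins` is a hypothetical placeholder, and the final check for unexpected Apply rights is an addition of this example.

```powershell
# Added example: scope a user-side GPO with security filtering.
# Requires the GroupPolicy module (RSAT / GPMC) and rights to edit the GPO.
Import-Module GroupPolicy

$GpoName    = 'Run On Logon'   # policy name quoted in the thread
$TargetName = 'DBA-Admins'     # hypothetical placeholder group
$TargetType = 'Group'          # use 'User' to target a single account

# Computer accounts must be able to READ the GPO, otherwise the user
# settings cannot be processed on that machine (post 12).
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# Only the target principal gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $TargetName `
    -TargetType $TargetType -PermissionLevel GpoApply -Replace

# Remove the default Authenticated Users entry (post 3).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace

# The GPO carries user settings only, so disable the computer half (post 3).
$gpo = Get-GPO -Name $GpoName
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Verify: list every trustee that can still apply the policy and flag
# anything other than the intended target.
$appliers = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' }

foreach ($entry in $appliers) {
    if ($entry.Trustee.Name -ne $TargetName) {
        Write-Warning "Unexpected Apply right: $($entry.Trustee.Name)"
    } else {
        Write-Output "Applies to: $($entry.Trustee.Name)"
    }
}

# Full ACL for review, including who can edit the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize
```

Because the target is a group, moving the same GPO to another domain only requires the group to exist there; the computer side stays on the built-in Domain Computers group.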
  13. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,865
    Location:
    Canberra
    Why are people installing management tools and allowing generic logon to business critical servers....

    Baby millsy cried
     
    Last edited: Feb 18, 2020
  14. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,885
    Because I don't have time to do it properly.
    But somehow, I'll find time to do it again.
     
    looktall, NSanity and freaky_beeky like this.
  15. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,837
    Location:
    Pooraka Maccas drivethrough
    devops
     
  16. freaky_beeky

    freaky_beeky Member

    Joined:
    Dec 2, 2004
    Messages:
    1,169
    Location:
    Brisbane
    DevOps should have the server built as IAC, the management tools should never be part of the installation.
    The server might come up with all default names, unpatched, and no security, but I wouldn't blame DevOps for installing management tools on production servers.
     
  17. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    40,413
    Location:
    Brisbane
    mjpop.gif
     
    Fred Nurk likes this.
  18. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,865
    Location:
    Canberra
    No.
     
  19. tensop

    tensop Member

    Joined:
    Mar 26, 2002
    Messages:
    1,515
    It's 2020, I thought the devops term was dead already
     
  20. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,837
    Location:
    Pooraka Maccas drivethrough
    agile!
    waterfall!
    agilefall!
     
