One Group of Users, Two Terminal Servers, and Two GPO’s in one Group Policy Container

JamesNT Active Directory, Windows Client and Server

Imagine you have the following situation:  You have a group of users who need to access two different terminal servers.  If both machines required the same settings, that would be a no-brainer, but this isn’t the case.  One terminal server requires a certain set of Group Policy Settings and the other terminal server requires different settings (in my case, the settings in question were the start-up application).  And both servers are members of the same GPO.  How do we handle this situation?

Although there are probably a few solutions to this problem, the one I used was implementing a WMI – Windows Management Instrumentation – filter. 

Open the Group Policy Management Console and go to Forest | Domains | Domain Name | WMI Filters and create a new filter.

image

The two filters I created are called WMI Legacy Terminal Server and WMI New Terminal Server.  Edit the WMI filter you just made and enter the following WMI Query statement:

SELECT * FROM Win32_ComputerSystem WHERE Name = “servername” and Name <> “servername”

Your screen should show something like this (don’t forget to replace “servername” with the names of your servers):

image

The statement should give away what we are doing.  We are going to apply a filter to each of the two GPO’s so it will process only for a computer matching the name of the server we want.  Therefore, for one Group Policy Container, we are going to have two terminal servers and two GPO’s that are all members of that one container but only a certain GPO will execute for a certain terminal server.  After you have made your two filters, click on the Group Policy Objects in question and apply the correct filter.  Your screen should look something like this:

image

So when User A logs on to the Legacy Terminal Server, one GPO will be applied (in my case start up application X), but when logging into the New Terminal Server, another GPO will be applied (in my case starting up application Y). 

One significant drawback to this approach is that each GPO can have only one filter.  Make certain this isn’t of significance to you before using this approach.

James

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s