You can do a GPO for a user or group. Remove "authenticated users" and add the user or group instead to associations within an OU.
>>> Ben Scott <[email protected]> 8/3/2009 5:26 PM >>> Hey list, To the best of my knowledge, there is no way to create a GPO for a particular user account. You can, of course, create a GPO linked to the OU containing that user account, and then set "permissions" on the GPO such that only that user has the "Apply Group Policy" permission for that GPO. But ultimately, it's still a GPO associated with an OU. We have occasional "one-off" GPOs. They get applied to a single role account used for automation that needs a logoff script custom to the application. (We could detect the user name in a more global logoff script, I suppose, but that's even less elegant.) I was thinking an individual user GPO would be a convenient feature to have. It would be somewhat analogous to the "machine local GPO" that currently exists for computers. You can edit that GPO by logging into the computer and running GPEDIT.MSC. It applies to the local machine only. It would be nice if user accounts had something like like that. Maybe a "User GPO" button on the "Account" tab or whatever. If someone knows of a better way with existing tools, please feel free to hit me with a cluebat. Anyone know how one would submit this as a suggestion to Microsoft? Last I went looking, [email protected] had been shut down. There was a sort-of replacement at <http://connect.microsoft.com ( http://connect.microsoft.com/ )>, but it was aimed at focus groups and beta tests, and didn't have a mechanism to provide feedback for stuff Microsoft hadn't thought of yet. (How typical.) -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ Confidentiality Notice: This e-mail message, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
