Delegation in GPOs without "Authenticated User" group

Stian 1 Reputation point
2022-09-16T11:55:38.863+00:00

Hi folks.

In my organization, we are located in 2 cities, where we currently run Horizon VDI, non-persistent.
We will run FSLogix to handle OneDrive, mail and more.
We have 2 storage locations, 1 in each city, where the VHDX files for the users will be located.
City1: \\server1\share
City2: \\server2\share
Users in City1 should have their VHDX files on server1, and likewise users in City2 on server2, as determined by the GPO.

I have created 2 GPOs, one pointing to each server, but since all users run machines across the cities, the GPO must hit correctly, and the GPOs are under the machine OU.
I have removed "Authenticated Users" from both GPOs and added "Domain Computers" with Apply policy.
I also added the security groups "City 1 Users" and "City 2 Users", one to each GPO with Apply policy, to filter who gets which policy.

But I suspect that as long as I have Apply policy on "Domain Computers", it is a bit random which of these actually runs and determines where I end up, but if I do not apply the policy it will not run at all? And that the filtering on the security groups "City 1 Users" or "City 2 Users" does not play any role.


2 answers

  1. Anonymous
    2022-09-21T03:38:34.393+00:00

    Hello Stian-3593,

    Thank you for posting in our Q&A forum.

    Based on the description, you configured the computer Group Policy settings and linked the GPO to the computer OU.

    I assume:

    OU1 with server1, linked to GPO1
    OU1 with server2, linked to GPO2

    For GPO1, we can try one of the following two options.

    Option 1:
    Remove Authenticated Users.
    Add the server1 machine account, or a group containing the server1 machine account.
    Give "Read" and "Apply group policy" permissions to the server1 machine account, or to the group containing it.

    Option 2:
    Keep Authenticated Users, but give Authenticated Users only the Read permission, without Apply group policy.
    Add the server1 machine account, or a group containing the server1 machine account.
    Give "Read" and "Apply group policy" permissions to the server1 machine account, or to the group containing it.

    For GPO2, we can try one of the following two options.

    Option 1:
    Remove Authenticated Users.
    Add the server2 machine account, or a group containing the server2 machine account.
    Give "Read" and "Apply group policy" permissions to the server2 machine account, or to the group containing it.

    Option 2:
    Keep Authenticated Users, but give Authenticated Users only the Read permission, without Apply group policy.
    Add the server2 machine account, or a group containing the server2 machine account.
    Give "Read" and "Apply group policy" permissions to the server2 machine account, or to the group containing it.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

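The delegation both the question and the answer above describe can be scripted and, more importantly, verified. The following is an added example and not code from either poster or from Microsoft; the GPO names "FSLogix-City1" and "FSLogix-City2" are assumed, the group names are taken from the question, and it assumes the GroupPolicy module (RSAT / GPMC) and rights to edit the GPOs. Two facts worth keeping in mind while reading it: security filtering is evaluated per principal, so computer settings apply only when the computer account (or a group it belongs to) holds both Read and Apply group policy, and user settings only when the user does; and since MS16-072 (KB3163622) the computer account must at least be able to read a GPO for its user settings to be processed, which is why "Authenticated Users" (which includes computer accounts) is kept at Read rather than removed entirely.

```powershell
# Added example (not from the original thread): set GPO security filtering so each
# FSLogix GPO applies only to the intended city group, then audit the result.
# Assumed names (not in the thread): GPOs "FSLogix-City1" / "FSLogix-City2".
Import-Module GroupPolicy

$gpoToGroup = @{
    'FSLogix-City1' = 'City 1 Users'
    'FSLogix-City2' = 'City 2 Users'
}

foreach ($gpoName in $gpoToGroup.Keys) {
    $gpo   = Get-GPO -Name $gpoName
    $group = $gpoToGroup[$gpoName]

    # Authenticated Users keeps Read only (no Apply). Computer accounts are
    # members of Authenticated Users, so this satisfies the MS16-072 requirement
    # that the machine can read the GPO. -Replace drops its existing level first.
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace

    # Only the city group gets Read + Apply group policy.
    Set-GPPermission -Guid $gpo.Id -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply
}

# Audit: who can actually apply each GPO? Anything other than the intended
# group here (e.g. a leftover "Domain Computers" entry) would widen the scope.
function Get-GpoApplyTrustees {
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{
                GPO     = $Name
                Trustee = $_.Trustee.Name
                Type    = $_.TrusteeType
            }
        }
}

foreach ($gpoName in $gpoToGroup.Keys) {
    Get-GpoApplyTrustees -Name $gpoName
}
```

The audit loop is the part to keep around: it shows every trustee that holds Apply group policy on each GPO, so a stray "Domain Computers" or "Authenticated Users" entry with Apply is visible at a glance. Note also that the FSLogix profile-container policy settings (under HKLM\SOFTWARE\FSLogix\Profiles) are computer-side settings, so a user-group filter on a GPO linked to a computer OU controls nothing unless the policy also carries user settings processed through loopback.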

  2. Stian 6 Reputation points
    2022-09-21T07:26:42.707+00:00

    Hi DaisyZhou-MSFT.

    I do not think this will work, because we are using global entitlements for our desktops.
    So users in city 1 can actually get a desktop in city 2 if the city 1 cluster is full, and then they will, as far as I understand, generate a new VHDX file on server 2.

    I have created a view in AD, like the one we have in production; this is where the desktops are located.

    Our OU structure is a bit bigger, with several OUs under each city, depending on the service each desktop will have. So we need to push most of our GPOs to the OUs where the desktops are located. We are also using block inheritance, with different GPOs as described above.
