[Workspace] How to assign Group Policy to specific OU or User/Group?



I have a customer that want to control 'clipboard redirection' function using Simple AD, Workspace. They have already disabled 'clipboard redirection' for the entire user in directory through Group Policy. (https://docs.aws.amazon.com/workspaces/latest/adminguide/group_policy.html#gp_clipboard)

But they want to disable only certain users in the directory.

So I tested Group Policy to assign it to OU or User/Group, but it didn't work as I intended.

  1. Create 'dev' Organization Unit under Domain Name (Active Directory Users and Computers)
  2. Create 'dev1' accounts within 'dev' OU
  3. Create 'GPO' within 'dev' OU (Group Policy Management)
  4. Clipboard redirection disable (Group Policy Management Editor) from the generated GPO

Actually, I don't have much experience with AD.

Questions are :

  1. Is there something wrong with the way I tested it?
  2. Is there a way to set the GPO so that it can be applied only to a specific user or group? (Or create a new directory and manage it separately..)

Could you help me?

1 Answer
Accepted Answer

The approach you are following is not mistaken. However, group policies can be applied to users/groups or to computers. If you apply a group policy that affects computer settings to an OU in which you have users (or viceversa), that GPO won't have any effect (that's what's happening in your case).

in this case the GPO affects the computer resource: "Computer Configuration, Policies, Administrative Templates,Classic Administrative Templates, PCoIP Session Variables, and Overridable Administrator Defaults."

So in order to apply to different computers located in different OU's, you need to put the computers (AD resource) in different OUs.

Amazon Workspaces allow you to put the different workspaces in different OUs :

Q: Can I select the Organizational Unit (OU) where computer accounts for my WorkSpaces will be created in my Active Directory?

Yes. You can set a default Organizational Unit (OU) in which computer accounts for your WorkSpaces are created in your Active Directory. This OU can be part of the domain to which your users belong, or part of a domain that has a trust relationship with the domain to which your users belong, or part of a child domain in your directory. Please see our documentation for more details.

Unfortunately, won't work for your use case (having multiple OUs for different types of users), as Amazon Workspaces allows you to choose only one OU per directory.

Luckily, you can workaround this, by putting all the computers (workspaces) in the same OU and create different security groups for those computers (dev, prod, etc) and use the "Security filtering" feature of the GPOs to only apply the GPO to computers that belong to certain security group.

Hope this helps

answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions