Solved

Apply Group Policy depending on group membership?

Posted on 2008-06-10
Last Modified: 2013-12-04
I have some people who normally have very restricted access to things, locked down desktops, etc., for most of their work day.  I am locking the desktop down through the use of User based group policy settings, not Computer based group policy settings.  Is it possible to prevent the desktop from being locked down if the user logs into a particular workstation or group of workstations?
Question by:CousinDupree
11 Comments
 

Accepted Solution

by: oBdA
ID: 21755415
Yes; put these machines into their own OU, and enable the Loopback policy for this OU; set the Loopback setting to Replace (reboot the machines after this). New *user* policies linked to this OU will now apply to all users logging on to these machines, regardless of where their accounts are. Check here for details:
Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

Expert Comment

by:KCTS
ID: 21755481
I'm confused by the title of the question - the solution given by oBdA will certainly work, but quite what your question has to do with the title has me perplexed:
>> Apply Group Policy depending on group membership << 

This is possible with security filtering http://technet2.microsoft.com/windowsserver/en/library/65424a58-aff3-4e1e-a3a1-59878cbcf0051033.mspx

Author Comment

by:CousinDupree
ID: 21755600
I had initially thought I would try to apply a group policy based on a combination of the OU of the user and whether they were a member of a particular AD security group or not. As I wrote the question, I thought I might be attempting to do something that was either impossible, or could be solved more easily through a method other than the one I was proposing. So, I decided to make my goal more generic and see what was suggested. I neglected to change my title....

Expert Comment

by:KCTS
ID: 21755626
... It happens :-)

Author Comment

by:CousinDupree
ID: 21814943
If I enable loopback processing, is it possible to not apply a user based policy for administrators?  Since I am locking down the desktop, I would like to have the workstation be open if an administrator logs on to it.  I suppose I could move the workstation to an OU that didn't have loopback processing enabled if I needed to, but it would be nice to not need to.

Expert Comment

by:oBdA
ID: 21815107
You can use security group filtering for this: create a group "GPO-RestrictedUsers" or whatever, add the users that should be restricted, and replace the default "Authenticated Users" in the permissions for the GPO with this group. That way, only members of this group will be restricted.
Another possibility would be to open the Advanced permissions in the Delegation tab of the GPMC, and Deny the "Apply" permission to the Administrators group.

Author Comment

by:CousinDupree
ID: 21815667
Is it possible to enable loopback processing, and implement security filtering on the user policy that is being applied through the loopback processing?

Expert Comment

by:oBdA
ID: 21815878
Yes, that's why I suggested it.
For your own convenience, do as I (well, after a fashion) suggested in my first post: create a policy *only* for loopback (and other *computer* configuration settings), add/link *new* GPOs for *user* configuration policies (and configure permissions on these user GPOs).
The loopback policy does *NOT* have to be in the same GPO as the user policies you want to implement!

Author Comment

by:CousinDupree
ID: 21823121
I hate to ask, but in your first post, you say to create an OU for the machines in question, and enable the loopback processing option for the OU.  Is this done by enabling the loopback processing option in a policy linked to that OU?  And in your last post you mention that the loopback policy does not have to be in the same GPO as the user policies I wish to implement, are you saying that any user GPOs that are linked to an OU, that has a policy linked to it that has loopback processing enabled, will apply all the user settings contained within those linked policy objects?

I guess I am confused about how I am to enable loopback processing on an OU...

Expert Comment

by:oBdA
ID: 21823302
Yes, the loopback policy is a computer policy and will be applied to all computer objects in or under the OU to which it is linked (unless you combine it with a security filtering group, which will work for computer accounts as well - note that if you add a computer account to a group, the machine needs to be restarted for the group membership change to be applied!).
And yes, as I said, once a Loopback is applied to a machine, all user configuration policies applied to this machine will be applied to all users logging on to this machine, regardless of where the user account resides in AD (again, unless the GPO is combined with a security filtering group).
Yes, loopback processing can be somewhat confusing until you get the hang of it.
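The layout oBdA describes across the accepted solution and the follow-up comments (a computer-side GPO that only switches on loopback processing in Replace mode, a separate user-side GPO linked to the same OU, and security filtering on that user GPO so only members of a "GPO-RestrictedUsers" group are locked down) can be scripted with the RSAT GroupPolicy and ActiveDirectory cmdlets. This is an added worked example, not code from the thread; the domain, the OU path "OU=Kiosks,...", the GPO names and the single sample lockdown setting are assumptions chosen for illustration.

```powershell
# Added example (not from the original thread). Assumes RSAT (GroupPolicy and
# ActiveDirectory modules), a domain corp.example.com, and an OU that already
# holds the locked-down workstations. All names below are illustrative.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$KioskOU       = 'OU=Kiosks,DC=corp,DC=example,DC=com'  # assumed OU with the workstations
$LoopbackGpo   = 'Kiosk-Computer-Loopback'              # computer-side GPO: loopback only
$RestrictGpo   = 'Kiosk-User-Restrictions'              # user-side GPO: the desktop lockdown
$RestrictedGrp = 'GPO-RestrictedUsers'                  # filter group, as in oBdA's comment

# 1. Computer-side GPO whose only job is loopback processing in Replace mode.
#    Backing registry policy: HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
#    (1 = Merge, 2 = Replace). Machines in the OU need a reboot to pick it up.
New-GPO -Name $LoopbackGpo -Comment 'Loopback (Replace) for kiosk workstations' | Out-Null
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $LoopbackGpo -Target $KioskOU -LinkEnabled Yes | Out-Null

# 2. Separate user-side GPO linked to the same OU. Once loopback/Replace is in
#    effect on the machine, this GPO's User Configuration applies to whoever logs
#    on there, wherever the account sits in AD. One sample lockdown setting is
#    written here; add the rest in GPMC or with further Set-GPRegistryValue calls.
New-GPO -Name $RestrictGpo -Comment 'Desktop lockdown for kiosk users' | Out-Null
Set-GPRegistryValue -Name $RestrictGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $RestrictGpo -Target $KioskOU -LinkEnabled Yes | Out-Null

# 3. Security filtering on the user-side GPO: only the restricted group gets
#    "Apply group policy". Authenticated Users is lowered to Read (-Replace is
#    needed, otherwise the cmdlet will not reduce an existing higher level).
#    Keep that Read ACE: since MS16-072 (June 2016) user GPOs are fetched in the
#    computer's security context, and a GPO the computer account cannot read is
#    silently skipped for everyone.
New-ADGroup -Name $RestrictedGrp -GroupScope Global -GroupCategory Security `
    -Description 'Users who receive the kiosk desktop lockdown'
Set-GPPermission -Name $RestrictGpo -TargetName $RestrictedGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $RestrictGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Administrators are simply not in the filter group, so they get an unrestricted
# desktop on the same machine. The alternative oBdA mentions (a Deny ACE on
# "Apply group policy" for Administrators) has no cmdlet; set it in GPMC under
# the GPO's Delegation tab > Advanced.

# 4. Verify who can apply the user-side GPO.
Get-GPPermission -Name $RestrictGpo -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

On a kiosk, after `gpupdate /force`, a reboot, and a fresh logon, `gpresult /r /scope:user` should list the user-side GPO under "Applied Group Policy Objects" for a member of the filter group and under "not applied (Filtering: Denied (Security))" for an administrator. The two GPOs are kept separate on purpose, as oBdA recommends: the loopback GPO carries only computer settings and can be filtered on computer accounts, the user GPO carries only user settings and is filtered on user accounts, and neither filter interferes with the other.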

Author Closing Comment

by:CousinDupree
ID: 31465945
Thank you for your patience and thoroughness.