Solved

AD GPO, Loopback processing, computer based security filtering fails

Posted on 2008-06-24
Last Modified: 2010-04-21
I'm trying to create a GPO with loopback processing to run a login script for all users per computer.
I have a GPO attached to a workstation OU and enabled loopback processing in replace mode. Under security filtering I have entered only the affected computers with Read/Apply. GPresult shows me it is attaching the computer security group, but under user the policy shows "Test_GPO  Filtering: Denied (Security)". If the user account that is logging in is then added to security filtering, it works. Why? Doesn't this defeat the purpose of loopback? How can I attach it per computer?

Our directory is already separated in OUs so creating new containers is not a usable solution.

I have read m$ KB 260370 and method 2 appears to be exactly what I'm trying to do.
http://support.microsoft.com/?kbid=260370

"The computer account of the terminal server should be added to the security properties of the GPO being created for the loopback. To do this, follow these steps:
1. Select the GPO that is created for the loopback, and then click Properties.
2. Click the Security tab, and then click Add.
3. In the Select Users, Computers, or Groups box, select the computer account, and then click OK.
4. Click the computer account from the Group or user names box.
5. In the Permissions for computer name box, click to select the Read and Apply Group Policy check boxes in the Allow column.
6. Click OK two times to close and save the policy settings."
Question by:dirtyike
10 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 1500 total points
ID: 21856851
The loopback policy is a *computer* configuration policy, it applies only to the computer object. This policy will change the GPO handling on this machine in such a way that *user* policies applied to the OU in which the *computer* object resides will be processed, regardless of where the *user* object in AD is.
The logon script is a *user* policy, and if the user doesn't have permissions to read this policy, it won't be applied.
It's technically possible to configure both the loopback and the user settings in the same GPO, but in the end, that's just confusing. So do yourself a favor, and create (at least) two GPOs for this:
- a "Loopback" GPO in which you only enable the loopback setting (and other *computer* configuration settings). Use groups with computers to filter the application.
- Additional GPOs in which you configure only *user* configuration policies. Use groups with users to filter the application.
There is no reason and no need to combine the user configuration policies with computer configuration policies.
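The two-GPO layout recommended in the accepted solution, scripted with the GroupPolicy module (RSAT/GPMC). This is an added example, not code from the thread, from oBdA, or from the Microsoft KB quoted in the question; the OU path, the two group names and the GPO names are assumptions for illustration. The KB's method 2 grants Read/Apply to individual computer accounts; this version filters on a group of computers and a group of users, as oBdA suggests. Authenticated Users is downgraded to Read rather than removed, because the computer must still be able to read a GPO it processes (and, since Microsoft's MS16-072 change, user-side GPOs are read in the computer's security context as well).

```powershell
# Added example (not from the thread): build the loopback GPO and the user GPO as
# two separate objects, both linked to the workstation OU, each filtered on its own group.
# Requires the GroupPolicy module (RSAT/GPMC). Values marked "assumed" are placeholders.
Import-Module GroupPolicy

$workstationOU = 'OU=Workstations,DC=corp,DC=example'   # assumed: OU that holds the computer objects
$computerGroup = 'GPO-Loopback-Computers'                # assumed: group whose members are computer accounts
$userGroup     = 'GPO-LogonScript-Users'                 # assumed: group whose members are user accounts

function Set-GpoFilter {
    # Restrict a GPO so that only members of $Group get "Apply group policy".
    # Authenticated Users keep Read (not Apply): the computer must still read the GPO,
    # and after MS16-072 user policies are retrieved in the computer's context too,
    # so dropping Read entirely would silently break the user-side GPO.
    param([string]$GpoName, [string]$Group)
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# 1. Loopback GPO: Computer Configuration only, filtered on the computer group.
$loop = New-GPO -Name 'WS-Loopback-Replace' -Comment 'Computer side: enables loopback (replace mode)'
$loop.GpoStatus = 'UserSettingsDisabled'          # nothing lives in User Configuration here
# "User Group Policy loopback processing mode" is stored as
#   HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode : 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $loop.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $loop.DisplayName -Target $workstationOU | Out-Null
Set-GpoFilter -GpoName $loop.DisplayName -Group $computerGroup

# 2. Logon-script GPO: User Configuration only, linked to the *computer* OU
#    (that is what loopback picks up), filtered on the user group.
$script = New-GPO -Name 'WS-LogonScript' -Comment 'User side: logon script, delivered via loopback'
$script.GpoStatus = 'ComputerSettingsDisabled'    # nothing lives in Computer Configuration here
New-GPLink -Name $script.DisplayName -Target $workstationOU | Out-Null
Set-GpoFilter -GpoName $script.DisplayName -Group $userGroup
# There is no cmdlet for logon scripts: add the script in GPMC under
# User Configuration > Windows Settings > Scripts (Logon/Logoff) of 'WS-LogonScript'.

# 3. Show the resulting filtering on both GPOs for review.
foreach ($g in $loop, $script) {
    "`n== $($g.DisplayName) =="
    Get-GPPermission -Name $g.DisplayName -All |
        Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
}
```

A user who is a member of the user group but logs on to a computer outside the computer group gets nothing from 'WS-LogonScript', because that computer never enables loopback and user objects do not sit in the workstation OU; that is the behaviour the question was trying to achieve (and why a plain user-filtered GPO would otherwise follow the user onto the TS/Citrix farm).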
 

Author Comment

by:dirtyike
ID: 21857039
What's the benefit to enabling a Loopback GPO where you only set computer settings?

"Applies alternate user settings when a user logs on to a computer affected by this setting."

If I create a GPO that only has user policies then they would be applied to all computers that they would log in to, including our TS and Citrix farms, which I wouldn't want.
 
LVL 85

Expert Comment

by:oBdA
ID: 21857131
No.
Policies in the *Computer* configuration tree will only be applied to *computer* objects in or below the OU to which the GPO is linked.
Policies in the *User* configuration tree will only be applied to *user* objects in or below the OU to which the GPO is linked.
That means that by default, you can (try to) apply any user configuration policy to any number of machine accounts, and exactly nothing will happen.
*Only* when loopback processing is enabled for a *computer* will *user* policies linked to the *computer* OU be applied to users logging on to this computer.
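A way to check oBdA's explanation on the workstation itself, added here as an example that is not part of the thread: confirm whether the loopback computer setting actually reached the machine, then list the user-scope GPOs that were filtered out. Run it on the affected workstation in the session of the user whose logon script is missing; GPO names in the output are whatever your environment uses.

```powershell
# Added example (not from the thread): verify loopback reached this computer and
# show which user-scope GPOs were filtered, i.e. the "Denied (Security)" symptom.
function Get-LoopbackMode {
    # The loopback policy writes UserPolicyMode under the machine Policies key;
    # a missing value means the loopback GPO did not apply to this computer at all.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($v) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured (loopback GPO did not apply to this computer)' }
    }
}

"Loopback mode on $env:COMPUTERNAME : $(Get-LoopbackMode)"

# User-scope RSoP. GPOs under "were not applied because they were filtered out"
# with "Filtering: Denied (Security)" are the ones the *user* lacks Read/Apply on;
# the line before each match is the GPO name.
gpresult /r /scope:user | Select-String -Pattern 'Filtering:' -Context 1, 0

# Full HTML report (links, security filtering, and the loopback source GPO).
gpresult /h "$env:TEMP\rsop-user.html" /f
"Report written to $env:TEMP\rsop-user.html"
```

If the first line reports "Not configured", the problem is on the computer side (group membership, link, or filtering of the loopback GPO), not on the user GPO; if it reports Replace or Merge but the user GPO is still "Denied (Security)", the user object lacks Read and Apply on that user GPO, which is exactly the case in the question.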
 
LVL 6

Expert Comment

by:aces4all2008
ID: 21858218
>>"...GPresult shows me it is attaching the computer security group ..."

Security group - Microsoft's definition

A group that can be listed in discretionary access control lists (DACLs) used to define permissions on resources and objects. A security group can also be used as an e-mail entity.

While we are able to make computer accounts members of security groups, Microsoft has never really made it work right. Security group filtering with computer objects rarely works, and even when it does, implementation tends to be spotty. The only thing I've found that group membership for computers is any good for is non-GPO-based software deployment (SMS, Radia, Altiris, etc.) where the application queries AD to see what groups a computer is a member of instead of the computer itself. Microsoft has always divided everything into resources and users of resources. Security groups are used to grant a common level of access to resources. You grant users (and groups of users) permission to use resources, not resources to use themselves and other resources. I don't give the food in my refrigerator permission to be eaten or even the refrigerator permission to chill the food, but I do give my friends and family permission to put food in and take food out so it can be eaten.
 

Author Comment

by:dirtyike
ID: 21859043
Ahh, I had it in my head that enabling loopback was per policy, not per computer, but that makes sense.

So I create one GPO with the affected computers in it that has loopback enabled. Then create another GPO with the login script and link it to the workstation OU. Can I use security filtering on the script GPO so you can use more than one login script in an OU?
 
LVL 85

Expert Comment

by:oBdA
ID: 21859107
Yes, that's correct, and yes, you can filter the loopback GPOs just the same as any other GPO.
 

Author Comment

by:dirtyike
ID: 21859614
Not the loopback, but the other GPO containing the user policies linked to the computer GPO.
 
LVL 85

Expert Comment

by:oBdA
ID: 21859628
All of them.
 

Author Closing Comment

by:dirtyike
ID: 31470173
Thank you for your help. I think this will overcomplicate the policies if I build what I was thinking. But at least now I know how loopback works, and I may find another case where it's more effective in the company.
 

Expert Comment

by:CrashResistant
ID: 22501038
Does the loopback  GPO have to be linked to an OU? Can't I apply it to the entire domain and use Security Filtering to limit which computers?
