dirtyike

asked on

AD GPO, Loopback processing, computer based security filtering fails

I'm trying to create a GPO with loopback processing to run a login script for all users per computer.
I have a GPO attached to a workstation OU and enabled loopback processing in replace mode. Under security filtering I have entered only the affected computers with Read/Apply. GPresult shows me it is attaching the computer security group but under user the policy shows Test_GPO Filtering:  Denied (Security). If the user account that is logging in is then added to security filtering it works. Why? Doesn't this defeat the purpose of loopback? How can I attach it per computer?

Our directory is already separated in OUs so creating new containers is not a usable solution.

I have read m$ kb 260370 and method 2 appears to be exactly what I'm trying to do.
http://support.microsoft.com/?kbid=260370

"The computer account of the terminal server should be added to the security properties of the GPO being created for the loopback. To do this, follow these steps:
1.      Select the GPO that is created for the loopback, and then click Properties.
2.      Click the Security tab, and then click Add.
3.      In the Select Users, Computers, or Groups box, select the computer account, and then click OK.
4.      Click the computer account from the Group or user names box.
5.      In the Permissions for computer name box, click to select the Read and Apply Group Policy check boxes in the Allow column.
6.      Click OK two times to close and save the policy settings."
ASKER CERTIFIED SOLUTION
oBdA
dirtyike

ASKER

What's the benefit to enabling Loopback GPO where you only set computer settings?

"Applies alternate user settings when a user logs on to a computer affected by this setting."

If I create a GPO that only has user policies then they would be applied to all computers that they would log in to, including our TS and Citrix farms, which I wouldn't want.
No.
Policies in the *Computer* configuration tree will only be applied to *computer* objects in or below the OU to which the GPO is linked.
Policies in the *User* configuration tree will only be applied to *user* objects in or below the OU to which the GPO is linked.
That means that by default, you can (try to) apply any user configuration policy to any number of machine accounts, and exactly nothing will happen.
*Only* when loopback processing is enabled for a *computer* will *user* policies linked to the *computer* OU be applied to users logging on to this computer.
>>"...GPresult shows me it is attaching the computer security group ..."

Security group - Microsoft's definition

A group that can be listed in discretionary access control lists (DACLs) used to define permissions on resources and objects. A security group can also be used as an e-mail entity.

While we are able to make computer accounts members of security groups, Microsoft has never really made it work right. Security group filtering with computer objects rarely works, and even when it does, implementation tends to be spotty. The only thing I've found that group membership for computers is any good for is non-GPO-based software deployment (SMS, Radia, Altiris, etc.) where the application queries AD to see what groups a computer is a member of instead of the computer itself. Microsoft has always divided everything into resources and users of resources. Security groups are used to grant a common level of access to resources. You grant users (and groups of users) permission to use resources, not resources permission to use themselves and other resources. I don't give the food in my refrigerator permission to be eaten, or even the refrigerator permission to chill the food, but I do give my friends and family permission to put food in and take food out so it can be eaten.
Ahh, I had it in my head that enabling loopback was per policy, not per computer, but that makes sense.

So I create one GPO with the affected computers in it that has loopback enabled. Then create another GPO with the login script and link it to the workstation OU. Can I use security filtering on the script GPO so you can use more than one login script in an OU?
Yes, that's correct, and yes, you can filter the loopback GPOs just the same as any other GPO.
Not the loopback, but the other GPO containing the user policies linked to the computer OU.
All of them.
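The two-GPO layout discussed above, as an added PowerShell example (not from the thread or from Microsoft's KB): a computer-configuration GPO that switches loopback on and is security-filtered to a computer group, plus a user-configuration GPO for the login script linked to the same OU. The user GPO keeps the default Authenticated Users Read/Apply, because its user settings are still filtered against the logging-on user (the "Denied (Security)" result in the question); the OU path, group name and GPO names are assumptions, and the script itself is added afterwards in GPMC.

```powershell
# Added example, not code from the thread. Assumes the GroupPolicy module (RSAT/GPMC),
# a security group holding the affected computer accounts, and an existing workstation OU.
Import-Module GroupPolicy

$ou          = "OU=Workstations,DC=example,DC=com"   # constructed, replace with your OU
$compGroup   = "GG-Loopback-Workstations"            # constructed group of computer accounts
$loopbackGpo = "WS-Loopback-Enable"                  # computer settings only
$userGpo     = "WS-User-LoginScript"                 # user settings only (login script)

# 1. Computer-configuration GPO that enables loopback. UserPolicyMode 2 = Replace, 1 = Merge
#    (registry-backed form of "Configure user Group Policy loopback processing mode").
New-GPO -Name $loopbackGpo | Out-Null
Set-GPRegistryValue -Name $loopbackGpo `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null
New-GPLink -Name $loopbackGpo -Target $ou -LinkEnabled Yes | Out-Null

# Per-computer targeting happens here: only members of the computer group get Apply,
# Authenticated Users is reduced to Read so the loopback switch is not set on every machine.
Set-GPPermission -Name $loopbackGpo -TargetName $compGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $loopbackGpo -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 2. User-configuration GPO linked to the *computer* OU. Its user settings take effect on a
#    workstation only because that workstation processes the loopback GPO above. Leave the
#    default Authenticated Users Read/Apply in place: the user token is what is checked for
#    user settings, so filtering this GPO by computer group reproduces "Denied (Security)".
New-GPO -Name $userGpo | Out-Null
New-GPLink -Name $userGpo -Target $ou -LinkEnabled Yes | Out-Null

# 3. Review the resulting ACLs, then confirm on a member after gpupdate /force with
#    gpresult /r (the user-settings GPO should appear under "Applied Group Policy Objects").
foreach ($gpo in $loopbackGpo, $userGpo) {
    "--- $gpo"
    Get-GPPermission -Name $gpo -All | Format-Table Trustee, Permission -AutoSize
}
```

Workstations outside the computer group still receive the user GPO link but ignore its user settings, since without loopback a user-configuration policy linked to a computer OU applies to nothing, which is the point oBdA makes above.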
Thank you for your help. I think this will over-complicate the policies if I built what I was thinking. But at least now I know how loopback works, and I may find another case where it's more effective in the company.
Does the loopback  GPO have to be linked to an OU? Can't I apply it to the entire domain and use Security Filtering to limit which computers?