Solved

AD GPO, Loopback processing, computer based security filtering fails

Posted on 2008-06-24
Last Modified: 2010-04-21
I'm trying to create a GPO with loopback processing to run a login script for all users per computer.
I have a GPO attached to a workstation OU and enabled loopback processing in replace mode. Under security filtering I have entered only the affected computers with Read/Apply. GPresult shows me it is attaching the computer security group but under user the policy shows Test_GPO Filtering:  Denied (Security). If the user account that is logging in is then added to security filtering it works. Why? Doesn't this defeat the purpose of loopback? How can I attach it per computer?

Our directory is already separated in OUs so creating new containers is not a usable solution.

I have read m$ KB 260370 and method 2 appears to be exactly what I'm trying to do.
http://support.microsoft.com/?kbid=260370

"The computer account of the terminal server should be added to the security properties of the GPO being created for the loopback. To do this, follow these steps:
1. Select the GPO that is created for the loopback, and then click Properties.
2. Click the Security tab, and then click Add.
3. In the Select Users, Computers, or Groups box, select the computer account, and then click OK.
4. Click the computer account from the Group or user names box.
5. In the Permissions for computer name box, click to select the Read and Apply Group Policy check boxes in the Allow column.
6. Click OK two times to close and save the policy settings."
Question by:dirtyike

Accepted Solution

by:
oBdA earned 500 total points
ID: 21856851
The loopback policy is a *computer* configuration policy, it applies only to the computer object. This policy will change the GPO handling on this machine in such a way that *user* policies applied to the OU in which the *computer* object resides will be processed, regardless of where the *user* object in AD is.
The logon script is a *user* policy, and if the user doesn't have permissions to read this policy, it won't be applied.
It's technically possible to configure both the loopback and the user settings in the same GPO, but in the end, that's just confusing. So do yourself a favor, and create (at least) two GPOs for this:
- a "Loopback" GPO in which you only enable the loopback setting (and other *computer* configuration settings). Use groups with computers to filter the application.
- Additional GPOs in which you configure only *user* configuration policies. Use groups with users to filter the application.
There is no reason and no need to combine the user configuration policies with computer configuration policies.
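The two-GPO split described in this answer, scripted as an added example (not code from the thread) with the GroupPolicy and ActiveDirectory RSAT modules; the OU path, group names and GPO names are assumptions:

```powershell
# Added example, not code from the thread. Builds the "Loopback GPO + separate
# user GPO" layout. Assumed: the OU path, the two group names and the GPO names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$WorkstationOU     = 'OU=Workstations,DC=example,DC=com'  # assumed OU holding the computer objects
$LoopbackComputers = 'GPO-Loopback-Computers'              # assumed group of *computer* accounts
$ScriptUsers       = 'GPO-LogonScript-Users'               # assumed group of *user* accounts

# Create the two filtering groups if they do not exist yet.
foreach ($g in $LoopbackComputers, $ScriptUsers) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security | Out-Null
    }
}

# --- GPO 1: computer configuration only. Enables loopback; filtered by the *computer* group. ---
$lb = New-GPO -Name 'Workstations - Loopback (Replace)' -Comment 'Computer configuration only'
# "Configure user Group Policy loopback processing mode": 2 = Replace, 1 = Merge
Set-GPRegistryValue -Name $lb.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
# Default filtering is Authenticated Users: Read + Apply. Reduce it to Read so only the
# computer group applies the GPO. Keep Read: the computer account must still read it.
Set-GPPermission -Name $lb.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $lb.DisplayName -TargetName $LoopbackComputers `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $lb.DisplayName -Target $WorkstationOU -LinkEnabled Yes | Out-Null

# --- GPO 2: user configuration only. Linked to the same *computer* OU; filtered by the *user* group. ---
# The logon script itself is still assigned in GPMC (User Configuration > Windows Settings >
# Scripts); there is no cmdlet for that, so only filtering and link are scripted here.
$us = New-GPO -Name 'Workstations - Logon Script' -Comment 'User configuration only'
Set-GPPermission -Name $us.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $us.DisplayName -TargetName $ScriptUsers `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $us.DisplayName -Target $WorkstationOU -LinkEnabled Yes | Out-Null

# Check: each GPO should list exactly one trustee with GpoApply, and it must be the right
# kind of group (computers on the loopback GPO, users on the script GPO).
foreach ($gpo in $lb, $us) {
    Get-GPPermission -Name $gpo.DisplayName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{n='GPO';e={$gpo.DisplayName}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
```

After `gpupdate /force` on a workstation in the computer group and a fresh logon by a user in the user group, `gpresult /r /scope:user` should list the logon-script GPO under applied objects instead of "Denied (Security)" as in the question.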

Author Comment

by:dirtyike
ID: 21857039
What's the benefit to enabling Loopback GPO where you only set computer settings?

"Applies alternate user settings when a user logs on to a computer affected by this setting."

If I create a GPO that only has user policies then they would be applied to all computers that they would log in to including our TS and Citrix farms, which I wouldn't want.

Expert Comment

by:oBdA
ID: 21857131
No.
Policies in the *Computer* configuration tree will only be applied to *computer* objects in or below the OU to which the GPO is linked.
Policies in the *User* configuration tree will only be applied to *user* objects in or below the OU to which the GPO is linked.
That means that by default, you can (try to) apply any user configuration policy to any number of machine accounts, and exactly nothing will happen.
*Only* when loopback processing is enabled for a *computer* will *user* policies linked to the *computer* OU be applied to users logging on to this computer.

Expert Comment

by:aces4all2008
ID: 21858218
>> "...GPresult shows me it is attaching the computer security group ..."

Security group - Microsoft's definition:

A group that can be listed in discretionary access control lists (DACLs) used to define permissions on resources and objects. A security group can also be used as an e-mail entity.
While we are able to make computer accounts members of security groups, Microsoft has never really made it work right. Security group filtering with computer objects rarely works and even when it does, implementation tends to be spotty. The only thing I've found that group membership for computers is any good for is non-GPO-based software deployment (SMS, Radia, Altiris, etc.) where the application queries AD to see what groups a computer is a member of instead of the computer itself. Microsoft has always divided everything into resources and users of resources. Security groups are used to grant a common level of access to resources. You grant users (and groups of users) permission to use resources, not resources permission to use themselves and other resources. I don't give the food in my refrigerator permission to be eaten or even the refrigerator permission to chill the food, but I do give my friends and family permission to put food in and take food out so it can be eaten.

Author Comment

by:dirtyike
ID: 21859043
Ahh I had it in my head that enabling loopback was per policy not per computer but that makes sense.

So I create one GPO with the affected computers in it that has loopback enabled. Then create another GPO with the login script and link it to the workstation OU. Can I use security filtering on the script GPO so you can use more than one login script in an OU?

Expert Comment

by:oBdA
ID: 21859107
Yes, that's correct, and yes, you can filter the loopback GPOs just the same as any other GPO.

Author Comment

by:dirtyike
ID: 21859614
Not the loopback but the other GPO containing the user policies linked to the computer OU.

Expert Comment

by:oBdA
ID: 21859628
All of them.

Author Closing Comment

by:dirtyike
ID: 31470173
Thank you for your help. I think this will overcomplicate the policies if I built what I was thinking. But at least now I know how loopback works and I may find another case where it's more effective in the company.

Expert Comment

by:CrashResistant
ID: 22501038
Does the loopback GPO have to be linked to an OU? Can't I apply it to the entire domain and use Security Filtering to limit which computers?