Solved

AD GPO, Loopback processing, computer based security filtering fails

Posted on 2008-06-24
10
1,917 Views
Last Modified: 2010-04-21
I'm trying to create a GPO with loopback processing to run a login script for all users per computer.
I have a GPO attached to a workstation OU and enabled loopback processing in replace mode. Under security filtering I have entered only the affected computers with Read/Apply. GPresult shows me it is attaching the computer security group, but under user the policy shows Test_GPO Filtering: Denied (Security). If the user account that is logging in is then added to security filtering, it works. Why? Doesn't this defeat the purpose of loopback? How can I attach it per computer?

Our directory is already separated in OUs so creating new containers is not a usable solution.

I have read M$ KB 260370 and method 2 appears to be exactly what I'm trying to do.
http://support.microsoft.com/?kbid=260370

"The computer account of the terminal server should be added to the security properties of the GPO being created for the loopback. To do this, follow these steps:
1. Select the GPO that is created for the loopback, and then click Properties.
2. Click the Security tab, and then click Add.
3. In the Select Users, Computers, or Groups box, select the computer account, and then click OK.
4. Click the computer account from the Group or user names box.
5. In the Permissions for computer name box, click to select the Read and Apply Group Policy check boxes in the Allow column.
6. Click OK two times to close and save the policy settings."
0
Question by:dirtyike
10 Comments
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 21856851
The loopback policy is a *computer* configuration policy; it applies only to the computer object. This policy will change the GPO handling on this machine in such a way that *user* policies applied to the OU in which the *computer* object resides will be processed, regardless of where the *user* object in AD is.
The logon script is a *user* policy, and if the user doesn't have permissions to read this policy, it won't be applied.
It's technically possible to configure both the loopback and the user settings in the same GPO, but in the end, that's just confusing. So do yourself a favor, and create (at least) two GPOs for this:
- a "Loopback" GPO in which you only enable the loopback setting (and other *computer* configuration settings). Use groups with computers to filter the application.
- Additional GPOs in which you configure only *user* configuration policies. Use groups with users to filter the application.
There is no reason and no need to combine the user configuration policies with computer configuration policies.
0
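A scripted version of the layout oBdA describes (a loopback GPO filtered on a computer group, and a separate user-settings GPO filtered on a user group), together with the permission steps quoted from KB 260370 in the question, as an added example that is not part of this thread and not Microsoft's own code. It uses the GroupPolicy PowerShell module from RSAT; the domain, OU and group names are assumptions.

```powershell
# Added example, not from the thread or from KB 260370. Assumed names: domain
# contoso.local, OU "Workstations", a group of computer accounts named
# GPO-Loopback-Computers and a group of user accounts named GPO-LoginScript-Users.
Import-Module GroupPolicy

$domain    = 'contoso.local'                          # assumption
$wsOU      = 'OU=Workstations,DC=contoso,DC=local'    # assumption
$compGroup = 'GPO-Loopback-Computers'                 # assumption: contains computer accounts only
$userGroup = 'GPO-LoginScript-Users'                  # assumption: contains user accounts only

# --- GPO 1: computer configuration only, turns on loopback processing --------
$loop = New-GPO -Name 'Loopback-Workstations' -Domain $domain
# "User Group Policy loopback processing mode" is stored under this policy key;
# UserPolicyMode 1 = Merge, 2 = Replace (the mode the question uses).
Set-GPRegistryValue -Name $loop.DisplayName -Domain $domain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Security filtering on the loopback GPO: only the computer group gets Apply.
# Authenticated Users is downgraded from Apply to Read (-Replace overwrites the
# default entry instead of adding to it).
Set-GPPermission -Name $loop.DisplayName -Domain $domain -Replace `
    -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
Set-GPPermission -Name $loop.DisplayName -Domain $domain `
    -TargetName $compGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
# KB 260370 method 2 adds a single computer account instead of a group; the
# equivalent call targets the account directly (computer name is an assumption):
# Set-GPPermission -Name $loop.DisplayName -Domain $domain `
#     -TargetName 'WS01' -TargetType Computer -PermissionLevel GpoApply
New-GPLink -Name $loop.DisplayName -Domain $domain -Target $wsOU | Out-Null

# --- GPO 2: user configuration only, linked to the same workstation OU -------
# The logon script itself is added in the GPO editor under
# User Configuration > Windows Settings > Scripts (Logon); there is no cmdlet for it.
$script = New-GPO -Name 'LoginScript-Workstations' -Domain $domain
# Filter on the USER group: this is the "Denied (Security)" from the question.
# The user logging on must hold Apply on this GPO, the computer group does not help.
Set-GPPermission -Name $script.DisplayName -Domain $domain -Replace `
    -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
Set-GPPermission -Name $script.DisplayName -Domain $domain `
    -TargetName $userGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
# Keeping Read for Authenticated Users matters: since MS16-072 (2016) the computer
# account retrieves user GPOs, so removing Read entirely breaks user policy processing.
New-GPLink -Name $script.DisplayName -Domain $domain -Target $wsOU | Out-Null

# --- Verification --------------------------------------------------------------
# Who can apply each GPO (look for Permission = GpoApply on the intended group only):
foreach ($g in $loop, $script) {
    "== $($g.DisplayName) =="
    Get-GPPermission -Name $g.DisplayName -Domain $domain -All |
        Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
# On a workstation in the OU, after gpupdate /force:
#   gpresult /r /scope:computer   -> Loopback-Workstations under "Applied Group Policy Objects"
#   gpresult /r /scope:user       -> LoginScript-Workstations applied; "Denied (Security)"
#                                    means the logged-on user is not in $userGroup.
```

With this split, which users get the script on which computers is controlled by two independent filters: membership in the computer group decides whether the machine runs loopback at all, and membership in the user group decides whether the user GPO linked to that OU applies, so a second script GPO with a different user group can sit on the same OU.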
 

Author Comment

by:dirtyike
ID: 21857039
What's the benefit to enabling a Loopback GPO where you only set computer settings?

"Applies alternate user settings when a user logs on to a computer affected by this setting."

If I create a GPO that only has user policies then they would be applied to all computers that they would log in to, including our TS and Citrix farms, which I wouldn't want.
0
 
LVL 84

Expert Comment

by:oBdA
ID: 21857131
No.
Policies in the *Computer* configuration tree will only be applied to *computer* objects in or below the OU to which the GPO is linked.
Policies in the *User* configuration tree will only be applied to *user* objects in or below the OU to which the GPO is linked.
That means that by default, you can (try to) apply any user configuration policy to any number of machine accounts, and exactly nothing will happen.
*Only* when loopback processing is enabled for a *computer* will *user* policies linked to the *computer* OU be applied to users logging on to this computer.
0

 
LVL 6

Expert Comment

by:aces4all2008
ID: 21858218
>>"...GPresult shows me it is attaching the computer security group ..."

Security group - Microsoft's definition:

A group that can be listed in discretionary access control lists (DACLs) used to define permissions on resources and objects. A security group can also be used as an e-mail entity.

While we are able to make computer accounts members of security groups, Microsoft has never really made it work right. Security group filtering with computer objects rarely works and even when it does, implementation tends to be spotty. The only thing I've found that group membership for computers is any good for is non-GPO-based software deployment (SMS, Radia, Altiris, etc.) where the application queries AD to see what groups a computer is a member of instead of the computer itself. Microsoft has always divided everything into resources and users of resources. Security groups are used to grant a common level of access to resources. You grant users (and groups of users) permission to use resources, not resources to use themselves and other resources. I don't give the food in my refrigerator permission to be eaten or even the refrigerator permission to chill the food, but I do give my friends and family permission to put food in and take food out so it can be eaten.
0
 

Author Comment

by:dirtyike
ID: 21859043
Ahh I had it in my head that enabling loopback was per policy not per computer but that makes sense.

So I create one GPO with the affected computers in it that has loopback enabled. Then create another GPO with the login script and link it to the workstation OU. Can I use security filtering on the script GPO so you can use more than one login script in an OU?
0
 
LVL 84

Expert Comment

by:oBdA
ID: 21859107
Yes, that's correct, and yes, you can filter the loopback GPOs just the same as any other GPO.
0
 

Author Comment

by:dirtyike
ID: 21859614
Not the loopback, but the other GPO containing the user policies linked to the computer GPO.
0
 
LVL 84

Expert Comment

by:oBdA
ID: 21859628
All of them.
0
 

Author Closing Comment

by:dirtyike
ID: 31470173
Thank you for your help. I think this will overcomplicate the policies if I built what I was thinking. But at least now I know how loopback works, and I may find another case where it's more effective in the company.
0
 

Expert Comment

by:CrashResistant
ID: 22501038
Does the loopback GPO have to be linked to an OU? Can't I apply it to the entire domain and use Security Filtering to limit which computers?
0
