Solved

How do I apply security filtering to Group Policy Objects when Loopback Processing is enabled?

Posted on 2008-06-25
Last Modified: 2009-12-16
I have a test OU that has a GPO where loopback processing is enabled in computer settings. I have another GPO (user settings) that locks down the system whenever someone logs into a workstation that is in this test OU. I wish to be able to have a certain few individuals, or a group of users, that don't get locked down when they log into these workstations. I currently have Authenticated Users in the security filtering settings of both GPOs. I've tried to create a global security group that contains all users that should receive the locked down desktop; the few users that I don't want to receive the locked down desktop are absent from this security group. I've tried replacing Authenticated Users with this group in the hopes that certain people won't receive the locked down desktop, but it isn't working. Can someone please point me in the right direction?
Question by:CousinDupree
3 Comments
 

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 400 total points
ID: 21870693
Add the users that shall not have the policy to a group.
Set the Apply Group Policy permission to Deny for the group on the GPO with user settings.
Set the Apply Group Policy permission to Allow for the Authenticated Users on the GPO with user settings.

This will apply the GPO to all users except for the group with the deny permission.

Accepted Solution

by:oBdA
oBdA earned 1600 total points
ID: 21873040
Actually, you seem to be pretty close already. For this to work, replace the "Authenticated Users" group only in the GPO with the user settings, *not* in the GPO with the Loopback setting, then your setup should work just fine (I've implemented it like this several times).
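
One way to script the filtering described in the accepted answer with the GroupPolicy PowerShell module, as an added example that is not part of the original thread. The GPO names and the group name are hypothetical placeholders, and the sketch assumes Authenticated Users is left with Read (but not Apply) on the user-settings GPO instead of being removed outright.

```powershell
# Requires the GroupPolicy module (installed with GPMC / RSAT).
# On Windows Server 2008 R2 the cmdlets are named Set-GPPermissions / Get-GPPermissions.
Import-Module GroupPolicy

# Hypothetical names: substitute your own GPOs and security group.
$LoopbackGpo   = 'Test OU - Loopback'   # computer settings, loopback enabled
$LockdownGpo   = 'Test OU - Lockdown'   # user settings that lock down the desktop
$LockdownGroup = 'GG-Lockdown-Users'    # users who SHOULD get the locked-down desktop

function Set-LockdownFiltering {
    param([string]$GpoName, [string]$GroupName)

    # Assumption of this sketch: downgrade Authenticated Users from Apply to
    # Read on the user-settings GPO, so the GPO stays readable but no longer
    # applies to everyone.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Grant Read + Apply Group Policy to the lockdown group only.
    Set-GPPermission -Name $GpoName -TargetName $GroupName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

function Get-ApplyTrustees {
    param([string]$GpoName)
    # Names of every trustee that currently holds Apply Group Policy on the GPO.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

# Change the filtering ONLY on the user-settings GPO; the loopback GPO is untouched.
Set-LockdownFiltering -GpoName $LockdownGpo -GroupName $LockdownGroup

# Verify both sides of the setup.
$loopbackApply = @(Get-ApplyTrustees $LoopbackGpo)
$lockdownApply = @(Get-ApplyTrustees $LockdownGpo)

[pscustomobject]@{
    LoopbackGpoAppliesTo = $loopbackApply -join ', '
    LockdownGpoAppliesTo = $lockdownApply -join ', '
}

if ($loopbackApply -notcontains 'Authenticated Users') {
    Write-Warning "Loopback GPO no longer applies to Authenticated Users."
}
if ($lockdownApply -contains 'Authenticated Users') {
    Write-Warning "Lockdown GPO still applies to Authenticated Users; exempt users will be locked down."
}
```

Exempt users are simply those left out of the lockdown group; run `gpresult /r` as one of them on a workstation in the test OU to confirm the lockdown GPO is listed as filtered out.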
 

Author Comment

by:CousinDupree
ID: 21877164
I split the points because while oBdA's solution worked best for me, henjoh09's solution did give me some useful info. I was under the impression that loopback processing of user settings couldn't be denied through permissions. Microsoft states that you cannot deny loopback processing by denying the Apply Group Policy and Read permissions on the computer object, but they don't mention the user object.

http://support.microsoft.com/kb/231287

Thanks!

