Solved

How do I apply security filtering to Group Policy Objects when Loopback Processing is enabled?

Posted on 2008-06-25
Last Modified: 2009-12-16
I have a test OU that has a GPO where loopback processing is enabled in computer settings.  I have another GPO (user settings) that locks down the system whenever someone logs into a workstation that is in this test OU.  I wish to be able to have a certain few individuals, or a group of users, that don't get locked down when they log into these workstations.  I currently have Authenticated Users in the security filtering settings of both GPOs.  I've tried to create a global security group that contains all users that should receive the locked-down desktop; the few users that I don't want to receive the locked-down desktop are absent from this security group.  I've tried replacing Authenticated Users with this group in the hopes that certain people won't receive the locked-down desktop, but it isn't working.  Can someone please point me in the right direction?
Question by:CousinDupree
3 Comments
 

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 100 total points
ID: 21870693
Add the users that shall not have the policy to a group.
Set the Apply Group Policy permission to Deny for the group on the GPO with user settings.
Set the Apply Group Policy permission to Allow for the Authenticated Users on the GPO with user settings.

This will apply the GPO to all users except the group with the Deny permission.

Accepted Solution

by:oBdA
oBdA earned 400 total points
ID: 21873040
Actually, you seem to be pretty close already. For this to work, replace the "Authenticated Users" group only in the GPO with the user settings, *not* in the GPO with the Loopback setting, then your setup should work just fine (I've implemented it like this several times).
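
The filtering change from the accepted answer, scripted with the GroupPolicy PowerShell module as an added example (not part of the original thread); the GPO and group names are hypothetical placeholders. As an assumption beyond the thread, it leaves Read (without Apply) for Authenticated Users on the user-settings GPO, because since the MS16-072 update user policy is retrieved in the computer's security context and the computer account must still be able to read the GPO.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module GroupPolicy

$LoopbackGpo = 'Test - Loopback (computer settings)'  # filtering stays as it is
$LockdownGpo = 'Test - Lockdown (user settings)'      # only this GPO is filtered
$TargetGroup = 'GG-LockedDownUsers'                   # users who SHOULD be locked down

function Set-LockdownFiltering {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$GpoName, [string]$GroupName)

    if ($PSCmdlet.ShouldProcess($GpoName, "Limit Apply Group Policy to $GroupName")) {
        # Read + Apply Group Policy for the group that should get the lockdown.
        Set-GPPermission -Name $GpoName -TargetName $GroupName `
            -TargetType Group -PermissionLevel GpoApply | Out-Null
        # Downgrade Authenticated Users from Apply to Read only. -Replace is
        # required, otherwise the existing higher permission is left in place.
        Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    }
}

function Get-GpoApplyTrustee {
    # Names of the security principals that currently hold Apply Group Policy.
    param([string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

Set-LockdownFiltering -GpoName $LockdownGpo -GroupName $TargetGroup

# Check 1: the loopback GPO must still apply to the workstations. Authenticated
# Users covers computer accounts, so it should still be listed here.
if ((Get-GpoApplyTrustee $LoopbackGpo) -notcontains 'Authenticated Users') {
    Write-Warning "'$LoopbackGpo' no longer applies to Authenticated Users."
}

# Check 2: only the intended group should hold Apply on the user-settings GPO.
$unexpected = Get-GpoApplyTrustee $LockdownGpo | Where-Object { $_ -ne $TargetGroup }
if ($unexpected) {
    Write-Warning "'$LockdownGpo' also applies to: $($unexpected -join ', ')"
}
```

Run it with `-WhatIf` on `Set-LockdownFiltering` first to preview the change, then confirm the result on a workstation in the test OU with `gpresult /r` for one excluded user and one locked-down user.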

Author Comment

by:CousinDupree
ID: 21877164
I split the points because while oBdA's solution worked best for me, henjoh09's solution did give me some useful info.  I was under the impression that loopback processing of user settings couldn't be denied through permissions.  Microsoft states that you cannot deny loopback processing by denying the Apply Group Policy and Read permissions on the computer object, but they don't mention the user object.

http://support.microsoft.com/kb/231287

Thanks!

Question has a verified solution.
