• Status: Solved

How do I apply security filtering to Group Policy Objects when Loopback Processing is enabled?

I have a test OU that has a GPO where loopback processing is enabled in computer settings. I have another GPO (user settings) that locks down the system whenever someone logs into a workstation that is in this test OU. I wish to be able to have a certain few individuals, or a group of users, that don't get locked down when they log into these workstations. I currently have Authenticated Users in the security filtering settings of both GPOs. I've tried to create a global security group that contains all users that should receive the locked down desktop; the few users that I don't want to receive the locked down desktop are absent from this security group. I've tried replacing Authenticated Users with this group in the hopes that certain people won't receive the locked down desktop, but it isn't working. Can someone please point me in the right direction?
Asked: CousinDupree
 
Henrik Johansson (Systems engineer) commented:
Add the users that shall not have the policy to a group.
Set the Apply Group Policy permission to Deny for the group on the GPO with user settings.
Set the Apply Group Policy permission to Allow for the Authenticated Users on the GPO with user settings.

This will apply the GPO to all users except the group with the Deny permission.
 
oBdA commented:
Actually, you seem to be pretty close already. For this to work, replace the "Authenticated Users" group only in the GPO with the user settings, *not* in the GPO with the Loopback setting, then your setup should work just fine (I've implemented it like this several times).
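
oBdA's approach scripted with the GroupPolicy PowerShell module, as an added example that is not part of the original thread. The GPO and group names are hypothetical placeholders, and Authenticated Users is downgraded to Read on the user-settings GPO rather than removed entirely (an assumption made here so that computer accounts can still read that GPO).

```powershell
# Added example; run from a machine with the Group Policy management tools installed.
Import-Module GroupPolicy

# Hypothetical names: substitute the real GPOs and group from your domain.
$UserGpo     = 'Lockdown - User Settings'   # GPO with the lockdown user settings
$LoopbackGpo = 'Lockdown - Loopback'        # GPO that enables loopback (computer settings)
$ApplyGroup  = 'GG-Lockdown-Users'          # global group of users who SHOULD be locked down

# Return the names of all trustees that hold "Apply Group Policy" on a GPO.
function Get-ApplyTrustee {
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

# 1. User-settings GPO only: take Apply away from Authenticated Users.
#    -Replace is required to lower an existing, higher permission level.
#    Read without Apply does not apply the GPO; it only keeps it readable.
Set-GPPermission -Name $UserGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 2. User-settings GPO only: grant Apply to the lockdown group.
Set-GPPermission -Name $UserGpo -TargetName $ApplyGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Verify both GPOs. The loopback GPO must stay untouched, because it is
#    applied to the computer account, not to the user logging on.
$userApply = @(Get-ApplyTrustee -GpoName $UserGpo)
$loopApply = @(Get-ApplyTrustee -GpoName $LoopbackGpo)

if ($userApply -contains 'Authenticated Users') {
    Write-Warning "'$UserGpo' still applies to Authenticated Users; nobody is excluded."
}
if ($userApply -notcontains $ApplyGroup) {
    Write-Warning "'$UserGpo' is not applied to '$ApplyGroup'."
}
if ($loopApply -notcontains 'Authenticated Users') {
    Write-Warning "'$LoopbackGpo' filtering was changed; workstations may no longer get loopback."
}

[pscustomobject]@{
    UserGpoApply     = $userApply -join ', '
    LoopbackGpoApply = $loopApply -join ', '
}
```

To confirm the result on a workstation in the test OU, log on as an excluded user and as a member of the lockdown group, then compare the applied and filtered GPO lists from `gpresult /r /scope user`.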
 
CousinDupree (Author) commented:
I split the points because while oBdA's solution worked best for me, henjoh09's solution did give me some useful info. I was under the impression that loopback processing of user settings couldn't be denied through permissions. Microsoft states that you cannot deny loopback processing by denying the Apply Group Policy and Read permissions on the computer object, but they don't mention the user object.

http://support.microsoft.com/kb/231287

Thanks!
