Solved

How do I apply security filtering to Group Policy Objects when Loopback Processing is enabled?

Posted on 2008-06-25
Last Modified: 2009-12-16
I have a test OU that has a GPO where loopback processing is enabled in computer settings.  I have another GPO (user settings) that locks down the system whenever someone logs into a workstation that is in this test OU.  I wish to be able to have a certain few individuals, or a group of users, that don't get locked down when they log into these workstations.  I currently have Authenticated Users in the security filtering settings of both GPOs.  I've tried to create a global security group that contains all users that should receive the locked down desktop; the few users that I don't want to receive the locked down desktop are absent from this security group.  I've tried replacing Authenticated Users with this group in the hopes that certain people won't receive the locked down desktop, but it isn't working.  Can someone please point me in the right direction?
Question by:CousinDupree
3 Comments
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 100 total points
ID: 21870693
Add the users that shall not have the policy to a group.
Set the Apply Group Policy permission to Deny for the group on the GPO with user settings.
Set the Apply Group Policy permission to Allow for the Authenticated Users on the GPO with user settings.

This will apply the GPO to all users except the group with deny permission.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 400 total points
ID: 21873040
Actually, you seem to be pretty close already. For this to work, replace the "Authenticated Users" group only in the GPO with the user settings, *not* in the GPO with the Loopback setting, then your setup should work just fine (I've implemented it like this several times).
0
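The filtering change from the accepted solution, scripted with the GroupPolicy PowerShell module as an added example (not part of the original thread). The two GPO names and the group name are hypothetical placeholders, and leaving Authenticated Users with Read on the user-settings GPO is a choice made in this example.

```powershell
#Requires -Modules GroupPolicy
# All three names are hypothetical placeholders for this example.
$LoopbackGpo   = 'TestOU-Loopback'       # computer settings, loopback enabled
$LockdownGpo   = 'TestOU-UserLockdown'   # user settings that lock the desktop down
$LockdownGroup = 'GG-LockedDownUsers'    # global group; exempt users are NOT members

function Get-GpoApplyTrustee {
    # Names of the trustees that currently hold "Apply Group Policy" on a GPO.
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

# 1. Loopback GPO: leave it unchanged. Only confirm it is still filtered to
#    Authenticated Users, so every workstation in the OU processes loopback.
if ((Get-GpoApplyTrustee $LoopbackGpo) -notcontains 'Authenticated Users') {
    Write-Warning "'$LoopbackGpo' is no longer filtered to Authenticated Users."
}

# 2. User-settings GPO: lower Authenticated Users from Apply to Read.
#    -Replace is required; without it the higher existing level is kept.
Set-GPPermission -Name $LockdownGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. User-settings GPO: grant Apply to the lockdown group only.
Set-GPPermission -Name $LockdownGpo -TargetName $LockdownGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Print the resulting Apply filter on both GPOs for review.
foreach ($gpo in $LoopbackGpo, $LockdownGpo) {
    [pscustomobject]@{
        Gpo       = $gpo
        AppliesTo = (Get-GpoApplyTrustee $gpo) -join ', '
    }
}
```

After the next policy refresh, `gpresult /r` run as an exempt user on a workstation in the OU should no longer list the lockdown GPO among the applied user policies.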
 

Author Comment

by:CousinDupree
ID: 21877164
I split the points because while oBdA's solution worked best for me, henjoh09's solution did give me some useful info.  I was under the impression that loopback processing of user settings couldn't be denied through permissions.  Microsoft states that you cannot deny loopback processing by denying the Apply Group Policy and Read permissions on the computer object, but they don't mention the user object.

http://support.microsoft.com/kb/231287

Thanks!

0

Question has a verified solution.