Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How do I apply security filtering to Group Policy Objects with Loopback Processing is enabled?

Posted on 2008-06-25
3
Medium Priority
?
993 Views
Last Modified: 2009-12-16
I have a test OU that has a GPO where loopback processing is enabled in computer settings.  I have another GPO (user settings) that locks down the system whenever someone logs into a workstation that is in this test OU.  I wish to be able to have a certain few individuals, or a group or users, that don't get locked down when they log into these workstations.  I currently have Authenticated Users in the security filtering settings of both GPOs.  I've tried to create a global security group that contains all users that should receive the locked down desktop, the few users that I don't want to receive the locked down desktop are absent from this security group.  I've tried replacing Authenticated users with this group in the hopes that certain people won't receive the locked down desktop, but it isn't working.  Can someone please point me in the right direction?
0
Comment
Question by:CousinDupree
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 400 total points
ID: 21870693
Add the users that shall not have the policy to a group.
Set the Apply Group Policy permission to Deny for the group on the GPO with user settings.
Set the Apply Group Policy permission to Allow for the Authenticated Users on the GPO with user settings.

This will apply the GPO to all users except of the group with deny permission.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1600 total points
ID: 21873040
Actually, you seem to be pretty close already. For this to work, replace the "Authenticated Users" group only in the GPO with the user settings, *not* in the GPO with the Loopback setting, then your setup should work just fine (I've implemented it like this several times).
0
 

Author Comment

by:CousinDupree
ID: 21877164
I split the points because while oBda's solution worked best for me, henjoh09's solution did give me some useful info.  I was under the impression that loopback processing of user settings couldn't be denied through permissions.  Microsoft states that you cannot deny loopback processing by denying the Apply Group Policy and Read permissions on the computer object, but they don't mention the user object.

http://support.microsoft.com/kb/231287

Thanks!

0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question