Solved

Stop GPO loopback processing for one GPO

Posted on 2009-05-08
Last Modified: 2012-05-06
Hi,

How can I stop loopback processing from applying a single GPO? I have a Terminal Services environment with a number of GPOs I would like to apply but one which I would like to block - is this possible?

Michael
Question by:Barnardos_2LS
11 Comments
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 100 total points
ID: 24334684
You can use security filtering to only apply a GPO to a group of users that should have that GPO; this works for user GPOs applied via loopback as well.
Security filtering using GPMC
http://technet.microsoft.com/en-us/library/cc781988.aspx
 
LVL 1

Author Comment

by:Barnardos_2LS
ID: 24335083
Hi,

I want the GPO to apply but not when the user logs onto the Terminal Services servers - can this be achieved?

Michael
 
LVL 27

Expert Comment

by:bluntTony
ID: 24335311
Could you explain what this GPO is doing?

Is it linked to users or the computer object?
Is it configuring user settings or computer settings?

I imagine you mean you have some user settings, linked to users, that you don't want to apply to the user if they log on to the TS machine; then you would need to configure loopback in REPLACE mode, so that it completely configures the user environment and ignores any GPOs linked to the users.
 
LVL 1

Author Comment

by:Barnardos_2LS
ID: 24335494
This GPO runs both a computer startup and user logon VBScript. It is linked to both the user and computer object. Loopback processing is set to REPLACE.
 
LVL 27

Accepted Solution

by:bluntTony
bluntTony earned 1800 total points
ID: 24335642
I assume you still want the startup script to run? (Obviously you couldn't stop this anyway because it's run before the user logs in.)

To exclude the user login script you would have to apply it to the users in another GPO. That way, the replace setting on the loopback GPO would exclude it, and just use the user settings defined in the GPO linked to the computer.

If the OU contains both the user and the computer objects, ensure that the computer objects cannot read or apply the GPO with the user login script. You would use security filtering as oBdA has stated above. You could either create a group holding the computer accounts or the user accounts, and then either deny the computers with security filtering, or only allow the user group read and apply permissions.

This would mean that only the users can apply the policy, and only when they are not subject to loopback.

Hope this explains...
 
LVL 1

Author Comment

by:Barnardos_2LS
ID: 24336024
I've now created two GPOs: one for computer, one for user. I have filtered the user GPO so that computer objects are denied access; however, the user GPO is still running when I log onto the TS server.
 
LVL 27

Expert Comment

by:bluntTony
ID: 24336157
OK, I think the problem must be that both the computer and user objects are in the same OU. Sorry, I may have confused myself! The process during loopback is:

1. Machine applies computer settings linked to itself during startup.
2. User applies user settings linked to the user objects during login.
3. User then applies user settings linked to the computer object (if mode is REPLACE, then these completely wipe away any user settings from 2.)

...so what I suggested wouldn't work as it's actually the user reading the login script GPO setting, not the computer. In order for this to work you'll have to separate the user and computer objects so they don't read the same GPOs. The login script setting would be applied to the user, and would be ignored when loopback is used. Otherwise, the user is always going to read the setting as it is linked to the computer object.

Sorry for the confusion.
 
LVL 1

Author Comment

by:Barnardos_2LS
ID: 24337432
Can security filtering be used rather than moving the objects?
 
LVL 1

Assisted Solution

by:etbservices_pete
etbservices_pete earned 100 total points
ID: 24337502
I have set up a few instances with loopback processing; make sure all GPOs are linked in the users' OU and the computer accounts' OU. You can use security filtering to do what you want to do.

Are users and computer accounts in the same OU?
 
LVL 27

Expert Comment

by:bluntTony
ID: 24337733
If the users and computers are in the same OU, in your case, no, you can't use security filtering.

During loopback, it's the user that reads GPOs linked to the computers. As you have discovered, blocking the computers from reading it has no effect, because the users read it (that was my oversight). You can't block the users, as this would always block them whether they logged on the machine or not. See what I mean?

The only way for you to do what you want is to have two separate OUs. Apply the GPO with the login script to the OU holding the users. It can't be linked to an OU holding the computers as this will cause it to be applied through loopback.

So long as you have loopback in replace mode, the login script will not be applied when the user logs on to the machine, but it will in normal circumstances.

Hope this helps.

Tony
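A way to verify the state Tony describes (loopback in REPLACE mode, login-script GPO linked only where users live, and which trustees actually hold Apply). This is an added example, not a script from the thread; it needs the RSAT GroupPolicy and ActiveDirectory modules, and the GPO names and OU distinguished name are placeholders to replace with your own.

```powershell
# Added example (not from the thread). Requires the GroupPolicy and ActiveDirectory modules (RSAT).
# Placeholders: replace the three values below with your own GPO names and OU distinguished name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$LoginScriptGpo = 'TS-UserLogonScript'          # GPO that must NOT run on the TS servers (placeholder)
$LoopbackGpo    = 'TS-Loopback'                 # GPO that enables loopback on the TS servers (placeholder)
$TsComputerOu   = 'OU=TerminalServers,DC=example,DC=com'   # OU holding the TS computer accounts (placeholder)

# 1. Confirm loopback is in REPLACE mode (UserPolicyMode: 1 = Merge, 2 = Replace).
$mode = Get-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' `
    -ErrorAction SilentlyContinue
if ($mode -and $mode.Value -eq 2) { Write-Host "[OK]   $LoopbackGpo uses loopback REPLACE" }
else { Write-Warning "$LoopbackGpo is not set to loopback REPLACE (value: $($mode.Value))" }

# 2. The login-script GPO must not appear in the effective link chain of the TS computer OU,
#    because under loopback the *user* reads every GPO linked along the computer's OU path.
$inheritance = Get-GPInheritance -Target $TsComputerOu
$hit = $inheritance.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $LoginScriptGpo -and $_.Enabled }
if ($hit) { Write-Warning "$LoginScriptGpo is linked at '$($hit.Target)' in the TS OU chain; loopback will apply it" }
else { Write-Host "[OK]   $LoginScriptGpo is not linked anywhere in the TS computer OU chain" }

# 3. Show who holds Apply on the login-script GPO. Denying the computer accounts here has no
#    effect under loopback (the thread's finding), so only the user/group Apply grants matter.
Get-GPPermission -Name $LoginScriptGpo -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, @{n='Type';e={$_.Trustee.SidType}}, Denied

# 4. Mixed-OU check: if any OU the login-script GPO is linked to holds both user and computer
#    objects, the objects need separating into different OUs, as the thread concludes.
foreach ($link in $inheritance.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $LoginScriptGpo }) {
    $users = @(Get-ADUser     -SearchBase $link.Target -SearchScope OneLevel -Filter *).Count
    $comps = @(Get-ADComputer -SearchBase $link.Target -SearchScope OneLevel -Filter *).Count
    Write-Host ("{0}: {1} user(s), {2} computer(s)" -f $link.Target, $users, $comps)
}
```

Run it from a domain-joined admin workstation; a warning in step 2 means the login script will still run on the TS servers regardless of any security filtering.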
 
LVL 1

Expert Comment

by:etbservices_pete
ID: 24337759
Tony,

I agree users and computer objects should be in different OUs, and for this scenario to work they need to be.
