Solved

Stop GPO loopback processing for one GPO

Posted on 2009-05-08
11
667 Views
Last Modified: 2012-05-06
Hi,

How can I stop loopback processing from applying a single GPO? I have a Terminal Services environment with a number of GPOs I would like to apply but one which I would like to block - is this possible?

Michael
0
Question by:Barnardos_2LS
11 Comments
 
LVL 82

Assisted Solution

by:oBdA
oBdA earned 25 total points
You can use security filtering to only apply a GPO to a group of users that should have that GPO; this works for user GPOs applied via loopback as well.
Security filtering using GPMC
http://technet.microsoft.com/en-us/library/cc781988.aspx
0
 
LVL 1

Author Comment

by:Barnardos_2LS
Hi,

I want the GPO to apply but not when the user logs onto the Terminal Services servers - can this be achieved?

Michael
0
 
LVL 27

Expert Comment

by:bluntTony
Could you explain what this GPO is doing?

Is it linked to users or the computer object?
Is it configuring user settings or computer settings?

If you mean you have some user settings, linked to users, that you don't want to apply to the user if they log on to the TS machine, then you would need to configure loopback in REPLACE mode, so that it completely configures the user environment and ignores any GPOs linked to the users.
0
 
LVL 1

Author Comment

by:Barnardos_2LS
This GPO runs both a computer startup and user logon VBScript. It is linked to both the user and computer object. Loopback processing is set to REPLACE.
0
 
LVL 27

Accepted Solution

by:bluntTony
bluntTony earned 450 total points
I assume you still want the startup script to run? (Obviously you couldn't stop this anyway because it's run before the user logs in.)

To exclude the user login script you would have to apply it to the users in another GPO. That way, the replace setting on the loopback GPO would exclude it, and just use the user settings defined in the GPO linked to the computer.

If the OU contains both the user and the computer objects, ensure that the computer objects cannot read or apply the GPO with the user login script. You would use security filtering as oBdA has stated above. You could either create a group holding the computer accounts or the user accounts, and then either deny the computers with security filtering, or only allow the user group read and apply permissions.

This would mean that only the users can apply the policy, and only when they are not subject to loopback.

Hope this explains...
0
 
LVL 1

Author Comment

by:Barnardos_2LS
I've now created two GPOs, one for computers and one for users. I have filtered the user GPO so that computer objects are denied access; however, the user GPO is still running when I log onto the TS server.
0
 
LVL 27

Expert Comment

by:bluntTony
OK, I think the problem must be that both the computer and user objects are in the same OU. Sorry, I may have confused myself! The process during loopback is:

1. Machine applies computer settings linked to itself during startup.
2. User applies user settings linked to the user objects during login.
3. User then applies user settings linked to the computer object (if mode is REPLACE, then these completely wipe away any user settings from 2.)

...so what I suggested wouldn't work, as it's actually the user reading the login script GPO setting, not the computer. In order for this to work you'll have to separate the user and computer objects so they don't read the same GPOs. The login script setting would be applied to the user, and would be ignored when loopback is used. Otherwise, the user is always going to read the setting as it is linked to the computer object.

Sorry for the confusion.
0
 
LVL 1

Author Comment

by:Barnardos_2LS
Can security filtering be used rather than moving the objects?
0
 
LVL 1

Assisted Solution

by:etbservices_pete
etbservices_pete earned 25 total points
I have set up a few instances with loopback processing; make sure all GPOs are linked in the users' OU and the computer accounts' OU. You can use security filtering to do what you want to do.

Are users and computer accounts in the same OU?
0
 
LVL 27

Expert Comment

by:bluntTony
If the users and computers are in the same OU, in your case, no, you can't use security filtering.

During loopback, it's the user that reads GPOs linked to the computers. As you have discovered, blocking the computers from reading it has no effect, because the users read it (that was my oversight). You can't block the users, as this would always block them whether they logged on the machine or not. See what I mean?

The only way for you to do what you want is to have two separate OUs. Apply the GPO with the login script to the OU holding the users. It can't be linked to an OU holding the computers as this will cause it to be applied through loopback.

So long as you have loopback in replace mode, the login script will not be applied when the user logs on to the machine, but it will in normal circumstances.

Hope this helps.

Tony
0
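The layout Tony arrives at (users and Terminal Services hosts in separate OUs, loopback in Replace mode on the computer-side GPO, the logon-script GPO linked only to the users' OU) can be checked from the Group Policy PowerShell module. The script below is an added example, not code from this thread or from any of the posters; it assumes the GroupPolicy module from RSAT and an account that can read GPO links and permissions. The OU distinguished names, GPO names, user name and host name are hypothetical placeholders to be replaced with your own.

```powershell
# Added verification script (not from the thread). Checks the three conditions the
# thread settles on, then produces an RSoP report to confirm the result on one host.
Import-Module GroupPolicy

$UserOU         = 'OU=TS Users,DC=example,DC=local'    # OU holding the user accounts (placeholder)
$ComputerOU     = 'OU=TS Servers,DC=example,DC=local'  # OU holding the Terminal Services hosts (placeholder)
$LoopbackGpo    = 'TS Loopback'                        # computer-side GPO that turns on loopback (placeholder)
$LogonScriptGpo = 'User Logon Script'                  # GPO carrying the user logon script (placeholder)

# Names of the enabled GPOs linked directly to an OU.
function Get-LinkedGpoNames {
    param([string]$OuDn)
    (Get-GPInheritance -Target $OuDn).GpoLinks |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty DisplayName
}

# 1. Users and computers must not share an OU: during loopback it is the user that
#    reads the GPOs linked to the computer's OU, so a shared OU defeats filtering.
if ($UserOU -eq $ComputerOU) {
    Write-Warning 'Users and computers are in the same OU; security filtering cannot separate them.'
}

# 2. Loopback must be Replace on the computer-side GPO. The policy
#    "User Group Policy loopback processing mode" is stored under
#    HKLM\Software\Policies\Microsoft\Windows\System as UserPolicyMode (1 = Merge, 2 = Replace).
$mode = Get-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
switch ($mode.Value) {
    2       { Write-Host "[OK]   $LoopbackGpo sets loopback to Replace" }
    1       { Write-Warning "$LoopbackGpo uses Merge; GPOs linked to the users' OU will still apply on the TS hosts" }
    default { Write-Warning "$LoopbackGpo does not set a loopback mode" }
}

# 3. The logon-script GPO must be linked to the users' OU and NOT to the computers' OU.
$userLinks     = Get-LinkedGpoNames $UserOU
$computerLinks = Get-LinkedGpoNames $ComputerOU
if ($userLinks -contains $LogonScriptGpo) {
    Write-Host "[OK]   $LogonScriptGpo is linked to $UserOU"
} else {
    Write-Warning "$LogonScriptGpo is not linked to $UserOU; it will not run on ordinary workstations"
}
if ($computerLinks -contains $LogonScriptGpo) {
    Write-Warning "$LogonScriptGpo is linked to $ComputerOU; loopback will apply it on the TS hosts"
} else {
    Write-Host "[OK]   $LogonScriptGpo is not linked to $ComputerOU"
}

# 4. Show who can apply the logon-script GPO (the security filtering oBdA mentioned).
#    A deny on the computer accounts is harmless, but as the thread found it is the
#    OU links, not this ACL, that decide whether loopback picks the GPO up.
Get-GPPermission -Name $LogonScriptGpo -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Denied

# 5. Logging-mode RSoP for one user on one TS host (placeholders). In the user
#    scope the report should not list $LogonScriptGpo among the applied GPOs.
Get-GPResultantSetOfPolicy -User 'EXAMPLE\jdoe' -Computer 'TS01' `
    -ReportType Html -Path "$env:TEMP\rsop-ts01.html"
```

Step 5 reads the policy data the host already logged, so the named user must have signed on to that host at least once since the change; on the host itself `gpresult /r /scope:user` gives the same answer interactively.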
 
LVL 1

Expert Comment

by:etbservices_pete
Tony,

I agree users and computer objects should be in different OUs, and for this scenario to work they need to be.
0