Solved

Stop GPO loopback processing for one GPO

Posted on 2009-05-08
670 Views
Last Modified: 2012-05-06
Hi,

How can I stop loopback processing from applying a single GPO? I have a Terminal Services environment with a number of GPOs I would like to apply but one which I would like to block - is this possible?

Michael
Question by:Barnardos_2LS
11 Comments
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 25 total points
ID: 24334684
You can use security filtering to only apply a GPO to a group of users that should have that GPO; this works for user GPOs applied via loopback as well.
Security filtering using GPMC
http://technet.microsoft.com/en-us/library/cc781988.aspx
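The security-filtering approach oBdA points to, expressed with the GroupPolicy PowerShell module rather than GPMC clicks. This is an added example and not part of the original thread; the GPO name "TS User Settings" and the group "TS-Users" are assumptions. It strips the default Apply right from Authenticated Users while deliberately leaving Read in place, then grants Read and Apply to the intended group, and finally lists the resulting ACL so the filtering can be checked.

```powershell
# Added example (not from the original post): restrict a GPO so only members of
# one group apply it. Assumed names: GPO 'TS User Settings', group 'TS-Users'.
Import-Module GroupPolicy

$gpoName   = 'TS User Settings'   # assumption
$groupName = 'TS-Users'           # assumption

# Downgrade Authenticated Users from Read+Apply to Read only.
# Keeping Read is deliberate: the computer account must still be able to read
# the GPO (since MS16-072, user policy is retrieved in the computer's context),
# so never remove Read from Authenticated Users / Domain Computers.
Set-GPPermission -Name $gpoName `
                 -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace

# Grant Read + Apply Group Policy to the group that should receive the settings.
Set-GPPermission -Name $gpoName `
                 -TargetName $groupName -TargetType Group `
                 -PermissionLevel GpoApply

# Verify: only $groupName should show GpoApply; everyone else Read or Edit.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, TrusteeType, Permission
```

Filtering by group does not change which objects are linked to which OU; it only controls who may apply a GPO that is already in scope. For the loopback question in this thread that distinction matters, because under loopback the user is evaluating the GPOs linked to the computer's OU.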
 
LVL 1

Author Comment

by:Barnardos_2LS
ID: 24335083
Hi,

I want the GPO to apply but not when the user logs onto the Terminal Services servers - can this be achieved?

Michael
 
LVL 27

Expert Comment

by:bluntTony
ID: 24335311
Could you explain what this GPO is doing?

Is it linked to users or the computer object?
Is it configuring user settings or computer settings?

I imagine you mean you have some user settings, linked to users, that you don't want to apply to the user if they log on to the TS machine. In that case you would need to configure loopback in REPLACE mode, so that it completely configures the user environment and ignores any GPOs linked to the users.
 
LVL 1

Author Comment

by:Barnardos_2LS
ID: 24335494
This GPO runs both a computer startup and user logon VBScript. It is linked to both the user and computer object. Loopback processing is set to REPLACE.
 
LVL 27

Accepted Solution

by:
bluntTony earned 450 total points
ID: 24335642
I assume you still want the startup script to run? (Obviously you couldn't stop this anyway, because it runs before the user logs in.)

To exclude the user login script you would have to apply it to the users in another GPO. That way, the replace setting on the loopback GPO would exclude it, and just use the user settings defined in the GPO linked to the computer.

If the OU contains both the user and the computer objects, ensure that the computer objects cannot read or apply the GPO with the user login script. You would use security filtering as oBdA has stated above. You could either create a group holding the computer accounts or the user accounts, and then either deny the computers with security filtering, or only allow the user group read and apply permissions.

This would mean that only the users can apply the policy, and only when they are not subject to loopback.

Hope this explains...
 
LVL 1

Author Comment

by:Barnardos_2LS
ID: 24336024
I've now created two GPOs - one for computer, one for user. I have filtered the user GPO so that computer objects are denied access; however, the user GPO is still running when I log onto the TS server.
 
LVL 27

Expert Comment

by:bluntTony
ID: 24336157
OK, I think the problem must be that both the computer and user objects are in the same OU. Sorry, I may have confused myself! The process during loopback is:

1. Machine applies computer settings linked to itself during startup.
2. User applies user settings linked to the user objects during login.
3. User then applies user settings linked to the computer object (if mode is REPLACE, then these completely wipe away any user settings from 2.)

...so what I suggested wouldn't work, as it's actually the user reading the login script GPO setting, not the computer. In order for this to work you'll have to separate the user and computer objects so they don't read the same GPOs. The login script setting would be applied to the user, and would be ignored when loopback is used. Otherwise, the user is always going to read the setting as it is linked to the computer object.

Sorry for the confusion.
 
LVL 1

Author Comment

by:Barnardos_2LS
ID: 24337432
Can security filtering be used rather than moving the objects?
 
LVL 1

Assisted Solution

by:etbservices_pete
etbservices_pete earned 25 total points
ID: 24337502
I have set up a few instances with loopback processing; make sure all GPOs are linked in the users' OU and the computer accounts OU. You can use security filtering to do what you want to do.

Are users and computer accounts in the same OU?
 
LVL 27

Expert Comment

by:bluntTony
ID: 24337733
If the users and computers are in the same OU, in your case, no, you can't use security filtering.

During loopback, it's the user that reads GPOs linked to the computers. As you have discovered, blocking the computers from reading it has no effect, because the users read it (that was my oversight). You can't block the users, as this would always block them whether they logged on the machine or not. See what I mean?

The only way for you to do what you want is to have two separate OUs. Apply the GPO with the login script to the OU holding the users. It can't be linked to an OU holding the computers as this will cause it to be applied through loopback.

So long as you have loopback in replace mode, the login script will not be applied when the user logs on to the machine, but it will in normal circumstances.

Hope this helps.

Tony
 
LVL 1

Expert Comment

by:etbservices_pete
ID: 24337759
Tony,

I agree users and computer objects should be in different OUs, and for this scenario to work they need to be.
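The design the thread settles on (bluntTony's three-step description of loopback order and his final answer, confirmed by etbservices_pete): user and computer objects in separate OUs, the logon-script GPO linked only to the users' OU, and a loopback REPLACE GPO linked only to the Terminal Servers' OU. Below is an added PowerShell example that builds that layout with the ActiveDirectory and GroupPolicy modules; it is not code from the original thread. The OU names "TS Users" and "TS Servers" and the GPO names are assumptions. The startup/logon script assignments themselves are not settable through these cmdlets and are left to GPMC; the block sets the loopback mode (registry value UserPolicyMode = 2, which is Replace) and the links, then shows what a TS server will see.

```powershell
# Added example (not from the original post). Assumed OU and GPO names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$usersOU   = "OU=TS Users,$domainDN"     # assumption: holds the user accounts
$serversOU = "OU=TS Servers,$domainDN"   # assumption: holds the Terminal Servers

# 1. Separate OUs for users and computers, so they never read the same links.
foreach ($name in 'TS Users', 'TS Servers') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" `
                  -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) { New-ADOrganizationalUnit -Name $name -Path $domainDN }
}

# 2. Logon-script GPO: linked ONLY to the users' OU. Under loopback REPLACE the
#    user's own links are discarded, so this script is skipped on the TS servers
#    but still runs for a normal workstation logon.
$userGpo = Get-GPO -Name 'User Logon Script' -ErrorAction SilentlyContinue
if (-not $userGpo) { $userGpo = New-GPO -Name 'User Logon Script' }   # assumed name
New-GPLink -Name $userGpo.DisplayName -Target $usersOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 3. TS server GPO: startup script (assign in GPMC) plus loopback in REPLACE mode,
#    linked ONLY to the servers' OU.
$tsGpo = Get-GPO -Name 'TS Servers - Loopback Replace' -ErrorAction SilentlyContinue
if (-not $tsGpo) { $tsGpo = New-GPO -Name 'TS Servers - Loopback Replace' }  # assumed name
# UserPolicyMode: 1 = Merge, 2 = Replace (the GPMC "Loopback processing mode" setting)
Set-GPRegistryValue -Name $tsGpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2
New-GPLink -Name $tsGpo.DisplayName -Target $serversOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. Check: the logon-script GPO must not appear anywhere in the servers' OU chain,
#    otherwise loopback will pull it in regardless of security filtering.
$serverLinks = (Get-GPInheritance -Target $serversOU).InheritedGpoLinks
$serverLinks | Select-Object DisplayName, Enabled, Enforced, Target
if ($serverLinks.DisplayName -contains $userGpo.DisplayName) {
    Write-Warning "'$($userGpo.DisplayName)' is in scope of $serversOU - loopback will apply it."
}
```

After a `gpupdate /force` on a Terminal Server, `gpresult /r /scope:user` run as a test user should list only the user settings from GPOs linked to the servers' OU, with the logon-script GPO absent; the same command on a workstation in the users' OU chain should show it applied. The `InheritedGpoLinks` check is the quick way to catch the case the thread hit, where the user and computer objects shared an OU and the "blocked" GPO was still in scope.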
