Stop GPO loopback processing for one GPO

Hi,

How can I stop loopback processing from applying a single GPO? I have a Terminal Services environment with a number of GPOs I would like to apply but one which I would like to block - is this possible?

Michael
Barnardos_2LS Asked:
bluntTony Commented:
I assume you still want the startup script to run? (Obviously you couldn't stop this anyway because it's run before the user logs in.)

To exclude the user login script you would have to apply it to the users in another GPO. That way, the replace setting on the loopback GPO would exclude it, and just use the user settings defined in the GPO linked to the computer.

If the OU contains both the user and the computer objects, ensure that the computer objects cannot read or apply the GPO with the user login script. You would use security filtering as oBdA has stated above. You could either create a group holding the computer accounts or the user accounts, and then either deny the computers with security filtering, or only allow the user group read and apply permissions.

This would mean that only the users can apply the policy, and only when they are not subject to loopback.

Hope this explains...
0
 
oBdA Commented:
You can use security filtering to only apply a GPO to a group of users that should have that GPO; this works for user GPOs applied via loopback as well.
Security filtering using GPMC
http://technet.microsoft.com/en-us/library/cc781988.aspx
0
 
Barnardos_2LS (Author) Commented:
Hi,

I want the GPO to apply but not when the user logs onto the Terminal Services servers - can this be achieved?

Michael
0
 
bluntTony Commented:
Could you explain what this GPO is doing?

Is it linked to users or the computer object?
Is it configuring user settings or computer settings?

I imagine you mean you have some user settings, linked to users, that you don't want to apply to the user if they log on to the TS machine; then you would need to configure loopback in REPLACE mode, so that it completely configures the user environment and ignores any GPOs linked to the users.
0
 
Barnardos_2LS (Author) Commented:
This GPO runs both a computer startup and user logon VBScript. It is linked to both the user and computer object. Loopback processing is set to REPLACE.
0
 
Barnardos_2LS (Author) Commented:
I've now created two GPOs, one for computer and one for user. I have filtered the user GPO so that computer objects are denied access; however, the user GPO is still running when I log onto the TS server.
0
 
bluntTony Commented:
OK, I think the problem must be that both the computer and user objects are in the same OU. Sorry, I may have confused myself! The process during loopback is:

1. Machine applies computer settings linked to itself during startup.
2. User applies user settings linked to the user objects during login.
3. User then applies user settings linked to the computer object (if mode is REPLACE, then these completely wipe away any user settings from 2.)

...so what I suggested wouldn't work, as it's actually the user reading the login script GPO setting, not the computer. In order for this to work you'll have to separate the user and computer objects so they don't read the same GPOs. The login script setting would be applied to the user, and would be ignored when loopback is used. Otherwise, the user is always going to read the setting as it is linked to the computer object.

Sorry for the confusion.
0
 
Barnardos_2LS (Author) Commented:
Can security filtering be used rather than moving the objects?
0
 
etbservices_pete Commented:
I have set up a few instances with loopback processing; make sure all GPOs are linked in the users' OU and the computer accounts' OU. You can use security filtering to do what you want to do.

Are users and computer accounts in the same OU?
0
 
bluntTony Commented:
If the users and computers are in the same OU, then in your case, no, you can't use security filtering.

During loopback, it's the user that reads GPOs linked to the computers. As you have discovered, blocking the computers from reading it has no effect, because the users read it (that was my oversight). You can't block the users, as this would always block them whether they logged on to the machine or not. See what I mean?

The only way for you to do what you want is to have two separate OUs. Apply the GPO with the login script to the OU holding the users. It can't be linked to an OU holding the computers as this will cause it to be applied through loopback.

So long as you have loopback in replace mode, the login script will not be applied when the user logs on to the machine, but it will in normal circumstances.

Hope this helps.

Tony
0
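The layout Tony describes (separate OUs, the logon-script GPO linked only to the users' OU, a loopback GPO in Replace mode linked to the Terminal Services computers' OU, and security filtering on top) written out as PowerShell against the GroupPolicy and ActiveDirectory modules. This is an added example, not code from the thread or from any of the posters; every domain, OU, GPO, group, server and user name in it is an assumption, and the verification step parses the XML RSoP report that Get-GPResultantSetOfPolicy writes.

```powershell
# Added example: build the two-OU layout from the thread and verify that the
# logon-script GPO is NOT applied when a user logs on to a TS server.
# All names below are assumptions; replace them with your own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain       = 'DC=corp,DC=example'        # assumed domain DN
$UsersOU      = "OU=TS Users,$Domain"       # assumed OU that holds the user accounts
$ComputersOU  = "OU=TS Servers,$Domain"     # assumed OU that holds the TS computer accounts
$LogonGpo     = 'User Logon Script'         # assumed GPO carrying the user logon VBScript
$LoopbackGpo  = 'TS Loopback Replace'       # assumed GPO that turns on loopback for the TS servers
$TsUsersGroup = 'TS-Users'                  # assumed group used for security filtering
$TestServer   = 'TS01'                      # assumed TS server for the RSoP check
$TestUser     = 'CORP\jsmith'               # assumed user for the RSoP check

# 1. Create the two OUs if they do not exist yet. Users and computers must not
#    share an OU, otherwise the user reads the logon-script GPO through loopback.
foreach ($ou in @{ 'TS Users' = $UsersOU; 'TS Servers' = $ComputersOU }.GetEnumerator()) {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(distinguishedName=$($ou.Value))")) {
        New-ADOrganizationalUnit -Name $ou.Key -Path $Domain
    }
}

# 2. Link the logon-script GPO to the users' OU only. If it is still linked to
#    the computers' OU, remove that link: any user GPO linked there is applied
#    to every user who logs on to those machines once loopback is on.
if (-not (Get-GPInheritance -Target $UsersOU).GpoLinks.DisplayName -contains $LogonGpo) {
    New-GPLink -Name $LogonGpo -Target $UsersOU -LinkEnabled Yes | Out-Null
}
if ((Get-GPInheritance -Target $ComputersOU).GpoLinks.DisplayName -contains $LogonGpo) {
    Remove-GPLink -Name $LogonGpo -Target $ComputersOU | Out-Null
}

# 3. Loopback GPO in Replace mode, linked to the computers' OU. The policy
#    "Configure user Group Policy loopback processing mode" is stored as
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode (1 = Merge, 2 = Replace).
if (-not (Get-GPO -Name $LoopbackGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $LoopbackGpo | Out-Null
}
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
if (-not (Get-GPInheritance -Target $ComputersOU).GpoLinks.DisplayName -contains $LoopbackGpo) {
    New-GPLink -Name $LoopbackGpo -Target $ComputersOU -LinkEnabled Yes | Out-Null
}

# 4. Security filtering (oBdA's point): only members of TS-Users get "Apply group
#    policy" on the logon-script GPO. Grant Apply to the group and drop the
#    Apply right from Authenticated Users, leaving them (and the computer
#    accounts) with Read so the GPO can still be retrieved.
Set-GPPermission -Name $LogonGpo -TargetName $TsUsersGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $LogonGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 5. Verify with an RSoP report: the loopback GPO should be in the computer
#    results and the logon-script GPO should be absent from the user results
#    when the user logs on to the TS server.
$report = Join-Path $env:TEMP 'ts-rsop.xml'
Get-GPResultantSetOfPolicy -Computer $TestServer -User $TestUser -ReportType Xml -Path $report | Out-Null
[xml]$rsop = Get-Content -Path $report
$userGpos     = @($rsop.Rsop.UserResults.GPO | ForEach-Object { $_.Name })
$computerGpos = @($rsop.Rsop.ComputerResults.GPO | ForEach-Object { $_.Name })

[pscustomobject]@{
    LoopbackApplied        = $computerGpos -contains $LoopbackGpo
    LogonScriptBlockedOnTS = -not ($userGpos -contains $LogonGpo)
    UserGpos               = $userGpos -join ', '
}
```

Two caveats for anyone reproducing this today. First, step 4 deliberately keeps Read for Authenticated Users: since the June 2016 security update MS16-072 (KB3163622), user policy is retrieved under the computer's security context, so denying computer accounts Read on a user GPO (the experiment described earlier in the thread) no longer merely has no effect, it stops the GPO applying at all. Filter on the Apply right only. Second, the RSoP check needs remote WMI/RPC access to the target server and a user who has actually logged on there at least once; run gpupdate /force on the server (or log the test user on) before trusting the result.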
 
etbservices_pete Commented:
Tony,

I agree users and computer objects should be in different OUs, and for this scenario to work they need to be.
0