Solved

Restrict a loopback GPO to a user group

Posted on 2011-03-01
Last Modified: 2012-06-22
We have a loopback GPO that is set to Merge. The GPO works fine on the target server. However, we also want to restrict the GPO to a specific security group. So far, it doesn't seem like this is possible.

I read a related note on this:
http://www.howtonetworking.com/security/gp4ts4.htm

This seems to indicate the same thing.

Specifically, that using loopback processing on a user GPO so that it is server specific means you can't use the delegation rights to restrict to a specific user or security group.

But I would like to be able to do just that.

Am I mistaken? Is this possible? And if so, how can I do it?
Question by:puryear-it
 
LVL 84

Expert Comment

by:oBdA
ID: 35011899
Yes, you can still filter the user settings by security groups.
The best thing to achieve this is to separate GPOs with Computer Configuration settings and GPOs with User Configuration settings. Avoid setting both in the same GPO; they have nothing in common.
So split your "Loopback" GPO into two GPOs, one with only the Computer Settings (and the Loopback policy), one with the user settings you want to filter. Leave the permissions on the "Computer" GPO alone, and apply the usual security filtering to the "User" GPO.
0
 
LVL 27

Expert Comment

by:Steve
ID: 35011908
By definition, a loopback GPO applies its user elements based on Computer. This means you're a bit stuck I'm afraid.

You could try filtering it out of certain users on the 'security' tab. Select a user or group and specify 'deny' permissions.

I've never tried it but it's worth a go.
0
 

Author Comment

by:puryear-it
ID: 35011985
totallytonto: Yeah, I already tried that. No go. That leaves me in a bit of a pickle. We have a Windows 2008 Terminal Server. We want normal users to auto-start Outlook, but Admins clearly don't need/want that.
0
 

Author Comment

by:puryear-it
ID: 35011991
oBdA- Huh? I think you missed what I was asking.
0
 
LVL 84

Expert Comment

by:oBdA
ID: 35012083
Uhm - no?
The Loopback setting does not have to be in the same GPO as the user setting you want to apply.
In your current attempts at filtering, you've removed Authenticated Users from the security settings of the single GPO and added a user group instead, thereby preventing the computer(!) from applying the Loopback setting to start with.
So either you keep your single GPO, remove Authenticated Users, add the user security group and add the computer(!) account to the security filtering as well, or you start following best practices and keeping user and computer GPOs separate.
0
 

Author Comment

by:puryear-it
ID: 35012431
oBdA-

If I am using a loopback GPO to target a user GPO setting at a specific computer under a given computer OU, how would I separate the computer/user GPO out? Maybe I'm missing something.
0
 
LVL 84

Expert Comment

by:oBdA
ID: 35012483
One GPO "Loopback" or whatever, with the Loopback setting (and maybe other computer settings in it), linked to the OU with the computer(s) in it.
An additional GPO "Restrictions" or whatever, with the user settings, linked to the OU with the computer(s) in it, and filtered with a security group.
0
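
The two-GPO layout described in this answer, scripted with the GroupPolicy PowerShell module as an added example that is not part of the original thread. The OU path, the group name and the Outlook path are placeholders, and the "Run these programs at user logon" registry value is an assumed stand-in for whatever user setting is being filtered.

```powershell
# Added example: OU, group and program path are placeholders, not values from the thread.
Import-Module GroupPolicy

$ouDn        = 'OU=Terminal Servers,DC=example,DC=com'  # OU holding the server (placeholder)
$filterGroup = 'TS-Outlook-Users'                       # group that should receive the user settings (placeholder)
$computerGpo = 'Loopback'                               # GPO names as used in the answer above
$userGpo     = 'Restrictions'

# 1. Computer GPO: carries only the loopback setting.
#    Its default permissions stay untouched so the server account can read and apply it.
New-GPO -Name $computerGpo | Out-Null
Set-GPRegistryValue -Name $computerGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null   # 1 = Merge, 2 = Replace
New-GPLink -Name $computerGpo -Target $ouDn -LinkEnabled Yes | Out-Null

# 2. User GPO: carries only User Configuration settings and is linked to the
#    same computer OU; loopback is what makes the server's users process it.
New-GPO -Name $userGpo | Out-Null
Set-GPRegistryValue -Name $userGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' `
    -ValueName '1' -Type String -Value 'C:\Path\To\OUTLOOK.EXE' | Out-Null   # placeholder path
New-GPLink -Name $userGpo -Target $ouDn -LinkEnabled Yes | Out-Null

# 3. Security filtering on the user GPO only.
#    Authenticated Users is lowered to Read rather than removed: on currently
#    patched Windows, user policy is retrieved in the computer's security
#    context, so the computer account still needs Read on this GPO.
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $userGpo -TargetName $filterGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Review the resulting ACL: only $filterGroup should show GpoApply.
Get-GPPermission -Name $userGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

To confirm the filter, log on to the server as a group member and as a non-member and compare the applied user GPOs reported by `gpresult /r /scope user`.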
 

Author Comment

by:puryear-it
ID: 35012529
Oh. You may be right. I take back my snarky and incorrect comment from earlier. Consider myself served!
0
 
LVL 27

Expert Comment

by:Steve
ID: 35022535
Ah. So you set the loopback policy on one GPO, and the actual user settings on another.
By filtering the users out of the separate users settings you can control which settings apply?

Is that right?
0
 
LVL 84

Accepted Solution

by:
oBdA earned 250 total points
ID: 35024773
Yes.
0
