
Restrict a loopback GPO to a user group

We have a loopback GPO that is set to Merge. The GPO works fine on the target server. However, we also want to restrict the GPO to a specific security group. So far, it doesn't seem like this is possible.

I read a related note on this:
http://www.howtonetworking.com/security/gp4ts4.htm

This seems to indicate the same thing.

Specifically, that using loopback processing on a user GPO so that it is server specific means you can't use the delegation rights to restrict to a specific user or security group.

But I would like to be able to do just that.

Am I mistaken? Is this possible? And if so, how can I do it?
Asked by puryear-it
1 Solution

oBdA commented:
Yes, you can still filter the user settings by security groups.
The best thing to achieve this is to separate GPOs with Computer Configuration settings and GPOs with User Configuration settings. Avoid setting both in the same GPO, they have nothing in common.
So split your "Loopback" GPO into two GPOs, one with only the Computer Settings (and the Loopback policy), one with the user settings you want to filter. Leave the permissions on the "Computer" GPO alone, and apply the usual security filtering to the "User" GPO.
0

Steve commented:
By definition, a loopback GPO applies its user elements based on Computer. This means you're a bit stuck I'm afraid.

You could try filtering it out of certain users on the 'security' tab. Select a user or group and specify 'deny' permissions.

I've never tried it but it's worth a go.
0

puryear-it (Author) commented:
totallytonto: Yeah, I already tried that. No go. That leaves me in a bit of a pickle. We have a Windows 2008 Terminal Server. We want normal users to auto-start Outlook, but Admins clearly don't need/want that.
0

puryear-it (Author) commented:
oBdA- Huh? I think you missed what I was asking.
0

oBdA commented:
Uhm - no?
The Loopback setting does not have to be in the same GPO as the user setting you want to apply.
In your current attempts at filtering, you've removed Authenticated Users from the security settings of the single GPO and added a user group instead, thereby preventing the computer(!) from applying the Loopback setting to start with.
So either you keep your single GPO, remove Authenticated Users, add the user security group and add the computer(!) account to the security filtering as well, or you start following best practices and keeping user and computer GPOs separate.
0

puryear-it (Author) commented:
oBdA-

If I am using a loopback GPO to target a user GPO setting at a specific computer under a given computer OU, how would I separate the computer/user GPO out? Maybe I'm missing something.
0

oBdA commented:
One GPO "Loopback" or whatever, with the Loopback setting (and maybe other computer settings in it), linked to the OU with the computer(s) in it.
An additional GPO "Restrictions" or whatever, with the user settings, linked to the OU with the computer(s) in it, and filtered with a security group.
0
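The two-GPO layout oBdA describes, written out as an added PowerShell example (this is not code from the thread or from any of its posters). It uses the GroupPolicy module (RSAT / Windows Server 2008 R2 and later); the OU distinguished name, the GPO names, the security group and the Outlook auto-start value are placeholders I chose for illustration. The `UserPolicyMode` registry value is what the "Configure user Group Policy loopback processing mode" setting writes (1 = Merge, 2 = Replace). The audit function at the end flags the mistake the thread describes, a user GPO filtered so tightly that computers can no longer read it:

```powershell
# Added example: separate loopback (computer) GPO from a security-filtered user GPO.
# All names below are placeholders, not values from the original thread.
Import-Module GroupPolicy

$ComputerOU  = 'OU=Terminal Servers,DC=example,DC=com'   # placeholder OU holding the TS computer(s)
$LoopbackGpo = 'TS - Loopback (Computer)'                # placeholder GPO name
$UserGpo     = 'TS - Autostart Outlook (User)'           # placeholder GPO name
$TargetGroup = 'TS Standard Users'                       # placeholder security group (admins are not members)

# 1. Computer-side GPO: only the loopback setting, linked to the computer OU.
#    Default permissions stay untouched (Authenticated Users: Apply), so every
#    computer in the OU picks it up and loopback is actually switched on.
New-GPO -Name $LoopbackGpo -Comment 'Loopback (Merge) only; no user settings here' | Out-Null
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null      # 1 = Merge, 2 = Replace
New-GPLink -Name $LoopbackGpo -Target $ComputerOU -LinkEnabled Yes | Out-Null

# 2. User-side GPO: the per-user settings, linked to the SAME computer OU so
#    loopback picks them up. Here: auto-start Outlook via the HKCU Run key.
New-GPO -Name $UserGpo -Comment 'User settings delivered via loopback; security filtered' | Out-Null
Set-GPRegistryValue -Name $UserGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' `
    -ValueName 'Outlook' -Type String -Value 'outlook.exe' | Out-Null
New-GPLink -Name $UserGpo -Target $ComputerOU -LinkEnabled Yes | Out-Null

# 3. Security filtering on the USER GPO only: remove the default Apply for
#    Authenticated Users, grant Apply to the target group, and keep Read for
#    the computer accounts so the machine can still retrieve this GPO during
#    loopback processing (removing all computer read access is what broke the
#    single-GPO attempt in the thread).
Set-GPPermission -Name $UserGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $UserGpo -TargetName $TargetGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $UserGpo -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# 4. Audit: for every GPO linked to the OU, list who can apply it and whether
#    computers can still read it. A user GPO with ComputersCanRead = False will
#    silently fail to apply under loopback.
function Test-LoopbackGpoFiltering {
    param([Parameter(Mandatory = $true)][string]$OU)

    $readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')
    $inheritance = Get-GPInheritance -Target $OU

    foreach ($link in $inheritance.GpoLinks) {
        $perms = Get-GPPermission -Name $link.DisplayName -All
        $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' } |
                 ForEach-Object { $_.Trustee.Name }
        $read  = $perms | Where-Object { $readLevels -contains $_.Permission } |
                 ForEach-Object { $_.Trustee.Name }

        # Computers read GPOs as Authenticated Users or via a computer group;
        # either trustee holding Read is enough for loopback to fetch the GPO.
        $computersCanRead = [bool](($read -join ';') -match 'Authenticated Users|Domain Computers')

        New-Object PSObject -Property @{
            Gpo              = $link.DisplayName
            LinkEnabled      = $link.Enabled
            AppliesTo        = ($apply -join ', ')
            ComputersCanRead = $computersCanRead
        }
    }
}

Test-LoopbackGpoFiltering -OU $ComputerOU | Format-Table Gpo, LinkEnabled, AppliesTo, ComputersCanRead -AutoSize
```

After a `gpupdate /force` on the terminal server, log on as a member of the target group and as an admin and compare `gpresult /r /scope:user`: the user GPO should appear under "Applied Group Policy Objects" only for the group member, while the loopback GPO shows under the computer scope for both. Keeping computer Read on user GPOs matters beyond loopback, too: since the MS16-072 change to Group Policy processing, user policies are retrieved in the computer's security context, so a user GPO that strips every computer-readable trustee stops applying everywhere, not just on loopback hosts.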

puryear-it (Author) commented:
Oh. You may be right. I take back my snarky and incorrect comment from earlier. Consider myself served!
0

Steve commented:
Ah. So you set the loopback policy on one GPO, and the actual user settings on another.
By filtering the users out of the separate users settings you can control which settings apply?

Is that right?
0

oBdA commented:
Yes.
0