Group Policy loopback

I have a single OU with two policies:
- Policy 1 -> User Filter A / Computer Filter B
- Policy 2 -> User Filter A / Computer Filter C

Loopback is enabled.

User X (member of A) logs into computer Z (member of C).

Expected: Policy 2 applies.
Result: Policy 1 and 2 applies.

Why?
albatros99 asked:
arnold commented:
Loopback reapplies user GPOs.

The issue is that you have two policies, each containing a computer and a user section.
When user A logs in to the site B system, policy 2 is applied; loopback then reprocesses the GPOs applicable to the user, applying the user part of policy 1.

The application of those settings depends on the type of loopback you have, merge or replace.

Here is the write up.

https://technet.microsoft.com/en-us/library/cc782810(v=ws.10).aspx
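The merge/replace distinction above is stored on the computer as a policy registry value, and the set of GPOs that contributed user settings can be read from the resultant set of policy. The following is an added example (not code from the thread) that reports both for the logged-on user on the machine it runs on. It assumes the GroupPolicy RSAT module, an elevated session, and that the RSoP XML element names used (Rsop/UserResults/GPO with Name, Enabled, AccessDenied, FilterAllowed and Link/SOMPath) match what gpresult /x produces; the UserPolicyMode meanings (1 = Merge, 2 = Replace) are those of the loopback policy setting.

```powershell
# Added example, not from the original thread. Assumes the GroupPolicy RSAT
# module and an elevated session on the computer being checked.
Import-Module GroupPolicy

function Get-LoopbackMode {
    # The "Configure user Group Policy loopback processing mode" setting writes
    # UserPolicyMode to the machine policy key: 1 = Merge, 2 = Replace.
    # If the value is absent, loopback is not configured on this computer.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ($item.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}

function Get-UserGpoResults {
    # Resultant Set of Policy for the current user on this computer, as XML.
    # Lists every GPO the user half considered and why it did or did not apply,
    # so a GPO you expected to be filtered out by the computer group shows up
    # here with its link location. (Element names assumed from gpresult /x.)
    $xmlPath = Join-Path $env:TEMP 'rsop.xml'
    Get-GPResultantSetOfPolicy -ReportType Xml -Path $xmlPath | Out-Null
    [xml]$rsop = Get-Content -Path $xmlPath -Raw
    foreach ($gpo in $rsop.Rsop.UserResults.GPO) {
        [pscustomobject]@{
            GPO           = $gpo.Name
            Applied       = ($gpo.Enabled -eq 'true') -and
                            ($gpo.AccessDenied -ne 'true') -and
                            ($gpo.FilterAllowed -ne 'false')
            AccessDenied  = $gpo.AccessDenied
            FilterAllowed = $gpo.FilterAllowed
            LinkedAt      = ($gpo.Link | ForEach-Object { $_.SOMPath }) -join '; '
        }
    }
    Remove-Item -Path $xmlPath -ErrorAction SilentlyContinue
}

"Loopback mode on $env:COMPUTERNAME: $(Get-LoopbackMode)"
Get-UserGpoResults | Format-Table -AutoSize
```

Run it on the affected server while logged on as the test user; a GPO listed with Applied = True and AccessDenied = false is one the user's context was allowed to read and apply, regardless of which computer group the machine is in.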
albatros99Author Commented:
Let me rephrase: If you want to link several loopback policies that apply to different sets of computers but always to the same user group but you only want to use a single OU for this, is it possible?
arnold commented:
Using security filtering, apply the loopback policy to the users to which you want it to apply.
Yes, if you link the loopback GPO only to the OU of computers to which you want it to apply, only the users who log in to these systems .......


Not sure what you mean by several?
You can have replace loopback policies linked to OUs.......

Given your scenario as an example, what would you like the result to be?

Usually, besides the default domain policy, best practice is to add a GPO for a specific task; this way it is more manageable if the application of said policy is causing issues. Further, those individual tasks usually apply either to the computer or to the user.......
albatros99 (author) commented:
I have found a KB article that sort of explains what I'm experiencing:
https://support.microsoft.com/en-us/kb/953768
According to the article, older versions of Windows ignore the security filtering of the computer (the computer impersonates the user).  

My point is: I don't want this to happen -> is there any way to change the default behavior?
arnold commented:
What OS is running on computer A and computer B?
What is your security filtering rule?

The problem is that I am trying to figure out what your setup is.
GPO1 loopback site A
GPO2 loopback site B

policy1 computer configuration disable only user settings.  security filter ?
policy2 computer configuration disable only user settings. security filter ?

Unless your systems are Windows XP and older, the article you mentioned ....
If they are newer than Windows Vista, as long as computer A does not have access to policy 1, it will not reprocess policy 1 when the user to whom it applies logs in.

Further complicating matters: does user A, to whom policy 1 applies, need to have this policy applied when user A logs in at site B on computer B?
albatros99 (author) commented:
Let's say there's an OU called 'Servers' with server objects in it. The financial servers and the accounting servers are in the same OU. There is a GPO Finance settings and a GPO Accounting settings. The financial servers are in the computer group 'Finance Servers' and the accounting servers are in the computer group 'Accounting Servers'. All users are in a group called 'FinanceAndAccountingUsers'.
GPO Finance linked to OU Servers with loopback and security filtering 'Finance Servers' and 'FinanceAndAccountingUsers'.
GPO Accounting also linked to OU Servers with loopback and security filtering 'Accounting Servers' and 'FinanceAndAccountingUsers'.
Expected: Finance settings apply to 'FinanceAndAccountingUsers' when logged on to Finance servers.
Expected: Accounting settings apply to 'FinanceAndAccountingUsers' when logged on to Accounting servers.
Not Expected: Both Finance GPO and Accounting GPO apply to 'FinanceAndAccountingUsers' on Finance servers and Accounting servers.
So far I can only see the solution of separating the OUs and creating 'Finance Servers' and 'Accounting Servers'. I'm trying to avoid this, but it seems to be the only way?
arnold commented:
What OS is being run on the servers you have? If it is Windows 2003/R2, that is what the MS article you posted alludes to.
albatros99 (author) commented:
Server 2012 R2
arnold commented:
Add a denial on the security tab of the GPO to deny the other computer group access rights.
i.e. Finance will have a deny for Accounting;
in Accounting, deny the Finance group.

Your issue might be that your security filters are such that they're nested, and the computer you do not think has access actually inherits it through different security groups.
albatros99 (author) commented:
If you have a GPO with user and computer parts then the user part will be applied if:
- Loopback is enabled
- The user has rights to the GPO
The security filter for the computer is ignored for the user part.

That's my conclusion from testing.
albatros99 (author) commented:
So unless you have mutually exclusive user filters, you need multiple OUs.
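The last few comments come down to what the GPO ACLs actually say for the computer group and the user group, including membership inherited through nested groups. The following is an added example (not code from the thread) that audits every GPO linked to an OU and reports, per GPO, whether the user half is enabled and what permission each of the two groups holds. The OU DN and group names are placeholders for the scenario above; it assumes the GroupPolicy RSAT module and rights to read the GPO ACLs. A row where the user group has GpoApply, the user half is enabled, and the computer group does not have GpoApply is the combination the author reports as still applying under loopback. One caveat on the deny suggestion: Set-GPPermission can only grant a level (GpoRead, GpoApply, GpoEdit, ...) or remove it with None; an explicit Deny ACE has to be added in GPMC (Delegation tab, Advanced) or by editing the GPO's ACL directly, and the audit below reports such an ACE as Deny(...).

```powershell
# Added example, not from the original thread. Assumes the GroupPolicy RSAT
# module and rights to read GPO ACLs. OU and group names are placeholders.
Import-Module GroupPolicy

$ouDn          = 'OU=Servers,DC=example,DC=com'   # assumption
$computerGroup = 'Finance Servers'                 # assumption
$userGroup     = 'FinanceAndAccountingUsers'       # assumption

function Get-TrusteePermission {
    param([Guid]$GpoId, [string]$Trustee)
    # Get-GPPermission writes an error instead of returning an object when the
    # trustee has no ACE on the GPO at all; report that as 'None'.
    $p = Get-GPPermission -Guid $GpoId -TargetName $Trustee -TargetType Group -ErrorAction SilentlyContinue
    if (-not $p)   { return 'None' }
    if ($p.Denied) { return "Deny($($p.Permission))" }
    return [string]$p.Permission
}

function Get-LoopbackFilteringReport {
    param([string]$OuDn, [string]$ComputerGroup, [string]$UserGroup)
    # Get-GPInheritance lists the links on the OU without parsing gPLink by hand.
    $links = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.Enabled }
    foreach ($link in $links) {
        $gpo      = Get-GPO -Guid $link.GpoId
        $userHalf = $gpo.GpoStatus -notin 'UserSettingsDisabled', 'AllSettingsDisabled'
        $compPerm = Get-TrusteePermission -GpoId $link.GpoId -Trustee $ComputerGroup
        $userPerm = Get-TrusteePermission -GpoId $link.GpoId -Trustee $UserGroup
        [pscustomobject]@{
            GPO             = $link.DisplayName
            LinkOrder       = $link.Order
            UserHalfEnabled = $userHalf
            ComputerGroup   = $compPerm
            UserGroup       = $userPerm
            # The combination the thread is about: the user group can apply the
            # user half even though the computer group is not in the filter.
            UserApplyWithoutComputerApply = $userHalf -and
                                            ($userPerm -eq 'GpoApply') -and
                                            ($compPerm -ne 'GpoApply')
        }
    }
}

Get-LoopbackFilteringReport -OuDn $ouDn -ComputerGroup $computerGroup -UserGroup $userGroup |
    Format-Table -AutoSize
```

Because Get-GPPermission looks up a named trustee rather than resolving nested membership, run it a second time with the individual server's computer account (-TargetType Computer) if the report does not match what gpresult shows on that server; that is the quickest way to confirm the nested-group inheritance arnold mentions.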
albatros99 (author) commented:
Solution based on testing.