Solved

Group Policy not blocking inheritance

Posted on 2016-08-17
15 Comments, 19 Views
Last Modified: 2016-10-12
I created a screen lockout policy for our domain.  I have an OU set up for our Internet cafe since I do not want the computers in the cafe to have the same settings as the computers used by staff (Inheritance is blocked for this OU in Group Policy Management).  The computers in the Internet cafe have the screen lockout policy applied to them even though inheritance is blocked and GPM does not show the screen lockout policy being inherited by the OU.  What am I missing here?  Thanks!
0
Question by:SAndrewsLGBT
15 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 41759840
First, is the policy being set under user configuration? If so, the users can still apply it even though you have block inheritance on for the computer OU.

You may want to look at enable loopback policy processing in replace mode for these machines. It provides a consistent user experience no matter where users are located.
0
 

Author Comment

by:SAndrewsLGBT
ID: 41759842
It is being applied under user configuration.  Do I apply the loopback policy processing on the local GP of the machines that are affected?  Thanks!
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 41759857
You can. It would be better to set it in a GPO linked to the computer's OU. See this guide on configuring loopback: https://deployhappiness.com/loopback-policy-how-a-computer-gets-a-transgender-operation/
0
 

Author Comment

by:SAndrewsLGBT
ID: 41759920
I created the policy to enable loopback processing for the OU that the cafe computers are part of (loopback processing enabled, replace).  I restarted the computers in the cafe and the screens still lock from the prior policy :-(
0
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 166 total points
ID: 41759935
Run a gpresult on those machines and ensure that loopback is enabled and set to replace.
0
 

Author Comment

by:SAndrewsLGBT
ID: 41759957
Loopback is enabled and set to replace.  I even restarted the machines a 2nd time.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 41759984
Do you have this screen lockout policy linked to the computer OU or any higher OU?
0
 

Author Comment

by:SAndrewsLGBT
ID: 41759989
The lockout policy applies to the domain.  When we decided to create a screen lockout policy for staff I created an OU for the cafe computers (my predecessor did not have any OUs set up) and set the OU to block inheritance.  When I checked the computers under the OU for the cafe I see the loopback processing object was inherited.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 41760034
Do you have the GPO enforced (lock symbol next to the link)? If so, unenforce it.
0
 

Author Comment

by:SAndrewsLGBT
ID: 41760049
The GPO is not enforced.  I read that "enforced" overrides "block inheritance".  All of our GPOs are set to "link enabled" and none to "enforced".  This is very baffling.
0
 
LVL 40

Accepted Solution

by:Adam Brown
Adam Brown earned 334 total points
ID: 41760109
Loopback policy processing will apply User settings on all computer objects in any OU the policy with that setting applies to, including child OUs.

Personally, I would recommend re-designing your OU structure so that the company systems and users are in one OU "branch" and the public cafe systems/users are in a different branch. One of the main goals of OU structure design is to ensure that Block Inheritance and Enforced GPO settings are never used, since they greatly complicate troubleshooting efforts.

That said, run rsop.msc on the Cafe systems to determine where the policy settings are coming from. There's a good chance that the lockout settings were applied using Local policy, which, in the absence of a Group Policy that modifies those settings, would apply. If it's not in Local policy, look directly at the registry on one of the computers with the lockout settings applied. All of the Group Policy settings are basically pointers to registry modifications, and with that in mind there is also a possibility that someone set the lockout policy directly through the registry (a really really dumb way to do it, but it's still possible).
0
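The checks suggested in this thread (Joseph Moody's "run a gpresult and confirm loopback is set to replace", and Adam Brown's "run rsop.msc, then look at Local policy and the registry to see where the lock settings come from") can be done from one script. The following is an added example, not code from either expert or from Experts Exchange; it assumes the usual registry locations that the Group Policy client writes loopback mode and screen-saver policy into, the `GroupPolicy` RSAT module for the domain-side part, and a placeholder OU distinguished name (`$CafeOU`) that you would replace with the real cafe OU. Run it in an elevated PowerShell on a cafe computer while logged on as the cafe user.

```powershell
<#
  Added example (not from the thread). Answers two questions raised above:
    1. Is loopback actually in effect on this computer, and in which mode?
    2. Which layer delivers the screen-lock settings: a user GPO, a machine-side
       policy, or a plain (non-policy) registry value set by hand or by a script?
  All registry paths are the standard Windows policy locations; $CafeOU is a placeholder.
#>

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# --- 1. Loopback mode as written by the Group Policy client --------------------
# UserPolicyMode: absent/0 = loopback not enabled, 1 = Merge, 2 = Replace
$loopback = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'UserPolicyMode'
switch ($loopback) {
    2       { 'Loopback: enabled, Replace mode' }
    1       { 'Loopback: enabled, Merge mode' }
    default { 'Loopback: NOT in effect on this computer' }
}

# --- 2. Screen-lock settings at each layer that can set them -------------------
$policyDesktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$localDesktop  = 'HKCU:\Control Panel\Desktop'
$checks = @(
    # Values written by a GPO's User Configuration (Screen Saver settings)
    @{ Layer = 'User GPO';       Path = $policyDesktop; Name = 'ScreenSaveActive' }
    @{ Layer = 'User GPO';       Path = $policyDesktop; Name = 'ScreenSaveTimeOut' }
    @{ Layer = 'User GPO';       Path = $policyDesktop; Name = 'ScreenSaverIsSecure' }
    # Machine-side lock: Security Options "Interactive logon: Machine inactivity limit"
    @{ Layer = 'Machine policy'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'InactivityTimeoutSecs' }
    # Non-policy user preference: set manually, by a script, or by Local policy tooling
    @{ Layer = 'Local/manual';   Path = $localDesktop;  Name = 'ScreenSaveActive' }
    @{ Layer = 'Local/manual';   Path = $localDesktop;  Name = 'ScreenSaveTimeOut' }
    @{ Layer = 'Local/manual';   Path = $localDesktop;  Name = 'ScreenSaverIsSecure' }
)

foreach ($c in $checks) {
    $v = Get-RegValue $c.Path $c.Name
    if ($null -ne $v) {
        '{0,-15} {1,-22} = {2}' -f $c.Layer, $c.Name, $v
    }
}

# --- 3. Which GPOs the client actually applied, per scope ----------------------
# If a lock value shows up under the HKCU ...\Policies path but no user-scope GPO
# in this output delivers it, the value was written outside Group Policy.
gpresult /scope:user     /r
gpresult /scope:computer /r

# --- 4. Domain side: links on the cafe OU and whether inheritance is blocked ---
# Requires the GroupPolicy module (RSAT). Replace $CafeOU with the real DN.
$CafeOU = 'OU=Cafe,DC=example,DC=local'   # placeholder, not from the thread
if (Get-Module -ListAvailable -Name GroupPolicy) {
    $inh = Get-GPInheritance -Target $CafeOU
    'Inheritance blocked on {0}: {1}' -f $inh.Path, $inh.GpoInheritanceBlocked
    'Directly linked GPOs:'
    $inh.GpoLinks          | Select-Object DisplayName, Enabled, Enforced, Order
    'GPOs still reaching this OU from above (Enforced links bypass Block Inheritance):'
    $inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced, Target
}
```

Reading the output: section 1 confirms what the thread's `gpresult` check confirms, but straight from the value the client wrote. Section 2 is the registry step Adam Brown describes; a lock setting that appears only under the `Local/manual` paths, or under a `Policies` path that no GPO in section 3 accounts for, did not come from a domain GPO. Section 4 shows, from the domain side, exactly which user-scope links still reach the OU, which is what decides whether a user account placed in that OU picks up the domain-linked lockout policy.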
 

Author Comment

by:SAndrewsLGBT
ID: 41760222
Not sure what was causing the issue but I did finally get it to stop.  We use one general login for the cafe computers and then customers use a program installed on the computer to access the computer.  I moved that general login user to the Users OU of the cafe's OU and the issue has stopped (since the cafe OU blocks inheritance of any other GPOs).
0
 
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 334 total points
ID: 41760225
If the policy was linked to the domain and the User wasn't already in an OU with policy block enabled, it doesn't matter if Loopback was enabled on the policy. It would still apply to the user.
0
 

Author Comment

by:SAndrewsLGBT
ID: 41760310
Adam Brown - " if Loopback was enabled on the policy"  Am I adding Loopback to the current policy or creating a separate Loopback policy?  I created a separate Loopback policy for the cafe OU.  Are you saying I'm supposed to add Loopback to the screen lockout policy which means it has both user and computer configurations?
0