Solved

Group Policy not blocking inheritance

Posted on 2016-08-17
Last Modified: 2016-10-12
I created a screen lockout policy for our domain.  I have an OU set up for our Internet cafe since I do not want the computers in the cafe to have the same settings as the computers used by staff (Inheritance is blocked for this OU in Group Policy Management).  The computers in the Internet cafe have the screen lockout policy applied to them even though inheritance is blocked and GPM does not show the screen lockout policy being inherited by the OU.  What am I missing here?  Thanks!
Question by:SAndrewsLGBT
15 Comments
Expert Comment

by:Joseph Moody
ID: 41759840
First, is the policy being set under user configuration? If so, the users can still apply it even though you have block inheritance on for the computer OU.

You may want to look at enabling loopback policy processing in replace mode for these machines. It provides a consistent user experience no matter where users are located.

Author Comment

by:SAndrewsLGBT
ID: 41759842
It is being applied under user configuration.  Do I apply the loopback policy processing on the local GP of the machines that are affected?  Thanks!

Expert Comment

by:Joseph Moody
ID: 41759857
You can. It would be better to set it in a GPO linked to the computer's OU. See this guide on configuring loopback: https://deployhappiness.com/loopback-policy-how-a-computer-gets-a-transgender-operation/

Author Comment

by:SAndrewsLGBT
ID: 41759920
I created the policy to enable loopback processing for the OU that the cafe computers are part of (loopback processing enabled, replace).  I restarted the computers in the cafe and the screens still lock from the prior policy :-(

Assisted Solution

by:Joseph Moody
ID: 41759935
Run a gpresult on those machines and ensure that loopback is enabled and set to replace.

Author Comment

by:SAndrewsLGBT
ID: 41759957
Loopback is enabled and set to replace.  I even restarted the machines a 2nd time.

Expert Comment

by:Joseph Moody
ID: 41759984
Do you have this screen lockout policy linked to the computer OU or any higher OU?

Author Comment

by:SAndrewsLGBT
ID: 41759989
The lockout policy applies to the domain.  When we decided to create a screen lockout policy for staff I created an OU for the cafe computers (my predecessor did not have any OUs set up) and set the OU to block inheritance.  When I checked the computers under the OU for the cafe I see the loopback processing object was inherited.

Expert Comment

by:Joseph Moody
ID: 41760034
Do you have the GPO enforced (lock symbol next to the link)? If so, unenforce it.

Author Comment

by:SAndrewsLGBT
ID: 41760049
The GPO is not enforced.  I read that "enforced" overrides "block inheritance".  All of our GPOs are set to "link enabled" and none to "enforced".  This is very baffling.

Accepted Solution

by:Adam Brown
ID: 41760109
Loopback policy processing will apply User settings on all computer objects in any OU the policy with that setting applies to, including child OUs.

Personally, I would recommend re-designing your OU structure so that the company systems and users are in one OU "branch" and the public cafe systems/users are in a different branch. One of the main goals of OU structure design is to ensure that Block Inheritance and Enforced GPO settings are never used, since they greatly complicate troubleshooting efforts.

That said, run rsop.msc on the Cafe systems to determine where the policy settings are coming from. There's a good chance that the lockout settings were applied using Local policy, which, in the absence of a Group Policy that modifies those settings, would apply. If it's not in Local policy, look directly at the registry on one of the computers with the lockout settings applied. All of the Group Policy settings are basically pointers to registry modifications, and with that in mind there is also a possibility that someone set the lockout policy directly through the registry (a really really dumb way to do it, but it's still possible).
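
Added example, not part of the thread: a PowerShell check that covers both the gpresult request above (confirm loopback is really in Replace mode) and the rsop/registry advice in this answer (find which hive the lock settings are sitting in). Run it on one of the cafe machines while logged on as the shared cafe account, since two of the keys are under HKCU. The registry paths and value names are the documented locations for these settings; the inactivity-limit check at the end is a computer-side lock source the thread does not mention.

```powershell
# Added example (not from the thread). Run as the shared cafe login on a cafe PC.

# 1. Is loopback actually in effect on this computer? The Group Policy engine
#    records the mode here: 1 = Merge, 2 = Replace, value absent = not configured.
$loopback = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                              -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
$modes = @{ 1 = 'Merge'; 2 = 'Replace' }
if ($null -ne $loopback -and $modes.ContainsKey([int]$loopback)) {
    "Loopback: $($modes[[int]$loopback])"
} else {
    'Loopback: not configured'
}

# 2. Which GPOs were applied to the user and to the computer (text form of
#    rsop.msc). "Local Group Policy" in the user list means gpedit.msc settings
#    on this machine are contributing, which is the case Adam Brown raises.
gpresult /r /scope:user     | Select-String -Context 0,8 'Applied Group Policy Objects'
gpresult /r /scope:computer | Select-String -Context 0,8 'Applied Group Policy Objects'

# 3. A screen lock can come from three places. The Policies key is written only
#    by Group Policy (domain GPO or local GPO); Control Panel\Desktop is the
#    plain user setting (set by hand or by a script); InactivityTimeoutSecs is
#    the machine-side "Interactive logon: Machine inactivity limit" policy.
$screenSaverValues = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'
$checks = @(
    @{ Source = 'User policy (domain or local GPO)'
       Key    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Names  = $screenSaverValues },
    @{ Source = 'User preference (not policy)'
       Key    = 'HKCU:\Control Panel\Desktop'
       Names  = $screenSaverValues },
    @{ Source = 'Machine inactivity limit (computer policy)'
       Key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Names  = @('InactivityTimeoutSecs') }
)
foreach ($c in $checks) {
    $props = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
    foreach ($n in $c.Names) {
        if ($props -and $props.PSObject.Properties[$n]) {
            '{0}: {1} = {2}' -f $c.Source, $n, $props.$n
        }
    }
}
```

Reading the output: values present only under the Policies key mean a GPO (one of those listed in step 2) is delivering the lock, and the GPO name can be found by searching a `gpresult /h report.html` report for the setting; values present only under `HKCU:\Control Panel\Desktop` mean nothing in Group Policy is setting them and something wrote them directly; a non-zero `InactivityTimeoutSecs` locks the station regardless of any user-side screen saver setting.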

Author Comment

by:SAndrewsLGBT
ID: 41760222
Not sure what was causing the issue but I did finally get it to stop.  We use one general login for the cafe computers and then customers use a program installed on the computer to access the computer.  I moved that general login user to the Users OU of the cafe's OU and the issue has stopped (since the cafe OU blocks inheritance of any other GPOs).

Assisted Solution

by:Adam Brown
ID: 41760225
If the policy was linked to the domain and the User wasn't already in an OU with policy block enabled, it doesn't matter if Loopback was enabled on the policy. It would still apply to the user.
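
Added example, not part of the thread: the OU redesign Adam Brown recommends, scripted with the ActiveDirectory and GroupPolicy RSAT modules. The point is the one his last two comments make: the user object's location decides which user-side GPOs apply, so the shared cafe login and the cafe PCs both go under a separate cafe branch, the lockout GPO is linked to the staff branch instead of the domain root, and Block Inheritance is switched off because it is no longer needed. The OU names, the GPO name "Screen Lockout", the account name "cafe-kiosk" and the "CAFE-*" computer naming are placeholders for this example.

```powershell
# Added example (not from the thread). Requires RSAT; run as a domain admin.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$staffOU  = "OU=Staff,$domainDN"
$cafeOU   = "OU=Cafe,$domainDN"
$lockGpo  = 'Screen Lockout'      # placeholder: the existing user-side lock GPO

# Two sibling branches, each with Users and Computers children, so that every
# cafe object (including the shared cafe login) lives under the cafe branch.
foreach ($branch in 'Staff', 'Cafe') {
    $parent = "OU=$branch,$domainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$branch'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $branch -Path $domainDN
    }
    foreach ($child in 'Users', 'Computers') {
        if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$child'" -SearchBase $parent -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $child -Path $parent
        }
    }
}

# Move the shared cafe account and the cafe PCs into the cafe branch.
Get-ADUser -Identity 'cafe-kiosk'               | Move-ADObject -TargetPath "OU=Users,$cafeOU"
Get-ADComputer -Filter 'Name -like "CAFE-*"'    | Move-ADObject -TargetPath "OU=Computers,$cafeOU"

# Re-home the lockout GPO: link it to the staff branch, drop the domain-root
# link, and clear Block Inheritance on the cafe OU, which no longer needs it.
New-GPLink    -Name $lockGpo -Target $staffOU -LinkEnabled Yes -ErrorAction SilentlyContinue
Remove-GPLink -Name $lockGpo -Target $domainDN -ErrorAction SilentlyContinue
Set-GPInheritance -Target $cafeOU -IsBlocked No

# Check: report any OU that still blocks inheritance or carries an enforced link.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $inh = Get-GPInheritance -Target $_.DistinguishedName
    [pscustomobject]@{
        OU       = $_.DistinguishedName
        Blocked  = $inh.GpoInheritanceBlocked
        Enforced = ($inh.GpoLinks | Where-Object Enforced | ForEach-Object DisplayName) -join ','
    }
} | Where-Object { $_.Blocked -or $_.Enforced }
```

Before removing the domain-root link, confirm the GPO carries only the screen-lock settings; if it also holds settings other domain objects depend on, split those out first. After the move, run `gpupdate /force` on a cafe PC and log on as the shared account; with no Block Inheritance in the tree, `gpresult /r /scope:user` should list only the GPOs linked along the cafe branch, which makes any future surprise far easier to trace than it was here.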

Author Comment

by:SAndrewsLGBT
ID: 41760310
Adam Brown - " if Loopback was enabled on the policy"  Am I adding Loopback to the current policy or creating a separate Loopback policy?  I created a separate Loopback policy for the cafe OU.  Are you saying I'm supposed to add Loopback to the screen lockout policy which means it has both user and computer configurations?