Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Group Policy not blocking inheritance

Posted on 2016-08-17
15
Medium Priority
?
29 Views
Last Modified: 2016-10-12
I created a screen lockout policy for our domain.  I have an OU set up for our Internet cafe since I do not want the computers in the cafe to have the same settings as the computers used by staff (Inheritance is blocked for this OU in Group Policy Management).  The computers in the Internet cafe have the screen lockout policy applied to them even though inheritance is blocked and GPM does not show the screen lockout policy being inherited by the OU.  What am I missing here?  Thanks!
0
Comment
Question by:SAndrewsLGBT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
  • 2
15 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 41759840
First, is the policy being set under user configuration? If so, the users can still apply it even though you have block inheritance on for the computer OU.

You may want to look at enable loopback policy processing in replace mode for these machines. It provides a consistent user experience no matter where users are located.
0
 

Author Comment

by:SAndrewsLGBT
ID: 41759842
It is being applied under user configuration.  Do I apply the loopback policy processing on the local GP of the machines that are affected?  Thanks!
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 41759857
You can. It would be better to set it in a GPO linked to the comptuer's OU. See this guide on configuring loopback: https://deployhappiness.com/loopback-policy-how-a-computer-gets-a-transgender-operation/
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:SAndrewsLGBT
ID: 41759920
I created the policy to enable loopback processing for the OU that the cafe computers are part of (loopback processing enabled, replace).  I restarted the computers in the cafe and the screens still lock from the prior policy :-(
0
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 664 total points
ID: 41759935
Run a gpresult on those machines and ensure that loopback is enabled and set to replace.
0
 

Author Comment

by:SAndrewsLGBT
ID: 41759957
Loopback is enabled and set to replace.  I even restarted the machines a 2nd time.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 41759984
Do you have this screen lockout policy linked to the computer OU or any higher ou?
0
 

Author Comment

by:SAndrewsLGBT
ID: 41759989
The lockout policy applies to the domain.  When we decided to create a screen lockout policy for staff I created an OU for the cafe computers (my predecessor did not have any OUs set up) and set the OU to block inheritance.  When I checked the computers under the OU for the cafe I see the loopback processing object was inherited.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 41760034
Do you have the GPO enforced (lock symbol next to the link)? If so, unenforce it.
0
 

Author Comment

by:SAndrewsLGBT
ID: 41760049
The GPO is not enforced.  I read that "enforced" overrides "block inheritance"  All of our GPOs are set to "link enabled" and none to "enforced"  This is very baffling.
0
 
LVL 42

Accepted Solution

by:
Adam Brown earned 1336 total points
ID: 41760109
Loopback policy processing will apply User settings on all computer objects in any OU the policy with that setting applies to, including child OUs.

Personally, I would recommend re-designing your OU structure so that the company systems and users are in one OU "branch" and the public cafe systems/users are in a different branch. One of the main goals of OU structure design is to ensure that Block Inheritance and Enforced GPO settings are never used, since they greatly complicate troubleshooting efforts.

That said, run rsop.msc on the Cafe systems to determine where the policy settings are coming from. There's a good chance that the lockout settings were applied using Local policy, which, in the absence of a Group Policy that modifies those settings, would apply. If it's not in Local policy, look directly at the registry on one of the computers with the lockout settings applied. All of the Group Policy settings are basically pointers to registry modifications, and with that in mind there is also a possibility that someone set the lockout policy directly through the registry (a really really dumb way to do it, but it's still possible).
0
 

Author Comment

by:SAndrewsLGBT
ID: 41760222
Not sure what was causing the issue but I did finally get it to stop.  We use one general login for the cafe computers and then customers use a program installed on the computer to access the computer.  I moved that general login user to the Users OU of the cafe's OU and the issue has stopped (since the cafe OU blocks inheritance of any other GPOs.
0
 
LVL 42

Assisted Solution

by:Adam Brown
Adam Brown earned 1336 total points
ID: 41760225
If the policy was linked to the domain and the User wasn't already in an OU with policy block enabled, it doesn't matter if Loopback was enabled on the policy. It would still apply to the user.
0
 

Author Comment

by:SAndrewsLGBT
ID: 41760310
Adam Brown - " if Loopback was enabled on the policy"  Am I adding Loopback to the current policy or creating a separate Loopback policy?  I created a separate Loopback policy for the cafe OU.  Are you saying I'm supposed to add Loopback to the screen lockout policy which means it has both user and computer configurations?
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
Article by: Shawn
IT teams define success as solving problems quickly. To enable ITSM modernization we have to think of adopting the tools and methods that will enable resolution of ITSM issues more quickly.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question