Solved

Group Policy not blocking inheritance

Posted on 2016-08-17
Last Modified: 2016-10-12
I created a screen lockout policy for our domain.  I have an OU set up for our Internet cafe since I do not want the computers in the cafe to have the same settings as the computers used by staff (Inheritance is blocked for this OU in Group Policy Management).  The computers in the Internet cafe have the screen lockout policy applied to them even though inheritance is blocked and GPM does not show the screen lockout policy being inherited by the OU.  What am I missing here?  Thanks!
Question by:SAndrewsLGBT
15 Comments
Expert Comment

by:Joseph Moody
First, is the policy being set under user configuration? If so, the users can still apply it even though you have block inheritance on for the computer OU.

You may want to look at enable loopback policy processing in replace mode for these machines. It provides a consistent user experience no matter where users are located.
Author Comment

by:SAndrewsLGBT
It is being applied under user configuration.  Do I apply the loopback policy processing on the local GP of the machines that are affected?  Thanks!
Expert Comment

by:Joseph Moody
You can. It would be better to set it in a GPO linked to the computer's OU. See this guide on configuring loopback: https://deployhappiness.com/loopback-policy-how-a-computer-gets-a-transgender-operation/
Author Comment

by:SAndrewsLGBT
I created the policy to enable loopback processing for the OU that the cafe computers are part of (loopback processing enabled, replace).  I restarted the computers in the cafe and the screens still lock from the prior policy :-(
Assisted Solution

by:Joseph Moody
Joseph Moody earned 166 total points
Run a gpresult on those machines and ensure that loopback is enabled and set to replace.

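The check Joseph Moody describes, as an added example that is not part of the original thread: run it in an elevated PowerShell session on one of the cafe computers. It prints the computer GPO result, reads back the registry value that the loopback setting writes, and looks up the computer's own distinguished name so you can confirm it really sits in the OU the loopback GPO is linked to. The registry path and the 1/2 mode values are the documented ones for "Configure user Group Policy loopback processing mode"; everything else is ordinary gpresult/gpupdate usage.

```powershell
# Added example (not from the original thread). Run elevated on an affected cafe PC.

# 1. Which GPOs applied to the computer, and where the computer object lives.
gpresult /r /scope:computer
gpresult /h "$env:TEMP\gpreport.html" /f      # full HTML report, open in a browser

# Distinguished name of this computer object, straight from AD (no RSAT needed).
$searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$dn = $searcher.FindOne().Properties['distinguishedname'][0]
"Computer object: $dn"   # confirm the OU here is the one the loopback GPO is linked to

# 2. The loopback GPO setting lands in this value once the GPO has applied:
#    1 = Merge, 2 = Replace, value missing = loopback not configured on this machine.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
if     ($mode -eq 2) { 'Loopback: Replace' }
elseif ($mode -eq 1) { 'Loopback: Merge' }
else                 { 'Loopback: not configured (GPO not applied, or computer not in the linked OU)' }

# 3. If the value is missing, refresh computer policy and run the check again.
gpupdate /force /target:computer
```

A missing UserPolicyMode after a forced refresh means the loopback GPO never reached the machine, which is a linking or OU placement problem rather than a loopback problem; a value of 2 with the lockout still appearing means the user-side settings are arriving through a GPO that loopback does not filter out, which is what the rest of the thread goes on to establish.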
Author Comment

by:SAndrewsLGBT
Loopback is enabled and set to replace.  I even restarted the machines a 2nd time.
Expert Comment

by:Joseph Moody
Do you have this screen lockout policy linked to the computer OU or any higher ou?
Author Comment

by:SAndrewsLGBT
The lockout policy applies to the domain.  When we decided to create a screen lockout policy for staff I created an OU for the cafe computers (my predecessor did not have any OUs set up) and set the OU to block inheritance.  When I checked the computers under the OU for the cafe I see the loopback processing object was inherited.
Expert Comment

by:Joseph Moody
Do you have the GPO enforced (lock symbol next to the link)? If so, unenforce it.
Author Comment

by:SAndrewsLGBT
The GPO is not enforced.  I read that "enforced" overrides "block inheritance".  All of our GPOs are set to "link enabled" and none to "enforced".  This is very baffling.
Accepted Solution

by:Adam Brown
Adam Brown earned 334 total points
Loopback policy processing will apply User settings on all computer objects in any OU the policy with that setting applies to, including child OUs.

Personally, I would recommend re-designing your OU structure so that the company systems and users are in one OU "branch" and the public cafe systems/users are in a different branch. One of the main goals of OU structure design is to ensure that Block Inheritance and Enforced GPO settings are never used, since they greatly complicate troubleshooting efforts.

That said, run rsop.msc on the Cafe systems to determine where the policy settings are coming from. There's a good chance that the lockout settings were applied using Local policy, which, in the absence of a Group Policy that modifies those settings, would apply. If it's not in Local policy, look directly at the registry on one of the computers with the lockout settings applied. All of the Group Policy settings are basically pointers to registry modifications, and with that in mind there is also a possibility that someone set the lockout policy directly through the registry (a really really dumb way to do it, but it's still possible).

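Adam Brown's triage (rsop, then Local Policy, then the raw registry) as an added example, not code from the original thread. It assumes the lockout is the screen-saver mechanism (Enable screen saver / timeout / password protect), which is the usual way a "screen lockout policy" is built, and it must run as the account that gets locked out, since the HKCU values belong to that user's hive. The registry paths are the documented targets of those policy settings; the Registry.pol scan is a quick way to tell a local user GPO apart from a domain one, because a domain GPO never writes to that file.

```powershell
# Added example (not from the original thread). Run as the user that gets locked out.

# Where each flavour of screen-saver setting lives. Same value names in both HKCU
# locations; the Policies key wins over the plain preference key when both exist.
$checks = @(
    @{ Source = 'User GPO (domain or local) - Policies hive'
       Path   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Names  = 'ScreenSaveActive','ScreenSaveTimeOut','ScreenSaverIsSecure','SCRNSAVE.EXE' },
    @{ Source = 'User preference - set by hand, script or registry edit, no GPO involved'
       Path   = 'HKCU:\Control Panel\Desktop'
       Names  = 'ScreenSaveActive','ScreenSaveTimeOut','ScreenSaverIsSecure','SCRNSAVE.EXE' },
    @{ Source = 'Computer security option: Interactive logon: Machine inactivity limit'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Names  = 'InactivityTimeoutSecs' }
)

foreach ($c in $checks) {
    $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($n in $c.Names) {
        $p = $props.PSObject.Properties[$n]
        if ($p) { [pscustomobject]@{ Source = $c.Source; Value = $n; Data = $p.Value } }
    }
}

# If the Policies key is populated, decide whether a *local* GPO wrote it. Local user
# policy is stored in this file; a domain GPO never touches it.
$localPol = "$env:SystemRoot\System32\GroupPolicy\User\Registry.pol"
if (Test-Path $localPol) {
    $text = [System.Text.Encoding]::Unicode.GetString([IO.File]::ReadAllBytes($localPol))
    if ($text -match 'ScreenSave') { 'Local GPO (User) contains screen-saver values' }
}

# Finally, which user GPOs applied, so a domain source can be matched to a GPO name.
gpresult /r /scope:user
```

If only the plain `HKCU:\Control Panel\Desktop` values are set and the Policies key is empty, no GPO is involved and the setting came from a manual change or a script, exactly the case the answer warns about; if the Policies key is populated but Registry.pol says nothing, the values are coming from a domain GPO and `gpresult /r /scope:user` names it.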
Author Comment

by:SAndrewsLGBT
Not sure what was causing the issue but I did finally get it to stop.  We use one general login for the cafe computers and then customers use a program installed on the computer to access the computer.  I moved that general login user to the Users OU of the cafe's OU and the issue has stopped (since the cafe OU blocks inheritance of any other GPOs).
Assisted Solution

by:Adam Brown
Adam Brown earned 334 total points
If the policy was linked to the domain and the User wasn't already in an OU with policy block enabled, it doesn't matter if Loopback was enabled on the policy. It would still apply to the user.

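Adam Brown's point, that a domain-linked user policy reaches the user unless the user object itself sits under an OU that blocks inheritance, can be checked from the admin side rather than from a cafe PC. This added example (not from the original thread) uses the GroupPolicy module from RSAT on an admin workstation; the OU distinguished names are placeholders for the cafe OUs described in the thread and must be replaced with your own. It reports, per OU, whether inheritance is blocked and which GPOs still arrive anyway (enforced links are listed even when inheritance is blocked), then searches every GPO's XML report for screen-saver settings so the lockout can be traced to a named GPO.

```powershell
# Added example (not from the original thread). Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

# Assumed DNs for the cafe OUs from the thread; substitute your own.
$cafeComputers = 'OU=Computers,OU=Cafe,DC=example,DC=local'
$cafeUsers     = 'OU=Users,OU=Cafe,DC=example,DC=local'
# Note: the default CN=Users container is not an OU, so a user left there can
# never be shielded by Block Inheritance; it gets every domain-linked user GPO.

foreach ($ou in $cafeComputers, $cafeUsers) {
    $inh = Get-GPInheritance -Target $ou
    [pscustomobject]@{
        Target             = $ou
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        LinkedHere         = ($inh.GpoLinks          | ForEach-Object DisplayName) -join ', '
        StillInherited     = ($inh.InheritedGpoLinks | ForEach-Object DisplayName) -join ', '
    }
}

# Which GPOs in the domain carry screen-saver settings at all: scan each GPO's XML
# report for the policy display names or the registry value names.
Get-GPO -All | Where-Object {
    (Get-GPOReport -Guid $_.Id -ReportType Xml) -match 'Screen saver|ScreenSave'
} | Select-Object DisplayName, Id
```

The first table shows why moving the general cafe login fixed it: once the user object is under the blocked OU, the domain-linked lockout GPO drops out of StillInherited for the user side, which is what loopback on the computer OU could never do for a user-configuration setting arriving from the domain root.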
Author Comment

by:SAndrewsLGBT
Adam Brown - " if Loopback was enabled on the policy"  Am I adding Loopback to the current policy or creating a separate Loopback policy?  I created a separate Loopback policy for the cafe OU.  Are you saying I'm supposed to add Loopback to the screen lockout policy which means it has both user and computer configurations?