Re: Loopback replace mode

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 09/03/04


Date: Thu, 2 Sep 2004 19:18:51 -0700

It will not fly. No override means just that.

You need to either filter the application of the GPO linked to
the domain with no override so that it does not apply onto the
Citrix servers (and then replace its desired settings in some
way, such as by linking the same GPO without no override at
a low priority directly on the OU of the Citrix servers) and then
provide a policy that provides the desired setting for the
shutdown user right.

Alternatively, you could look into factoring apart that domain
linked and enforced GPO into parts that are still set for no
override and another that is not (which contains the shutdown
setting). Then you could simply link an overwriting GPO onto
the OU of the Citrix servers.

The user right to shut down the system is a computer policy.
As such loopback processing will have nothing to do with it
whether in replace or merge mode.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"Simon Geary" <simon_geary@hotmail.com> wrote in message 
news:OlPp$3OkEHA.636@TK2MSFTNGP12.phx.gbl...
> My situation is this:
> Windows 2000 domain with a GPO set at the domain level. No override is 
> enabled on this policy.
> One of the settings in the domain level policy allows Authenticated Users 
> to shut down the system.
> For one of the OUs that holds some Citrix servers, I want to change this 
> so that only Domain Admins can shut down servers in that OU.
>
> My plan is this:
> On the OU, enable loopback replace mode with a setting that only Domain 
> Admins can shut down servers.
>
> Will this work? The end result I want is for only Domain Admins to be able 
> to shut down the servers in that OU. I believe that the replace mode will 
> remove Authenticated Users' rights to shut down the servers but am not so 
> sure because of the no override setting on the domain level policy.
> 
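
Added example, not part of the original thread: a small Python model of the precedence rule the reply relies on, showing the original plan losing to the No Override link and the split-GPO alternative taking effect. The GPO names and the audit setting are constructed, and the model assumes only link order and the No Override flag matter (no security filtering or Block Inheritance).

```python
from dataclasses import dataclass

SITE, DOMAIN, OU = 1, 2, 3  # containers in processing order

@dataclass
class Link:
    gpo: str
    level: int
    computer: dict          # computer-configuration settings carried by the GPO
    enforced: bool = False  # the "No Override" flag on the link

def effective_computer_policy(links):
    """Resolve the computer settings one machine ends up with."""
    result = {}
    # Normal links: site, then domain, then OU; the last writer wins.
    for link in sorted((l for l in links if not l.enforced), key=lambda l: l.level):
        result.update(link.computer)
    # No Override links go on top, highest container last, so nothing
    # linked further down can replace their values.
    for link in sorted((l for l in links if l.enforced), key=lambda l: -l.level):
        result.update(link.computer)
    # Loopback is not an input: it only changes which user-configuration
    # settings are applied, and the shutdown right is a computer setting.
    return result

# Constructed sample data (names and values are illustrative only).
OTHER = {"AuditLogonEvents": "Success, Failure"}
SHUTDOWN_ALL = {"SeShutdownPrivilege": "Authenticated Users"}
SHUTDOWN_ADMINS = {"SeShutdownPrivilege": "Domain Admins"}
CITRIX_OU_GPO = Link("Citrix shutdown", OU, SHUTDOWN_ADMINS)

def original_plan():
    domain = Link("Domain policy", DOMAIN, {**OTHER, **SHUTDOWN_ALL}, enforced=True)
    return effective_computer_policy([domain, CITRIX_OU_GPO])

def split_gpo():
    return effective_computer_policy([
        Link("Domain policy (enforced part)", DOMAIN, OTHER, enforced=True),
        Link("Domain policy (shutdown part)", DOMAIN, SHUTDOWN_ALL),
        CITRIX_OU_GPO,
    ])

if __name__ == "__main__":
    print("original plan:", original_plan())
    print("split GPO:    ", split_gpo())
```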

