Re: Complex GPO Configuration Issue
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 5 Oct 2005 11:49:47 -0500
I have read a lot of posts and articles on loopback processing and have used
it myself. I think you are the first one I have come across attempting to
use multiple Group Policies linked to an OU with loopback processing enabled
on both.
If you enforce a policy then it will override all other policies in the path
to the user/computer unless another GPO closer to the user/computer is also
enforced. I have found RSOP in planning mode to be very helpful in planning
a Group Policy implementation and of course you can model with loopback
processing. If you can not get a model to work as you want then you may have
to use separate OUs and you can structure your OUs to accommodate almost any
need for applying settings to users and computers and have a logical
organization. In general MS recommends using GPO filtering sparingly and
instead organize your OU structure to accomplish your goals. You might also
want to post in one or more of the Terminal Services newsgroups as loopback
processing is used a lot on TS and someone over there may have some helpful
advice. --- Steve

"James Miller" <JamesMiller@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6234A10B-46D1-40A5-BA32-9C6C22D039BA@xxxxxxxxxxxxxxxx
> Thanks Steve. Creating a separate OU would certainly take care of my
> needs in the short term. I'm really trying to avoid creating an OU because
> as more GPOs are applied, this strategy loses value. Trying to except
> machines from multiple policies this way turns into a mess because the
> computer object can only exist in a single OU.
> The user settings are definitely enabled on the policy in question. I
> did try to set my second policy to replace mode (both were merge mode to
> begin with). This didn't make a difference. However, if I set the second
> policy to enforce it does apply. This causes the first policy to stop
> applying when the machine is not a member of the 'deny' group though.
> My user settings are in the loopback policy, and should be coming from
> the computer OU's policy. What I'm getting for user configuration is
> actually coming from the default domain policy. This policy is not set to
> enforce, so I'm not sure why the user settings from my loopback policies
> won't merge.
> Logically I would expect my current setup to work, but perhaps I'm just
> pushing GPO to do something it was never intended to do.
> --
> _________________________
> JC Miller
> Distributed Technology Analyst
> Boise, ID
>
>
> "Steven L Umbach" wrote:
>
>> Loopback processing is computer configuration. When you "filter a GPO" with
>> deny for the domain computers only computer configuration can be disabled
>> and the user configuration portion of the GPO could still be active. So what
>> may be happening is that for all computers in the OU they could then have
>> the same user configuration applied to users as the second GPO user
>> configuration is applied to them and then the first one. In other words I
>> don't think that when loopback processing is enabled that the user
>> configuration settings can come from only the GPO where the Group Policy is
>> configured for the computer. Another thing that could be happening is that
>> the user configuration from the first GPO is overriding all user
>> configuration settings in the second GPO much as if they would if those
>> settings came from the OU where the user account is located and replace mode
>> was used. It might be interesting to configure the top GPO with merge mode
>> and then the second GPO with replace mode to see what happens assuming you
>> are trying to configure additional settings for users in addition to the top
>> level GPO which you may not be trying to do. Like I said before using a
>> separate OU may be something to look at. Also verify that the user
>> configuration portion of the Group Policy in question is enabled. --- Steve
>>
>>
>> "James Miller" <JamesMiller@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:65743786-B787-4667-B05C-8D1B82CA7C18@xxxxxxxxxxxxxxxx
>> > Hmm... actually they do have read and apply. I saw read (from Security
>> > Filtering) in the GPMC and thought you'd nailed it. When I pulled up the
>> > Advanced window it did show both read and apply.
>> > --
>> > _________________________
>> > JC Miller
>> > Distributed Technology Analyst
>> > Boise, ID
>> >
>> >
>> > "Roger Abell [MVP]" wrote:
>> >
>> >> And the second, non-default loopback GPO does have the users that are
>> >> logging in defined for read/apply ?
>> >>
>> >> "James Miller" <JamesMiller@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:F0131426-C34A-45C5-B3BB-BC9ADD76EC7B@xxxxxxxxxxxxxxxx
>> >> >
>> >> > I am trying to create two policies that set user configuration on
>> >> > computer objects in our domain using loopback processing. One policy should
>> >> > be the default, and the handful of exception machines should use the second
>> >> > policy. Both policies are defined at the OU level, with the default set to
>> >> > take precedence.
>> >> > We have a group with deny rights to the default GPO object that
>> >> > contains machine accounts for all our exception machines. In theory, because
>> >> > they are denied access to the policy we want as default, they should
>> >> > effectively have the second policy settings applied.
>> >> > What our experience has been is that when a machine is placed into the
>> >> > group and denied access to our default policy, only the computer
>> >> > configuration settings from the second policy are applied. So the loopback
>> >> > setting in this policy shows that it is enabled, however none of the user
>> >> > configuration settings from that policy make it to the client.
>> >> > Modeling in the GPMC shows the default policy in the denied list as
>> >> > expected, and shows the second policy as being applied. It also shows the
>> >> > loopback setting, but none of the user configuration settings - it's
>> >> > accurately describing what my clients are experiencing. Is this behavior by
>> >> > design? What can I do to make this work the way I think it should?
>> >> > --
>> >> > _________________________
>> >> > JC Miller
>> >> > Distributed Technology Analyst
>> >> > Boise, ID
>> >>
>> >>
>> >>
>>
>>
>>
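
An added PowerShell example, not part of the original thread: for every GPO linked to one OU it collects the facts the discussion above turns on (link order and enforcement, whether the user half of the GPO is enabled, the loopback mode, and the allow/deny entries in the security filtering). It assumes the GroupPolicy module that ships with GPMC/RSAT is available; the OU distinguished name is a placeholder.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC/RSAT).
Import-Module GroupPolicy

$OuDn    = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU holding the computers
$LoopKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$Modes   = @{ 1 = 'Merge'; 2 = 'Replace' }

# Links on the OU itself, highest precedence (Order 1) first.
$links = (Get-GPInheritance -Target $OuDn).GpoLinks | Sort-Object Order

$report = foreach ($link in $links) {
    $gpo = Get-GPO -Guid $link.GpoId

    # Loopback is a computer-side registry policy: UserPolicyMode 1 = merge, 2 = replace.
    $loopback = 'Not configured'
    try {
        $v = Get-GPRegistryValue -Guid $link.GpoId -Key $LoopKey `
                 -ValueName 'UserPolicyMode' -ErrorAction Stop
        if ($Modes.ContainsKey([int]$v.Value)) { $loopback = $Modes[[int]$v.Value] }
    } catch { }   # setting absent from this GPO

    # Security filtering: who may apply the GPO, and who carries a Deny entry.
    $perms = Get-GPPermission -Guid $link.GpoId -All
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    $deny  = $perms | Where-Object { $_.Denied }

    [pscustomobject]@{
        Order        = $link.Order
        GPO          = $link.DisplayName
        LinkEnabled  = $link.Enabled
        Enforced     = $link.Enforced
        GpoStatus    = $gpo.GpoStatus      # e.g. UserSettingsDisabled
        Loopback     = $loopback
        ApplyAllowed = ($apply.Trustee.Name -join ', ')
        Denied       = ($deny.Trustee.Name -join ', ')
    }
}
$report | Format-Table -AutoSize -Wrap
```

Reading the rows side by side shows, per GPO, whether the accounts that log on are listed under ApplyAllowed, whether the computer group appears under Denied, and whether GpoStatus leaves the user settings enabled.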