Re: Complex GPO Configuration Issue
- From: James Miller <JamesMiller@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 5 Oct 2005 10:01:10 -0700
Thanks again, Steve. This is the first time I've tried a double-loopback
with deny configuration - although I've successfully used loopback for
locking down training room PCs in the past. I will heed your suggestion and
try cross-posting to the TS groups and see if anyone over there has tried
this.
--
_________________________
JC Miller
Distributed Technology Analyst
Boise, ID
"Steven L Umbach" wrote:
> I have read a lot of posts and articles on loopback processing and have used
> it myself. I think you are the first one I have come across attempting to
> use multiple Group Policies linked to an OU with loopback processing enabled
> on both.
>
> If you enforce a policy then it will override all other policies in the path
> to the user/computer unless another GPO closer to the user/computer is also
> enforced. I have found RSOP in planning mode to be very helpful in planning
> a Group Policy implementation and of course you can model with loopback
> processing. If you can not get a model to work as you want then you may have
> to use separate OUs and you can structure your OUs to accommodate almost any
> need for applying settings to users and computers and have a logical
> organization. In general MS recommends using GPO filtering sparingly and
> instead organize your OU structure to accomplish your goals. You might also
> want to post in one or more of the Terminal Services newsgroups as loopback
> processing is used a lot on TS and someone over there may have some helpful
> advice. --- Steve
>
>
> "James Miller" <JamesMiller@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:6234A10B-46D1-40A5-BA32-9C6C22D039BA@xxxxxxxxxxxxxxxx
> > Thanks Steve. Creating a separate OU would certainly take care of my
> > needs in the short term. I'm really trying to avoid creating an OU
> > because
> > as more GPOs are applied, this strategy loses value. Trying to except
> > machines from multiple policies this way turns into a mess because the
> > computer object can only exist in a single OU.
> > The user settings are definitely enabled on the policy in question. I
> > did try to set my second policy to replace mode (both were merge mode to
> > begin with). This didn't make a difference. However, if I set the second
> > policy to enforce it does apply. This causes the first policy to stop
> > applying when the machine is not a member of the 'deny' group though.
> > My user settings are in the loopback policy, and should be coming from
> > the computer OU's policy. What I'm getting for user configuration is
> > actually coming from the default domain policy. This policy is not set to
> > enforce, so I'm not sure why the user settings from my loopback policies
> > won't merge.
> > Logically I would expect my current setup to work, but perhaps I'm just
> > pushing GPO to do something it was never intended to do.
> > --
> > _________________________
> > JC Miller
> > Distributed Technology Analyst
> > Boise, ID
> >
> >
> > "Steven L Umbach" wrote:
> >
> >> Loopback processing is computer configuration. When you "filter a GPO"
> >> with
> >> deny for the domain computers only computer configuration can be disabled
> >> and the user configuration portion of the GPO could still be active. So
> >> what
> >> may be happening is that for all computers in the OU they could then have
> >> the same user configuration applied to users as the second GPO user
> >> configuration is applied to them and then the first one. In other words I
> >> don't think that when loopback processing is enabled that the user
> >> configuration settings can come from only the GPO where the Group Policy
> >> is
> >> configured for the computer. Another thing that could be happening is
> >> that
> >> the user configuration from the first GPO is overriding all user
> >> configuration settings in the second GPO much as if they would if those
> >> settings came from the OU where the user account is located and replace
> >> mode
> >> was used. It might be interesting to configure the top GPO with merge
> >> mode
> >> and then the second GPO with replace mode to see what happens assuming
> >> you
> >> are trying to configure additional settings for users in addition to the
> >> top
> >> level GPO which you may not be trying to do. Like I said before using a
> >> separate OU may be something to look at. Also verify that the user
> >> configuration portion of the Group Policy in question is enabled. ---
> >> Steve
> >>
> >>
> >> "James Miller" <JamesMiller@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:65743786-B787-4667-B05C-8D1B82CA7C18@xxxxxxxxxxxxxxxx
> >> > Hmm... actually they do have read and apply. I saw read (from Security
> >> > Filtering) in the GPMC and thought you'd nailed it. When I pulled up
> >> > the
> >> > Advanced window it did show both read and apply.
> >> > --
> >> > _________________________
> >> > JC Miller
> >> > Distributed Technology Analyst
> >> > Boise, ID
> >> >
> >> >
> >> > "Roger Abell [MVP]" wrote:
> >> >
> >> >> And the second, non-default loopback GPO does have the users that are
> >> >> logging in defined for read/apply ?
> >> >>
> >> >> "James Miller" <JamesMiller@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> >> >> message
> >> >> news:F0131426-C34A-45C5-B3BB-BC9ADD76EC7B@xxxxxxxxxxxxxxxx
> >> >> >
> >> >> > I am trying to create two policies that set user configuration
> >> >> > on
> >> >> > computer objects in our domain using loopback processing. One
> >> >> > policy
> >> >> > should
> >> >> > be the default, and the handful of exception machines should use the
> >> >> > second
> >> >> > policy. Both policies are defined at the OU level, with the default
> >> >> > set
> >> >> > to
> >> >> > take precedence.
> >> >> > We have a group with deny rights to the default GPO object that
> >> >> > contains machine accounts for all our exception machines. In
> >> >> > theory,
> >> >> > because
> >> >> > they are denied access to the policy we want as default, they should
> >> >> > effectively have the second policy settings applied.
> >> >> > What our experience has been is that when a machine is placed
> >> >> > into
> >> >> > the
> >> >> > group and denied access to our default policy, only the computer
> >> >> > configuration settings from the second policy are applied. So the
> >> >> > loopback
> >> >> > setting in this policy shows that it is enabled, however none of the
> >> >> > user
> >> >> > configuration settings from that policy make it to the client.
> >> >> > Modeling in the GPMC shows the default policy in the denied list
> >> >> > as
> >> >> > expected, and shows the second policy as being applied. It also
> >> >> > shows
> >> >> > the
> >> >> > loopback setting, but none of the user configuration settings - it's
> >> >> > accurately describing what my clients are experiencing. Is this
> >> >> > behavior
> >> >> > by
> >> >> > design? What can I do to make this work the way I think it should?
> >> >> > --
> >> >> > _________________________
> >> >> > JC Miller
> >> >> > Distributed Technology Analyst
> >> >> > Boise, ID
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
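The thread keeps circling four facts that are easier to read side by side than to infer from symptoms: the link order and Enforced flag on the OU, whether each GPO's user configuration is enabled, which loopback mode each GPO sets, and which groups carry a Deny on "Apply Group Policy". The script below gathers all four for every GPO linked to one OU and then pulls a logging-mode RSoP report from one exception machine for comparison with the GPMC modeling. It is an added example, not code posted by anyone in this thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules in a domain-joined administrative session, and the OU, computer and user names are placeholders.

```powershell
# Added diagnostic example for the loopback / security-filtering question in this
# thread. Not code from any poster. Requires the RSAT GroupPolicy and
# ActiveDirectory modules in a domain-joined admin session.
# $OuDn, $TestComputer and $TestUser are placeholder names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$OuDn         = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU holding the computers
$TestComputer = 'EXCEPTION-PC01'                      # placeholder: a machine in the deny group
$TestUser     = 'example\jdoe'                        # placeholder: a user who logs on to it

# Schema GUID of the "Apply Group Policy" extended right. A Deny ACE carrying this
# GUID is what the GPMC displays as Deny on "Apply group policy".
$ApplyGroupPolicyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Links on the OU in precedence order, with the Enforced flag that overrides
#    precedence regardless of link order.
$links = (Get-GPInheritance -Target $OuDn).GpoLinks | Sort-Object Order

$report = foreach ($link in $links) {
    $gpo = Get-GPO -Guid $link.GpoId

    # 2. Loopback mode is stored in the GPO's computer-side registry policy:
    #    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
    #    1 = merge, 2 = replace; value absent = loopback not configured.
    $mode = Get-GPRegistryValue -Guid $gpo.Id `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    $loopback = switch ($mode.Value) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }

    # 3. Deny ACEs for "Apply Group Policy" on the GPO's container object in AD.
    $policyDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
    $acl = Get-Acl -Path "AD:\$policyDn"
    $denied = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ApplyGroupPolicyGuid } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Order       = $link.Order
        GPO         = $gpo.DisplayName
        LinkEnabled = $link.Enabled
        Enforced    = $link.Enforced
        GpoStatus   = $gpo.GpoStatus      # UserSettingsDisabled means the user half never applies
        Loopback    = $loopback
        DeniedApply = ($denied -join '; ')
    }
}

$report | Format-Table -AutoSize

# 4. Confirm against an actual logon (logging-mode RSoP) on one exception machine.
#    The "Denied GPOs" and "User Configuration" sections should match what the
#    GPMC modeling shows for the same computer and user.
$reportPath = Join-Path $env:TEMP 'rsop-exception.html'
Get-GPResultantSetOfPolicy -ReportType Html -Computer $TestComputer -User $TestUser -Path $reportPath
Write-Host "RSoP report written to $reportPath"
```

Reading the table: a GPO whose link shows `Enforced = True` will win over an unenforced link with a lower Order number, which is the behaviour described above when the second policy was set to enforce; `GpoStatus = UserSettingsDisabled` on the loopback GPO explains missing user settings by itself; and the `DeniedApply` column should list exactly the exception group, and only on the default GPO.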