Just catching up and saw this thread so maybe I'm missing something, but here goes.
I've got exactly this setup for our Citrix farm and it works perfectly. The OU containing the Citrix servers has a very restrictive policy that is set to No Override and also loopback with Replace so that all the user options are applied. In the permissions I have Deny Apply for Enterprise Admins and Domain Admins. The user parts of the policy apply to all users, but are not applied to members of either group. So it appears that in my environment (W2K SP3, native mode domain, Citrix MFXP SP1) the group permissions are being taken into account with the user portion of loopback policies.

KC Brown
Patterson Pump Company

-----Original Message-----
From: Roger Jardine [mailto:[EMAIL PROTECTED]
Posted At: Wednesday, January 07, 2004 4:30 AM
Posted To: ActiveDirList-PPC
Conversation: [ActiveDir] Undoing a GPO for Domain Admins was - GPO Loopback problem
Subject: RE: [ActiveDir] Undoing a GPO for Domain Admins was - GPO Loopback problem

http://support.microsoft.com/?kbid=231287

Although by using loopback you're applying user settings, the policy is still applying to a computer object, not to a user object, so you can't affect the application of what is essentially a computer policy by changing any user perms [1]. I.e. in your case it's all working as it's supposed to. In Replace mode you just get all the user settings from the computer's resultant collection of GPOs for *any user* who logs on to a computer affected by this policy. In Merge mode the GPOs for the user object are calculated and processed too, but if there are any conflicting user settings then the computer's GPOs will take higher precedence. So, if you want to apply user settings for specific groups of users, and only when logging onto a specific group/OU of computers, well, I can't think of any way of doing that using just group policy; you'd have to do some additional scripting.
Perhaps it would be easier to rethink the problem or stick with the loopback policies, and accept that on those 2 terminal servers all domain users will get a locked down desktop?

Roger

[1] (As an aside, if loopback is turned on in policy A, you have no influence over the filtering of the user settings of any other computer policies, no matter what perms you apply, even if you change the *computer perms*!! E.g. if policy B is in the list of policies that would be collected when evaluating the computer's GPOs and it has user settings in, but you've removed the read rights for the user object and the computer object for that policy, those user settings will still be applied (!!), which is not what I'd expect at all, but it is (unclearly) documented.)

--On 06/01/2004 12:03 -0800 Darren Mar-Elia wrote:

| No, the merge/replace issues shouldn't affect the fact that your admins
| are still getting desktop lockdown even though they no longer have
| permission to process that GPO. Desktop lockdown (i.e. Admin Template
| policy) should be undone (un-tattooed) when the GPO no longer applies.
| Have you tried running GPResult while logged on as the administrator to
| see if that user is still processing user desktop lockdown settings
| from that GPO? Also, you might try enabling verbose userenv logging to
| see if that gives some clue as to why these settings are still getting
| processed.
|
| -----Original Message-----
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
| Sent: Tuesday, January 06, 2004 10:55 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [ActiveDir] Undoing a GPO for Domain Admins was - GPO Loopback problem
|
| Right, I saw that. But would that override the fact that I have domain
| admins exempted from the policy (via the explicit deny)? I wouldn't
| think it would...thanks!
|
| <mc>
|
| -----Original Message-----
| From: Rich Milburn [mailto:[EMAIL PROTECTED]
| Sent: Tuesday, January 06, 2004 1:49 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [ActiveDir] Undoing a GPO for Domain Admins was - GPO Loopback problem
|
| Mark, Jorge posted this a little while ago; I'd say loopback is causing
| your problem...
| Sorry if you saw this already -
| Rich
| ----
| Mark Creamer wrote:
| Yes I do (loopback) - that may be where I'm going wrong. My goal is to
| only have the settings apply to normal users, and only when they are
| on the terminal servers in the OU where the GPO is applied. So in
| order to have the user portion of the GPO apply to computers in the
| OU, I enabled loopback (the user objects are all in the Users
| container). If that's the problem, can you explain further for me
| what's going wrong? Thanks Darren...
|
| <mc>
|
| -----Original Message-----
| From: Jorge de Almeida Pinto
| [mailto:[EMAIL PROTECTED]
| Sent: Tuesday, December 30, 2003 6:28 PM
| To: '[EMAIL PROTECTED]'
| Subject: RE: [ActiveDir] GPO Loopback problem
|
| QUOTE FROM TECHNET
|
| Using Loopback Processing to Configure User Settings
|
| The User Group Policy loopback processing mode policy setting is an
| advanced option that is intended to keep the configuration of the
| computer the same regardless of who logs on. This option is appropriate
| in certain closely managed environments, such as servers, terminal
| servers, classrooms, public kiosks, and reception areas. Setting the
| loopback processing mode policy setting applies the same user settings
| for any user who logs onto the computer, based on the computer.
|
| When you apply Group Policy objects to users, normally the same set of
| user policy settings applies to those users when they log on to any
| computer. By enabling the loopback processing policy setting in a GPO,
| you can configure user policy settings based on the computer that they
| log on to.
| Those settings are applied regardless of which user logs on.
| When you use this option, you must ensure that both the computer and
| user portions of the GPO are enabled.
|
| You can set the loopback policy in the Group Policy Object Editor
| snap-in by using the User Group Policy loopback processing mode policy
| setting under Computer Settings\Administrative settings\System\Group
| Policy. Two options are available:
|
| Merge mode: In this mode, the list of GPOs for the user is gathered
| during the logon process. Then, the list of GPOs for the computer is
| gathered. Next, the list of GPOs for the computer is added to the end
| of the GPOs for the user. As a result, the computer's GPOs have higher
| precedence than the user's GPOs.
|
| Replace mode: In this mode, the list of GPOs for the user is not
| gathered. Instead, only the list of GPOs based on the computer object
| is used. The User Configuration settings from this list are applied to
| the user.
|
| Regards,
| Jorge
|
| -----Original Message-----
| From: Salandra, Justin A.
| To: '[EMAIL PROTECTED]'
| Sent: 12/30/2003 8:33 PM
| Subject: RE: [ActiveDir] GPO Loopback problem
|
| Loopback is something I have never fully understood, but from what I
| can comprehend, if you enable loopback, no matter what settings you
| make for the user under the user config, they are ignored and the
| computer settings are true for the user.
|
| GPOs are not applied to admins if the apply is not checked like you
| said; however, if there are computer configs in the GPO they are
| applied to the computer, and the computer is not in the admin group.
|
| -----Original Message-----
| From: Creamer, Mark [mailto:[EMAIL PROTECTED]
| Sent: Tuesday, December 30, 2003 2:26 PM
| To: [EMAIL PROTECTED]
| Subject: [ActiveDir] GPO Loopback problem
|
| We're setting up a group policy being applied to an OU which contains
| 2 computer objects, which are terminal servers.
| Then we want to set user configuration policies disabling certain
| start menu options, etc.
|
| As expected, the policy affecting the users only goes into effect upon
| selecting loopback mode. The problem is, I have something enabled
| which is completely blanking the desktop - no icons, no start menu, no
| right-click, etc. Anyone know what I must have enabled to have that
| happen?
|
| Also, I was (probably mistakenly) under the impression Administrators
| are not affected by a GPO as long as the "Apply Group Policy" security
| permission is not enabled. In this GPO, it is not enabled for
| administrators, but the GPO is still applied to admins.
|
| Help! :-)
|
| Mark Creamer
| Systems Engineer
| Cintas Corporation
| Honesty and Integrity in Everything We Do
|
| List info : http://www.activedir.org/mail_list.htm
| List FAQ : http://www.activedir.org/list_faq.htm
| List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
--
Roger Jardine | Computing Services | University of Bath
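The thread turns on two things that are easy to get wrong when staring at the GPMC: which GPOs linked to the terminal-server OU actually have loopback switched on (and in which mode), and exactly who holds an Allow or Deny on "Apply Group Policy" for each of them. The script below is an added example written for this page; it is not code from any poster and it relies on the RSAT GroupPolicy and ActiveDirectory modules, which postdate the W2K/Citrix environment in the thread. The OU distinguished name passed at the bottom is a hypothetical placeholder.

```powershell
# Added example (not from the thread). Audits the GPOs linked to an OU for
# loopback processing mode and for the "Apply Group Policy" security filtering.
# Assumes: RSAT GroupPolicy + ActiveDirectory modules, rights to read GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-LoopbackAudit {
    param([Parameter(Mandatory)][string]$OuDn)   # hypothetical OU DN supplied by the caller

    # Loopback is a computer-side Administrative Template setting. In the GPO it
    # is the DWORD UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System:
    # 1 = Merge, 2 = Replace. No value means loopback is not configured in that GPO.
    $modes = @{ 1 = 'Merge'; 2 = 'Replace' }

    foreach ($link in (Get-GPInheritance -Target $OuDn).GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId

        $val = Get-GPRegistryValue -Guid $gpo.Id `
               -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
               -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
        $mode = if ($val) { $modes[[int]$val.Value] } else { 'Not configured' }

        # Security filtering: every trustee holding the GpoApply permission,
        # split by whether the ACE is an Allow or an explicit Deny. The explicit
        # Deny is what the posters use to exempt Domain Admins.
        $apply = Get-GPPermission -Guid $gpo.Id -All |
                 Where-Object { $_.Permission -eq 'GpoApply' }

        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            Enforced   = $link.Enforced        # "No Override" in the Windows 2000 UI
            Loopback   = $mode
            UserSide   = $gpo.User.Enabled     # loopback needs the User half of the GPO enabled
            AllowApply = ($apply | Where-Object { -not $_.Denied } |
                          ForEach-Object { $_.Trustee.Name }) -join ', '
            DenyApply  = ($apply | Where-Object { $_.Denied } |
                          ForEach-Object { $_.Trustee.Name }) -join ', '
        }
    }
}

# Placeholder OU; replace with the OU that holds the terminal servers.
Get-LoopbackAudit -OuDn 'OU=Terminal Servers,DC=example,DC=com' | Format-Table -AutoSize
```

The report only tells you what the ACLs and the loopback value say; it does not reproduce the client-side decision that the posters observe behaving differently, so the confirmation step Darren proposes is still the one that counts: log on to one of the servers as the user in question and run gpresult (on current Windows, `gpresult /scope user /r`) to see which GPOs the user side actually processed. Check both halves of the answer together, because a Deny on one GPO is irrelevant if a second linked GPO with loopback enabled is supplying the same user settings.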
