No problem Roger - it's still not totally clear to me...but I'm getting closer ;-)

<mc>

-----Original Message-----
From: Roger Jardine [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 07, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Undoing a GPO for Domain Admins was - GPO Loopbac k problem

Hmm, typical... my first post to this list, and it was complete rubbish.

Quite some time ago I'd had a similar issue with user perms and loopback
policies and from that, and after a few tests, I'd understood loopback
policies to work as I described.  

Having just done a few simple tests again, the user perms clearly *are*
taken into account with the user portion of the loopback policies just as
everyone else expected, so either something's changed, my brain was not
screwed in correctly last time I did the tests, or both!

Well, at least my understanding of loopback group policy processing has
improved, but that's not much help to Mark!

Apologies,
Roger

--On 07/01/2004 09:21 -0500 ActiveDirList-PPC wrote:

| Just catching up and saw this thread so maybe I'm missing something, but
| here goes. 
| 
| I've got exactly this setup for our Citrix farm and it works perfectly.
| The OU containing the Citrix servers has a very restrictive policy that
| is set to no override and also loopback with replace so that all the
| user options are applied.  In the permissions I have deny apply to
| enterprise admins and domain admins.  The user parts of the policy apply
| to all users, but are not applied to members of either group.  So it
| appears that in my environment (W2k SP3, native Mode Domain, Citrix MFXP
| SP1) that the group permissions are being taken into account with the
| user portion of loopback policies.
| 
| KC Brown
| Patterson Pump Company
| -----Original Message-----
| From: Roger Jardine [mailto:[EMAIL PROTECTED] 
| Posted At: Wednesday, January 07, 2004 4:30 AM
| Posted To: ActiveDirList-PPC
| Conversation: [ActiveDir] Undoing a GPO for Domain Admins was - GPO
| Loopbac k problem
| Subject: RE: [ActiveDir] Undoing a GPO for Domain Admins was - GPO
| Loopbac k problem
| 
| 
| http://support.microsoft.com/?kbid=231287
| 
| Although by using loopback you're applying user settings, the policy is
| still applying to a computer object, not to a user object, so you can't
| affect the application of what is essentially a computer policy by
| changing any user perms [1]. I.e. in your case it's all working as it's
| supposed to.
| 
| In replace mode you just get all the user settings from the computer's
| resultant collection of GPOs for *any user* who logs on to a computer
| affected by this policy.
| 
| In merge mode the GPOs for the user object are calculated and processed
| too, but if there are any conflicting user settings then the computer's
| GPOs will take higher precedence.
| 
| So, if you want to apply user settings for specific groups of users, and
| only when logging onto a specific group/OU of computers, well, I can't
| think of any way of doing that using just group policy, you'd have to do
| some additional scripting. Perhaps it would be easier to rethink the
| problem or stick with the loopback policies, and accept that on those 2
| terminal servers all domain users will get a locked down desktop?
| 
| Roger
| 
| [1] (As an aside, if loopback is turned on in policy A, you have no
| influence over the filtering of the user settings of any other computer
| policies, no matter what perms you apply, even if you change the
| *computer perms*!! e.g. If policy B is in the list of policies that
| would be collected when evaluating the computer's GPOs and it has user
| settings in, but you've removed the read rights for the user object and
| the computer object for that policy, those user settings will still be
| applied (!!) which is not what I'd expect at all, but it is (unclearly)
| documented)
| 
| --On 06/01/2004 12:03 -0800 Darren Mar-Elia wrote:
| 
|| No, the merge/replace issues shouldn't affect the fact that your admins
|| are still getting desktop lockdown even though they no longer have 
|| permission to process that GPO. Desktop Lockdown (i.e. Admin Template
|| policy) should be undone (un-tattooed) when the GPO no longer applies.
|| Have you tried running GPResult while logged on as the administrator to
|| see if that user is still processing user desktop lockdown settings 
|| from that GPO? Also, you might try enabling verbose userenv logging to
|| see if that gives some clue as to why these settings are still getting
|| processed.
|| 
|| -----Original Message-----
|| From: [EMAIL PROTECTED]
|| [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
|| Sent: Tuesday, January 06, 2004 10:55 AM
|| To: [EMAIL PROTECTED]
|| Subject: RE: [ActiveDir] Undoing a GPO for Domain Admins was - GPO 
|| Loopbac k problem
|| 
|| Right, I saw that. But would that override the fact that I have domain
|| admins exempted from the policy (via the explicit deny)? I wouldn't 
|| think it would...thanks!
|| 
|| <mc>
|| -----Original Message-----
|| From: Rich Milburn [mailto:[EMAIL PROTECTED]
|| Sent: Tuesday, January 06, 2004 1:49 PM
|| To: [EMAIL PROTECTED]
|| Subject: RE: [ActiveDir] Undoing a GPO for Domain Admins was - GPO 
|| Loopbac k problem
|| 
|| Mark Jorge posted this a little while ago, I'd say loopback is causing
|| your problem...
|| Sorry if you saw this already -
|| Rich
|| ----
|| Mark Creamer wrote:
|| Yes I do (loopback) - that may be where I'm going wrong. My goal is to
|| only have the settings apply to normal users, and only when they are 
|| on the terminal servers in the OU where the GPO is applied. So in 
|| order to have the user portion of the GPO apply to computers in the 
|| OU, I enabled loopback (the user objects are all in the Users 
|| container). If that's the problem, can you explain further for me 
|| what's going wrong? Thanks Darren...
|| 
||  <mc>
|| 
|| 
|| -----Original Message-----
|| From: Jorge de Almeida Pinto
|| [mailto:[EMAIL PROTECTED]
|| Sent: Tuesday, December 30, 2003 6:28 PM
|| To: ''[EMAIL PROTECTED]' '
|| Subject: RE: [ActiveDir] GPO Loopback problem
|| 
|| QUOTE FROM TECHNET
|| Using Loopback Processing to Configure User Settings
|| The User Group Policy loopback processing mode policy setting is an
|| advanced option that is intended to keep the configuration of the
|| computer the same regardless of who logs on. This option is appropriate
|| in certain closely managed environments, such as servers, terminal
|| servers, classrooms, public kiosks, and reception areas. Setting the
|| loopback processing mode policy setting applies the same user settings
|| for any user who logs onto the computer, based on the computer.
|| 
|| When you apply Group Policy objects to users, normally the same set of
|| user policy settings applies to those users when they log on to any 
|| computer. By enabling the loopback processing policy setting in a GPO,
|| you can configure user policy settings based on the computer that they
|| log on to. Those settings are applied regardless of which user logs on.
|| When you use this option, you must ensure that both the computer and 
|| user portions of the GPO are enabled.
|| 
|| You can set the loopback policy in the Group Policy Object Editor 
|| snap-in by using the User Group Policy loopback processing mode policy
|| setting under Computer Settings\Administrative settings\System\Group 
|| Policy. Two options are available:
|| 
|| Merge mode   In this mode, the list of GPOs for the user is gathered
|| during the logon process. Then, the list of GPOs for the computer is
|| gathered. Next, the list of GPOs for the computer is added to the end
|| of the GPOs for the user. As a result, the computer's GPOs have higher 
|| precedence than the user's GPOs.
|| 
|| Replace mode   In this mode, the list of GPOs for the user is not
|| gathered. Instead, only the list of GPOs based on the computer object
|| is used. The User Configuration settings from this list are applied to
|| the user.
|| 
|| Regards,
|| Jorge
|| 
|| -----Original Message-----
|| From: Salandra, Justin A.
|| To: '[EMAIL PROTECTED]'
|| Sent: 12/30/2003 8:33 PM
|| Subject: RE: [ActiveDir] GPO Loopback problem
|| 
|| Loopback is something I have never fully understood, but from what I can 
|| comprehend, if you enable loopback, no matter what settings you make 
|| for the user under the user config, they are ignored and the computer 
|| settings are true for the user.
||  
|| GPOs are not applied to admins if the apply is not checked like you 
|| said, however if there are computer configs in the GPO they are 
|| applied to the computer and the computer is not in the admin group.
||  
|| -----Original Message-----
|| From: Creamer, Mark [mailto:[EMAIL PROTECTED]
|| Sent: Tuesday, December 30, 2003 2:26 PM
|| To: [EMAIL PROTECTED]
|| Subject: [ActiveDir] GPO Loopback problem
||  
|| We're setting up a group policy being applied to an OU which contains 
|| 2 computer objects, which are terminal servers. Then we want to set 
|| user configuration policies disabling certain start menu options, etc.
||  
|| As expected, the policy affecting the users only goes into effect upon
|| selecting Loopback mode. The problem is, I have something enabled 
|| which is completely blanking the desktop - no icons, no start menu, no
|| right-click, etc. Anyone know what I must have enabled to have that 
|| happen?
||  
|| Also, I was (probably mistakenly) under the impression Administrators 
|| are not affected by a GPO as long as the "Apply Group Policy" security
|| permission is not enabled. In this GPO, it is not enabled for 
|| administrators, but the GPO is still applied to admins.
||  
|| Help! :-)
||  
|| Mark Creamer
|| Systems Engineer
|| Cintas Corporation
|| Honesty and Integrity in Everything We Do
||  
|| 
|| List info   : http://www.activedir.org/mail_list.htm
|| List FAQ    : http://www.activedir.org/list_faq.htm
|| List archive:
|| http://www.mail-archive.com/activedir%40mail.activedir.org/
| 
| --
| Roger Jardine | Computing Services | University of Bath
| 
| 
| 
| 

--
Roger Jardine | Computing Services | University of Bath
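A small model of what the thread is arguing about, added here as an illustration and not part of any message in the thread. It follows the TechNet text Jorge quoted (merge mode appends the computer's GPO list after the user's list, so the computer's GPOs win conflicts; replace mode uses only the computer's list) and the behaviour KC Brown observed and Roger confirmed in his follow-up tests: the user portion of those GPOs is still security-filtered against the logged-on *user's* groups, so a Deny "Apply Group Policy" ACE for Domain Admins exempts admins even under loopback. The GPO names, settings, group names and the `UserGroupPolicyLoopbackProcessingMode` key are constructed for the example; the "Sales Users" GPO is there only to show the difference between merge and replace (Mark's users sit in the Users container, so they would not have one).

```python
# Added example, not from the thread: a model of Group Policy loopback processing
# (merge / replace) with security filtering. All names below are constructed.
from dataclasses import dataclass, field

# Stand-in for the Computer Configuration setting that selects the loopback mode.
LOOPBACK_KEY = "UserGroupPolicyLoopbackProcessingMode"


@dataclass
class GPO:
    name: str
    computer_settings: dict = field(default_factory=dict)
    user_settings: dict = field(default_factory=dict)
    # Security filtering: groups granted Read + Apply Group Policy, and groups
    # carrying an explicit Deny on Apply Group Policy.
    apply_allow: frozenset = frozenset({"Authenticated Users"})
    apply_deny: frozenset = frozenset()


def applies_to(gpo: GPO, groups: set) -> bool:
    """A Deny ACE on Apply Group Policy wins over any Allow ACE."""
    if gpo.apply_deny & groups:
        return False
    return bool(gpo.apply_allow & groups)


def loopback_mode(computer_gpos, computer_groups):
    """Computer side: walk the computer's GPO list in link order; last write wins."""
    mode = None
    for gpo in computer_gpos:
        if applies_to(gpo, computer_groups):
            mode = gpo.computer_settings.get(LOOPBACK_KEY, mode)
    return mode


def resultant_user_settings(user_gpos, computer_gpos, user_groups, computer_groups):
    """Resolve the User Configuration for one logon.

    Both lists are in application order (lowest precedence first), so a later
    GPO overrides an earlier one for the same setting.
    """
    mode = loopback_mode(computer_gpos, computer_groups)
    if mode == "replace":
        candidates = list(computer_gpos)            # user's own list is not gathered
    elif mode == "merge":
        candidates = list(user_gpos) + list(computer_gpos)  # computer's list appended last
    else:
        candidates = list(user_gpos)                # no loopback: computer GPOs' user half ignored
    resolved = {}
    for gpo in candidates:
        # The user portion is filtered with the user's token, not the computer's.
        if applies_to(gpo, user_groups):
            resolved.update(gpo.user_settings)
    return resolved


def build_scenario(mode=None):
    """Mark's setup: a domain policy plus a lockdown GPO on the terminal-server OU."""
    default_domain = GPO(
        name="Default Domain Policy",
        user_settings={"RemoveRunFromStartMenu": False},
    )
    sales_users = GPO(  # constructed user-side GPO, only to contrast merge and replace
        name="Sales Users",
        user_settings={"LockWallpaper": True},
    )
    ts_lockdown = GPO(
        name="TS Lockdown",
        computer_settings={LOOPBACK_KEY: mode} if mode else {},
        user_settings={"RemoveRunFromStartMenu": True, "HideAllDesktopIcons": True},
        apply_deny=frozenset({"Domain Admins", "Enterprise Admins"}),
    )
    user_gpos = [default_domain, sales_users]
    computer_gpos = [default_domain, ts_lockdown]   # domain link, then the OU link
    return user_gpos, computer_gpos


COMPUTER_GROUPS = {"Authenticated Users", "Domain Computers"}
NORMAL_USER = {"Authenticated Users", "Domain Users"}
ADMIN_USER = {"Authenticated Users", "Domain Users", "Domain Admins"}


def logon(mode, user_groups):
    """Resolved user settings for a logon to a terminal server in the OU."""
    user_gpos, computer_gpos = build_scenario(mode)
    return resultant_user_settings(user_gpos, computer_gpos, user_groups, COMPUTER_GROUPS)


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        for who, groups in (("user", NORMAL_USER), ("domain admin", ADMIN_USER)):
            print(f"loopback={str(mode):8} {who:12} -> {logon(mode, groups)}")
```

Running it shows the three things the thread turns on: with no loopback a normal user never sees the lockdown settings (Mark's "only goes into effect upon selecting Loopback mode"); with loopback in either mode the user gets them while a Domain Admins member does not, because the Deny ACE is evaluated against the user's token; and replace drops the user-linked "Sales Users" GPO that merge keeps.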


