Perhaps before the GPO was applied to 'Authenticated Users'? I've always had to include the machine account, especially for loopback.

-lc

>________________________________
> From: "Rankin, James R" <[email protected]>
>To: NT System Admin Issues <[email protected]>
>Sent: Friday, April 13, 2012 10:16 AM
>Subject: Re: GPO weirdness
>
>Works with the computer account added, but I never had to do it that way before
>---Blackberried
>________________________________
>
>From: Lora Cates <[email protected]>
>Date: Fri, 13 Apr 2012 06:53:12 -0700 (PDT)
>To: NT System Admin Issues <[email protected]>
>ReplyTo: "NT System Admin Issues" <[email protected]>
>Subject: Re: GPO weirdness
>
>Have you tried to add the computer account? Loopback policy applies user
>setting to a machine, or group of machines. If the machine can't read the
>policy, it can't apply the user settings to that machine. But you should see
>the FILTERED result for the computer object in the GPRESULT.
>
>-lc
>
>>________________________________
>> From: James Rankin <[email protected]>
>>To: NT System Admin Issues <[email protected]>
>>Sent: Friday, April 13, 2012 8:08 AM
>>Subject: Re: GPO weirdness
>>
>>That's not how I understood it (I could be wrong), but as I said previously
>>I've had it working before without having to add computer accounts.
>>
>>Maybe need one of the AD Yodas to provide a definitive answer :-)
>>
>>On 13 April 2012 13:54, Mayo, Bill <[email protected]> wrote:
>>
>>Loopback processing always ups the confusion for me (so I could be way off),
>>but isn't that the likely reason for it? Loopback processing says to use the
>>policy applied to the computer, not the user, so it would not apply the
>>policy in question unless it also applied to the computer being logged onto.
>>If the restriction didn't apply to the computer, it therefore wouldn't be
>>applied, right?
>>>
>>>Bill Mayo
>>>
>>>From: James Rankin [mailto:[email protected]]
>>>Sent: Friday, April 13, 2012 8:31 AM
>>>To: NT System Admin Issues
>>>Subject: Re: GPO weirdness
>>>
>>>Both. Settings aren't applied, and the GPO doesn't show as being applied in
>>>gpresult.
>>>
>>>On 13 April 2012 13:13, Christopher Bodnar <[email protected]>
>>>wrote:
>>>Just read your disclaimer, funny stuff, extraterrestrial eggplants?
>>>
>>>OK back to your issue. When you say the GPO does not apply do you mean that
>>>the settings don't get enforced, or that the GPO doesn't show up as being
>>>applied in the output of GPRESULT?
>>>
>>>Christopher Bodnar
>>>Enterprise Architect I, Corporate Office of Technology: Enterprise
>>>Architecture and Engineering Services
>>>Tel 610-807-6459
>>>3900 Burgess Place, Bethlehem, PA 18017
>>>[email protected]
>>>
>>>The Guardian Life Insurance Company of America
>>>
>>>www.guardianlife.com
>>>
>>>From: James Rankin <[email protected]>
>>>To: "NT System Admin Issues" <[email protected]>
>>>Date: 04-13-12 05:12 AM
>>>Subject: GPO weirdness
>>>
>>>________________________________
>>>
>>>I have a GPO with user settings that I am applying to an OU with Terminal
>>>Servers in it (Loopback Policy Processing is configured in another GPO on
>>>the same OU). I also want to apply a security filter to the user settings OU
>>>so that only a certain AD group are subject to it. However, whenever I
>>>change the security filter from Authenticated Users, the GPO does not apply
>>>even though the user is a member of the AD group in the security filter. The
>>>only way I can get it to work is by adding the computer accounts for the
>>>Terminal Servers to the security filter, which has me baffled because these
>>>are user settings and shouldn't be applied to the computer accounts, should
>>>they? I could be utterly wrong but I have checked GPOs I used in other, similar environments and I never had to add computer accounts specifically to a security filter for a user settings GPO to work.
>>>
>>>Can anyone confirm if this is expected behaviour or not?
>>>
>>>TIA,
>>>
>>>JRR
>>>
>>>--
>>>http://appsensebigot.blogspot.co.uk/
>>>
>>>IMPORTANT INFORMATION/DISCLAIMER
>>>
>>>I certainly don't have time to monitor the content of e-mail sent and
>>>received via this account for the purposes of ensuring compliance with
>>>anyone's policies and procedures. I am pretty sure that somewhere in UK
>>>legislation there is some politically-correct drivel that stipulates I must
>>>never send or store e-mails or attachments that are obscene, indecent,
>>>sexist, racist, defamatory, abusive, in breach of copyright, encrypted,
>>>amusing, overly long, slightly opinionated, anonymous, likely to harm
>>>animals or hurt the feelings of an as-yet-unspecified or as-yet-nonexistent
>>>minority (such as extraterrestrial eggplants). Emails of this nature sent in
>>>or out of this account may be intercepted and stopped by the system, but
>>>it's a long shot. This being the UK, even if I was prosecuted for breach of
>>>said email guidelines, I'd probably walk with a suspended sentence anyway,
>>>but if I'd forgotten to pay my car insurance, I'd most certainly be hung, drawn and quartered.
>>>
>>>I am not responsible for any changes made to the message after it has been
>>>sent, in more or less the same way that cyclizine manufacturers aren't
>>>responsible for drug addicts mixing it with methadone and overdosing, so I'm
>>>glad I cleared the confusion up there nice and early. Where opinions are
>>>expressed, they are not necessarily mine. However, I don't make a habit of
>>>expressing other people's opinions for them, so you shouldn't take that
>>>statement as an indication that I am in the business of providing an
>>>opinion-expressing service. In the event that I did, this discourse would
>>>provide no guarantee that I would do it anyway, but I don't, so I won't.
>>>
>>>This e-mail and any files transmitted with it are confidential and intended
>>>solely for the use of the individual or entity to whom they are addressed.
>>>If you are not the intended addressee, or the person responsible for
>>>delivering it to them, aside from the fact that you've clearly got some
>>>level of unauthorised access to their account or are at least engaged in
>>>some sort of fraud, I'm obliged to tell you that you may not copy, forward,
>>>disclose or otherwise use it or any part of it in any way. To do so may be
>>>unlawful, and as you're already breaking the law, I am sure that bombshell
>>>makes you quake in your boots and turn yourself over to law enforcement
>>>immediately. If you receive this e-mail by mistake, please advise the sender
>>>immediately. That would be me, and as I am clearly prone to sending emails
>>>to completely the wrong person, I should instantly be stripped of my status
>>>as a technical consultant and sent to do something more becoming of my stupidity, such as appearing on Big Brother, the X Factor or "insert country name here"'s Got Talent.
>>>
>>>~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>>---
>>>To manage subscriptions click here:
>>>http://lyris.sunbelt-software.com/read/my_forums/
>>>or send an email to [email protected]
>>>with the body: unsubscribe ntsysadmin
>>>
>>>-----------------------------------------
>>>This message, and any attachments
>>>to it, may contain information that is privileged, confidential, and exempt
>>>from disclosure under applicable law. If the reader of this message is not
>>>the intended recipient, you are notified that any use, dissemination,
>>>distribution, copying, or communication of this message is strictly
>>>prohibited. If you have received this message in error, please notify the
>>>sender immediately by return e-mail and delete the message and any
>>>attachments. Thank you.
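
One way to inspect the security filter this thread is about, as an added example that is not part of any poster's message: it lists the trustees on the GPO, checks whether the user group and the Terminal Server computer accounts hold Read or Apply, and previews the change the thread reports as working. The GPO and group names are hypothetical placeholders, and the script assumes the GroupPolicy PowerShell module is available.

```powershell
# Added example. The GPO and group names are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName       = 'TS User Settings'      # hypothetical: GPO holding the user settings
$UserGroup     = 'TS-Restricted-Users'   # hypothetical: AD group in the security filter
$ComputerGroup = 'TS-Servers'            # hypothetical: group holding the Terminal Server computer accounts

# Every trustee on the GPO's ACL. This shows direct entries only; it does not
# expand group membership.
$acl = Get-GPPermission -Name $GpoName -All
$acl | Sort-Object { $_.Trustee.Name } |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                 @{ n = 'Type';    e = { $_.Trustee.SidType } },
                 Permission, Denied -AutoSize

# True when the named trustee holds one of the given levels and the entry is not a deny.
function Test-GpoTrustee {
    param($Acl, [string]$Name, [string[]]$Levels)
    [bool]($Acl | Where-Object {
        $_.Trustee.Name -eq $Name -and -not $_.Denied -and $Levels -contains "$($_.Permission)"
    })
}

$report = [ordered]@{
    'User group can apply'        = Test-GpoTrustee $acl $UserGroup     @('GpoApply')
    'Computers can read or apply' = Test-GpoTrustee $acl $ComputerGroup @('GpoRead', 'GpoApply')
    'Authenticated Users on ACL'  = Test-GpoTrustee $acl 'Authenticated Users' @('GpoRead', 'GpoApply')
}
$report.GetEnumerator() | Format-Table Name, Value -AutoSize

# The change the thread reports as working: add the computer accounts to the filter.
# -WhatIf previews the change; remove it to apply.
if (-not $report['Computers can read or apply']) {
    Set-GPPermission -Name $GpoName -TargetName $ComputerGroup -TargetType Group `
        -PermissionLevel GpoApply -WhatIf
}

# Then, on a Terminal Server, logged on as a member of $UserGroup:
#   gpupdate /force
#   gpresult /r
```

In the `gpresult /r` output, the GPO should move from the filtered list to the applied list for the user once the filter is correct.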
