Loopback processing
  • Loopback processing

    I have a number of GPOs that use loopback processing to apply user settings on specific PCs. The policies are all in merge mode and have (as far as I'm aware) been working fine.

    The policies are linked at the OU that contains the appropriate Computer objects, and filtered to the specific PCs that require the settings by Security Filtering (usually via security group membership). The GPOs' Security Filtering settings also contain the Domain Users group, because I want the settings to apply to all users who log on to those PCs.

    Recently, a new policy has been created in the same manner, which has caused another loopback policy to apply to the users (this one sets a desktop wallpaper, so is quite noticeable). Looking at the output of GPRESULT.EXE, all loopback policies are being applied to the user, despite the computer object not being included in the Security Filtering settings of the GPO.

    Is this behaviour normal? The way I understood it was that the User portion of a loopback policy was only applied to a User if the Computer portion was processed by the Computer. Or am I being dense?

    Many thanks, Doc.

  • #2
    Re: Loopback processing

    User settings apply to users regardless of the state of the computer settings or security filtering based on computer. The reason is, a security filter that includes or excludes a computer account will only be effective for computer settings for the computer, not the user settings for the user logging on to that computer.



    • #3
      Re: Loopback processing

      Originally posted by joeqwerty:
      User settings apply to users regardless of the state of the computer settings or security filtering based on computer. The reason is, a security filter that includes or excludes a computer account will only be effective for computer settings for the computer, not the user settings for the user logging on to that computer.
      But surely in this case the Computer Security filtering is restricting which Computers the GPO applies to and the loopback settings of that GPO cause the User portion to be applied to the logged on user (despite the GPO not being linked above the user object in AD)



      • #4
        Re: Loopback processing

        Because loopback policy processing can be confusing, I want to clarify:

        1. Computer settings apply to computers. Setting a computer account/group security filter on the GPO will cause GPO processing to apply or not apply the computer settings to the computers in the OU where the GPO is linked.

        2. User settings apply to users. Setting a user/group security filter on the GPO will cause GPO processing to apply or not apply the user settings to users logging on to the computers in the OU where the GPO is linked.

        3. Using a security filter that is based on the computer tells GPO processing to apply or not apply the computer settings to that computer but has no effect on user settings.

        4. If you want to filter the GPO for the user settings you need to add a user/group to the security filter.



        • #5
          Re: Loopback processing

          Originally posted by Doc Dish:
          But surely in this case the Computer Security filtering is restricting which Computers the GPO applies to and the loopback settings of that GPO cause the User portion to be applied to the logged on user (despite the GPO not being linked above the user object in AD)
          No the Computer security filter tells GP processing not to process computer settings to those computers. It has no bearing on the user settings.

          At least that's my understanding of loopback policy processing.



          • #6
            Re: Loopback processing

            Originally posted by joeqwerty:
            No the Computer security filter tells GP processing not to process computer settings to those computers. It has no bearing on the user settings.

            At least that's my understanding of loopback policy processing.
            Which is my point; if a loopback GPO is not accessible to the Computer object (via Security filtering) then the User portion will not be added to the list of GPOs that the User receives.



            • #7
              Re: Loopback processing

              But loopback policy processing is based on the user credentials not the computer credentials, so I believe setting a computer based security filter simply tells GPO processing not to apply any Computer Configuration settings in the GPO to those computers (in the filter) but has no bearing on the User Configuration settings in the GPO.

              As I said, loopback policy processing is confusing and I may be wrong, but this is my understanding of it. When you run gpresults against one of the computers and users what does it show as far as GPO's being applied and denied?



              • #8
                Re: Loopback processing

                Check out how the security filtering has been configured.

                http://technet.microsoft.com/en-us/l...06(WS.10).aspx



                • #9
                  Re: Loopback processing

                  I think I've got a handle on this:

                  When a Computer object processes a GPO that contains the Loopback Policy option in Merge mode, it causes the User object to append the list of GPOs for the Computer object to the list of GPOs for the Computer object.

                  If any of those GPOs contain any User Configuration settings and the User object has the ability to read them (i.e. the user object has Read (from Security Filtering) permissions on the GPO) then those settings are applied after the settings from the User's own list of GPOs.

                  The important information to my issue can be found about half-way down in http://support.microsoft.com/kb/231287:

                  Note You cannot filter the user settings that are applied by denying or removing the AGP and Read rights from the computer object specified for the loopback policy.
                  This means that the User Configuration settings from all GPOs linked above the Computer object are applied - even if the Computer object cannot read them due to Security Filtering.

                  This also means (as far as I can make out) that you need to isolate each group of PCs that require loopback policy in its own OU, unless you use security filtering on the User objects.

                  Does this make sense or am I just making random noises?



                  • #10
                    Re: Loopback processing

                    The GPO processing part makes sense to me, except I don't quite understand what moving each set of computers into their own OU's would accomplish.



                    • #11
                      Re: Loopback processing

                      Originally posted by joeqwerty:
                      The GPO processing part makes sense to me, except I don't quite understand what moving each set of computers into their own OU's would accomplish.
                      If you have multiple GPOs that are linked to a single OU containing your Computer objects and those GPOs have User Configuration settings that are readable by all users then all users will apply the User Configuration settings from all policies even if the GPOs do not apply to the PCs.

                      Example: OU-A contains the Computer objects for PC1 & PC2 and has two GPOs linked to it GP1 & GP2. GP1's Security Filtering only contains PC1 and GP2's only contains PC2.

                      Result: PC1 applies the Computer Configuration settings in GP1 and vice-versa for PC2.

                      However, if those GPOs also contain User Configuration settings and the Computer Configuration includes enabling loopback processing, then any user logging on to PC1 will apply the User Configuration settings for both GP1 and GP2, despite the fact that GP2 does not apply to PC1.



                      • #12
                        Re: Loopback processing

                        That doesn't sound right. The user's GPOs would normally be processed from the GPOs linked to the OU where the user object is. In your scenario a user would get the GPO settings from the GPO linked to the OU where the computer object is (via loopback processing) BUT only from the GPO that applies to the computer they're logging in to. So if the user logs on to PC1 (with loopback processing enabled) they'll get the User Configuration settings from the GPO for PC1 but not PC2 since they aren't logging on to PC2.



                        • #13
                          Re: Loopback processing

                          Originally posted by joeqwerty:
                          That doesn't sound right. The user's GPOs would normally be processed from the GPOs linked to the OU where the user object is. In your scenario a user would get the GPO settings from the GPO linked to the OU where the computer object is (via loopback processing) BUT only from the GPO that applies to the computer they're logging in to. So if the user logs on to PC1 (with loopback processing enabled) they'll get the User Configuration settings from the GPO for PC1 but not PC2 since they aren't logging on to PC2.
                          That's what I thought. However, in testing, what I've stated previously seems to apply - which fits in with the rather ambiguous statement in the Knowledge Base article about Computer object filtering not affecting the policies applied to the user.

                          If you run GPRESULT.exe, you can see that the entire list of GPOs applied to the Computer is also appended to the list of GPOs applied to the User (the Default Domain Policy will be applied twice, for example).

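                          An added audit script (not from this thread or from Microsoft) that checks the situation described in #11 and #13 from the domain side: for the OU that holds a given computer object, it lists every linked GPO, whether it turns on loopback (and in which mode), whether its User Configuration is enabled, and which trustees sit in its Security Filtering. The computer name PC1 is a placeholder; the RSAT GroupPolicy and ActiveDirectory modules are assumed to be installed.

```powershell
# Added example, not code from the thread. Assumes RSAT GroupPolicy and
# ActiveDirectory modules; 'PC1' below is a placeholder computer name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-LoopbackUserSettingsExposure {
    param([Parameter(Mandatory)][string]$ComputerName)

    # OU that contains the computer object: drop the leading CN= component.
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $ou = $dn -replace '^CN=[^,]+,', ''

    foreach ($link in (Get-GPInheritance -Target $ou).GpoLinks) {
        if (-not $link.Enabled) { continue }
        $gpo = Get-GPO -Guid $link.GpoId

        # Loopback is a Computer Configuration registry policy:
        # HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
        # (1 = Merge, 2 = Replace). The cmdlet throws when the value is not set.
        try {
            $mode = (Get-GPRegistryValue -Guid $gpo.Id `
                -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                -ValueName 'UserPolicyMode' -ErrorAction Stop).Value
        } catch { $mode = $null }
        $modeName = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not set' } }

        # Trustees holding Apply Group Policy = the "Security Filtering" list.
        $apply = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }

        # Computer accounts appear with a trailing '$'. A computer-only filter
        # gates the Computer Configuration only; any user or group trustee here
        # (e.g. Domain Users) means the User Configuration reaches every user
        # who logs on to a machine in this OU once loopback is active.
        $nonComputer = $apply | Where-Object { $_.Trustee.Name -notmatch '\$$' }

        [pscustomobject]@{
            GPO                 = $gpo.DisplayName
            LoopbackMode        = $modeName
            UserSettingsEnabled = $gpo.User.Enabled
            AppliesTo           = ($apply.Trustee.Name -join ', ')
            NonComputerTrustees = ($nonComputer.Trustee.Name -join ', ')
        }
    }
}

Get-LoopbackUserSettingsExposure -ComputerName 'PC1' | Format-Table -AutoSize
```

                          Any row with UserSettingsEnabled true and a non-empty NonComputerTrustees column will contribute its user portion to everyone logging on to that OU's machines whenever any loopback GPO applies there, which is the behaviour GPRESULT showed in this thread.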


                          • #14
                            Re: Loopback processing

                            Yep, it's confusing. So, did you get your original issue sorted out?



                            • #15
                              Re: Loopback processing

                              Originally posted by joeqwerty:
                              Yep, it's confusing. So, did you get your original issue sorted out?
                              It's more a case of now I have a workaround (put the PCs that need to have an 'all user' loopback policy in a separate OU and avoid creating any more loopback policies at all costs!)
