[gptalk] Re: GP apply per machine?

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 30 Jun 2008 15:41:47 -0700

Thanks Alan. I was missing a 'not' in that sentence. It should have been:

 

"In other words, you must have the loopback GPO linked in such a way that
the user accounts that you don't want to apply it to are not processing."

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: Monday, June 30, 2008 3:24 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Hi Darren,

 

I think your second paragraph may be open to misinterpretation :)

 

What you mean is "Since it is not working properly you must have the
loopback GPO .." rather than "If you want it to work properly you must have
the loopback GPO.."

 

While there are multiple ways of doing it, the least confusing way is to
have a LoopBack GPO which has a machine setting to enable loopback
processing plus the User settings that you want applied when on the specific
machine. Make sure that this GPO is linked to the OU (or parent OUs)
containing the machines you want to be affected. Make sure that it is NOT
linked to the OU (or parent OUs) containing the Users. This will mean that
all Users that log on to all of the machines will get the settings. You can
use security filtering to limit the machines that enable loopback processing
and the users that get the settings, i.e., if you remove Authenticated Users,
you can then add the Machines that get loopback processing. You can then
add specific Users (or Domain Users) to control who gets it. In short, the
machine AND the user must have the "apply policy" setting.

 

One further thing is that Loopback processing can be set to MERGE or
REPLACE. MERGE means "give the user his normal policy settings then add on
these settings". REPLACE says "just give him these settings". My personal
preference is MERGE, although it takes a bit more processing.

 

Alan Cuthbertson

 

 

Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

 

Policy Log Reporter (Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
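The following script is an added example written for this archive page; it is not code from the gptalk thread or from any of the posters. It builds the loopback GPO the way Alan's message describes (machine-side loopback setting plus the user settings, linked only at the computers' OU, Authenticated Users removed from the filter, Apply granted to both the machine and a user group) and finishes with the check Darren suggested earlier in the thread: running Resultant Set of Policy against both terminal servers. Every name in it is an assumption for illustration: the domain corp.example, the OU "Terminal Servers", the machines TS1 and TS2, the group TS2-LoopbackUsers, the user corp\testuser and the sample user setting (NoRun). It needs the GroupPolicy RSAT module and permission to edit GPOs.

```powershell
# Added example: scope a loopback GPO to a single terminal server with security
# filtering, then verify with RSoP. Names below are placeholders (assumed).
Import-Module GroupPolicy

$GpoName    = 'TS2 Loopback (Merge)'
$ComputerOU = 'OU=Terminal Servers,DC=corp,DC=example'  # OU that holds the machines, not the users
$Machine    = 'TS2'                                     # the one TS that should run loopback
$UserGroup  = 'TS2-LoopbackUsers'                       # users allowed to receive the settings
$TestUser   = 'corp\testuser'                           # account used for the RSoP check

# 1. Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Loopback processing for TS2 only' }

# 2. Machine side: enable loopback. UserPolicyMode 1 = Merge, 2 = Replace.
#    Merge keeps the user's normal GPOs and layers these on top; Replace discards them.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. User side: the user settings that should apply only on TS2 live in the same GPO.
#    NoRun (hide the Run command) is just a sample setting for the example.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# 4. Link it ONLY at the computers' OU, never at the OU containing the users.
$alreadyLinked = (Get-GPInheritance -Target $ComputerOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $ComputerOU -LinkEnabled Yes | Out-Null
}

# 5. Security filtering: remove Authenticated Users, then grant Apply Group Policy to
#    the machine AND to the user group. Both principals need Apply, as Alan says.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Machine   -TargetType Computer -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group    -PermissionLevel GpoApply | Out-Null

# 6. Verify the way Darren suggests: RSoP for the test user on each TS. The report for
#    TS1 should list the GPO as denied by security filtering; TS2 should show it applied.
foreach ($ts in 'TS1', 'TS2') {
    $report = Join-Path $env:TEMP "rsop-$ts.html"
    Get-GPResultantSetOfPolicy -Computer $ts -User $TestUser -ReportType Html -Path $report | Out-Null
    Write-Host "RSoP report for $ts written to $report"
}
```

Two points worth checking when you run something like this. Get-GPResultantSetOfPolicy needs the test user to have logged on to each target machine at least once and needs RSoP rights there, so run it from an account that can query both servers. On the filtering side, GpoApply includes Read, so the TS2 machine account can still read the user portion of the GPO after Authenticated Users is removed; that matters on any domain patched with MS16-072 (2016), where user policy is retrieved in the computer's security context. Merge is also the safer mode from a hardening standpoint: Replace discards every user-side GPO the account would normally receive, including any security settings delivered that way, and only this GPO's user settings are left.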

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, 1 July 2008 6:36 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Savannah-

If the user account is in line to process the user policy on the loopback
GPO, then it's going to get it unless you also permission the loopback GPO to
only allow the group of users that you want to process that policy the
ability to do so.

 

In other words, you must have the loopback GPO linked in such a way that the
user accounts that you don't want to apply it to are processing it as a
normal course of their policy processing cycle. If you only want specific
users to process it, then only allow those users the ability to process the
policy.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 12:29 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Yes, I only have the machine, and the one test user listed in Security
Filtering. I ran gp results on the 2nd box and my policy is not applying to
the box, but it IS applying to the user.  I want to only apply to the user
if the user is on the OTHER box.  

 

Here is a screenshot of where I set the loopback processing:

 



 

  _____  

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx] 
Sent: Monday, June 30, 2008 1:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Did you remove the Authenticated Users group? Try running GP Results Wizard
against that 2nd TS box and see if it says that the GPO is applying to it,
and why.

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 10:50 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

I have this set as well.  I have the single server along with the users it
should apply to listed in security filtering, but the policy is still
applying when I log on to my second terminal server.

 

  _____  

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx] 
Sent: Monday, June 30, 2008 11:24 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Savannah,

You would use security filtering of the GPO that applies the loopback
setting. So, for example, if your TS machines are called TS1 and TS2 and you
wanted only TS2 to run in loopback mode, you would remove "Authenticated
Users" from the loopback GPO and add the TS2 machine account to the GPO's
security filter.

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 9:23 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Ok, I had this enabled, but the policy is still applying to both terminal
servers.  How do I tell it which one it needs to apply to?

 

  _____  

From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx] 
Sent: Monday, June 30, 2008 8:56 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Savanah,

 

Yes, that is called loopback processing. It means that User policy gets
applied based on the location of the computer object, not the user object.
Check out this Microsoft KB article for more details:

 

http://support.microsoft.com/?id=231287

 

Regards,

 

Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon Energy |
Work: 405.552.8054 | http://www.dvn.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 8:54 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GP apply per machine?

 

Is there a way to get my group policy to apply only if the users log in to
one of my terminal servers, but not the other?

 

Thanks!

CONFIDENTIAL NOTICE: This electronic transmission and any documents or other
writings sent with it constitute confidential information intended only for
the named recipient.  If you have received this communication in error, do
not read it. Please reply to the sender that you have received the message
in error, then delete the message.  Any disclosure, copying, distribution or
the taking of any action concerning the contents of this communication or
any attachment(s) by anyone other than the named recipient is strictly
prohibited.

 

  _____  

Confidentiality Warning: This message and any attachments are intended only
for the use of the intended recipient(s), are confidential, and may be
privileged. If you are not the intended recipient, you are hereby notified
that any review, retransmission, conversion to hard copy, copying,
circulation or other use of all or any portion of this message and any
attachments is strictly prohibited. If you are not the intended recipient,
please notify the sender immediately by return e-mail, and delete this
message and any attachments from your system. 
