[gptalk] Re: GP apply per machine?

  • From: "Savanah Garrison" <sgarrison@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 30 Jun 2008 18:03:18 -0500

I set it to "replace".  Here is how it is set up.  The servers are in
the Terminal Server Folder, and the Users are in the Users folder...  So
to fix I need another OU?

 

 

 

________________________________

From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx] 
Sent: Monday, June 30, 2008 5:30 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Are your terminal servers and user account in the same OU? If so, you
need to move it to an OU outside of where you've linked your GPO. Also,
did you set the loopback mode to "Replace" or "Merge"?

 

Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon
Energy | Work: 405.552.8054 | http://www.dvn.com <http://www.dvn.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 5:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Okay.  I'm still not understanding.  I have one user logging on to both
TS boxes. I want the policy to apply only on one box, but not the other.


 

Sorry for not getting it!  This is my first terminal server...  Thanks
for your help!

 

________________________________

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx] 
Sent: Monday, June 30, 2008 3:36 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Savanah-

If the user account is in line to process the user policy on the
loopback GPO, then it's going to get it unless you also permission the
loopback GPO to only allow the group of users that you want to process
that policy the ability to do so.

 

In other words, you must have the loopback GPO linked in such a way that
the user accounts that you don't want to apply it to are processing it
as a normal course of their policy processing cycle. If you only want
specific users to process it, then only allow those users the ability to
process the policy.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 12:29 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Yes, I only have the machine, and the one test user listed in Security
Filtering. I ran gp results on the 2nd box and my policy is not applying
to the box, but it IS applying to the user.  I want to only apply to the
user if the user is on the OTHER box.  

 

Here is a screenshot of where I set the loopback processing:

 

 

 

________________________________

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx] 
Sent: Monday, June 30, 2008 1:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Did you remove the Authenticated Users group? Try running GP Results
Wizard against that 2nd TS box and see if it says that the GPO is
applying to it, and why.

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 10:50 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

I have this set as well.  I have the single server along with the users
it should apply to listed in security filtering, but the policy is
still applying when I log on to my second terminal server...

 

________________________________

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx] 
Sent: Monday, June 30, 2008 11:24 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Savanah,

You would use security filtering of the GPO that applies the loopback
setting. So, for example, if your TS machines are called TS1 and TS2 and
you wanted only TS2 to run in loopback mode, you would remove
"Authenticated Users" from the loopback GPO and add the TS2 machine
account to the GPO's security filter.

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 9:23 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Ok, I had this enabled, but the policy is still applying to both
terminal servers.  How do I tell it which one it needs to apply to?

 

________________________________

From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx] 
Sent: Monday, June 30, 2008 8:56 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

 

Savanah,

 

Yes, that is called loopback processing. It means that User policy gets
applied based on the location of the computer object, not the user
object. Check out this Microsoft KB article for more details:

 

http://support.microsoft.com/?id=231287

 

Regards,

 

Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon
Energy | Work: 405.552.8054 | http://www.dvn.com <http://www.dvn.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 8:54 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GP apply per machine?

 

Is there a way to get my group policy to apply only if the users log in
to one of my terminal servers, but not the other?

 

Thanks!

CONFIDENTIAL NOTICE: This electronic transmission and any documents or
other writings sent with it constitute confidential information intended
only for the named recipient.  If you have received this communication
in error, do not read it. Please reply to the sender that you have
received the message in error, then delete the message.  Any disclosure,
copying, distribution or the taking of any action concerning the
contents of this communication or any attachment(s) by anyone other than
the named recipient is strictly prohibited.

 

________________________________

Confidentiality Warning: This message and any attachments are intended
only for the use of the intended recipient(s), are confidential, and may
be privileged. If you are not the intended recipient, you are hereby
notified that any review, retransmission, conversion to hard copy,
copying, circulation or other use of all or any portion of this message
and any attachments is strictly prohibited. If you are not the intended
recipient, please notify the sender immediately by return e-mail, and
delete this message and any attachments from your system. 
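
Added example (not part of the original thread or any poster's own script): the security filtering, link check and GP Results comparison discussed above, written with the GroupPolicy PowerShell module. The GPO name, the user group and the test account are hypothetical; TS1 and TS2 are the example server names used in the thread.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName  = 'TS2 Loopback Lockdown'   # hypothetical GPO carrying the loopback setting
$Server   = 'TS2'                     # the one terminal server that should get it
$Users    = 'TS2-Restricted-Users'    # hypothetical group of users to restrict
$TestUser = 'CONTOSO\testuser'        # hypothetical test account

# 1. Security filtering: drop the default "Authenticated Users" entry, then
#    allow only the TS2 computer account and the chosen user group to apply
#    the GPO. -Replace is required because None is lower than the existing level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace
Set-GPPermission -Name $GpoName -TargetName $Server `
    -TargetType Computer -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName $Users `
    -TargetType Group -PermissionLevel GpoApply

# 2. Review the resulting ACL. Only TS2 and the user group should hold
#    GpoApply; anything broader widens the scope of the policy.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission

# 3. List where the GPO is linked. A link on an OU that holds the user
#    accounts makes the user settings apply through normal processing on
#    every machine, which is the symptom described in the thread.
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$report.GPO.LinksTo | Select-Object SOMPath, Enabled

# 4. Compare Resultant Set of Policy for the same user on both servers.
#    The GPO should show as applied on TS2 and be absent or denied on TS1.
#    The user must have logged on to each server at least once.
foreach ($ts in 'TS1', 'TS2') {
    Get-GPResultantSetOfPolicy -Computer $ts -User $TestUser `
        -ReportType Html -Path "$env:TEMP\rsop-$ts.html"
}
```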
