[gptalk] Re: access denied (security filtering)

  • From: jpsalemi@xxxxxxxxxxxxxxxxxxx
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Thu, 13 Mar 2008 13:05:20 -0500

Hi Bill

Did you disable the user settings?  Not just leave them not configured?

Putting another loopback will complicate matters really, then you have to 
figure out which loopback runs last.  Not fun.  They're a bit cumbersome 
to work with anyhow. It won't offer you granularity either.

Also, you are trying to apply user settings only to this group, or user 
right?  If you're trying to apply more computer settings to the OU, users 
can't apply them. 

The loopback basically says apply these user settings to this computer. 
When it's in replace mode, it will apply the blank policy unless it's 
disabled. 

So a loopback on replace mode with the user settings disabled will tell 
the TS to apply user settings to this computer.  Having a user settings 
only policy linked to the same OU "should" then take those user settings 
and apply them to the group (or user) you have set in the scope of the 
policy, but not to anyone else.

Also, if you make some other change in the computer part of the loopback, 
so you see that take effect? 

John







"McDonald, William" <wmcdonald@xxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx
03/13/2008 12:51 PM
Please respond to
gptalk@xxxxxxxxxxxxx


To
<gptalk@xxxxxxxxxxxxx>
cc

Subject
[gptalk] Re: access denied (security filtering)






Hi John,
 
Thanks for the input. I created a separate loopback gpo in the ts ou and 
applied to authenticated users and set replace mode. no other changes in 
this gpo. Unfortunately I have the same result for any other gpo in the ts 
ou that is applied to any more restrictive group that authenticated users. 
For both a single user, or a global security group with users in it I get 
the access denied (security filtering) error. Do my other gpos for the ts 
also need loopback inabled, or will the one loopback gpo take care of 
this?
 
Thanks again,
 
 
 
Regards, 
Bill McDonald
Systems Administrator II
Ebara Technologies, Inc. 
51 Main Avenue 
Sacramento, CA 95838 
Direct: (916) 923-7865 
Fax: (916) 920-5066 
wmcdonald@xxxxxxxxxxxxx 
 
 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of jpsalemi@xxxxxxxxxxxxxxxxxxx
Sent: Thursday, March 13, 2008 9:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: access denied (security filtering)


Hi Bill, 

The terminal server is a member of authenticated users, that's why that 
works. You could also apply the policy directly to the machine name, same 
result. 

If your users are separated, which is sounds like they are, the easiest 
way to do this is to have a loopback applied to authenticated users, in 
replace mode. Leave the user section blank. Then you can add user type 
policies over your terminal server OU, that will apply to different groups 
of users using filtering the way you are trying to. 

Hope this helps, 
John 




"McDonald, William" <wmcdonald@xxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx 
03/12/2008 05:55 PM 

Please respond to
gptalk@xxxxxxxxxxxxx



To
<gptalk@xxxxxxxxxxxxx> 
cc

Subject
[gptalk] access denied (security filtering)








All, 
  
I am trying to apply a gpo on a terminal server to an individual or small 
group of users. I have loopback set, but my gpo will only work if I put 
'authenticated users' in the scope. Any other group or user gets 'access 
denied (security filtering)' when you test the GPO in modelling. The 
terminal server belongs to a TS OU, and that is where my GPO is linked. 
Anyone see this before? 
 
 
 
 
  
Regards, 
Bill McDonald
Systems Administrator II 
Ebara Technologies, Inc. 
51 Main Avenue 
Sacramento, CA 95838 
Direct: (916) 923-7865 
Fax: (916) 920-5066 
wmcdonald@xxxxxxxxxxxxx 

 
 

Other related posts: