[gptalk] Re: access denied (security filtering)

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 13 Mar 2008 12:24:29 -0700

Ah, ok. So what you are saying is that the GPO that enables loopback is the
one you are trying to modify security filtering on? In that case, I
understand what is going on. Authenticated Users applies to both computers
and users, thus allowing your TS boxes to get the loopback setting. When you
remove that group and apply it to only a user group, the TS computer is no
longer getting its loopback setting and goes back to non-loopback mode. So,
if you really want to control everything within that GPO, what you need to
do is remove Auth. Users, then create a group that includes the TS
computers, and add that group to the GPO, then you can add other user-based
groups to control which users get the per-user loopback policy settings.

 

Hope that helps.


Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of McDonald, William
Sent: Thursday, March 13, 2008 12:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: access denied (security filtering)

 

Darren,

 

You have it right. I have loopback in the 1st GPO attached to the TS OU.
That is applying correctly as long as the scope includes authenticated
users. In fact, all of my GPOs in this OU will work if I include
authenticated users in the scope, but if I remove authenticated users and
substitute with any other group or user, it fails.

 

 

 

Regards, 


Bill McDonald
Systems Administrator II

Ebara LogoEbara Technologies, Inc. 
51 Main Avenue 
Sacramento, CA 95838 
Direct: (916) 923-7865 
Fax: (916) 920-5066 


wmcdonald@xxxxxxxxxxxxx 

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, March 13, 2008 11:06 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: access denied (security filtering)

Only one GPO needs to set loopback Bill. So if I understand correctly, you
have a GPO setting loopback and then another GPO, linked to the TS OU, that
is permissioned for a particular group and setting some user configuration
settings, and that 2nd GPO is not applying to users logging into those TS
boxes due to security filtering?

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of McDonald, William
Sent: Thursday, March 13, 2008 10:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: access denied (security filtering)

 

Hi John,

 

Thanks for the input. I created a separate loopback gpo in the ts ou and
applied to authenticated users and set replace mode. no other changes in
this gpo. Unfortunately I have the same result for any other gpo in the ts
ou that is applied to any more restrictive group that authenticated users.
For both a single user, or a global security group with users in it I get
the access denied (security filtering) error. Do my other gpos for the ts
also need loopback inabled, or will the one loopback gpo take care of this?

 

Thanks again,

 

 

 

Regards, 


Bill McDonald
Systems Administrator II

Ebara LogoEbara Technologies, Inc. 
51 Main Avenue 
Sacramento, CA 95838 
Direct: (916) 923-7865 
Fax: (916) 920-5066 


wmcdonald@xxxxxxxxxxxxx 

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of jpsalemi@xxxxxxxxxxxxxxxxxxx
Sent: Thursday, March 13, 2008 9:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: access denied (security filtering)


Hi Bill, 

The terminal server is a member of authenticated users, that's why that
works. You could also apply the policy directly to the machine name, same
result. 

If your users are separated, which is sounds like they are, the easiest way
to do this is to have a loopback applied to authenticated users, in replace
mode. Leave the user section blank. Then you can add user type policies over
your terminal server OU, that will apply to different groups of users using
filtering the way you are trying to. 

Hope this helps, 
John 





"McDonald, William" <wmcdonald@xxxxxxxxxxxxx> 
Sent by: gptalk-bounce@xxxxxxxxxxxxx 

03/12/2008 05:55 PM 


Please respond to
gptalk@xxxxxxxxxxxxx


To

<gptalk@xxxxxxxxxxxxx> 


cc

        

Subject

[gptalk] access denied (security filtering)

 

                




All, 
  
I am trying to apply a gpo on a terminal server to an individual or small
group of users. I have loopback set, but my gpo will only work if I put
'authenticated users' in the scope. Any other group or user gets 'access
denied (security filtering)' when you test the GPO in modelling. The
terminal server belongs to a TS OU, and that is where my GPO is linked.
Anyone see this before? 
  
  
  
  
  
Regards, 


Bill McDonald
Systems Administrator II 

Ebara Technologies, Inc. 
51 Main Avenue 
Sacramento, CA 95838 
Direct: (916) 923-7865 
Fax: (916) 920-5066 


 <mailto:wmcdonald@xxxxxxxxxxxxx> wmcdonald@xxxxxxxxxxxxx 


  
  

JPEG image

Other related posts: