[gptalk] Re: access denied (security filtering)

  • From: "Cruz, Jerome L" <jerome.l.cruz@xxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 13 Mar 2008 17:45:23 -0700

One of the reasons that most server environments only use "Replace mode" is 
that GPO settings applied to user accounts (along their LDAP path) can apply 
things that Server Administrators 'do not' want applied to their server 
systems. For simple GPO registry changes, you can override the setting in your 
WTS GPOs since they apply after the normal User LDAP path GPO, but that same 
thinking does not apply to other areas. A good example would be a "user 
account" GPO that published application software that users could optionally 
install. A Server Admin normally would NOT want that type of policy 
affecting their 'controlled' server systems. And what about User Logon scripts? 
Those will run on your servers as well. And even if those kinds of user 
account-side GPO settings are not being applied to the user accounts today, who 
knows what another GPO administrator might configure later on? If you are the 
"only" Admin in your organization (or perhaps one of just a few admins), then 
you already know what's going on and might be able to keep things under 
control. In large organizations, there may be many types of administrators: 
some for WTS servers, some for user accounts, some for desktop, etc.

Since Server Administrators can provide or configure the user settings 
themselves using the Loopback system, it's been my experience that they usually 
configure Loopback in 'Replace' mode knowing that they can configure anything 
necessary for the user accounts themselves. That protects their server systems 
from unplanned configuration change from other sources. Yes, it means that you 
might need to explore the kinds of settings currently applied to the user 
accounts and possibly duplicate some of them, but that's part of the job.

Jerry

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Thursday, March 13, 2008 2:37 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: access denied (security filtering)

It can definitely be merge. It just behaves differently in merge mode: instead 
of the user's "home" policies getting replaced, they are merged with whatever 
you define in the loopback GPO under User Configuration.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of McDonald, William
Sent: Thursday, March 13, 2008 2:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: access denied (security filtering)

John, Darren,

I was seeing the GPO denied in the computer section and stopping there. Now I'm 
looking in the user's section and it is being approved there. So maybe I'm 
getting somewhere.

I only want one loopback GPO in my TS OU for simplicity. Can that one be set to 
'merge'? Or must it be 'replace'?

Regards,
Bill McDonald
Systems Administrator II

Ebara Technologies, Inc.
51 Main Avenue
Sacramento, CA 95838
Direct: (916) 923-7865
Fax: (916) 920-5066

wmcdonald@xxxxxxxxxxxxx<mailto:wmcdonald@xxxxxxxxxxxxx>

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of jpsalemi@xxxxxxxxxxxxxxxxxxx
Sent: Thursday, March 13, 2008 11:05 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: access denied (security filtering)

Hi Bill

Did you disable the user settings?  Not just leave them not configured?

Putting another loopback will complicate matters really, then you have to 
figure out which loopback runs last.  Not fun.  They're a bit cumbersome to 
work with anyhow. It won't offer you granularity either.

Also, you are trying to apply user settings only to this group, or user, right?  
If you're trying to apply more computer settings to the OU, users can't apply 
them.

The loopback basically says apply these user settings to this computer.  When 
it's in replace mode, it will apply the blank policy unless it's disabled.

So a loopback on replace mode with the user settings disabled will tell the TS 
to apply user settings to this computer.  Having a user settings only policy 
linked to the same OU "should" then take those user settings and apply them to 
the group (or user) you have set in the scope of the policy, but not to anyone 
else.

Also, if you make some other change in the computer part of the loopback, do 
you see that take effect?

John
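The arrangement John describes above (one loopback GPO in Replace mode with an empty, disabled user half, plus separate user-settings-only GPOs security-filtered to groups) and the reason Jerry gives for preferring Replace over Merge can be scripted and then verified. The following is an added example written for this page, not code from any of the posters; it uses the GroupPolicy PowerShell module (Windows Server 2008 R2 or later, or RSAT), and every OU path, GPO name, group name and computer name in it is a placeholder.

```powershell
# Added example (not from the thread). Builds the loopback layout discussed
# above and checks the result. All names below are placeholders.
Import-Module GroupPolicy

$TsOu        = 'OU=Terminal Servers,DC=example,DC=com'  # placeholder OU DN
$LoopbackGpo = 'TS - Loopback (Replace)'                # placeholder GPO name
$UserGpo     = 'TS - Finance User Settings'             # placeholder GPO name
$UserGroup   = 'TS-Finance-Users'                       # placeholder AD group
$TsServer    = 'TS01'                                   # placeholder TS name
$TestUser    = 'EXAMPLE\jdoe'                           # placeholder member of the group

# --- 1. The single loopback GPO: computer side only -------------------------
# UserPolicyMode is the registry value behind "User Group Policy loopback
# processing mode": 2 = Replace, 1 = Merge. Replace is what Jerry recommends,
# because it stops user-side GPOs linked elsewhere in the directory (published
# software, logon scripts, later additions by other admins) from reaching the
# terminal servers. Only what is linked at the TS OU applies to users there.
$loop = New-GPO -Name $LoopbackGpo
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# John's point: disable the user half, do not merely leave it unconfigured.
$loop.GpoStatus = 'UserSettingsDisabled'

# Link it to the TS OU and leave Authenticated Users as the apply group:
# the terminal server's computer account is a member, which is what makes
# the computer-side loopback setting apply in the first place.
New-GPLink -Name $LoopbackGpo -Target $TsOu | Out-Null

# --- 2. A user-settings-only GPO, filtered to one group ---------------------
$ugpo = New-GPO -Name $UserGpo
# Example user setting (screen saver policy); any user-side setting works.
Set-GPRegistryValue -Name $UserGpo `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveActive' -Type String -Value '1' | Out-Null
$ugpo.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $UserGpo -Target $TsOu | Out-Null

# Security filtering: drop Authenticated Users to Read only (the computer
# account must keep Read to process the GPO at all), then grant Apply to the
# group. Because loopback is handled by the computer-side GPO above, this
# GPO no longer needs Authenticated Users in its Apply scope.
Set-GPPermission -Name $UserGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $UserGpo -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# --- 3. Check the result from the TS, not from modelling ---------------------
# After a gpupdate on the terminal server and a logon by the test user, the
# user-scope report should list $UserGpo under the applied GPOs rather than
# under "Denied GPOs" with a security-filtering reason.
gpupdate /target:computer /force
gpresult /s $TsServer /user $TestUser /scope:user /r
```

Usage note: run this once as a Group Policy administrator; the `gpresult` call needs the test user to have logged on to the terminal server at least once, since it reports logged, not modelled, results. If a second user-settings GPO is needed for another group, repeat step 2 only; the loopback GPO stays the single Replace-mode policy in the OU.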

"McDonald, William" <wmcdonald@xxxxxxxxxxxxx>
Sent by: gptalk-bounce@xxxxxxxxxxxxx
Sent: 03/13/2008 12:51 PM
To: <gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: access denied (security filtering)

Hi John,

Thanks for the input. I created a separate loopback GPO in the TS OU and 
applied it to Authenticated Users and set replace mode. No other changes in this 
GPO. Unfortunately I have the same result for any other GPO in the TS OU that 
is applied to any group more restrictive than Authenticated Users. For both a 
single user, or a global security group with users in it, I get the access 
denied (security filtering) error. Do my other GPOs for the TS also need 
loopback enabled, or will the one loopback GPO take care of this?

Thanks again,

Regards,
Bill McDonald

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of jpsalemi@xxxxxxxxxxxxxxxxxxx
Sent: Thursday, March 13, 2008 9:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: access denied (security filtering)


Hi Bill,

The terminal server is a member of authenticated users, that's why that works. 
You could also apply the policy directly to the machine name, same result.

If your users are separated, which it sounds like they are, the easiest way to 
do this is to have a loopback applied to authenticated users, in replace mode. 
Leave the user section blank. Then you can add user-type policies over your 
terminal server OU that will apply to different groups of users using 
filtering the way you are trying to.

Hope this helps,
John

"McDonald, William" <wmcdonald@xxxxxxxxxxxxx>
Sent by: gptalk-bounce@xxxxxxxxxxxxx
Sent: 03/12/2008 05:55 PM
To: <gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] access denied (security filtering)

All,

I am trying to apply a GPO on a terminal server to an individual or small group 
of users. I have loopback set, but my GPO will only work if I put 
'authenticated users' in the scope. Any other group or user gets 'access denied 
(security filtering)' when you test the GPO in modelling. The terminal server 
belongs to a TS OU, and that is where my GPO is linked. Anyone seen this before?

Regards,
Bill McDonald