[THIN] Re: Group Policy help

  • From: "Mack, Rick" <RMack@xxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Sat, 12 Jul 2003 11:19:53 +1000

Hi,
 
I suspect there's a bit too much magic in loopback processing, so I'd like to
try to unmuddy the waters a bit with a simplistic view of how things work.
 
The basic issue is that you have to be an object "in" an OU (container)
so that a group policy object (GPO) applied to that container can apply
to you. 
 
Think of an OU as a circle. If you're inside the circle, any group policy
belonging to that circle applies to you (security filtering aside).
 
Normally if you log on to a machine belonging to a particular container
(machine OU), you are not "entering" the circle (machines OU), so only the
implemented machine policies will have any effect on you, no machine OU user
configuration policies will apply.
 
When you log on to a machine belonging to an OU with loopback processing
enabled you are "entering" the machine container and its user configuration
policies will apply to you.
 
As an aside, loopback processing mode for a GPO is set under computer
configuration > administrative templates > system > group policy > Use group
policy loopback processing mode.
 
There are some special considerations with loopback processing.
 
You can choose either "replace" or "merge" modes for loopback processing.
Replace mode behaves like a standard GPO with "block inheritance" enabled;
merge mode means the GPO works just like a standard GPO. For replace mode,
this means that if any GPOs are set to "enforce" upstream from the machine
OU, these settings will override any settings in the machine OU. 
 
"Enforce" means ignore block inheritance, and means that the default
loopback processing replace mode can be ignored in part or fully. This can
cause a lot of pain.
 
regards,
 
Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704
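As an added example (not code from this thread or its authors), the following PowerShell script lays out the three-GPO pattern Brian Murphy describes in his quoted reply and the loopback setting Rick explains above, then gives two checks a practitioner would want before trusting the result: what loopback mode a server actually received, and which GPOs are linked as "Enforced" anywhere above the server OU (the ones that, as Rick notes, override both block inheritance and replace mode). It assumes the GroupPolicy and ActiveDirectory RSAT modules, a domain account allowed to create and link GPOs, and an OU named "Citrix Servers" as in the original question; the GPO names are the ones used in the thread, and the function names are invented for this example. The "Deny on Apply GPO" step from the reply is not expressible through Set-GPPermission and is left to the Group Policy Management console.

```powershell
# Added example: three-GPO layout for a Terminal Services OU plus loopback checks.
# Assumes RSAT GroupPolicy/ActiveDirectory modules and rights to create/link GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$serverOu = "OU=Citrix Servers,$domainDn"   # OU name taken from the original question

# Values written by "User Group Policy loopback processing mode" (UserPolicyMode).
$LoopbackModes = @{ 0 = 'Not configured / disabled'; 1 = 'Merge'; 2 = 'Replace' }

function New-TsPolicySet {
    # Create the three GPOs from the reply, each with its unused half disabled,
    # link them to the server OU and block inheritance on that OU.
    $specs = @(
        @{ Name = 'ALL TS Users';   Status = 'ComputerSettingsDisabled' },
        @{ Name = 'ALL TS Servers'; Status = 'UserSettingsDisabled' },
        @{ Name = 'Normal Users';   Status = 'ComputerSettingsDisabled' }
    )
    foreach ($spec in $specs) {
        $gpo = Get-GPO -Name $spec.Name -ErrorAction SilentlyContinue
        if (-not $gpo) { $gpo = New-GPO -Name $spec.Name }
        $gpo.GpoStatus = $spec.Status
        New-GPLink -Name $spec.Name -Target $serverOu -ErrorAction SilentlyContinue | Out-Null
    }
    # Security filtering from the reply: Authenticated Users read+apply on the two
    # TS policies, Domain Admins full control on all three.
    foreach ($name in 'ALL TS Users', 'ALL TS Servers') {
        Set-GPPermission -Name $name -TargetName 'Authenticated Users' -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
    }
    foreach ($name in 'ALL TS Users', 'ALL TS Servers', 'Normal Users') {
        Set-GPPermission -Name $name -TargetName 'Domain Admins' -TargetType Group `
            -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
    }
    # "Disable Inheritance" on the server container.
    Set-GPInheritance -Target $serverOu -IsBlocked Yes | Out-Null
}

function Set-TsLoopbackMode {
    # Registry value behind Computer Configuration > Administrative Templates >
    # System > Group Policy > loopback processing mode. Merge = 1, Replace = 2.
    param([ValidateSet('Merge', 'Replace')][string]$Mode)
    $value = if ($Mode -eq 'Replace') { 2 } else { 1 }
    Set-GPRegistryValue -Name 'ALL TS Servers' `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value $value | Out-Null
}

function Get-EffectiveLoopbackMode {
    # Run on the terminal server itself after gpupdate: reports the mode the
    # machine actually received, so a missing link or filter shows up here.
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    if ($null -eq $v) { $v = 0 }
    [pscustomobject]@{ UserPolicyMode = [int]$v; Meaning = $LoopbackModes[[int]$v] }
}

function Get-EnforcedUpstreamLinks {
    # Walk from the server OU up to the domain root and list every link marked
    # Enforced: those ignore block inheritance and therefore loopback replace mode.
    $dn = $serverOu
    do {
        $inheritance = Get-GPInheritance -Target $dn
        foreach ($link in ($inheritance.GpoLinks | Where-Object { $_.Enforced })) {
            [pscustomobject]@{ Container = $dn; Gpo = $link.DisplayName; Order = $link.Order }
        }
        if ($dn -match '^DC=') { break }        # reached the domain root
        $dn = ($dn -split ',', 2)[1]            # drop the leftmost RDN
    } while ($dn)
}

# Example run (on a management host with the modules loaded):
# New-TsPolicySet
# Set-TsLoopbackMode -Mode Replace
# Get-EnforcedUpstreamLinks | Format-Table
# Then on a Citrix server, after `gpupdate /force`: Get-EffectiveLoopbackMode
```

Two points about the design: `Get-EffectiveLoopbackMode` reads the policy key rather than the GPO, because the question in the thread is whether the policy reached the server, not whether it was authored; and `Get-EnforcedUpstreamLinks` is the check to run whenever replace mode seems to "leak" settings in, since `gpresult /scope:user /v` on the server will list those enforced GPOs as applied even though inheritance is blocked.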



-----Original Message-----
From: Brian Murphy [mailto:brian_murphy@xxxxxxxxx] 
Sent: Saturday, 12 July 2003 3:26 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Group Policy help



You seem to be on target. 

On your Server Container 
Make sure you have disabled Inheritance 
Create 3 policies 
1. ALL TS Users 
2. ALL TS Servers 
3. Normal Users 

Right Click ALL TS Users and disable Computer Policy 
Right Click ALL TS Servers and disable User Policy 
Right Click Normal Users and disable Computer Policy 

On ALL TS Servers set Authenticated Users to Read and Apply GPO 
Set Domain Admins to Full 
Set System to Read, Write, Create, Delete 

Same on ALL TS Users 

On Normal Users set Domain Admins to Full Control then check Deny on "Apply
GPO" 
You will end up with Read, Write, Create, Delete (Deny-on Apply GPO) 

This should do it for you assuming your Root Policy allows you to set the
"Disable Inherit" 


-----Original Message----- 
From: Brian Rota [mailto:brian.rota@xxxxxxxxxxxxx] 
Sent: Friday, July 11, 2003 9:56 AM 
To: thin@xxxxxxxxxxxxx 
Subject: [THIN] Group Policy help 


I was wondering if anyone can help with some GPO help. 

Here is what I did. 
I created an OU called Citrix Servers. 
Created a Group called Citrix Users 
I added the Citrix server to the OU. 
I then created a Policy for a locked down environment. 
I only want the policy to affect the Citrix users when they log into a
Citrix server, not when they log into their everyday Win2k computers. But
for some reason the policy does not work. I added a link to the domain root,
but then the policy locked down the local Win2k computers.

Can someone please tell me what I may be missing? 

Thanks 

Brian 

