Loopback gpo update#
This update changes the way user policies are applied.įrom now on, user policies are actually applied under both the computer and the user security context. If you have kb3163622 installed on your workstations, you can do the same by using security groups only. It will give you more headaches than you bargained for, as it doesn't apply only to the specified GPO that it is configured in, but to all policies applied to the computers.
So the WMI filtering specifies the comptuer it applies to, and the security filtering the users it applies to. You put the two together, and place the GPO on the users container. You create a GPO with the user settings only, and with security filtering. You create a WMI filter that catches those workstations you want. I think the solution would be WMI filtering (that's how I did it in my place). The policies are applied to computers, and the user settings inside them are applied to users only because they are logging on to those computers (yes, I know it's confusing, loopback processing is one of the trickiest things to get right about Group Policies). In this scenario, how can I tell AD to not enforce those settings if the user logging on belongs to a specific group (such as Domain Admins)? Alternatively, even the opposite solution ("only apply those settings to users belonging to a specific group") would be fine.īut please, remember that we are talking about loopback processing here. The question: how can loopback processing be bypassed for specific users who need to log on to those computers but should not be subject to those policy settings?Ĭase in point: there are several terminal servers where GPOs with loopback processing are used to enforce heavy user restrictions on everyone who logs on to them (they should basically only be able to run a bunch of company-approved applications) but this applies even to Domain Admins, which are thus rendered unable to even launch a command prompt or open the task manager.
The problem: when loopback processing is enabled, a GPO containing user settings is applied to everyone using those computers, and you can't bypass this by using ACLs on the GPO, because it's not actually applied to users, but to computers.
This is useful when you want all users logging on to a specific computer to receive some user policy, regardless of where their user accounts are actually located in AD. As you probably know, loopback processing is a feature of Active Directory Group Policies which applies user settings in a GPO to any user who logs on to computers in the GPO's scope (whereas the standard behavior would be to apply user settings only if the user account is actually located whithin the GPO's scope).
0 kommentar(er)
