+ Post New Thread
Results 1 to 15 of 15
Windows Thread, Loopback Processing in Technical; I wonder if anyone can help. I want to apply loopback processing. I have an OU for some computers which ...
  1. #1

    Join Date
    Oct 2010
    Posts
    53
    Thank Post
    28
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Loopback Processing

    I wonder if anyone can help.

    I want to apply loopback processing.

    I have an OU for some computers which I have linked to a GPO with loopback processing merge enabled, in the User side of this loopback GPO I have made a few settings that oppose settings in the main staff GPO (eg I am enabling internet options menu as opposed to restricting them as this is what I want, I only want these opposed settings to apply for these computers in this GPO)
    When I log on to a computer in this loopback OU, the "opposed" settings do not apply ie internet options still disabled.

    My understanding is the computer in a loopback linked OU in merge mode will apply normal (in this case, staff policies and merge them with any applied in the user node, in my case allowing internet options menu, and that these take precedence over User's user settings, however this does not seem to be the case. Thoughts anyone, or am I missing something ?

  2. #2

    jinnantonnixx's Avatar
    Join Date
    Mar 2011
    Location
    In the Calamatorium.
    Posts
    1,958
    Thank Post
    109
    Thanked 482 Times in 331 Posts
    Blog Entries
    2
    Rep Power
    281
    We use loopback processing, the settings from the 'User' side of the 'Computer Settings' should override the 'User' side of the 'User Settings' (I hope I've stated that correctly).

    To check, run a simulation in AD (make sure you specify 'merge mode' within the wizard) and see your results. This will tell you the 'winning' policy.

    One thing Ive noticed, if you combine Internet settings from more than one GPO, things can get unreliable.
    Last edited by jinnantonnixx; 18th September 2013 at 12:33 PM.

  3. #3

    Join Date
    Oct 2010
    Posts
    53
    Thank Post
    28
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I think I've worked it out, but don't fully understand why. Whilst testing this, in the GPO security filtering box I added the test computer name (which resides in the test OU linked to the loopback GPO). I have changed the security filtering to Authenticated Users and it now works !

    As an aside I noticed it also works if you put a user name AND the computer name in the security filtering box, and then log on to that computer as that user but not not if it is only the computer name in the security filtering, presumably to do with delegations ?

  4. #4

    Join Date
    May 2011
    Location
    Jus North of London, close but not too close
    Posts
    747
    Thank Post
    172
    Thanked 56 Times in 54 Posts
    Rep Power
    35
    I have had many an occasion where I've had to add Domain Computers as well as a specific user account or group for various policies.

  5. #5

    jinnantonnixx's Avatar
    Join Date
    Mar 2011
    Location
    In the Calamatorium.
    Posts
    1,958
    Thank Post
    109
    Thanked 482 Times in 331 Posts
    Blog Entries
    2
    Rep Power
    281
    The best way of applying policies is using security groups.

    While editing the policy, remove the 'Apply group policy' tick from Authenticated Users (but leave the 'Read' flag - they have to be able to read)

    Create a security group (e.g. LibraryComputers) and set the 'Apply Group policy' tick to this group. When you place machines into this group they will get the policy.

  6. #6

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,344
    Thank Post
    624
    Thanked 1,584 Times in 1,421 Posts
    Rep Power
    414
    Quote Originally Posted by jinnantonnixx View Post
    The best way of applying policies is using security groups.

    While editing the policy, remove the 'Apply group policy' tick from Authenticated Users (but leave the 'Read' flag - they have to be able to read)
    Can you clarify what you mean by that please?

    Ben

  7. #7


    Join Date
    Mar 2009
    Location
    Leeds
    Posts
    6,581
    Thank Post
    228
    Thanked 854 Times in 733 Posts
    Rep Power
    295
    Quote Originally Posted by plexer View Post
    Can you clarify what you mean by that please?

    Ben
    i assume he means its better to apply settings limited with filtering than have to overide them with loopback which should always be a last resort (says someone who uses it lol)

  8. #8

    jinnantonnixx's Avatar
    Join Date
    Mar 2011
    Location
    In the Calamatorium.
    Posts
    1,958
    Thank Post
    109
    Thanked 482 Times in 331 Posts
    Blog Entries
    2
    Rep Power
    281
    I worded that paragraph poorly.

    I was trying to reconcile GPO targeting-by-filtering with loopback processing.

    Loopback last resort? Pfah!
    Last edited by jinnantonnixx; 18th September 2013 at 02:15 PM. Reason: wrong link

  9. #9

    Join Date
    May 2011
    Location
    Jus North of London, close but not too close
    Posts
    747
    Thank Post
    172
    Thanked 56 Times in 54 Posts
    Rep Power
    35
    Quote Originally Posted by jinnantonnixx View Post

    Create a security group (e.g. LibraryComputers) and set the 'Apply Group policy' tick to this group. When you place machines into this group they will get the policy.
    I think the only problem with Computer Groups is that you have to remember to add the computer/s to the group, if however you need to apply the policy to all the computers in an OU it is better to use the built-in Domain Computers group.

  10. #10

    jinnantonnixx's Avatar
    Join Date
    Mar 2011
    Location
    In the Calamatorium.
    Posts
    1,958
    Thank Post
    109
    Thanked 482 Times in 331 Posts
    Blog Entries
    2
    Rep Power
    281
    Quote Originally Posted by Davit2005 View Post
    I think the only problem with Computer Groups is that you have to remember to add the computer/s to the group, if however you need to apply the policy to all the computers in an OU it is better to use the built-in Domain Computers group.
    Yes indeed. You can nest groups, though. A group "All-workstations" can contain "Library-workstations" & "Science-workstation". Apply general stuff to the group "All-workstation", and perhaps library-specific settings to '"Library-workstations". Horses for courses, but we've found this approach very flexible.
    Last edited by jinnantonnixx; 18th September 2013 at 02:22 PM.

  11. #11

    Join Date
    Oct 2010
    Posts
    53
    Thank Post
    28
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by jinnantonnixx View Post
    The best way of applying policies is using security groups.

    While editing the policy, remove the 'Apply group policy' tick from Authenticated Users (but leave the 'Read' flag - they have to be able to read)

    Create a security group (e.g. LibraryComputers) and set the 'Apply Group policy' tick to this group. When you place machines into this group they will get the policy.
    What do you mean by the 'Apply group policy' tick, where is that ?

  12. #12

    jinnantonnixx's Avatar
    Join Date
    Mar 2011
    Location
    In the Calamatorium.
    Posts
    1,958
    Thank Post
    109
    Thanked 482 Times in 331 Posts
    Blog Entries
    2
    Rep Power
    281
    Quote Originally Posted by sloughman View Post
    What do you mean by the 'Apply group policy' tick, where is that ?
    Here's a good article:
    How to Implement Group Policy Security Filtering :: Windows 2003 :: Articles & Tutorials :: WindowsNetworking.com


    I also found this about group policy best practices (includes a section on loopback)
    Group Policy Design | Group Policy content from Windows IT Pro

  13. #13

    jinnantonnixx's Avatar
    Join Date
    Mar 2011
    Location
    In the Calamatorium.
    Posts
    1,958
    Thank Post
    109
    Thanked 482 Times in 331 Posts
    Blog Entries
    2
    Rep Power
    281
    Another way of doing this would be Item Level Targeting.

    Edit your GPO,
    -User Configuration -> Preferences -> Control Panel -> Regional Options
    -Right-Click and Select New
    -Navigate to Common Tab
    -Check Item-Level Targeting and Press Targeting…
    Click New Item and feast your eyes upon the treasures herein.

    http://www.windowsnetworking.com/art...Targeting.html
    Last edited by jinnantonnixx; 18th September 2013 at 03:15 PM.

  14. #14

    Join Date
    Oct 2010
    Posts
    53
    Thank Post
    28
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    This topic is drifting off what loop back processing is for , isn't it ?

  15. #15

    jinnantonnixx's Avatar
    Join Date
    Mar 2011
    Location
    In the Calamatorium.
    Posts
    1,958
    Thank Post
    109
    Thanked 482 Times in 331 Posts
    Blog Entries
    2
    Rep Power
    281
    Quote Originally Posted by sloughman View Post
    This topic is drifting off what loop back processing is for , isn't it ?
    It is a bit. You can't beat a good tangent, though.

    Back to the topic, we use loopback, and for troubleshooting, group-policy simulation, rsop and gpresult have been useful.
    Last edited by jinnantonnixx; 18th September 2013 at 03:42 PM.

SHARE:
+ Post New Thread

Similar Threads

  1. Loopback Policy not applying fully
    By sidewinder in forum Windows
    Replies: 4
    Last Post: 23rd February 2007, 11:49 AM
  2. Listing and terminating remote programs/processes
    By wesleyw in forum How do you do....it?
    Replies: 4
    Last Post: 20th December 2006, 01:38 PM
  3. Replies: 2
    Last Post: 4th October 2006, 07:49 AM
  4. Replies: 22
    Last Post: 2nd November 2005, 01:11 PM
  5. Replies: 0
    Last Post: 26th August 2005, 01:29 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •