security filtering on group policies.

[browolf]

In an OU I'm trying to apply a policy to only a few computers.

I've created a security group in AD and added the 2 computers to it

In GPM for the policy in question I removed the defaults on security filtering and added the above security group.

when I use group policy modelling with 1 of these computers, it comes up as access denied (security filtering)


I'm wondering if this is something to do with the fact this is a loopback policy.
Do I need to add a user group to the security filtering too?

with a computer and a user group in security filtering does this turn into a both have to be satisfied situation?

thx

[Geoff]

In an OU I'm trying to apply a policy to only a few computers.

I've created a security group in AD and added the 2 computers to it

In GPM for the policy in question I removed the defaults on security filtering and added the above security group.

when I use group policy modelling with 1 of these computers, it comes up as access denied (security filtering)


I'm wondering if this is something to do with the fact this is a loopback policy.
Do I need to add a user group to the security filtering too?

with a computer and a user group in security filtering does this turn into a both have to be satisfied situation?

thx

Yes, if it's loopback then you want to filter based on user/group membership rather than machine accounts.

[browolf]

In that case it needs to be both. ie all pupils on 2 machines.

[browolf]

ok that works but something else now

I've got 2 loopback policies. The one mentioned above is called
localised start menus (restricted)

I need it to "overwrite" a different loopbakl policy called
classrooms:loopback

except it isnt doing. is there a way for the start menu one to gain more importance?

[azrael78]

In the GPMC - navigate to the OU where the policies are applied.
Click that OU and then click 'Linked Group Policy Objects'.

I believe that the higher the link order - the more precedence the policy is given, but I may be mistaken.

Unfortunately I can't help you all that much more as the image you supplied is very small and it's tough to actually see it.

Az

[browolf]

it was full size when i uploaded it....

i've got it working by putting the one i want to take precedencee slightly deeper into the AD. the further in they are the more they take precedence.

[burgemaster]

Im having the same problem here....
It is our terminal server and as we have Loopback enabled all the user settings are effecting admins also...
I just want the "terminalservices_users" GP to be applied to the staff...

So i thought, easy just use the "security Filtering" and remove "auth users" and put in the staff group (just teachers)



but when i run the group policy results tool for a user in the staff group i get:



In the post above it says you also need a computer account, but this is the only PC they will ever log into as it is our terminal server, if i aslo add our TS1 server in the policy filtering then it applies the policy to anyone including admins....

Anyone please got any ideas?

[adamf]

Im having the same problem here....
It is our terminal server and as we have Loopback enabled all the user settings are effecting admins also...
I just want the "terminalservices_users" GP to be applied to the staff...

So i thought, easy just use the "security Filtering" and remove "auth users" and put in the staff group (just teachers)



but when i run the group policy results tool for a user in the staff group i get:



In the post above it says you also need a computer account, but this is the only PC they will ever log into as it is our terminal server, if i aslo add our TS1 server in the policy filtering then it applies the policy to anyone including admins....

Anyone please got any ideas?

I've just setup up our loopback policy not to apply to admins when they log on to our terminal servers. I did it by specifically denying the Enterprise Admins group the right to apply the policy

In GPMC click on your loopback gpo, select the delegation tab, click the advanced button, select deny apply group policy against your Enterprise Admins, Domain Admins or whatever security group your using.

Then it won't apply the loopback policy to members of that group.

[burgemaster]

thanks for the reply mate...
I will try that now