
GPO Loopback Processing or WMI filtering?


UnderCoverGuy

Apr 10, 2008, 1:18:00 PM
Good afternoon. I think that I am a little confused and have been unable to
get GPO loopback processing to work as desired.

I have a series of notebooks and desktops on my Windows 2003 domain. These
notebooks are spread into different OUs - which are named by location then
a sub OU by business unit.

I have one policy which applies across the entire forest. I have another
policy which has loopback processing enabled (merge) and is applied to a
single test OU. When I update the GP on the test workstations using this
method (so the loopback processing policy should apply), it works perfectly
(security filtering is set to Domain Computers and Authenticated Users).
Anyone who logs on to these test systems receives the loopback GP.

The trick is that I need this to apply at the root of the domain but I only
want this to apply to notebook computers (systems that users take home) - not
workstations or servers. The easiest way to manage this is to create a new
security group in AD (called Notebooks), remove the Domain Computers security
filter on the loopback GPO (leaving Authenticated Users) and apply the new
Notebook group to the security filter of the loopback GPO. However, it
doesn't seem to want to work. I read an article somewhere (I can't find it
now) that mentioned loopback processing can only be applied to actual
computer objects and not to AD security groups. Is this true?

If so, should it be possible to create some type of WMI filter to block out
notebook computers somehow? Will WMI filtering stop a loopback GPO from
applying?

If not, how can I approach this?


Thanks in advance for any assistance,
UCG

Anthony [MVP]

Apr 10, 2008, 2:42:14 PM
Authenticated Users includes computer accounts. You would need to remove
that.
A WMI filter to apply only on notebooks could work, if you can devise the
filter to identify your notebooks.
Anthony,
http://www.airdesk.co.uk


"UnderCoverGuy" <UnderC...@discussions.microsoft.com> wrote in message
news:9F931B66-92FF-48FF...@microsoft.com...

UnderCoverGuy

Apr 10, 2008, 3:09:00 PM
Thanks. I figured that would work. I had just started looking into that
deeper and I did figure out a way to do it.

I set up a GPO WMI filter based on whether a file exists on the local
computer (i.e., c:\notebook.txt). If it exists, then the GPO gets applied;
otherwise it doesn't.

Now, all I need to do is modify the logon script so that it tests AD group
membership and, if the computer is a member of a specific AD group, copies
over the notebook.txt file to the local workstation.

That and I need to figure out how to pass a system variable (i.e. WINDIR) to
the WMI filter in GPO. Does anyone know if that will work? I would prefer
to put the notebook.txt file in the Windows directory (which may not be the
same on all of the computers - so I'd rather query with the WINDIR variable
versus c:\windows).


Thanks for your help!!!
UCG
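As an added example (not from any of the posters in this thread), the PowerShell below evaluates candidate GPO WMI filter queries on the local machine: the marker-file query from the post above, a version that reads the Windows directory from WMI because WQL cannot expand WINDIR, and two hardware-based filters for identifying notebooks. The file path c:\notebook.txt is taken from the thread; the battery and chassis queries and the helper function name are assumptions of this example.

```powershell
# Added example, not from the original thread: evaluate candidate GPO WMI
# filter queries on the local machine. Group Policy applies a WMI-filtered
# GPO only when every query in the filter returns at least one instance,
# so "returns rows here" is the check to run before linking the GPO.

function Test-WmiFilterQuery {
    param([string]$Query, [string]$Namespace = 'root\cimv2')
    try {
        # @() forces an array so a single instance still has a .Count
        $rows = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($rows.Count -gt 0)
    } catch {
        Write-Warning "Query failed ($Query): $($_.Exception.Message)"
        return $false
    }
}

# 1. The marker-file approach from the thread. WQL string literals need the
#    backslash doubled, so c:\notebook.txt is written 'c:\\notebook.txt'.
$markerQuery = "SELECT * FROM CIM_DataFile WHERE Name = 'c:\\notebook.txt'"

# 2. WQL has no environment-variable expansion, so %WINDIR% cannot be used
#    inside a filter. The Windows directory can be read from
#    Win32_OperatingSystem and folded into the query, but only when the query
#    is built locally as here; a GPO WMI filter is a fixed literal string,
#    so in the GPO itself the path has to be spelled out.
$winDir = (Get-WmiObject -Class Win32_OperatingSystem).WindowsDirectory
$winDirQuery = "SELECT * FROM CIM_DataFile WHERE Name = '{0}\\notebook.txt'" -f $winDir.Replace('\', '\\')

# 3. Hardware-based alternatives that need no marker file. A marker file can
#    be created or removed by anyone with write access to that path, which
#    changes which policy the machine receives; a battery or chassis type is
#    reported by the firmware instead. (Assumption: desktops have no
#    Win32_Battery instance; a UPS or a VM can break that, so check both.)
$batteryQuery = "SELECT * FROM Win32_Battery"
# DMTF chassis types 8, 9, 10 and 14 are portable, laptop, notebook, sub-notebook.
$chassisQuery = "SELECT * FROM Win32_SystemEnclosure WHERE ChassisTypes = 8 OR ChassisTypes = 9 OR ChassisTypes = 10 OR ChassisTypes = 14"

$candidates = [ordered]@{
    'marker file (c:\)'      = $markerQuery
    'marker file (WINDIR)'   = $winDirQuery
    'battery present'        = $batteryQuery
    'portable chassis type'  = $chassisQuery
}
foreach ($name in $candidates.Keys) {
    $match = Test-WmiFilterQuery -Query $candidates[$name]
    Write-Output ('{0,-25} {1}' -f $name, $(if ($match) { 'would apply' } else { 'would not apply' }))
}
```

Run it on a known notebook and a known desktop; a query that reports "would apply" on both is not a usable notebook filter.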
