
I'm having an issue with the "user group loopback processing mode"


Rick

Aug 25, 2009, 2:53:01 PM
I'm having an issue with the "user group loopback processing mode".
I can get the policy to work if I link it to an "OU" and the OU only has
the computers that the policy needs to apply to in there.
The issue is I need it to apply to only computers in the AD group I created
and assigned the GPO to. Currently if I move the GPO higher in our OU structure
it starts applying to all computers and users below that linked OU.

What am I doing wrong?

Background
1. I have an AD group with only computers in it. (No screen Saver group)
2. Computers in this group are in different OUs and can't be moved into the
same "OU"
3. The GPO security filter has "auth users & no screen saver group".
4. The user section I'm configuring is "no screen saver" and loopback
process.

Florian Frommherz [MVP]

Aug 25, 2009, 3:28:24 PM
Rick,

Rick wrote:

> What am I doing wrong?
>
> Background
> 1. I have an AD group with only computers in it. (No screen Saver group)
> 2. Computers in this group are in different OUs and can't be moved into the
> same "OU"
> 3. The GPO security filter has "auth users & no screen saver group".
> 4. The user section I'm configuring is "no screen saver" and loopback
> process.

Remove "Authenticated Users" from the security filtering tab.
"Authenticated Users" is a group that contains both Domain Users and
Domain Computers.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Rick

Aug 25, 2009, 3:51:02 PM
When I do that the "No screen saver" GPO policy doesn't work at all. The
computer does run the policy but its user settings do not apply.
The Group Policy Results wizard shows the "no screen saver" policy as
the winning GPO for the "user group loopback" setting.

Anthony [MVP]

Aug 27, 2009, 4:51:25 AM
I think you would need to remove Authenticated Users (as Florian says) and
add Domain Computers, or a security group with the computers that you want
the policy to apply to.
Anthony
http://www.airdesk.com

Rick

Aug 27, 2009, 9:20:01 AM

I've done that: linked the GPO only to the OU with the computers, blocked
inheritance, and added the (computers) AD group to the security filter.
Nothing.

When I run "gpresult" the only computer group policy being applied is the
one I want. Also the Group Policy results show that it is the winning GPO.

If I add users to the GPO filter the user config does apply but I need this
to only apply to computers. That's why I had Authenticated Users in the
security filter.

I'm lost and any help would be great.

Anthony [MVP]

Aug 28, 2009, 3:19:50 AM
Do you have the loopback set to Merge or Replace?
Anthony,
http://www.airdesk.com

Rick

Aug 28, 2009, 8:41:02 AM
Currently it is set to "merge" but I have had it on both and got the same
response.

Anthony [MVP]

Aug 29, 2009, 4:48:18 AM
I think you will find that the setting is "stuck". I have had this problem
with merge policies and do not use them.
The process we defined previously is the right one - using loopback and
security groups to filter - so I think the main problem at the moment is to
back out the changes made previously.
Anthony,
http://www.airdesk.com

Rick

Sep 1, 2009, 9:23:01 AM
I opened a ticket with Microsoft and they are having the same issue. Will let
you know the outcome once they get it working in their environment.

Anthony [MVP]

Sep 3, 2009, 5:41:43 AM
OK, it will be interesting to hear back what the problem is,
Anthony
http://www.airdesk.com

Rick

Sep 3, 2009, 9:53:01 AM
Okay, the issue has been identified and resolved.

What I learned/found is if you have a GPO higher in your AD environment
that enables "user group loopback processing" then it will affect all
workstations below that even if you have block inheritance to the OU. I think
this is an issue for me because the security filter is set to "Authenticated
Users" on GPOs with "loopback" enabled.

Along with computer accounts, you also have to add user accounts in the
security filter, but don't use Authenticated Users if you don't have to. I used
"domain users" instead.

To get it to work in my current environment, I created another policy
that disabled "loopback" (security filter with Auth users) followed by an
enable "loopback" policy (domain users, computer group in security filter).
Both GPOs are linked to the same OU.

Anthony [MVP]

Sep 3, 2009, 6:29:35 PM
Rick,
See below
Anthony
http://www.airdesk.com


"Rick" <Ri...@discussions.microsoft.com> wrote in message

news:8797B25E-4345-415B...@microsoft.com...


> Okay, the issue has been identified and resolved.
>
> What I learned/found is if you have a GPO higher in your AD environment
> that enables "user group loopback processing" then it will affect all
> workstations below that even if you have block inheritance to the OU. I
> think this is an issue for me because the security filter is set to
> "Authenticated Users" on GPOs with "loopback" enabled.

I'm not quite sure what this means. The loopback will apply to any computer
in the OU, but if you block a particular sub-OU I would expect it to take
effect. But I think you have some mix of user and group policies in a mixed
OU that I have not quite understood. My approach is to keep users and
computers in separate OU's. I think the basic purpose of an OU is as a unit
of Policy.

> Along with computer accounts, you also have to add user accounts in the
> security filter, but don't use Authenticated Users if you don't have to. I
> used "domain users" instead.

Yes. Having applied a loopback, you need to have the User Configuration
portions of the looped back policies apply to some defined objects. It's just
that those objects are not in the OU where the loopback is applied.

> To get it to work in my current environment, I created another policy
> that disabled "loopback" (security filter with Auth users) followed by an
> enable "loopback" policy (domain users, computer group in security
> filter).
> Both GPOs are linked to the same OU.

OK, I think the Disable part must be to reverse what had previously been
applied. It is not a Deny. It just disables what had previously been
enabled. By default it is not configured, and therefore not enabled. The new
loopback is what you needed at the beginning. After you have reversed the
previous policies I think you will be able to dispense with the Disable
policy.

Rick

Sep 4, 2009, 9:40:01 AM
Our OUs are not mixed.
Authenticated Users = Computers, Users

The problem was that I had a GPO (call it X) with loopback set and the security
filter had Authenticated Users. GPO X was in the path of applied policy
for all my AD objects (users, computers).

What I was doing was blocking inheritance to my OU that contains some of the
computers I want to stop the screen saver on and creating another GPO (Y). GPO
Y also had loopback applied and was linked to that OU.

The issue was that my user account, which was in another OU and not blocked, was
applying both GPOs.

I know I'm not explaining correctly but the root issue was "Authenticated
Users" in the security filter of GPO X.
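
The root cause reported in this thread (a GPO that enables loopback while "Authenticated Users" is in its security filter) can be checked for across a domain. The PowerShell below is an added example, not code from any poster in the thread; it assumes the GroupPolicy module (GPMC/RSAT) and read access to all GPOs, and it reads the loopback setting from the `UserPolicyMode` policy value, where 1 is Merge and 2 is Replace.

```powershell
# Added example: list every GPO that enables loopback processing and show
# who it is security-filtered to. Assumes the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

$key       = 'HKLM\Software\Policies\Microsoft\Windows\System'
$modes     = @{ 1 = 'Merge'; 2 = 'Replace' }
$authUsers = 'S-1-5-11'   # well-known SID of Authenticated Users (locale independent)

$report = foreach ($gpo in Get-GPO -All) {
    # Get-GPRegistryValue errors out when the GPO does not configure the value,
    # so a failure here simply means "loopback not set in this GPO".
    try {
        $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $key `
                       -ValueName 'UserPolicyMode' -ErrorAction Stop
    } catch {
        continue
    }

    # Only values 1 and 2 mean loopback is enabled; skip anything else.
    $mode = [int]$setting.Value
    if (-not $modes.ContainsKey($mode)) { continue }

    # The security filter is the set of trustees holding the Apply permission.
    $appliers = @(Get-GPPermission -Guid $gpo.Id -All |
                  Where-Object { $_.Permission -eq 'GpoApply' })

    [pscustomobject]@{
        Gpo                = $gpo.DisplayName
        Loopback           = $modes[$mode]
        SecurityFilter     = ($appliers | ForEach-Object { $_.Trustee.Name }) -join '; '
        AuthenticatedUsers = [bool]($appliers |
                                 Where-Object { $_.Trustee.Sid.Value -eq $authUsers })
    }
}

# GPOs with AuthenticatedUsers = True apply loopback to every computer in
# scope of their links, which is the situation described for "GPO X".
$report | Sort-Object AuthenticatedUsers -Descending | Format-Table -AutoSize
```

Running `gpresult /r` on an affected workstation, as done earlier in the thread, then confirms which of the listed GPOs that computer actually applies.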
