| Author | Messages | |
MaryWinter
Posts:43
 | | 08/06/2010 4:31 PM |
| Hello, When creating a loopback GPO does the filter have to contain both the user and the computer IDs or just the computer ID? Thanks for your help.
Mary Winter
| | | |
| Syspro
Posts:0
 | | 08/06/2010 4:31 PM |
| Hi Mary,
Darren's simple answer is absolutely correct (what else would you expect), but the more complex answer can help in people's understanding.
For a computer to process in Loop Back mode, it must have the registry value UserPolicyMode set in the machine key Software\Policies\Microsoft\Windows\System. Normally you would do this by creating a GPO which contains the registry key on the machine side and ensuring the machine receives that GPO. So the registry key must be in a GPO that is applied to the machine based on the Machine's OU membership and the Machine's security membership. You could get the machine registry in place by security filtering, or you could do it by OU filtering, or both. You could even do it by site filtering, i.e. "when the machine is connected to this site, activate loop back processing, otherwise don't". In fact, if you are an administrator on the machine you could set the registry key manually (provided policies don't reset it).
Once the machine key is in place, any user will have their policy processing behaviour changed when they use that machine. Normally, they would get the settings in the GPOs that are selected based on the User's OU and User's security membership.
If the registry key is set to REPLACE then the user behaves as if they were a member of the Machine's OU. That is, they would get the settings in the GPOs that are selected based on the Machine's OU and User's security membership.
If the registry key is set to MERGE, then the user gets a dual personality. They act as if they were a member of the User's OU and the Machine's OU. That is, they would get the settings in the GPOs that are selected based on the User's OU and User's security membership, followed by the settings in the GPOs that are selected based on the Machine's OU and User's security membership.
So, you could get the user settings by security filtering, or you could do it by OU filtering, or both. For instance, you could create an OU which contains all of the machines for which Loop Back processing is to be enabled and connect a GPO that contains both the machine registry key and the user settings.
It really comes down to what you want. If you want all users on a given machine, just add the machine to the security filter (or place the machine in an OU that receives the GPO, or place the machine at a site that receives the GPO).
If you just want some users on a given machine, just add the machine and the user to the security filter (or place the machine in an OU that receives the GPO and add the user to the security filtering, or place the machine at a site that receives the GPO and add the user to the security filtering).
If you just want all users except some users on a given machine, just add the machine to the ENABLE security filter and the user to the DENY security filter (or place the machine in an OU that receives the GPO and add the user to the DENY security filtering, or place the machine at a site that receives the GPO and add the user to the DENY security filtering).
I hope that this enhances your understanding rather than totally confusing you.
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor (Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter - including Preference logging (Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: Friday, 6 August 2010 7:01 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Loopback question
Thanks Darren. Then can I use an AD group that contains both the computer and the user IDs as the filter?
~ Mary ~
_____
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Thursday, August 05, 2010 3:31 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Loopback question
Mary-
The simple answer is "both". The computer has to be able to process the per-computer loopback setting itself, but any users who log onto that loopback computer need read and apply GP rights on the computer GPOs that contain the user settings, if that makes sense.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: Thursday, August 05, 2010 12:39 PM To: xxxxxxxxxxxxxxxx Subject: [gptalk] Loopback question
Hello,
When creating a loopback GPO does the filter have to contain both the user and the computer IDs or just the computer ID?
Thanks for your help.
Mary Winter
| | | |
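Alan's REPLACE/MERGE rules and his three filtering cases, together with Darren's "both" answer, as a small Python model added here (it is not code from any poster or from Microsoft). The account names, the group names `Loopback-Group` and `Exempt`, the GPO names and the `corp/users` OU are constructed; the computer OU follows Mary's corrected path. OU inheritance and security filtering are simplified (no sites, WMI filters, enforcement or link order inside one OU).

```python
from dataclasses import dataclass

EVERYONE = "Authenticated Users"  # default security filter on a new GPO


@dataclass(frozen=True)
class Account:
    """A user or computer account (constructed sample data below)."""
    name: str
    ou: str                        # OU path, e.g. "corp/computer/standard"
    groups: frozenset = frozenset()

    def identities(self):
        return {self.name, EVERYONE} | self.groups


@dataclass(frozen=True)
class Gpo:
    name: str
    linked_ou: str
    allow: frozenset = frozenset({EVERYONE})  # Read + Apply Group Policy
    deny: frozenset = frozenset()             # explicit Deny on Apply
    loopback: str = ""        # computer-side UserPolicyMode: "", "MERGE", "REPLACE"
    user_settings: bool = True


def selected(ou, account, gpos):
    """GPOs chosen by OU location `ou` and by `account`'s security membership."""
    ids = account.identities()
    hits = [g for g in gpos
            if (ou == g.linked_ou or ou.startswith(g.linked_ou + "/"))
            and (ids & g.allow) and not (ids & g.deny)]
    return sorted(hits, key=lambda g: g.linked_ou.count("/"))  # parent OUs first


def user_policy(user, computer, gpos):
    """Return (loopback mode on this computer, GPO names whose user settings apply)."""
    # Step 1: the computer itself must receive the GPO carrying UserPolicyMode.
    mode = ""
    for g in selected(computer.ou, computer, gpos):
        mode = g.loopback or mode
    # Step 2: user settings are always filtered by the *user's* membership;
    # loopback only changes which OU location is used to pick the GPOs.
    own = selected(user.ou, user, gpos)               # User's OU
    via_machine = selected(computer.ou, user, gpos)   # Machine's OU
    chosen = {"": own, "REPLACE": via_machine, "MERGE": own + via_machine}[mode]
    return mode, [g.name for g in chosen if g.user_settings]


def sample(mode, allow=frozenset({"Loopback-Group"}), deny=frozenset()):
    """Constructed GPO set: one ordinary user GPO, one loopback GPO."""
    return [
        Gpo("User Defaults", "corp/users"),
        Gpo("Lab Lockdown", "corp/computer/standard", allow, deny, loopback=mode),
    ]


GROUP = frozenset({"Loopback-Group"})  # one group holding users and computers
PC1 = Account("PC1$", "corp/computer/standard", GROUP)
PC2 = Account("PC2$", "corp/computer/standard")          # not in the group
ALICE = Account("alice", "corp/users/staff", GROUP)
BOB = Account("bob", "corp/users/staff")                 # not in the group
CAROL = Account("carol", "corp/users/staff", frozenset({"Exempt"}))

if __name__ == "__main__":
    for user, pc in [(ALICE, PC1), (BOB, PC1), (ALICE, PC2)]:
        print(user.name, "on", pc.name, "->", user_policy(user, pc, sample("REPLACE")))
    print("alice on PC1 (MERGE) ->", user_policy(ALICE, PC1, sample("MERGE")))
    deny_case = sample("REPLACE", frozenset({EVERYONE}), frozenset({"Exempt"}))
    print("carol on PC2 (deny)  ->", user_policy(CAROL, PC2, deny_case))
```

In the model, a user outside the filter who logs on to a REPLACE-mode computer ends up with no user-side GPOs at all: the machine's loopback setting still drops the user's own GPOs, but the user cannot read the replacement.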
| MaryWinter
Posts:43
 | | 08/06/2010 5:10 PM |
| Thanks Alan and Darren,
Since this is a lot of users on machines that are in OUs that are not necessarily getting the settings applied at OU level; I am using an AD group that contains both users and settings. The GPO is applied at the \corp\standard\computer\ OU. Does this sound like a workable solution?
Thanks for the help.
~ Mary ~
| | | |
| MaryWinter
Posts:43
 | | 08/06/2010 5:52 PM |
| Sorry, that should say:
Thanks Alan and Darren,
Since this is a lot of users on machines that are in OUs that are not necessarily getting the settings applied at OU level; I am using an AD group that contains both users and computers. The GPO is applied at the \corp\ computer\standard\ OU. Does this sound like a workable solution?
Thanks for the help.
~ Mary ~
| | | |
| MaryWinter
Posts:43
 | | 08/06/2010 9:55 PM |
| Yes, I'm asking if it is OK to filter on a group with both users and computers. There are too many of both to add to the GPO filter singly.
Will it work as if the GPO was applied to the OU on the computer side?
~ Mary ~
________________________________
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Friday, August 06, 2010 3:44 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Loopback question
Mary-
So, are you asking if it's ok to have a group with both users and computers in it? Or something else?
Darren
| | | |
| dmarelia
Posts:394
 | | 08/06/2010 9:58 PM |
| Ok. Yes, you can do that. My earlier point was that I like to segregate groups by type. So I would make a separate group for computer accounts than for user accounts.
Darren
| | | |
| dmarelia
Posts:394
 | | 08/06/2010 11:08 PM |
| Right.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: Friday, August 06, 2010 1:58 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Loopback question
Then you would filter on both groups, right?
~ Mary ~
| | | |