Cross forest users logon and Loopback policy security filtering
-
Wednesday, January 30, 2013 12:49 AM
Hello.
I have a question regarding loopback processing and security filtering.
My client's requirement is that we have 3 Citrix servers (Windows 2003 SP2) on which users from my other (Japanese) forest will log in through the Citrix URL and work on a Citrix server in my domain. I have an external trust set up with the other forest.
To complete this request, I have created one GPO with a group policy preference in Control Panel "Regional language settings" to change the keyboard language for the Japanese forest's users, as I have Windows 2008 R2 DCs. I also changed the keyboard layout used by the keyboard control panel applet via regedit.exe:
Move to HKEY_USERS\.DEFAULT\Keyboard Layout\Preload
- Double click on 1 and change the number to your local layout (you can get this by looking at HKEY_CURRENT_USER\Keyboard Layout\Preload\1). Click OK.
Additionally, I have enabled the following policy so that external trust users get the "Regional language settings" policy: Computer Configuration\Administrative Templates\System\Group Policy\Allow Cross-Forest User Policy and Roaming Profiles.
I applied this policy on the Citrix server OU, added the security group and the computer accounts to the security filtering and removed Authenticated Users. I have also enabled loopback processing in replace mode.
Now my policy applies on the Citrix server for the accounts that are members of the Regional language settings group.
But if I remove a user from this group, the group policy settings remain the same for that user. Ideally they should be removed once the GPP no longer applies to that user.
Another thing: I am quite confused about loopback processing combined with security filtering. I got help from the link below about loopback processing, but I am still in doubt.
http://social.technet.microsoft.com/Forums/en/winserverGP/thread/a8432a90-46a6-474e-b3eb-1e228cf53884
======
If you use loopback merge:
The user or user group needs to have read and apply access.
Additionally (regardless of whether there are computer settings in this policy), the computer account needs
at least read permissions on the policy. This was not needed before Vista.
If there are also computer settings in the policy, the computer account also needs apply permissions.
-------------------------------------------
If you use loopback replace:
The user or user group needs to have read and apply access.
If there are computer settings in the policy, the computer account needs read and apply.
------------------------------------------------------------------
All Replies
-
Wednesday, January 30, 2013 6:22 AM
See these,
http://technet.microsoft.com/en-us/library/cc785691(WS.10).aspx
&
http://technet.microsoft.com/en-us/library/cc738810(WS.10).aspx
Best regards, Biswajit Biswas
-
Wednesday, January 30, 2013 10:53 AM
After removing the users from the groups you need to wait some time for AD replication to complete, or force replication from AD Sites and Services or with repadmin /AdeP, for the group membership to update. Also run gpupdate /force on the server; as the policy is user based you need to log in again, and if it is computer based you need to reboot.
For better assistance related to GPO ask in GP forum:http://social.technet.microsoft.com/Forums/en/winserverGP/threads
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
-
Wednesday, January 30, 2013 9:41 PM
But one more issue is occurring from the regional language settings group policy.
I have changed the language to Japanese for the security group users on the Citrix servers.
But other users, to whom the group policy is not applied, are getting some Japanese characters: for example \ is shown in the Japanese language.
-
Thursday, January 31, 2013 8:40 AM (Moderator)
Hi,
>> Ideally it should be removed after GPP is not applying on that user.
No, it wouldn't. GPP is registry-based: when a GPO goes out of scope, the preference settings remain in the registry (unlike policy settings). You need to clear or reset the related registry keys if you want the preference setting removed.
Please read the below article which states this:
GP Policy vs. Preference vs. GP preferences
http://blogs.technet.com/b/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
Regards,
Cicely
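Added example (my own code, not from the thread or from Microsoft): a per-user logon script that does the clean-up Cicely describes, resetting the keyboard Preload value the preference wrote once the user is no longer a member of the group. The group name and the en-US default layout are assumptions; 00000411 is the ja-JP layout id, and the script works on HKCU (the logged-on user's hive) rather than the HKEY_USERS\.DEFAULT key mentioned in the question.

```powershell
# Added example, not from the thread: reset a GPP-written keyboard layout that
# stays behind in the registry after the GPO goes out of scope for the user.
$GroupName      = 'JP-Keyboard-Users'      # placeholder for the "Regional language settings" group
$DefaultLayout  = '00000409'               # en-US keyboard layout id (assumed default)
$JapaneseLayout = '00000411'               # ja-JP keyboard layout id
$PreloadKey     = 'HKCU:\Keyboard Layout\Preload'

# Is the current user (possibly from the trusted forest) a member of the group?
function Test-GroupMembership {
    param([string]$Name)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        # Translate each token SID to DOMAIN\name; skip SIDs that cannot be resolved
        try { $nt = $sid.Translate([Security.Principal.NTAccount]).Value } catch { continue }
        if ($nt -like "*\$Name") { return $true }
    }
    return $false
}

# Returns a one-line description of what was done, useful for logon-script logging.
function Reset-PreloadIfOutOfScope {
    $current = (Get-ItemProperty -Path $PreloadKey -ErrorAction SilentlyContinue).'1'
    if (Test-GroupMembership -Name $GroupName) {
        return "in scope: leaving Preload\1 = $current"
    }
    if ($current -eq $JapaneseLayout) {
        # The GPO no longer applies, but the preference value it wrote is still
        # here (GPP does not undo itself): put the default layout back.
        Set-ItemProperty -Path $PreloadKey -Name '1' -Value $DefaultLayout
        return "out of scope: reset Preload\1 from $current to $DefaultLayout"
    }
    return "out of scope: Preload\1 is already $current, nothing to do"
}

Reset-PreloadIfOutOfScope
```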
-
Thursday, January 31, 2013 8:50 AM (Moderator)
Hi,
>>But other users on which group policy is not applying, they are getting some Japanese character like \ is showing in Japanese language.
That's because you enabled loopback processing with replace mode for this server. If loopback processing has been enabled (in replace mode), then no matter who logs on to this server, users will not apply their own GPOs but the user configuration settings defined for this server.
Details you can go through:
Loopback processing with merge or replace
http://technet.microsoft.com/en-us/library/cc782810(v=WS.10).aspx
Regards,
Cicely
-
Thursday, January 31, 2013 8:28 PM
> That's because you enabled loopback processing with replace mode for this server.
Perfect answer :-)
> http://technet.microsoft.com/en-us/library/cc782810(v=WS.10).aspx
Or - if you like: The user part is identical for cross forest logons if you enable "cross-forest policy processing". Only the policy origin for user GPOs changes.
regards, Martin
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
If my answer was helpful, I'm glad about a rating!
-
Friday, February 01, 2013 6:01 PM
Thanks Feng..
And what about this :
If you use loopback replace:
The user or user group needs to have read and apply access.
If there are computer settings in the policy, the computer account needs read and apply.
================
Can you give me any link where I can understand the loop-back complex environment, like filtering?
Also, I have added the Citrix servers to the security filtering because the loopback policy was not applying through the security group.
-
Saturday, February 02, 2013 4:20 PM
On 01.02.2013 19:01, Mr. RajKumar wrote:
> If you use loopback replace:
> The user or user group needs to have read and apply access.
That's correct.
> If there are computer settings in the policy, the computer account needs read and apply.
That's partially true: If you use "loopback replace", the computer's rights on the GPO don't matter. BUT if you use "loopback merge", the computer needs read access (not "apply", of course - the computer doesn't apply the user part...)
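Added example (my own code, not from the thread or from Microsoft): a PowerShell check of the GPO delegation rules quoted in the original question and corrected by Martin above, using the GroupPolicy module's Get-GPPermission. The GPO name, the user group and the Citrix server names are placeholders; in replace mode, where the thread disagrees, the script only reports the computer accounts' levels rather than judging them.

```powershell
# Added example, not from the thread: audit a GPO's security filtering for a
# loopback scenario. All names are placeholders for the poster's setup.
Import-Module GroupPolicy

$GpoName      = 'Regional language settings'   # placeholder GPO name
$UserGroup    = 'JP-Keyboard-Users'            # placeholder group holding the trusted-forest users
$Computers    = @('CTX01', 'CTX02', 'CTX03')   # placeholder Citrix server names
$LoopbackMode = 'Merge'                        # 'Merge' or 'Replace'

# Highest permission level a trustee has on the GPO: None, GpoRead, GpoApply, GpoEdit, ...
function Get-GpoLevel {
    param([string]$Target, [string]$Type)
    $p = Get-GPPermission -Name $GpoName -TargetName $Target -TargetType $Type `
                          -ErrorAction SilentlyContinue
    if ($null -eq $p) { 'None' } else { [string]$p.Permission }
}

# GpoApply (and the edit levels above it) include Read.
function Test-Apply { param($Level) $Level -in 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity' }
function Test-Read  { param($Level) $Level -ne 'None' }

function Get-LoopbackFilteringReport {
    $rows = @()
    # Both posts in the thread agree: the user group needs Read and Apply.
    $lvl = Get-GpoLevel -Target $UserGroup -Type Group
    $rows += [pscustomobject]@{ Principal = $UserGroup; Level = $lvl
                                Ok = Test-Apply $lvl; Rule = 'user part: Read + Apply' }
    foreach ($c in $Computers) {
        $lvl = Get-GpoLevel -Target $c -Type Computer
        if ($LoopbackMode -eq 'Merge') {
            # Merge: the computer must be able to read the GPO (Vista and later);
            # Apply is only needed if the GPO also carries computer settings.
            $ok = Test-Read $lvl; $rule = 'merge: computer needs Read'
        } else {
            # Replace: the thread disagrees (the quoted rule says Read+Apply when
            # computer settings exist; Martin says the computer's rights do not
            # matter), so only report the level here.
            $ok = $null; $rule = 'replace: level reported only, see thread'
        }
        $rows += [pscustomobject]@{ Principal = $c; Level = $lvl; Ok = $ok; Rule = $rule }
    }
    return $rows
}

Get-LoopbackFilteringReport | Format-Table -AutoSize
```

Note that since MS16-072 (June 2016) the computer account must be able to read every user-side GPO, normally through Authenticated Users or Domain Computers, so removing Authenticated Users from the filtering as the poster did requires granting Read back to one of those groups.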
-
Monday, February 04, 2013 2:00 AM (Moderator)
Hi,
>>Can you give me any link where I can understand the loop-back complex environment, like filtering?
Security filtering and loopback processing are different features; if you apply both, please make sure the users are able to access the group policies that are configured to be applied by loopback processing.
Links:
http://technet.microsoft.com/en-us/library/cc779291(v=WS.10).aspx
http://technet.microsoft.com/en-us/library/cc782810(v=WS.10).aspx
Regards,
Cicely

