Group Policy Loopback??

  • Tuesday, January 26, 2010 1:52 PM
     
     
    Hi Guys, Floren kindly helped me out a couple of weeks back by telling me about GPO loopback. (Thanks Floren :-) ) I'm having a few problems however. Here is how I currently have it in place.

    I have an OU with child OUs containing different types of workstations. I want to extend the screen saver lockout time throughout the structure on specific workstations. What I have done is created a computer GPO at the top of the desktop structure enabling loopback, applied to a group called "Extended" containing all the computers I want to extend and enable loopback on. This works fine in that it is enabling loopback on them. I have confirmed this by checking the registry key "UserPolicyMode", which is set to 1.

    I next created a GPO at the same level with the settings I wanted imposed on the machines, e.g. the longer lockout time on the screen saver under User Configuration. I then applied this to the same group I created for the loopback ("Extended").

    This GPO however does not get applied. I wonder if someone could point out where I'm going wrong.

    Cheers

    Adam

All Replies

  • Tuesday, January 26, 2010 2:21 PM
     
     
    Ensure that besides the computers,
    the affected users do have "Read" permission on the GPO.
    Patrick
  • Tuesday, January 26, 2010 2:37 PM
     
     
    I have "authenticated users" in the delegation section as having read permissions (by default). would this suffice??
  • Tuesday, January 26, 2010 4:10 PM
     
     Answered
    Hi Reggie,
     The policy containing the required user settings (in this case the screen saver lockout) must also have the loopback setting enabled. Make sure that you understand the two different modes of loopback, replace vs. merge and use the correct one as they can have a significant implication on the result.

    Authenticated users is a special group that includes every computer as well as every user so that might be too broad if you only want specific computers to get the policy. I would suggest using the Extended group and the Domain Users group to apply rights to the policy. Make sure that the rights include the right to apply the GPO. The correct rights are displayed on the delegation tab as Read (from Security Filtering) or if using the advanced button to view the full permissions, make sure that both Read and Apply group policy are checked.

    Thanks,
    Guy
    • Marked As Answer by Reggie_D Wednesday, January 27, 2010 8:40 PM
  • Tuesday, January 26, 2010 6:39 PM
     
     
    Hi Guy,

    Thanks for your reply. So, the second GPO I have created to actually extend the lockout period needs to have loopback turned on within it too?? So I would actually only need to create one GPO??

    Thanks

    Adam
  • Tuesday, January 26, 2010 9:18 PM
     
     
    That's correct.

    Thanks,
    Guy
  • Tuesday, January 26, 2010 9:57 PM
     
     

    Thanks Guy, Ill try this first thing tomorrow.

    Cheers :-)

  • Wednesday, January 27, 2010 9:17 AM
     
     
    Hi Guy,

    I had a look at the GPOs again as they still don't appear to be applying. I did a Group Policy Modeling run and checked the settings, and this is what I have as the winning GPO for the screen saver lockout.

    Policy                  Setting           Winning GPO
    Screen Saver timeout    Enabled, 30 min   Extended

    Number of seconds to wait to enable the Screen Saver
    Seconds: 1800
    So it would appear that loopback is definitely turned on and it is inheriting the policy for the lockout, but not applying it. Not much information, but I'm at a complete loss as to why it's not being applied??

    Thanks

    Adam
  • Wednesday, January 27, 2010 11:40 AM
     
     
    Hi Adam,

    Could you please explain what you need to get in the end, in simple words? I am sorry, but it is a bit unclear.

    Just for your information, you can create two policies and enable Loopback Processing in both of them. Then apply these policies to the same OU and filter them from applying to computers or users.

    Strength is in justice
  • Wednesday, January 27, 2010 12:09 PM
     
     
    Sorry, I think I confused myself.

    We have a group of computers that need extended lockout times for every user that logs in (30 minutes). I have created a GPO with the user settings I want in it, enabled loopback under Computer Configuration, and applied it to the top of our desktop OU. I have created a group for the computers I want this to happen on and added this to the Security Filtering section of the GPO. The desktops happily receive the GPO to enable loopback.

    The problem is the user side of the GPO is not being applied when users log in. I presume this is because the GPO needs permissions set up for the users to have read access to the GPO also?? If I add "Domain Users" to the Delegation tab with "Read" and "Apply GPO" permissions, it all works as expected. Is this how it should be set up if I want it to apply to all users who log in on these computers??

    Thanks,

    Adam 
  • Wednesday, January 27, 2010 12:30 PM
     
     
    Hi Adam,

    As far as I understand, you need Loopback in Merge mode. Currently, when a user logs on to those computers with the 30 minutes setting, he gets the User Configuration from that 30 minutes policy and does not get the User Configuration from the policy applied to the OU where the user's account resides.
    If you enable Loopback in Merge mode, those two User Configurations will be merged and the policy applied to the computers will take precedence in case of any conflict.

    Have a look at this article to understand how the different Loopback Processing modes work:

    http://kudratsapaev.blogspot.com/2009/07/loopback-processing-of-group-policy.html

    Strength is in justice
  • Wednesday, January 27, 2010 5:09 PM
     
     
    Adam,
    Based on the last sentence of your reply, it sounds like you have this working if you give Domain Users rights to apply the policy. What is the remaining issue?

    If you need further assistance, please execute gpresult and rsop.msc on the client system to see what is actually applied. You can post the results here or through SkyDrive (skydrive.live.com) if you would like us to review the status.

    In general, the following steps should be required:
    1. Create a GPO with user settings and loopback enabled (recommended in merge mode).
    2. Link the GPO to a container holding the computer accounts that should be impacted.
    3. If needed, use security policy to ensure that only the desired computers and all users have the right to read and apply the GPO.


    Thanks,
    Guy
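The three steps Guy lists above, together with Kudrat's Merge vs. Replace point, written out as an added PowerShell example. This is not code from anyone in the thread. It assumes the GroupPolicy RSAT module on a management host; the OU path OU=Desktops,DC=contoso,DC=com, the CONTOSO domain prefix and the GPO name "Extended Screen Saver Lockout" are made up for the example, while the computer group "Extended" and the 1800-second timeout come from the thread. The registry paths are the ones the corresponding Administrative Template settings write (UserPolicyMode 1 = Merge, 2 = Replace, which is why Adam saw a value of 1).

```powershell
# Added example, not from the thread. Builds ONE GPO that carries both the
# loopback switch (Computer Configuration) and the screen saver settings
# (User Configuration), links it to the OU holding the computer accounts, and
# filters it so the Extended computers AND every user can read and apply it.
# Hypothetical values: $TargetOU, the CONTOSO prefix and $GpoName.
Import-Module GroupPolicy

$GpoName   = 'Extended Screen Saver Lockout'        # hypothetical name
$TargetOU  = 'OU=Desktops,DC=contoso,DC=com'        # hypothetical OU (computer accounts live here)
$CompGroup = 'CONTOSO\Extended'                     # group from the thread, hypothetical domain
$Mode      = 'Merge'                                # 'Merge' keeps the user's own OU policies, 'Replace' drops them

# Step 1: the GPO with user settings AND loopback enabled.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback: 30 minute screen saver lockout on Extended computers'
}

# Computer Configuration > Policies > Administrative Templates > System > Group Policy >
# "Configure user Group Policy loopback processing mode". Backing value: UserPolicyMode.
$modeValue = if ($Mode -eq 'Replace') { 2 } else { 1 }
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $modeValue | Out-Null

# User Configuration > Policies > Administrative Templates > Control Panel > Personalization.
# The screen saver policies are stored as REG_SZ strings, timeout in seconds.
$userKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $GpoName -Key $userKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'    | Out-Null  # Enable screen saver
Set-GPRegistryValue -Name $GpoName -Key $userKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value '1800' | Out-Null  # 30 minutes
Set-GPRegistryValue -Name $GpoName -Key $userKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'    | Out-Null  # Password protect

# Step 2: link to the container holding the COMPUTER accounts, not the users' OU.
$alreadyLinked = Get-GPInheritance -Target $TargetOU |
    Select-Object -ExpandProperty GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Step 3: security filtering. The computer must read+apply the GPO to learn it
# is in loopback mode; the logging-on user must read+apply it for the user half
# to be processed. GpoApply = Read + Apply group policy on the Delegation tab.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None     | Out-Null
Set-GPPermission -Name $GpoName -TargetName $CompGroup            -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Domain Users'        -TargetType Group -PermissionLevel GpoApply | Out-Null

# Show the resulting delegation so it can be compared with the Delegation tab in GPMC.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission | Format-Table -AutoSize

# --- Verification, run ON an Extended workstation after a fresh logon -------------
# gpupdate /force
# Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\System' -Name UserPolicyMode   # expect 1 (Merge) or 2 (Replace)
# gpresult /scope:user /r        # the GPO must be listed under "Applied Group Policy Objects" for the USER
# Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -Name ScreenSaveTimeOut   # expect 1800
```

Two checks worth doing after running it: first, gpresult for the user scope is the one that matters, since Adam's symptom (UserPolicyMode set, Modeling showing the GPO as the winner, but no effect at logon) is exactly what the missing user-side Read/Apply produces. Second, since MS16-072 (June 2016) user policy is retrieved in the computer's security context, so the computer account must be able to read any GPO whose user settings should apply; here the Extended computers have that through GpoApply, but on a current domain do not strip Authenticated Users from a GPO without giving the computers Read some other way.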
  • Wednesday, January 27, 2010 8:18 PM
     
     Answered
    Thanks for the post, Adam. I started to write a reply to your post yesterday and realized that it might be easier to post this with a similar example with images for clarity. Since I have had problems in the past getting pictures into replies, I went ahead and created a blog post instead, which can be found here. I apologize in advance if the page is slow to load; the images are the original size (too big) because I wanted to get it up quickly for your consumption.

    If that is close to what you are looking to do, validate that your configuration is similar to the configuration in the blog post. Let us know if it is not working when configured in this way, or let us know where your config is different, as it will give us a good idea of where to go from there.

    Thx.

    /rich

    http://cbfive.com/blog
    • Marked As Answer by Reggie_D Wednesday, January 27, 2010 8:40 PM
    • Edited by Rich Crandall Wednesday, January 27, 2010 8:55 PM fixed error in name
  • Wednesday, January 27, 2010 8:39 PM
     
     

    Thanks for the posts guys. This is much appreciated. I basically neglected to read Guy's post correctly. Apologies. I was also thinking too far ahead instead of trying to just get the basics working.....

    All working fine now. Much appreciated, all of you.

    Rich, thanks for your blog. A great guide; it made things clearer for me.

    Once again, thanks very much. Good to see people that help out so quickly. Cheers

    Adam

  • Wednesday, January 27, 2010 8:54 PM
     
     
    That's great, Adam. Glad to hear that it's working now.

    /rich

    http://cbfive.com/blog