How to apply User Configuration policy to Computers

    Question

  • Hi Techies,

    Here is my requirement. I have a set of users who work in 2 projects (e.g. ODC Project and General Project). In the General project they use a general PC, where they do NOT have any GP restrictions such as restriction to local drives, right click, Folder redirection, Mandatory profile, etc.; they have full access to their desktop.

    Once they log off from there and go to the ODC project, they should get all the restricted policies: they should not be able to save files in drives, drives should be hidden and restricted, etc. It should be controlled through Group Policy.

    I have created a normal GP, added the users in the Filtering option and linked it to the OU that contains the users and computers, but it is getting applied to both projects, ODC and General.

    In this scenario, what can be done? I have two different subnets for this. I cannot create a site-level policy, as the OU-level policy will take precedence.

    I request you all to help me make this work.


    With Regards, Raviraj Nagenhatti - System Administrator

    Thursday, February 11, 2016 6:59 PM

All replies

  • Hi

     You should check Loopback Processing

    Using Loopback Processing to Configure User Settings

    https://technet.microsoft.com/en-us/library/cc757470(v=ws.10).aspx

    Loopback processing of Group Policy, explained.

    http://kudratsapaev.blogspot.com.tr/2009/07/loopback-processing-of-group-policy.html

    OU where users and computers are contains >>> you should keep users and computers in separate OUs.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Thursday, February 11, 2016 7:14 PM
  • Hi,

    I agree with above, loopback processing may be useful to you.

    Here is an article about loopback for your reference.

    https://technet.microsoft.com/en-us/library/cc785074%28v=ws.10%29.aspx

     

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 12, 2016 2:05 AM
    Moderator
  • Hi Burak & Jay,

    Thanks for quick reply.  I will try this and let you know.  


    With Regards, Raviraj Nagenhatti - System Administrator

    Friday, February 12, 2016 8:50 AM
  • Hi Burak, Jay, and Don,

    I enabled User Group Policy loopback processing mode, set to Replace, linked it to the Computer OU, and also added the computer in Security Filtering.

    When I checked, it shows only the setting below as applied, but the other controls are getting applied through the Default Domain Policy:

    System/Group Policy
    Policy Setting Winning GPO
    Enabled GP_Agent

    I have even enforced the GP. After that I added the test users, but the controls which I require are still not getting applied.

    I want whatever settings I applied under User Configuration in the GP to apply on the computers in the same GP.

    Please help me to get this done.

     

     


    With Regards, Raviraj Nagenhatti - System Administrator

    Friday, February 19, 2016 3:28 PM
  • Please explain the two departments or organizational units (OUs). Are they in the same forest or domain (site)? Do all users belong to both OUs/projects? Please give more information, because there is what we call item-level targeting in WK12R2 GPO, whether it's OS/Groups/Computer type/OU.
    Friday, February 19, 2016 9:18 PM
  • Hi Shakiel,

    Thanks for your reply.

    Users are in one OU and computers are in one OU, and both are in a single forest, domain and one site.

    My requirement is to apply the user configuration policy to these particular computers. I have enabled the loopback policy with the Replace option.

    Also, I have linked the GP to the Computer OU and added the test computer host names.

    After testing I am not able to get the required GP, but when I look at the GP result it shows that only the loopback policy got applied from the new test GP; all the rest of the control settings are getting applied by the Default Domain Policy.

    Could you please help me out here to meet the requirement?


    With Regards, Raviraj Nagenhatti - System Administrator

    Saturday, February 20, 2016 6:41 PM
  • Hi Techies,

    Please help to fix this requirement.


    With Regards, Raviraj Nagenhatti - System Administrator

    Sunday, February 21, 2016 6:23 PM
  • Loopback processing does not implicitly "block" DDP.
    Nor does it block any other inheritance.

    When you use Loopback Processing, this causes *all* GPOs which are linked+inherited for the computer object to be evaluated in loopback mode (either merge or replace, depending upon the choice you made).

    When Loopback Processing is enabled in *any* GPO for which a computer object is applicable, *ALL* GPOs (linked+inherited) for that computer will be processed in loopback mode.

    So, Loopback Processing does *not* "block" DDP.

    If there is a setting within your DDP, and you wish to "override" that setting, you must examine the GP Link Order (precedence) against the OU where the computer object resides. You can adjust the order of processing for "conflicting" settings, by modifying the precedence.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, February 21, 2016 8:16 PM
  • Hi Raviraj,

    I have tested it and succeeded.

    Would you post the gpresult to us for further research?

    Best Regards,

    Jay



    Monday, February 22, 2016 3:26 AM
    Moderator
  • Hi Jay, Don,

    Thanks for the reply. After adjusting the order I can see the GP modeling result says the group policy is getting applied.

    Currently the users are not available for end-user testing. I will update you tomorrow.


    With Regards, Raviraj Nagenhatti - System Administrator

    Monday, February 22, 2016 7:05 PM
  • Hi Team,

    Today, when I checked with the users, gpresult is showing the default domain controller policy taking precedence.

    I even checked GP Modelling, which also shows DDP taking precedence.

    I am totally confused about what happened here without any change.

    I even checked that the policy is enforced, that it is set as the 1st policy in the order, that it is linked to the computer OU and that the same computer is added in security filtering.


    With Regards, Raviraj Nagenhatti - System Administrator

    Tuesday, February 23, 2016 1:56 PM
  • > Even i checked GP Modelling also showing DDP taking precedence.
    > Even i check Policy is enforced and in order it is set to 1st policy and
    > linked to computer OU and same computer added in security filtering.
     
    If GPOs at a higher level are enforced, they will overwrite those at
    lower OUs. If you enforce the DDP, it will always win.
     
    Tuesday, February 23, 2016 4:45 PM
  • Hi Martin,

    DDP is not enforced, and the Loopback Processing GP is enforced and it is No. 1 in the Group Policy link ordering.

    I tried GP modeling and checked the end-user system. The result is the same: DDP is taking precedence. Yesterday when I checked, LBP was taking precedence.

    How can we see why DDP is taking precedence? I even checked Group Policy inheritance, and the DDP is the last policy.

     


    With Regards, Raviraj Nagenhatti - System Administrator

    Tuesday, February 23, 2016 6:46 PM
  • > DDP is not enforced, and Loopback Processing GP is enforced and it is
    > 1st No in Group Policy Link ordering.
     
    You enabled loopback "merge"? This means that GPOs in scope of the
    computer are applied _after_ GPOs in scope of the user...
     
    Read and try to understand the following :-))
     
     
    Wednesday, February 24, 2016 10:22 AM
  • Hi Team,

    Thanks for your support.

    The issue got resolved. Below are the steps I performed to get the loopback policy working.

    I moved the specific computers on which the loopback policy should be applied.

    Then I linked the loopback policy to the computer OU.

    Then I added Authenticated Users in Security Filtering.

    Reason why my policy was not getting applied when I added only computers in the security filter: it does not read the user policy as being a computer object, and in gpresult it was showing as inaccessible and denied by the security filter.

     


    With Regards, Raviraj Nagenhatti - System Administrator

    Friday, March 04, 2016 6:54 PM
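
The steps from the resolution above, written out as a PowerShell sketch using the GroupPolicy and ActiveDirectory modules (an added example, not part of the original thread). The GPO name, OU path, computer name and user name are placeholders; loopback mode is set through the `UserPolicyMode` policy registry value (1 = Merge, 2 = Replace).

```powershell
# Added example, not from the thread. All names below are placeholders.
Import-Module GroupPolicy, ActiveDirectory

$GpoName    = 'ODC-Restricted-Users'                 # hypothetical GPO holding the restrictive User Configuration
$ComputerOU = 'OU=ODC-Computers,DC=example,DC=com'   # hypothetical OU that contains only the ODC PCs
$TestPC     = 'ODC-PC01'                             # hypothetical computer name
$TestUser   = 'EXAMPLE\testuser'                     # hypothetical user

# 1. Move the restricted PCs into their own OU, separate from the user OU.
Get-ADComputer -Identity $TestPC | Move-ADObject -TargetPath $ComputerOU

# 2. Loopback is a Computer Configuration setting, so it lives in a GPO that
#    applies to the computer. 2 = Replace: only GPOs in scope of the computer
#    supply User Configuration. 1 = Merge: user-scope GPOs are applied first,
#    then computer-scope GPOs on top of them.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Link the GPO to the computer OU (errors if the link already exists).
New-GPLink -Name $GpoName -Target $ComputerOU -LinkEnabled Yes -Order 1

# 4. Security filtering. The computer must apply the GPO to pick up the
#    loopback setting, and the user must apply it to receive the User
#    Configuration. Authenticated Users covers both user and computer
#    accounts; the OU link is what limits the GPO to the ODC PCs.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoApply

# 5. Verify: who can apply the GPO, the link order and Enforced flags seen
#    from the computer OU, and the resultant set of policy for a test
#    user/computer pair (the user needs to have logged on to that PC).
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
(Get-GPInheritance -Target $ComputerOU).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
Get-GPResultantSetOfPolicy -Computer $TestPC -User $TestUser `
    -ReportType Html -Path "$env:TEMP\odc-rsop.html"
```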