Loop Back Processing

    Question

  • Hello All,

    We have 2 business domains in which all Windows 7 users reside. We have one more domain specially for manufacturing.

    The manufacturing server contains many application servers, mostly with the Windows 2008 R2 operating system.

    Now we are planning that, instead of creating users in the manufacturing domain, they will use their business domain AD ID for logging in to the application server in the manufacturing domain. But after their login, user-level policy from the business domain shouldn't be applied on the application server.

    I would like to know if this is possible.


    Thanks HA

    Monday, May 4, 2015 2:19 PM

All replies

  • Hi

    If the user policy level is not on root level (I mean Default Domain Policy):

    In GPMC -> the OU where the application server is -> expand to see the GPOs and select one -> on the Details tab -> set GPO Status to "User configuration settings disabled".

    Or you can right-click the OU where the application server is and select "Block Inheritance".

    Monday, May 4, 2015 2:33 PM
  • > Now we are planning that, instead of creating users in the
    > manufacturing domain, they will use their business domain AD ID for
    > logging in to the application server in the manufacturing domain. But after their
    > login, user-level policy from the business domain shouldn't be applied on
    > the application server.
     
    By default, this is how it works. Unless you explicitly enable cross-forest
    policy and profile processing, GPO will switch to loopback
    replace for users from different forests which means that NO GPOs from
    your business domain will apply.
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, May 4, 2015 2:37 PM
  • Thank you for the reply.

    So does that mean I have to modify/create a GPO in the manufacturing domain to disable the "User Configuration Settings disable"?

    Not in the business domain, where the Windows 7 users actually reside.


    Thanks HA

    Monday, May 4, 2015 2:53 PM
  • Hi Martin,

    Thank you for the reply. We haven't mentioned anything; this would be the first time we are having a user from one domain log in to a server in another domain.


    Thanks HA

    Monday, May 4, 2015 2:54 PM
  • Hi

    To clarify:

    If a user is created in domain A and logs on to a computer in domain B, you do not need to configure anything; only the GPOs of its own domain apply.

    If a user is created in domain B and logs on to a computer in domain B, you need to configure "User configuration settings disabled".

    Monday, May 4, 2015 3:26 PM
  • > If a user is created in domain A and logs on to a computer in domain B, you do not
    > need to configure anything; only the GPOs of its own domain apply.
     
    No.
     
    If nothing is configured, User from Domain A will receive all User (!)
    policies that are linked to the computer scope in Domain B (and that he
    has access to, of course).
     

    Greetings/Grüße, Martin

    Tuesday, May 5, 2015 7:51 AM
  • Hello,

    I have created a new user in our Business domain. The user is located in the OU that has IE policy configured via GPO.

    I created a universal group in the Manufacturing domain and added the group for security filtering in a GPO in the Manufacturing domain.

    When I tested:

    1. I have to add the user to the remote desktop user group to enable the remote permissions.

    2. I can see the IE settings after logging in, which are from the Business domain.

    Can you please guide?


    Thanks HA

    Monday, May 11, 2015 1:58 PM
  • Hi,

    >>1. I have to add the user in remote desktop user group to enable the remote permissions

    If the user connects to the server remotely, then it is expected behavior to add the user account to the remote desktop user group.

    >>2. I can see the IE settings after logging which is from Business domain.

    Please run a gpresult /h user.html report and then we can check which policy settings are applied to the user account and the computer.

    Best Regards,

    Elaine



    Friday, May 22, 2015 2:03 AM
    Moderator
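
Added example, not part of the thread: a PowerShell check to run in the test user's session on the application server. It reads the two computer policy values discussed above (cross-forest user policy and loopback mode) and lists the user-scope GPOs from a `gpresult /x` report with the domain each comes from. The report path is a constructed placeholder, and the XML element names are the ones `gpresult /x` writes; verify them against your own report.

```powershell
# Added example. Compatible with PowerShell 2.0 (Windows Server 2008 R2).
$reportPath = Join-Path $env:TEMP 'user-rsop.xml'    # constructed placeholder path
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the policy is not configured (registry value absent).
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-NodeText($Node, [string]$XPath) {
    # Namespace-agnostic lookup; returns '' when the element is missing.
    $hit = $Node.SelectSingleNode($XPath)
    if ($hit) { $hit.InnerText } else { '' }
}

# Computer-side switches that decide which user GPOs are processed.
$crossForest = Get-PolicyValue 'AllowX-ForestPolicy-and-RUP'   # 1 = cross-forest user policy allowed
$loopback    = Get-PolicyValue 'UserPolicyMode'                # 1 = merge, 2 = replace
$show = { param($v) if ($null -eq $v) { 'not configured' } else { $v } }
"Cross-forest user policy : {0}" -f (& $show $crossForest)
"Loopback mode (policy)   : {0}" -f (& $show $loopback)

# Resultant set of policy for the logged-on user, as XML.
& gpresult.exe /scope user /x $reportPath /f | Out-Null
if (-not (Test-Path $reportPath)) { throw "gpresult did not write $reportPath" }
$report = New-Object System.Xml.XmlDocument
$report.Load($reportPath)

$serverDomain = (Get-WmiObject Win32_ComputerSystem).Domain
$gpoNodes = $report.SelectNodes("//*[local-name()='UserResults']/*[local-name()='GPO']")

$rows = foreach ($gpo in $gpoNodes) {
    $gpoDomain = Get-NodeText $gpo "*[local-name()='Path']/*[local-name()='Domain']"
    New-Object PSObject -Property @{
        Name          = Get-NodeText $gpo "*[local-name()='Name']"
        GpoDomain     = $gpoDomain
        LinkedAt      = Get-NodeText $gpo "*[local-name()='Link']/*[local-name()='SOMPath']"
        AccessDenied  = Get-NodeText $gpo "*[local-name()='AccessDenied']"
        FilterAllowed = Get-NodeText $gpo "*[local-name()='FilterAllowed']"
        # True when the GPO lives in a domain other than the server's own.
        OtherDomain   = ($gpoDomain -ne $serverDomain)
    }
}
$rows | Sort-Object OtherDomain -Descending |
    Format-Table Name, GpoDomain, LinkedAt, AccessDenied, FilterAllowed, OtherDomain -AutoSize
```

Rows with `OtherDomain` set to `True` are user GPOs that come from a domain other than the server's, which is what to look for when business-domain settings such as the IE policy show up on the application server.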