Issues with Loopback Processing

    Question

  • I have a GPO configured to lock down our RDS server. The GPO contains settings such as blocking users from accessing the C volume, as shown below. 

    

    Since this is a user setting, I have enabled Group Policy loopback processing as shown below:

    This GPO is linked to an OU containing the RDS server. I have filtered the scope to apply only to a group called Test-rds.

    When I log in to an RDS server with a user who is a member of the test-rds group, and force gpupdate, I can still access the C volume. 

    When I run gpresult /h I am showing the policies are not applying.

    When I link the same GPO to the domain, and force gpupdate, I do not have access to the C volume. When I run gpresult /h now I am affected by the policies.

    I have configured a central store and verified replication is working properly. 

    Am I doing something wrong? Thanks in advance. 


    • Edited by commdudeaf Tuesday, February 17, 2015 12:03 AM
    Tuesday, February 17, 2015 12:02 AM

Answers

  • It looks like adding the individual computers to the scope resolved the issue. It may have just taken a while to replicate, but policy is applied now. 
    Tuesday, February 17, 2015 2:46 AM

All replies

  • I have been doing some more troubleshooting. When I remove the test-rds group from the scope and add Authenticated Users, the policy applies. I have verified the user is a member of the test-rds group, so I'm not sure what is blocking the policy. Maybe this info is helpful. 

    If I include the test-rds group in the scope and run gpresult as the user, I do not see the policy applied. However, if I run gpresult in the command prompt as an administrator, I see the RDS Tweaks policy is denied:

    

    I thought this was because I am running the command prompt as a domain admin user, who is not a member of the test-rds group. So, I added domain admins group to the scope and when I run gpupdate /force, and check gpresult again, I still get the same result pictured above. 

    Now if I remove test-rds group and add Authenticated Users to the scope, the policy is again applied and is no longer denied:

    I have also added the individual RDS server computer names to the scope as well. 

    What would cause this to happen, where the GPO applies to authenticated users but not the user when I filter the scope to a group the user is in? 


    • Edited by commdudeaf Tuesday, February 17, 2015 2:36 AM
    Tuesday, February 17, 2015 1:55 AM
  • It looks like adding the individual computers to the scope resolved the issue. It may have just taken a while to replicate, but policy is applied now. 
    Tuesday, February 17, 2015 2:46 AM
  • Hi,

    >>It looks like adding the individual computers to the scope resolved the issue

    Before going further, I am glad to hear that you have figured it out. Yes, this is the reason. Because the setting "Configure user Group Policy loopback processing mode" is a computer-part setting, the computer accounts must have Read and Apply access permissions to the GPO to apply the setting.

    Best regards,
    Frank Shen




    Wednesday, February 18, 2015 2:34 AM
    Moderator
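
The filtering behaviour explained in the last reply, as an added PowerShell example (not code from the thread or from Microsoft). It evaluates a GPO's security filtering for both the computer and the user; the names `RDS01$` and `jsmith`, the group lists and the three sample ACLs are constructed, and Deny entries are not modelled.

```powershell
# Added example. Sample ACLs and principals are constructed, not taken from the thread.
function Test-GpoApply {
    param([object[]]$GpoAcl, [string[]]$Token)
    # True when any trustee in the principal's token (its own name plus its
    # groups) holds GpoApply, i.e. Read + Apply group policy. -contains is
    # case-insensitive, so 'Test-rds' and 'test-rds' match.
    foreach ($ace in $GpoAcl) {
        if ($ace.Permission -eq 'GpoApply' -and $Token -contains $ace.Trustee) { return $true }
    }
    return $false
}

function Test-LoopbackFilter {
    param([object[]]$GpoAcl, [string[]]$ComputerToken, [string[]]$UserToken)
    $computer = Test-GpoApply -GpoAcl $GpoAcl -Token $ComputerToken
    $user     = Test-GpoApply -GpoAcl $GpoAcl -Token $UserToken
    [pscustomobject]@{
        ComputerAppliesGpo  = $computer             # needed to receive the loopback setting
        UserAppliesGpo      = $user                 # needed for the user-side settings
        UserSettingsApplied = ($computer -and $user)
    }
}

# Constructed tokens: the account name plus the groups it belongs to.
# Authenticated Users contains computer accounts as well as users.
$computerToken = 'RDS01$', 'Domain Computers', 'Authenticated Users'
$userToken     = 'jsmith', 'Domain Users', 'test-rds', 'Authenticated Users'

# Constructed security-filtering variants matching the three states in the thread.
$scenarios = [ordered]@{
    'Test-rds only'          = @(@{ Trustee = 'Test-rds'; Permission = 'GpoApply' })
    'Test-rds + RDS01$'      = @(@{ Trustee = 'Test-rds'; Permission = 'GpoApply' },
                                 @{ Trustee = 'RDS01$';   Permission = 'GpoApply' })
    'Authenticated Users'    = @(@{ Trustee = 'Authenticated Users'; Permission = 'GpoApply' })
}

foreach ($name in $scenarios.Keys) {
    $r = Test-LoopbackFilter -GpoAcl $scenarios[$name] -ComputerToken $computerToken -UserToken $userToken
    '{0,-22} computer={1,-5} user={2,-5} applied={3}' -f `
        $name, $r.ComputerAppliesGpo, $r.UserAppliesGpo, $r.UserSettingsApplied
}

# On a domain-joined admin host, the same ACL shape can be built from
# Get-GPPermission -Name 'RDS Tweaks' -All (Trustee.Name and Permission).
```

Only the first variant leaves the computer without Apply rights, which matches the state in which the poster saw the RDS Tweaks policy denied.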