Loopback GPO for Terminals

    Question

  • Each employee in our company has their own office and dedicated computer, where we give them the most flexibility. In our production areas, we have some terminal computers set up, so everybody can access their stuff without frequently having to head back to their own computer.

    People are always forgetting to log out on these machines, causing sensitive information to be accessible to persons without the proper permissions. (Dozens of memos to log off have been ignored, so we have to ensure that.)

    So, we want to set up an automatic logout after x minutes for only THESE machines in the production area, no matter which user account uses it.

    According to our research, a loopback policy is exactly what we need: apply a user GPO to every user logging in on a CERTAIN machine. (Their office computers should remain unaffected, because it should not log out when you are on the phone for a while, etc.)

    So, we set up the GPO to act as a loopback GPO with mode "Merge" and removed "Authenticated Users" from the security tab of the GPO. We added a computer security group instead containing all the public workstations.

    GPO detail reports are now reporting for the GPO named "Logout on terminals":

    - Computer Configuration / Denied GPOs: Access Denied (Security Filtering) 
    - User Configuration / Applied GPOs: (no error)

    However, the GPO doesn't seem to take effect for the machines in question.

    We replaced the original GPO with a simple file deployment to "C:\" (User Configuration, loopback again) just to see if it's working - nothing. The file is not deployed. As soon as "Authenticated Users" is added again, both are working - but this is not what we want; we only want to deploy it to the machines inside the mentioned computer group. (They are spread across different OUs, so we want to use the security groups for that.)

    We have run "gpupdate /force" and rebooted the machines in question as well as the responsible DCs; still not working.

    What are we missing?



    • Edited by dognose Sunday, December 13, 2015 3:36 PM
    Sunday, December 13, 2015 3:33 PM

Answers

  • Okay, just watched this video: https://www.youtube.com/watch?v=2bZGMtOCXN0 and it seems like we misunderstood the loopback mode.

    Rather than being independent from the OU - which we thought it is - it is just pulling the USER settings from the COMPUTER'S OU rather than from the USER'S OU. (in Replace mode)

    So, as the solution to our problem: 

    - We moved the "Terminals", which are spread across different OUs, one OU "down", to an OU called "public computers". Then we linked a USER GPO to that OU, enabled loopback processing in merge mode - and there you go. Problem solved.

    Sunday, December 13, 2015 4:56 PM
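The setup the thread ends up with, scripted as an added example (not the poster's own steps, and not from any linked video): one GPO linked to the OU that now holds the terminals, loopback set to Merge, and security filtering on a computer group. The OU distinguished name and the group name are assumed placeholders.

```powershell
# Added example: build the "Logout on terminals" loopback GPO from the thread.
# Assumes the GroupPolicy module (RSAT) on a domain-joined admin machine.
Import-Module GroupPolicy

$GpoName   = 'Logout on terminals'
$TargetOU  = 'OU=public computers,OU=Workstations,DC=example,DC=com'  # assumed DN
$TermGroup = 'Terminal-Computers'                                     # assumed group

# 1. Create the GPO if it does not exist and link it to the OU holding the terminals.
#    Linking to the COMPUTER OU is the key point: loopback only changes which OU the
#    user settings are pulled from, it does not make the GPO independent of OU links.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 2. Enable loopback processing in Merge mode. This is the registry policy value
#    behind "Configure user Group Policy loopback processing mode":
#    1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. Security filtering: loopback is evaluated during COMPUTER policy processing,
#    so the computer accounts must be able to read and apply the GPO. Grant the
#    computer group Apply (which includes Read) and drop Authenticated Users.
Set-GPPermission -Name $GpoName -TargetName $TermGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None | Out-Null

# 4. Verify on a terminal after a reboot (the computer's group membership is only
#    picked up when its logon token is rebuilt). The GPO must show under the
#    computer scope; if it is listed as denied there, the user half never merges in:
#    gpresult /r /scope:computer
```

If the user settings still do not arrive, check the computer-scope report first: a "Denied (Security Filtering)" entry on the computer side means the machine account is not in an allowed group yet, not that the user settings are wrong.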

All replies

  • Hi,
     
    Thank you for sharing your solutions and experience here. It will be very beneficial for other community members who have similar questions.
     

    Regards,

    Ethan Hua



    Monday, December 14, 2015 5:54 AM
    Moderator
  • > So, we set up the gpo to act as a loopback-gpo with Mode "Merge" and
    > removed the "Authenticated Users" from the security tab of the gpo. We
    > added a Computer-Security Group instead containing all the public
    > workstations.
     
    Did you reboot the workstations after they were added to this group?
    Otherwise, computer group membership changes are not picked up by the
    computer :)
     
    Monday, December 14, 2015 11:17 AM