GPO Delegation

    Question

  • If I understand the process correctly, a GPO with computer policies will apply to that computer regardless of whether the logon user is excluded from the Scope Security Filtering or even denied access under the Delegation Tab.

    If so:

    1. Does the statement above also apply to a GPO with loopback, or are the User policies affected by Scope or Delegation?

    2. How do I prevent Computer policies from applying for the Administrator? Use WMI filtering?

    Thanks >> Joe

    Friday, March 04, 2016 3:54 AM

All replies

    • Statement 0 is correct.
    • Q1: Since loopback is a system GPO setting, it too doesn't care who logs in. It will merge or replace the settings laid down by the user policies, regardless of whether the user's security object is within the scope of the computer's GPO.
    • Q2: Well, "computer policies" apply to the computer, so by definition they already don't apply to the administrator. If you mean: "Hey, I've disabled X via computer policy, but I don't want X disabled when an administrator logs in" - then we'd need to know what X is to understand the nature of the setting. For example, a computer policy that says enable BitLocker won't roll back BitLocker simply because a certain user logs in.

    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Friday, March 04, 2016 4:50 AM
  • Mike,

    Does Loopback only apply to the GPO in which it is invoked or does it stay turned on for a machine until the setting is reversed?  I am wondering if we should be applying Loopback as a standalone GPO and moving it to the top of the Link Order rather than embedding it with a combination of computer and user policies?

    Regarding Q2, we have a GPO that disables the Win installer & Win updates on a terminal server, but it was only intended for non-admin users - we are learning the hard way.  I only see the settings under the Computer Config.  Any suggestions on how to have an Admin logon enable these keys?

    Thanks >> Joe

    Friday, March 04, 2016 5:24 AM
  • If you have 10 GPOs applied to the computer, and the effective result of those GPOs enables loop back processing, the values from all 10 GPOs will be re-applied once a user logs in.

    Q2 again - The Windows Installer service is a system-wide service. It would have had to be written to understand the difference between users. There may be a way to solve this, but aim your research at the nature and capabilities of those services, not GPO per se.

    Most programs require admin rights to install anyway - are you having issues with Windows installers that don't require this? If so, I'd move to AppLocker instead. It's really spiffy and included in Windows Enterprise and server editions.


    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Friday, March 04, 2016 6:06 AM
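The point Mike makes above (loopback is resolved from the computer side across every GPO linked to the machine, and it then re-applies the user settings of all of them) is easiest to see by auditing the OU the server sits in. The script below is an added example, not code from this thread or from Microsoft: it walks the GPO links on one OU, reads the computer-side loopback value each GPO carries, and lists who holds (or is explicitly denied) "Apply group policy" on it. It assumes the GroupPolicy RSAT module and a domain-joined admin session; the OU path is a placeholder.

```powershell
# Added example (not part of the forum thread). Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Get-GpoLoopbackReport {
    param(
        # Placeholder OU; replace with the OU that holds the terminal server.
        [Parameter(Mandatory)] [string] $TargetOU
    )

    # "User Group Policy loopback processing mode" is stored on the COMPUTER side
    # of the GPO as this registry value: 1 = Merge, 2 = Replace.
    $loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
    $modeNames   = @{ 1 = 'Merge'; 2 = 'Replace' }

    foreach ($link in (Get-GPInheritance -Target $TargetOU).GpoLinks) {
        $gpo  = Get-GPO -Guid $link.GpoId
        $mode = 'not set'
        try {
            $val  = Get-GPRegistryValue -Guid $link.GpoId -Key $loopbackKey `
                                        -ValueName 'UserPolicyMode' -ErrorAction Stop
            $mode = $modeNames[[int]$val.Value]
        } catch { }   # value absent: this GPO does not configure loopback

        # Security filtering is evaluated per GPO and is not bypassed by loopback:
        # a user without GpoApply (or with an explicit deny) never gets the user half.
        $perms = Get-GPPermission -Guid $link.GpoId -All
        $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
                 ForEach-Object { $_.Trustee.Name }
        $deny  = $perms | Where-Object { $_.Denied } | ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            LinkOrder    = $link.Order
            Enabled      = $link.Enabled
            Enforced     = $link.Enforced
            GPO          = $gpo.DisplayName
            UserSettings = $gpo.User.Enabled      # user half switched on in this GPO?
            Loopback     = $mode
            ApplyAllowed = ($apply -join ', ')
            ExplicitDeny = ($deny -join ', ')
        }
    }
}

# Usage (placeholder DN):
Get-GpoLoopbackReport -TargetOU 'OU=RDS Servers,DC=example,DC=com' | Format-Table -AutoSize
```

If any single row shows `Loopback = Replace` the whole computer runs in Replace mode, and every row with `UserSettings = True` is then a candidate for re-application at logon, but only for trustees that appear in its `ApplyAllowed` column. That is the combination of the two answers in this thread in one table.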
  • > 1. Does the statement above also apply to a GPO with loopback, or are
    > the User policies affected by Scope or Delegation?
     
    To add to Mike's replies:
     
     
    > 2. How do I prevent Computer policies from applying for the
    > Administrator? Use WMI filtering?
     
    Don't implement your setting in a computer policy, but in a user policy.
     
    • Marked as answer by JAGP Thursday, March 10, 2016 2:16 PM
    Friday, March 04, 2016 10:51 AM
  • Again, my thanks for the information.

    Martin, the evilgpo link really cleared up misconceptions we had WRT "Merge" versus "Replace". Thanks.

    I agree we went a little overboard on the lockdown policy. We will remove that GPO. Based on your responses to another thread, we will have to undo the registry changes on the terminal server itself.

    I am still puzzled by the following GPO assignments though. Aside from the first GPO on the list and the dedicated one I created for loopback (#1 Link on the OU), the remaining User policies apply to a specific AD group of which the Administrator is NOT a member. The Scope for these policies includes both the AD group & RDS Server. Logons show that they ARE being applied to the members of the AD group but NOT the Administrator. Unless I am misunderstanding this thread, these user policies should be applied to anyone that logs onto the RDS, correct?

    Thanks >> Joe

    Friday, March 04, 2016 3:02 PM
  • > Martin, the evilgpo link really cleared up misconceptions we had WRT
    > "Merge" versus "Replace". Thanks.
     
    U'r welcome ;)
     
    > (#1 Link on the OU), the remaining User policies apply to a specific AD
    > group of which the Administrator is NOT a member. The Scope for these
    > policies includes both the AD group & RDS Server.  Logons show that
    > they ARE being applied to the members of the AD group but NOT the
    > Administrator.  Unless I am misunderstanding this thread, these user
    > policies should be applied to anyone that logs onto the RDS, correct?
     
    No. Loopback does not change "Security filtering", it changes "GPO
    Scope". If the user doesn't have "apply GPO", it will not apply.
     
    • Marked as answer by JAGP Thursday, March 10, 2016 2:16 PM
    Friday, March 04, 2016 3:14 PM
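Martin's distinction between scope and security filtering can be confirmed on the RDS host itself from the resultant set of policy: `gpresult /x` records, per user GPO, whether it was kept out by security filtering or by a WMI filter. The function below is an added example, not code from this thread; it runs gpresult for a user who has already logged on and tabulates that outcome. It assumes an elevated session on the RDS host, and the `AccessDenied` / `FilterAllowed` element names are taken from the RSoP XML layout as the author of this example knows it; the user name is a placeholder.

```powershell
# Added example (not part of the forum thread). Run elevated on the RDS host.
function Get-UserGpoFilterResult {
    param(
        [Parameter(Mandatory)] [string] $User,                       # DOMAIN\user (placeholder)
        [string] $XmlPath = (Join-Path $env:TEMP 'rsop-user.xml')
    )

    # gpresult /x writes the RSoP report as XML; /f overwrites an existing file.
    # The user must have logged on to this host at least once.
    gpresult.exe /user $User /scope:user /x $XmlPath /f | Out-Null
    [xml]$rsop = Get-Content -LiteralPath $XmlPath -Raw

    # Assumed per-GPO elements in the report:
    #   AccessDenied  = 'true'  -> trustee lacks "Apply group policy" (security filtering)
    #   FilterAllowed = 'false' -> a WMI filter excluded the GPO
    foreach ($g in $rsop.Rsop.UserResults.GPO) {
        $enabled  = ($g.Enabled -eq 'true')
        $denied   = ($g.AccessDenied -eq 'true')
        $wmiOk    = ($g.FilterAllowed -ne 'false')
        [pscustomobject]@{
            GPO            = $g.Name
            LinkedAt       = ($g.Link.SOMPath -join '; ')   # OU/domain/site the link lives on
            Enabled        = $enabled
            SecurityDenied = $denied
            WmiAllowed     = $wmiOk
            Applied        = ($enabled -and -not $denied -and $wmiOk)
        }
    }
}

# Usage (placeholder account): GPOs linked to the server's OU but not applied to this
# user should show SecurityDenied = True, which is exactly the loopback behaviour
# described in the answer above.
Get-UserGpoFilterResult -User 'EXAMPLE\Administrator' | Sort-Object Applied | Format-Table -AutoSize
```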
  • OK, that clarifies a lot.

    Many of the loopback GPOs that I have seen include both Computer & User settings.  Is it better housekeeping policy to apply loopback as a standalone GPO?

    Friday, March 04, 2016 3:37 PM
  • I'd use loopback only if you have to. It complicates troubleshooting and is less commonly implemented.

    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Friday, March 04, 2016 10:35 PM
  • > I'd use loopback only if you have to. It complicates troubleshooting and
    > is less commonly implemented.
     
    I absolutely second that :)
     
    Monday, March 07, 2016 9:37 AM
  • Wouldn't "Loopback - Replace" simplify things in that it restricts GPO application to those assigned to the computer OU involved?

    In my case I am dealing with a Terminal Server.  The way I interpret your guidance "Loopback - Replace" would ensure that I could not inadvertently assign a GPO to a user container that I don't want on that server.

    On a forum etiquette question, is it OK to mark each of you as having answered my question? You both have provided a wealth of information.

    Thanks >> Joe

    Monday, March 07, 2016 2:21 PM
  • Hi,

    It is appreciated if you mark the replies as answers when they help. This will benefit other partners who read the forums regularly, as they can learn from your interaction with us.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 08, 2016 2:14 AM
    Moderator
  • > Wouldn't "Loopback - Replace" simplify things in that it restricts GPO
    > application to those assigned to the computer OU involved?
     
    If you know what you're doing and if you are aware of how loopback
    works: Yes. Most people miss that - at least partially :)
     
    Wednesday, March 09, 2016 12:25 PM