Loopback processing mode, will this work?

    Question

  • hey all,

    i have a situation where i need to apply a Computer configuration (Windows Firewall: Define inbound port exceptions) to specific users in our AD.  on top of this, all of our computers are in a single AD OU, so the ideal solution would be to add the firewall configuration to the computers OU, but only have it apply to users in a separate OU.

    from what i understand, Loopback processing mode is only applicable to User configurations, so i'm guessing this won't work for my needs?

    is there a way to accomplish this?

    thanks!

    Thursday, July 02, 2015 2:45 PM

Answers

  • > actually it does appear to be working.. looks like the computer objects
    > (to have the GPO applied) need to be included in the security filtering,
     
    Yes, the computers will apply the computer part of your GPO if they are
    in scope and have apply access.
     
    > the problem i'm running into now is that the GPO settings will remain
    > applied if i remove the user from the security group, and the GPO needs
     
    That is NOT how it works. Computers apply computer settings, users apply
    user settings. Not vice versa.
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, July 06, 2015 8:04 AM
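
    Added example (not part of the original thread and not the posters' own code): scoping the computer half of the firewall GPO with security filtering on a group of computer accounts, as the answer above describes. The GPO name, group name, OU path and computer name are placeholders chosen for illustration.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Firewall - Inbound Port Exceptions'   # assumed GPO name
$GroupName = 'FW-Exception-Computers'               # assumed security group name
$OuDn      = 'OU=Workstations,DC=example,DC=com'    # assumed OU that holds the computers

# 1. Create a security group whose members are COMPUTER accounts.
#    User membership has no effect on Computer Configuration settings.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDn
}
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer 'PC-EXAMPLE-01')

# 2. Security filtering: only the computer group gets Apply.
#    Authenticated Users is reduced to Read so the GPO can still be read
#    but is not applied by every computer in the OU.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 3. Link the GPO to the computers' OU (errors harmlessly if already linked).
New-GPLink -Name $GpoName -Target $OuDn -ErrorAction SilentlyContinue

# 4. Review the resulting permissions before rolling out.
Get-GPPermission -Name $GpoName -All

# 5. On a target computer, after a restart so the computer account picks up
#    its new group membership, refresh and inspect the computer-side result.
gpupdate /target:computer /force
gpresult /r /scope computer
```

    Removing a computer from the group and refreshing policy takes that computer out of scope; adding or removing a user from any group does not change which computers apply the firewall settings.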

All replies

  • Hi

     Loopback processing - Replace mode,

    Check the details:

    https://technet.microsoft.com/en-us/library/cc757470(v=ws.10).aspx

    Thursday, July 02, 2015 2:50 PM
  • > i have a situation where i need to apply a Computer configuration
    > (Windows Firewall: Define inbound port exceptions) to specific users in
     
    No, this will not work - imagine a computer booting, there is no user
    logged on when GPO processing runs.
     
    I never played around with it, but in Firewall rules, you CAN assign
    users. You might give it a try. This requires IPSEC rules, too, but as
    basic authentication is sufficient, it should be set up quite easily :)
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, July 02, 2015 4:11 PM
  • i also looked into Security Filtering on the GPO; in theory i should be able to specify the users that this GPO will apply to, correct?

    i've been playing with the filtering, but can't get it to work; i do a gpupdate /force after making the changes and the firewall rules don't update.  i know the GPO works because i can simply link it to the OU without any other changes and the firewall rules will update..

    i have the GPO linked to the OU where the computer object resides

    the user object is also located in the same OU

    i've set the Security Filtering to the one user, removed Authenticated Users

    i've set both Read and Apply permissions for the user on the Delegation tab

    am i missing something?  if this should work i think this is probably the best way to address my issue.

    Friday, July 03, 2015 12:55 PM
  • > am i missing something?  if this should work i think this is probably
    > the best way to address my issue.
     
    It will not work. Users do not apply settings in the computer part of
    GPOs. As I said above...
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, July 03, 2015 3:37 PM
  • actually it does appear to be working.. looks like the computer objects (to have the GPO applied) need to be included in the security filtering, not just the user objects.  i tested by adding a security group (with both computers and users).. the GPO settings get updated as i add or remove the security group.

    the problem i'm running into now is that the GPO settings will remain applied if i remove the user from the security group, and the GPO needs to be applied to specific users (ie, if the user no longer needs this GPO applied, they are removed from the security group); isn't that the idea behind security filtering?

    if i'm not understanding things, please feel free to clarify.  thanks!

    Friday, July 03, 2015 6:38 PM