Server 2016 user side GPOs apply but don't work

  • Question

  • Windows Server 2016 Standard Version 1607

    RDS sessions

    We are configuring Group Policy to control access to USB drives on a per-user basis. Although we have confirmed through gpresult /h that the GPOs apply correctly and the individual settings apply as below, it doesn't actually make any difference to drive access. The drives are recognised with no problem, but the users can still access them even when we have the user GPOs set to deny. We are also using loopback processing mode.

    User Configuration > Policies >  Administrative Templates > System > Removable Storage Access:

        Removable Disks: Deny Read Access

        Removable Disks: Deny Write Access

        All Removable Storage classes: Deny All Access

    If we configure via the Computer policy it works OK, but this doesn't fit our goal of determining access via user groups set up for this purpose.

    There are a lot of reports of this happening on forums on the internet, but I have seen no fix. It feels like a bug on Microsoft's side rather than any misconfiguration. Does anyone have any knowledge/articles or suggestions for getting this to work?

    thanks

    Friday, September 4, 2020 9:16 AM
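As an added diagnostic (not part of the original thread), the PowerShell below reads the policy values that the three Removable Storage Access settings write, in both the user hive (User Configuration) and the machine hive (Computer Configuration), so the registry state can be compared with what gpresult /h reports. The class GUID is the Removable Disks device class those settings target; Deny_All lives directly under the RemovableStorageDevices key. The second part lists the drives the session actually sees: on an RDS session, a drive redirected from the client shows up as a \\tsclient network share (DriveType 4) rather than a removable disk the server enumerates, which the Removable Storage Access settings do not govern.

```powershell
# Added example, not from the thread: show what the Removable Storage Access
# policies actually wrote to the registry, per hive, then list visible drives.
$removableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" device class
$policyPath          = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStoragePolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $base   = "$($Hive):\$policyPath"
    $result = [ordered]@{ Hive = $Hive; Deny_All = $null; Deny_Read = $null; Deny_Write = $null }

    # "All Removable Storage classes: Deny all access" -> Deny_All on the parent key
    if (Test-Path $base) {
        $result.Deny_All = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).Deny_All
    }

    # "Removable Disks: Deny read/write access" -> Deny_Read / Deny_Write on the class subkey
    $classKey = Join-Path $base $removableDisksClass
    if (Test-Path $classKey) {
        $p = Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue
        $result.Deny_Read  = $p.Deny_Read
        $result.Deny_Write = $p.Deny_Write
    }

    # 1 = policy Enabled, 0 = policy Disabled, empty = Not Configured (key absent)
    [pscustomobject]$result
}

'HKLM', 'HKCU' | ForEach-Object { Get-RemovableStoragePolicy -Hive $_ } | Format-Table -AutoSize

# Which drives does this session see? DriveType 2 = removable disk the server
# enumerates; DriveType 4 with ProviderName \\tsclient\... = drive redirected over RDP.
Get-CimInstance Win32_LogicalDisk |
    Select-Object DeviceID, DriveType, ProviderName, VolumeName |
    Format-Table -AutoSize
```

Run it inside the affected user's RDS session. If HKCU shows the expected 1 values and the drives are DriveType 2, the policy reached the registry and the problem lies in enforcement; if HKCU is empty, the user-side GPO never wrote its values despite what the report says.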

All replies

  • Hi,

    Loopback is tough because normally, to achieve selective access, you would

    - allow access at computer level

    - deny access for everybody at user level

    - allow access to users in question by a winning GPO

    which you cannot easily achieve by loopback (short of moving the "USB-enabled users" in a separate OU).


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Friday, September 4, 2020 12:12 PM
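The three-layer arrangement described above, as an added PowerShell example that is not part of the original reply. It creates the two user-level GPOs with the GroupPolicy module: a deny-for-everybody GPO, and an allow GPO that is security-filtered to the permitted group and placed at link order 1 so it is processed last and wins. The GPO names, the OU distinguished name and the group name are placeholders; the computer-level "allow" is simply leaving the computer-side setting Not Configured.

```powershell
Import-Module GroupPolicy

# Added example, not from the thread. GPO names, OU and group are placeholders.
$ou            = 'OU=RDS Users,DC=example,DC=com'
$allowedGroup  = 'USB-Enabled-Users'
$userPolicyKey = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'   # HKCU => User Configuration

# 1. Deny access for everybody at user level:
#    "All Removable Storage classes: Deny all access" = Enabled (Deny_All = 1).
$deny = New-GPO -Name 'USB-Deny-All-Users' -Comment 'Deny removable storage for all users'
Set-GPRegistryValue -Name $deny.DisplayName -Key $userPolicyKey `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $deny.DisplayName -Target $ou -LinkEnabled Yes | Out-Null

# 2. Allow access for the users in question by a winning GPO:
#    same setting in its Disabled state (Deny_All = 0), security-filtered to the
#    group, linked at order 1 (highest precedence, processed last).
$allow = New-GPO -Name 'USB-Allow-Selected-Users' -Comment 'Re-enable removable storage for selected users'
Set-GPRegistryValue -Name $allow.DisplayName -Key $userPolicyKey `
    -ValueName 'Deny_All' -Type DWord -Value 0 | Out-Null

# Replace the default Authenticated Users filter with the permitted group ...
Set-GPPermission -Name $allow.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $allow.DisplayName -TargetName $allowedGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# ... but keep Read for computer accounts, which retrieve the user settings (KB3163622 / MS16-072).
Set-GPPermission -Name $allow.DisplayName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

New-GPLink -Name $allow.DisplayName -Target $ou -LinkEnabled Yes -Order 1 | Out-Null

# Verify the precedence: the allow GPO must sit at Order 1, above the deny GPO.
Get-GPInheritance -Target $ou |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
```

Members of the permitted group receive both GPOs, and the later-processed allow GPO overwrites Deny_All with 0; everyone else receives only the deny GPO. With loopback processing the two GPOs would instead be linked to the servers' OU, which is the part the reply flags as awkward to express.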
  • Thanks for your response.

    Can you expand on how this would look so I can test in Dev?

    - allow access at computer level - This is in place

    - deny access for everybody at user level - Why the deny here? Would this not override any allow?

    - allow access to users in question by a winning GPO - Would this be the separate GPO applied to users in another OU?

    thanks for helping

    open to all suggestions and solutions

    Friday, September 4, 2020 12:37 PM
  • Troubleshooting: Group Policy (GPO) Not Being Applied

    In this manual I will try to tell you about typical reasons why a Group Policy object (GPO) may not be applied to an organizational unit (OU), a specific computer or a domain user. I think this article will be useful both to newbies and IT pros for understanding GPO operation and architecture. First of all, I'll tell you about possible problems with applying a GPO related to the policy settings on the domain level, rather than troubleshooting GPOs on the clients. Almost all settings described in the article are configured using the Group Policy Management Console (GPMC.msc).

    If a policy setting is not applied on a client, check your GPO scope. If you configure the setting in the Computer Configuration section, your Group Policy must be linked to an OU with computer objects. The same is true if you set your parameters in the User Configuration section.

    [Image: view GPO scope]

    Also make sure that the object you are trying to apply your GPO to is in the right computers or users AD container (OU). You can search your domain for the object. The OU that contains your object is specified in the Object tab in the ADUC (dsa.msc) console.

    [Image: check AD object OU in properties]

    It means that the target object must be located in the OU the policy is linked to (or in a nested AD container).

    Security Filtering in GPO

    Check the Security Filtering settings in your policy. By default, all new GPO objects in the domain have the permissions for the Authenticated Users group enabled. This group includes all users and computers in the domain. It means the policy will be applied to all users and PCs within its scope.

    [Image: GPO Security Filtering - Authenticated Users by default]

    If you want to change the Security Filtering in order to apply the policy only to the members of a specific security group (or certain users/computers), remove "Authenticated Users" from the Security Filtering list and make sure that the target object (a user or a computer) has been added to the AD group you need. Also make sure that the group you have added to the Security Filtering has Read and Apply group policy permissions with the Allow option checked in the GPO -> Delegation -> Advanced tab.

    [Image: GPO permissions - Read and Apply group policy]

    If you are using non-standard GPO security filters, check that there is no explicit prohibition (Deny) on the use of the GPO for the target groups.
    Friday, September 4, 2020 1:20 PM
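The scoping checklist in the post above (GPO status, link target and link state, Security Filtering with Read and Apply, explicit Deny entries) can be audited in one pass with the GroupPolicy module. The script below is an added example, not from the post or from Microsoft; 'USB-Deny-All-Users' is a placeholder GPO name, and the Domain Computers check reflects the requirement, introduced with KB3163622 (MS16-072), that computer accounts be able to read a GPO whose user settings are security-filtered.

```powershell
Import-Module GroupPolicy

# Added example, not from the thread. Audits one GPO against the scoping
# checklist: enabled halves, links, Apply permission, explicit Deny, Read for computers.
function Test-GpoScope {
    param([Parameter(Mandatory)][string]$GpoName)

    $gpo   = Get-GPO -Name $GpoName
    $perms = Get-GPPermission -Name $GpoName -All
    $links = ([xml](Get-GPOReport -Name $GpoName -ReportType Xml)).GPO.LinksTo
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is the User Configuration half of the GPO enabled at all?
    if ($gpo.GpoStatus -in 'UserSettingsDisabled', 'AllSettingsDisabled') {
        $findings.Add("User configuration is disabled (GpoStatus = $($gpo.GpoStatus))")
    }

    # 2. Where is it linked, and are those links enabled?
    if (-not $links) { $findings.Add('GPO is not linked to any OU, domain or site') }
    foreach ($l in $links) {
        if ($l.Enabled -ne 'true') { $findings.Add("Link to $($l.SOMPath) is disabled") }
    }

    # 3. Security Filtering: someone must hold Apply Group Policy, and no explicit Deny.
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    if (-not $apply) { $findings.Add('No trustee has Apply Group Policy') }
    foreach ($d in ($perms | Where-Object Denied)) {
        $findings.Add("Explicit Deny for $($d.Trustee.Name) ($($d.Permission))")
    }

    # 4. Once Authenticated Users is removed, computer accounts still need Read
    #    to retrieve the user settings (KB3163622 / MS16-072).
    $readers = $perms |
        Where-Object { $_.Permission -in 'GpoRead', 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name }
    if (-not ($readers -contains 'Authenticated Users' -or $readers -contains 'Domain Computers')) {
        $findings.Add('Neither Authenticated Users nor Domain Computers has Read')
    }

    [pscustomobject]@{
        Gpo      = $GpoName
        Status   = $gpo.GpoStatus
        Links    = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        ApplyTo  = ($apply | ForEach-Object { $_.Trustee.Name }) -join '; '
        Findings = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
    }
}

Test-GpoScope -GpoName 'USB-Deny-All-Users' | Format-List
```

A result of "OK" with the target user's group listed under ApplyTo means the GPO is scoped correctly at the domain level; any remaining problem is then on the client side, which is where the original question's gpresult report already points.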
  • This is basic stuff, but thanks anyway
    Monday, September 7, 2020 8:05 AM