2 trusted domains, block user GPOs for "second" domain

  • Question

  • Here is my scenario:

    Abc.com (domain)

    • OU Containing users and normal computers
    • Multiple user and computer GPOs

    Lab.abc.com (domain)

    • OU Containing LAB computers ONLY
    • No GPOs whatsoever

    Both domains are trusted so abc.com users can log into lab.abc.com computers. All users and normal computers reside in the abc.com domain. Lab computers reside in the lab domain, and that domain has no GPOs.

    Basically, I don’t want the user GPOs (like drive mappings, etc.) from the abc.com OU to apply when abc.com users log into the lab computers.

    I created an abc.com\LAB_Computers group and threw all the lab computers into it. Then I went into the GPO delegation area and denied applying each user GPO to that computer group. That did not work. I have also tried disabling inheritance within the lab OU, and tested loopback processing with no luck.

    I would think the “Deny” applying GPO setting would work, but I am unsure why it is not.

    Thursday, August 29, 2013 1:05 PM


All replies

  • Both domains in the same forest? Then enable http://gpsearch.azurewebsites.net/#348 in replace mode.

    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    Restore the forum design - my user defined Cascading Style Sheet!

    • Marked as answer by Matthew 1313 Thursday, August 29, 2013 7:09 PM
    Thursday, August 29, 2013 1:38 PM
  • Yes, in the same forest.

    I have a drive mapping policy; I just enabled Loopback - replace mode on the abc.com domain. I still get the mapped drives on the lab computers.

    Not sure what's going on?

    Thursday, August 29, 2013 2:01 PM
  • Hello,

    If loopback replace mode is enabled, then you shouldn't see any user policy getting applied.

    Check GPresult and RSOP on the clients to make sure that policy is getting applied.


    Devaraj G | Technical solution architect

    • Marked as answer by Matthew 1313 Thursday, August 29, 2013 7:09 PM
    Thursday, August 29, 2013 3:51 PM
  • Just to be clear, I have added the loopback - replace setting to my drive mapping policy on the abc.com domain. When I log in to a lab.abc.com computer using my abc.com account, the drives show up. I ran a gpresult and it says the policy was "Applied".

    I also confirmed that both user and computer settings are enabled in the GPO.

    Thursday, August 29, 2013 6:16 PM
  • Delete the user profile and check again... Drive mappings usually persist. In addition, run gpmc.msc, create a RSoP Report and check if your foreign domain GPOs are still applied. I don't believe so.

    Martin


    Thursday, August 29, 2013 6:53 PM
  • The loopback policy was the answer, but I had to create it on the lab domain, not the main (abc.com) domain. Thanks for your help all.
    Thursday, August 29, 2013 7:11 PM
  • That's a computer policy, so sure it has to be applied to the lab computers, not the lab users :-)

    BTW: You can mark more than one post as answer...


    Martin


    Thursday, August 29, 2013 7:46 PM
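The fix the thread lands on (a loopback-replace GPO created in the lab domain and linked to the OU that holds the lab computers), as an added PowerShell example that is not from the thread or from any of its posters. The OU path, GPO name and the presence of the GroupPolicy RSAT module are assumptions; the registry value it sets is the one the "Configure user Group Policy loopback processing mode" policy writes.

```powershell
# Added example (not from the thread). Assumed values, constructed for this example:
# lab domain lab.abc.com, lab computers in OU=LabComputers,DC=lab,DC=abc,DC=com,
# GroupPolicy RSAT module installed on the admin workstation.
Import-Module GroupPolicy

$LabDomain = 'lab.abc.com'
$LabOU     = 'OU=LabComputers,DC=lab,DC=abc,DC=com'
$GpoName   = 'Lab - Loopback Replace'

# Loopback is a *computer* setting, so the GPO belongs in the domain that holds
# the lab computer objects, not in abc.com where the users live.
$gpo = Get-GPO -Name $GpoName -Domain $LabDomain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $LabDomain `
                   -Comment 'Suppress abc.com user GPOs on lab computers'
}

# The loopback policy writes UserPolicyMode under the System policies key:
#   1 = Merge, 2 = Replace. Replace discards the user's own GPO list entirely,
#   so abc.com user GPOs (drive mappings etc.) no longer apply on these machines.
Set-GPRegistryValue -Name $GpoName -Domain $LabDomain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Only the computer side of this GPO matters; disable the user side to keep it lean.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Link the GPO to the lab computer OU (idempotent: skip if already linked).
$alreadyLinked = (Get-GPInheritance -Target $LabOU -Domain $LabDomain).GpoLinks |
                 Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Domain $LabDomain -Target $LabOU -LinkEnabled Yes | Out-Null
}

# Verification, run on a lab computer in an elevated prompt (what the thread
# recommends: gpresult / RSoP rather than trusting persisted drive mappings):
#   gpupdate /force
#   gpresult /r /scope:computer   # loopback GPO must be listed under "Applied Group Policy Objects"
#   gpresult /r /scope:user       # abc.com user GPOs such as drive mappings should be gone
#   (Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\System').UserPolicyMode   # expect 2
```

Remember the caveat from the thread: previously mapped drives can persist in a cached user profile, so a clean profile or a fresh RSoP report is the reliable check, not whether the drive letters are still visible.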