
Thread: user configuration on selected computers: Loopback processing not working ?

  1. #1
    picpic Guest

    user configuration on selected computers: Loopback processing not working ?

    Hello,

    I'm looking for help regarding a problem with a GPO that I can't quite solve. I will try to explain this as clearly as possible:

    (my DC: Windows Server 2008 R2)

    The goal is: deploying MSI files on a selected range of computers while also filtering by user group. To make it short: selected users need to have some MSIs deployed when they log on to selected computers only.

    So I set up the following:

    - Set up a GPO with the MSIs to deploy in User Configuration/Software Settings/Software Installation
    - This GPO is linked to an OU containing only selected Computer objects (which are the selected workstations)
    - In the Security Filtering of the GPO, I deleted "Authenticated Users" and added the group of my selected users (the "Apply group policy" box is checked in the Delegation tab --> Advanced)
    - Enabled Loopback Processing in this GPO. According to Microsoft, activating this option allows a User Configuration to be applied when my users log in to computers which are located in the OU to which this GPO is linked.

    Result: the GPO is not applied. GPResult tells me (under Computer Configuration) that the GPO is not applied due to security reasons.

    This GPO is working when I leave "Authenticated Users" in the Security Filtering menu. When I use a security group instead, it doesn't work.

    I tried many different alternative solutions, but I can't find a way to reach my goal and apply this GPO only when selected users log in to selected computers. The only solution that would work would be using OUs as access lists (for example, put the selected users in a particular OU), but I can't do that since I intend to create other deployment GPOs for other users and it would be impossible to manage, since one user cannot be present in two OUs at the same time.

    So to make it short I will ask two simple questions:

    - Is it possible to apply a User Configuration setting only to selected computers while filtering users with a security group? Am I wrong when using the loopback option for that usage?
    - If it's impossible, do third-party tools addressing this problem exist? Does anyone have feedback on that subject?


    Thank you in advance for any help or advice, and sorry for my bad English (I'm from Belgium!) ;-)

    have a nice day
    picpic

  2. #2
    trekker Guest


    So when you use loopback processing, the computer processes all of its policies in the GPOs assigned to it, sees that it is processing in loopback mode, and then decides whether it needs to replace (apply just the user policies assigned to the computer and not to the user account) or merge (use both the user policies assigned to the user and the user policies assigned to the computer). Your policy is failing because the computer itself can't read the GPO (you said you removed Authenticated Users... which includes the account the computer uses to access the GPO); therefore, it doesn't have permission to read the GPO, can't see that it needs to process in loopback mode, and ignores all the user policies.

    As I see it, you've got two options:

    Option 1: Add Domain Computers to the security filtering (or create a security group for just those computers and add it). Probably not the best option, but should (without me actually trying to replicate your setup and test it myself) technically work.

    Option 2: For your sanity, separate the user and computer policies. As a general rule, I try to do this every time I'm using loopback processing... if not for my sanity, for my co-workers that might have to support my configurations. For the computer GPO, leave the normal permissions and include your loopback setting. For the user GPO, remove Authenticated Users and put in your security group.

  3. #3
    picpic Guest


    Thanks for your answer. In fact "Authenticated Users" is a bit confusing to me (it should be renamed "Authenticated Objects", I suppose ;-) ). I understand why my GPO can't be applied if I replace "Authenticated Users" with a user group, since it is a user configuration applying to a computer-only OU.

    Now I must say that unfortunately I can't set up my deployment through Computer Configuration, since the icons I deploy must be seen by selected users only.

    I can't add the selected computers to the security filtering (like you suggested) either, for the same reason: if I set the security filtering to allow domain (or selected) computers to apply the GPO, it would be applied on all those computers regardless of the user logging on to them, which is something I'd like to prevent.

    The idea would be to really apply the GPO to a restricted group of users only when they log on to a restricted group of computers.

    To be honest, I searched around for a while and it seems that unfortunately it cannot really be done through GPO security. I hope I'm wrong though ;-)

    thanks for the help ;-)

  4. #4
    trekker Guest


    It's totally possible, you just have to be a little creative. If you don't want to split up the GPO, create a security group and put all of the computers into the group that need to be able to apply the policy. Put your computer group and your user group into the Security Filtering and you should be set. When the GPO is processed, the computers in the group will process the computer policies, then switch to loopback mode. When the user login is processed, the user policies will only apply to that user if the account is in the other group.

  5. #5
    picpic Guest


    Thanks for the tip ! That's a very clear explanation. I'll give it a try today and post feedback here ;-)

  6. #6
    picpic Guest


    Works ! Thanks a lot, you really made my day ;-)

    I will try to summarize for people who would like to do the same:


    How to assign a GPO to a group of users only when they log on to certain computers?

    Note 1: configure the security filtering before setting the different options, to avoid any unwanted application of your GPO.
    Note 2: this is explained for Windows Server 2008 R2, but I'm sure you can find the same options on Windows Server 2003.

    1) Create two groups in your AD: one for the selected users (for example: "GPO Users") and another one for the selected computers (for example: "GPO Computers") to which the GPO will be deployed if a member of GPO Users logs on to them.
    2) In the Group Policy Management console, create a new GPO and link it to the OU where all your computers are located (for example: "Workstations").
    3) Set the security filtering of the GPO as follows: delete "Authenticated Users" and add your GPO Users group and your GPO Computers group. Check that the option "Apply Group Policy" is enabled for those groups (Delegation tab -> Advanced).
    4) In the Computer Configuration part of the GPO, go to Policies -> Administrative Templates -> System -> Group Policy. Set the option "Use Group Policy Loopback Processing Mode" to "Enabled".
    5) In the User Configuration part of the GPO, set the options you need to deploy to the users.

    As explained by Trekker, the result will be the following: When the GPO is processed, the computers in the group will process the computer policies, then switch to loopback mode. When the user login is processed, the user policies will only apply to that user if the account is in the other group.

    I'm glad I finally got it to work. Thanks to trekker and thanks to this great forum !

    Greetings from Belgium ;-)
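
    The five-step procedure summarized in the post above, scripted as an added example (editor's code, not something posted in this thread). It assumes hypothetical names: domain example.com, a groups OU "OU=Groups,DC=example,DC=com", a workstation OU "OU=Workstations,DC=example,DC=com", a GPO called "Deploy MSI (selected users)", and sample members jdoe and WS01. It needs the RSAT ActiveDirectory and GroupPolicy modules and domain admin rights. One caveat the thread predates: since the MS16-072 update (June 2016) user policy is retrieved in the computer's security context, so rather than deleting "Authenticated Users" from the ACL the script downgrades it from Apply to Read, which gives the same filtering result (only the two groups get Apply) without breaking processing on patched clients.

```powershell
# Added example (not from the thread). Hypothetical names throughout; adjust to your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain    = 'example.com'
$GroupsOU  = 'OU=Groups,DC=example,DC=com'
$TargetOU  = 'OU=Workstations,DC=example,DC=com'
$GpoName   = 'Deploy MSI (selected users)'
$UserGroup = 'GPO Users'
$CompGroup = 'GPO Computers'

# Step 1: one security group for the selected users, one for the selected computers.
foreach ($g in $UserGroup, $CompGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $GroupsOU
    }
}
Add-ADGroupMember -Identity $UserGroup -Members (Get-ADUser 'jdoe')        # sample member (assumed)
Add-ADGroupMember -Identity $CompGroup -Members (Get-ADComputer 'WS01')    # sample member (assumed)

# Step 2: create the GPO. It is linked last (see below) so that, per Note 1 of the post,
# the filtering is in place before anything can apply.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Domain $Domain }

# Step 3: security filtering. "Authenticated Users" keeps Read (not Apply), which is what
# MS16-072-patched clients need because the computer account reads the GPO for the user.
# Apply is granted only to the two groups.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName $UserGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName $CompGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# Step 4: Computer Configuration > Policies > Administrative Templates > System > Group Policy >
# loopback processing = Enabled. The ADMX setting writes this registry.pol value:
# UserPolicyMode 1 = Merge (user's own GPOs plus this one), 2 = Replace (this one only).
Set-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Link to the workstation OU now that the ACL and loopback mode are set.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null }

# Step 5 (User Configuration > Software Settings > Software Installation) has no GroupPolicy
# cmdlet; add the MSI package in the GPMC GUI. User-side Administrative Template settings can
# be scripted with Set-GPRegistryValue against an HKCU key, the same way as step 4.

# Check: Apply should appear only for the two groups, Read for Authenticated Users.
Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Permission -in 'GpoApply', 'GpoRead' } |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize
```

    Reboot a workstation after adding it to GPO Computers, since its Kerberos token (and therefore the group membership the ACL check sees) is built at startup, then log on as a GPO Users member and run `gpresult /r /scope:user`. The GPO must be listed under "Applied Group Policy Objects"; "Filtering: Denied (Security)" means one of the two Apply entries is missing, which is exactly the symptom described in the first post.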

  7. #7
    trekker Guest


    Yay! Good to see your issue is resolved!
