Windows NT Help - Loopback


Nick

Can you please help resolve a loopback issue: my policy works but doesn't do
the loopback element. I only want the policy to be applied when users log
in to the Terminal Server/Citrix servers OU, but the policy is also being
applied to their workstations.

I have followed the recommendation from these Microsoft knowledgebase
articles:
http://support.microsoft.com/kb/231287 - Loopback processing of Group Policy
http://support.microsoft.com/kb/260370 - How to apply Group Policy objects
to Terminal Services servers
http://support.microsoft.com/kb/278295 - How to lock down a Windows Server
2003 or Windows 2000 Terminal Server session

I will create a simple loopback policy and go through it step by step, so
you can see if I'm doing anything wrong.

Ok first of all here is our domain: (Single domain model and also I've
blocked inheritance on the Citrix OU)

ACME root
I
ACME.COM Domain
I__ACME Country A
I__ACME Country B
I__ACME Country UK
I__Users OU
I__Groups OU
I__Citrix OU
I__Computers OU
I__Laptops OU
I__Servers OU

Users will log in to the Citrix OU and the policy will be applied to anyone in
the security group "UK Users Citrix Server Policy".


Open GPMC.MSC > Goto Citrix OU > right-click > Create and Link GPO Here >
Name new GPO "ACME UK Citrix Server Policy" > OK >

select > Scope > Security Filtering > Add "UK Users Citrix Server Policy"
and remove Authenticated Users.

Right-click policy > Edit >
Computer Configuration > Administrative Templates > System > Group Policy >
User Group Policy loopback processing mode > Enabled > Mode: Replace > OK

User configuration > Administrative Templates > Start Menu and Taskbar >
Remove Run menu from Start Menu > Enabled > OK

Goto > Users OU > Right-click > Link an Existing GPO > select ACME UK Citrix
Server Policy > OK

Log in to Citrix as a user who is a member of the security group "UK Users Citrix
Server Policy": the Run command is removed.

Log in to a workstation as a user who is a member of the security group "UK Users
Citrix Server Policy": the Run command is removed.

Why is the policy being applied to the workstation? I only want it applied to
the Citrix OU.

Also, how is the policy to know to apply to the Citrix OU only and not to the
workstation?

Many thanks for taking the time to read this and for your comments.
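The same GPO build described in the steps above, as an added PowerShell example that is not from the thread or from any poster in it. It assumes the GroupPolicy RSAT module on a management host and that the GPO and OU names match the thread; the domain DN `DC=acme,DC=com` is an assumption. It creates the two settings by their registry-backed values, links the GPO to the Citrix OU only, and then lists every link the GPO has so a stray link (such as the one to the Users OU in the steps above) shows up:

```powershell
# Added example, not from the thread. Assumes the GroupPolicy RSAT module and
# that the GPO name and OU names match the thread; the domain DN is an assumption.
Import-Module GroupPolicy

$GpoName  = 'ACME UK Citrix Server Policy'
$CitrixOU = 'OU=Citrix OU,DC=acme,DC=com'   # assumed DN of the Citrix OU

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Computer Configuration > Administrative Templates > System > Group Policy >
# User Group Policy loopback processing mode = Enabled, mode Replace.
# Registry-backed value UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User Configuration > Administrative Templates > Start Menu and Taskbar >
# Remove Run menu from Start Menu = Enabled (NoRun = 1).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Link to the Citrix OU only. A loopback GPO belongs where the *computer*
# accounts are; a link on a Users OU gives every user the User Configuration
# half on every machine they log on to, which is the symptom in this thread.
$alreadyLinked = (Get-GPInheritance -Target $CitrixOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $CitrixOU -LinkEnabled Yes | Out-Null
}

# List every place the GPO is linked, so a stray link elsewhere is visible.
([xml](Get-GPOReport -Name $GpoName -ReportType Xml)).GPO.LinksTo |
    Select-Object SOMName, SOMPath, Enabled
```

The final listing is the scripted form of the "is it really only linked to the Citrix OU" check; `SOMPath` shows the full path of each link target.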
 
cross posted and answered elsewhere
"Nick" wrote in message
news:5huemtF3mhb1oU1@mid.individual.net...
 
On Aug 8, 7:01 pm, "Nick" wrote:

hello nick.

From your diagram it looks as if the workstations (and below) are
inheriting the policy. Are laptops affected? Try creating another OU
in "Citrix" called Servers, then move the loopback policy link there
(move a server there to test as well).

dave
 
Nick,

You shouldn't need to link the policy to the Users OU, only to the Citrix OU.

Chris

 
Yes, any system users log in to, workstations and laptops, all have the policy
applied.




"dsbrown10" <gm362@btinternet.com> wrote in message
news:1186641252.880223.156590@o61g2000hsh.googlegroups.com...
 
As advised, I removed the link to the Users OU, did gpupdate /force and deleted the
user's profile. Logged on as the user and the GPO still applied to the PC.

When AD was first rolled out, I do remember the main person involved was
from the security team and he was hell-bent on security, and locked down
everything. It was a very difficult migration to AD. I believe something
from the root or domain level is causing the problem. How can I check if loopback
has been disabled, or another policy from the top is overwriting mine?

Thanks


"ChrisB" <ChrisB@discussions.microsoft.com> wrote in message
news:617A33B5-15A0-4DD0-8701-E0B8D9C55E33@microsoft.com...
 
Where are your user accounts and computer accounts located?

From looking at the OUs I would expect users are in the Users OU, computers
in the Computers OU and only the Citrix servers are in the Citrix OU. Is this
correct?

Can you also try running rsop.msc. This will give you a window displaying
which policy settings you have applied and tell you which policy is applying
the setting. Check which policy is making the settings you want/don't want.

Last thing to check is that the ACME UK Citrix Server Policy is definitely
only linked to the Citrix OU.

Chris

 
i. This is to confirm: users in USERS OU, servers in SERVERS OU, Citrix
servers in CITRIX OU.
ii. Thanks for the information on RSOP.MSC, very useful; never used this
before.
iii. Policy only linked to the Citrix OU.

Also, I'm using a security group in security filtering for that bit of added
safety; removed Authenticated Users.

Thanks



"ChrisB" <ChrisB@discussions.microsoft.com> wrote in message
news:58706D4C-6360-4541-8D08-15B3221D63E6@microsoft.com...
 
Nick,
Did you try the answer I gave you in the other group? I think the problem is
that you are security-filtering the loopback policy so that it does not
apply. You should put Authenticated Users (i.e. including the computers)
back on and leave the default security settings on the policy.
Anthony
http://www.airdesk.co.uk


"Anthony" <anthony.spam@spammedout.com> wrote in message
news:evGCJhe2HHA.1168@TK2MSFTNGP02.phx.gbl...
 
"Nick" wrote on 09 aug 2007 in
microsoft.public.windows.terminal_services:

> i. This is to confirm: users in USERS OU, servers in SERVERS OU,
> Citrix servers in CITRIX OU.
> ii. Thanks for the information on RSOP.MSC, very useful; never
> used this before.
> iii. Policy only linked to the Citrix OU.
>
> Also, I'm using a security group in security filtering for that
> bit of added safety; removed Authenticated Users.


And that's the culprit: when you remove Authenticated users, you have
to add the machine accounts for the Citrix Servers in the security
filtering.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Hi Vera,

Ok, can you please explain why removing Authenticated Users is the
culprit?
I removed Authenticated Users and applied a security group just to make sure
the policy only applies to users in a specific group.

I've never done this before and I want to make sure it's done correctly, so can
you please explain in a few steps how I add the machine accounts for the
Citrix servers in the security filtering. Are you saying that where I have
security filtering with the security group I should also add the Citrix servers
there? Bit confused: what do you mean by "machine accounts" for the Citrix
server? What are machine accounts?

Thanks



"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9987E7850754Dveranoesthemutforsse@207.46.248.16...
 
Computers have an account in Active Directory, exactly like users.
Your client machine accounts will probably be in the OU
"Computers", while user accounts usually are stored in the OU
"Users". Domain Controllers are in a separate OU called "Domain
Controllers", and your Citrix servers are placed in the OU called
"Citrix OU". You moved them there yourself.

The built-in group "Authenticated Users" comprises both user and
computer accounts. When you remove that group and replace it with
a security group which only contains user accounts, you have in
effect removed the permission for the *computer* to apply the
policy. That's why it doesn't work.

Go to the security filtering tab and add the computer account for
your server, just like you would do with individual user accounts
(type the name, click Check, click Add).

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"Nick" wrote on 10 aug 2007:

> Hi Vera,
>
> Ok, can you please explain why removing the authenticated users
> is the culprit?
> I removed authenticated users and applied a security group just
> make sure, the policy only applies users in a specific group.
>
> Never done this before and I want to make sure it's done
> correctly, can you please in a few steps explain how do I, add
> the machine accounts for the Citrix Servers in the security
> filtering. Are you saying where I have security filtering with
> the security group also add the Citrix servers there? Bit
> confused - what do you mean by "machine accounts" for the Citrix
> server. What are machine accounts?
>
> Thanks
>
>
>
> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns9987E7850754Dveranoesthemutforsse@207.46.248.16...
>> "Nick" wrote on 09 aug 2007 in
>> microsoft.public.windows.terminal_services:
>>
>>> i.This is to confirm - users in USERS OU, servers in SERVERS
>>> OU, Citrix servers in CITRIX OU.
>>> ii. Thanks for the information on RSOP.MSC very useful never
>>> used this before.
>>> iii. Policy only linked to the Citrix OU.
>>>
>>> Also- I'm using a security group in security filtering for
>>> that bit of added safety, moved authenticated users.
>>
>> And that's the culprit: when you remove Authenticated users,
>> you have to add the machine accounts for the Citrix Servers in
>> the security filtering.
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
 
Last edited by a moderator:
Nick,

Think Vera is right.

Are you still getting the applied settings on all machines you log on to?
This bit doesn't really make sense.

In essence what you should be doing is applying the policy to the citrix
server computer accounts not the users (you can create a new group and add
the citrix servers to this group - remember to change the object type to
include computers when searching for the accounts to add to the group, this
is the bit I tend to forget and wonder why I can't find the machines doh)
Then apply this group as the security filter (remove the sec filter you have
applied already). The policy should therefore only apply to the computer
accounts that are members of your new group.

Let me know if this doesn't make sense and I will try and clarify it.

Chris

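Vera's and Chris's advice comes down to one check: the security filter on the loopback GPO must grant Apply permission to the Citrix servers' computer accounts (either via Authenticated Users or via a group that actually contains computer objects). The PowerShell below is an added example, not from the thread; the group name is hypothetical, and it assumes the GroupPolicy and ActiveDirectory RSAT modules, which postdate this 2007 discussion.

```powershell
# Added example: verify and repair the security filtering on a loopback GPO.
# Assumes RSAT GroupPolicy + ActiveDirectory modules on a domain-joined admin box.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'ACME UK Citrix Server Policy'   # GPO name used in the thread
$GroupName = 'UK Citrix Servers'              # hypothetical group of Citrix computer accounts

# 1. Who is allowed to apply the GPO? Loopback is a Computer Configuration setting,
#    so some trustee with GpoApply must cover the Citrix servers' *computer* accounts.
#    A filter that lists only user principals is exactly the failure Nick hit.
$applyTrustees = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' }
$applyTrustees | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission |
    Format-Table -AutoSize

# 2. If a group is used as the filter, confirm it really contains computer objects
#    (Chris's "change the object type to include computers" step, checked after the fact).
$members   = Get-ADGroupMember -Identity $GroupName -Recursive
$computers = $members | Where-Object { $_.objectClass -eq 'computer' }
if (-not $computers) {
    Write-Warning "'$GroupName' has no computer members; the computer side of the GPO (and loopback) will never apply."
}
$computers | Select-Object Name, objectClass

# 3. Grant the computer group Apply permission on the GPO (GpoApply implies Read).
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply

# 4. From a Citrix server, confirm the computer is now applying the GPO; the loopback
#    mode is listed under the computer settings of the resultant set of policy.
#    gpresult /scope computer /v
```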
 
Last edited by a moderator:
ChrisB and Vera Noest - Very big thank you for all your help to resolve my
Loopback GPO issue.

As you advised I have removed security groups from security filtering and
put back Authenticated Users, removed all other links and only have one link on
the Citrix OU.

Had a few users who still had a problem in the OU they resided in; with the help
of our AD admin we fine-tuned this and it is all working as I wanted.

I had four test users in:
UK Users OU
UK Citrix OU
UK Citrix OU
I_External Users OU
US Users OU

Blocked Inheritance on:
UK Citrix OU
Citrix PS Servers OU
UK Citrix OU
I_External Users OU
___________________________________________________________________
ACME root
I
ACME.COM Domain
    I__ACME Country A
    I__ACME Country B
    I__ACME Country UK
        I__Users OU
        I__Groups OU
        I__Citrix OU
            I__Citrix PS Servers (Only Citrix Servers here & Policy Linked here)
            I__External Clients
        I__Computers OU
        I__Laptops OU
        I__Servers OU
    I__ACME Country US
        I__Users OU
        I__Groups OU
        I__Computers OU
        I__Laptops OU
        I__Servers OU

Thanks for staying with me.
Nick
 
Last edited by a moderator:
OK, I'm glad that your problem is solved, and thanks for reporting
back here, Nick!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"Nick" wrote on 13 aug 2007:
 
Last edited by a moderator: