jasongooljar4
February 5, 2019, 3:02pm
1
I was thinking about something I did the other day and realized that there might be a better way of doing it. A few months back I created some GPOs domain wide but didn’t want them to apply to a specific OU.
I tried a lot of different things but eventually found an article on loopback processing which when added to the OU allows me to then set OU specific GPOs which override the domain wide GPOs.
But I was wondering if this could’ve been done differently by using the block inheritance option? But if you do choose that option, do you then have to add the domain wide GPOs that you actually want to apply to the OU?
Or should I be using GPO security filtering instead?
4 Spice ups
dimforest
(ᴅɪᴍꜰᴏʀᴇsᴛ)
February 5, 2019, 3:16pm
2
Typically Loopback Processing is used to apply User settings to a computer object or vice versa. It shouldn’t be used as a method to override global settings - you should structure out your OUs and block inheritance or force policies accordingly.
In this case I would definitely recommend security filtering over loopback, if able.
semicolon
(semicolon)
February 5, 2019, 3:33pm
3
jasongooljar4:
But I was wondering if this could’ve been done differently by using the block inheritance option? But if you do chose that option do you then have to add the domain wide GPOs that you actually want to apply to the OU?
Or should I be using GPO security filtering instead?
As noted above, either security filtering or delegating the “deny: Apply Group Policy” permission are usually my choices. Though, in some scenarios, I may opt for a Block Inheritance, with an “enforce” on selected Domain-level GPOs that need to apply downlevel. It usually comes down to my tree structure at the time, where the affected objects are located, and how many GPOs I would have to re-link to the OU.
It's a mixed bag for me, as GPO application is not my top criterion when designing AD structures.
Sorry I have to call this out - but I’m a stickler.
One cannot apply User settings to a computer object.
One cannot apply computer settings to a user object.
Loopback policy processing allows an administrator to configure user settings for all users of an affected computer.
1 Spice up
justin1250
(Justin1250)
February 5, 2019, 4:02pm
4
jasongooljar4:
But I was wondering if this could’ve been done differently by using the block inheritance option? But if you do chose that option do you then have to add the domain wide GPOs that you actually want to apply to the OU?
Or should I be using GPO security filtering instead?
Both? Neither? It depends on what you are trying to do.
Specific settings may yield different responses. Especially where GPPs come in. You also have access to Item Level Targeting.
Typically you only use loopback for things like RDS farms and kiosks, as loopback is global to a machine. Once it is on, it is on. It can make trying to do certain things very difficult.
The main trouble with GPOs is there are many ways to skin the proverbial cat.
Pros and Cons to certain methods–
Security filtering-
Pros- Apply what you want to objects you want
Cons- You manually have to maintain groups of objects.
Inheritance blocking & enforcement -
Pros- Easy to identify in the GPMC. Allows whole OUs of objects to be excluded.
Cons- Can be very tricky if you have multiple combinations of blocks and enforcements.
Security Filtering Object Deny Delegation
Pro- Easy to exclude a group of objects
Cons- Not obvious there is a deny in place. The only place to see this deny is on the delegation tab. Manual group maintenance.
OU Structuring and Specific linking.
Pros- Easily link and identify OUs and the applied GPOs in the GPMC. Ability to specifically apply GPOs to the objects in the OU.
Con- A massive OU structure can be confusing and hard to deal with and manage.
It really comes down to what works for your environment.
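The posts above by semicolon and justin1250 list four ways to scope GPOs (security filtering, "Deny: Apply Group Policy" delegation, Block Inheritance with Enforced links, and OU linking) and note that some of them, the deny ACE in particular, are easy to miss in GPMC. The following script is an added example, not code from the thread or from any of its posters. It inventories all four mechanisms plus loopback processing across a domain so that an administrator can see at a glance why a GPO is or is not reaching an OU. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the account running it can read GPOs and OUs; the function name `Get-GpoScopingReport` and the `Mechanism`/`Where`/`Detail` output columns are my own.

```powershell
# Added example (not from the thread). Assumes the RSAT GroupPolicy and
# ActiveDirectory modules; function and column names are my own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoScopingReport {
    [CmdletBinding()]
    param(
        # Domain to inspect; defaults to the current user's DNS domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $report = [System.Collections.Generic.List[object]]::new()

    # Helper: record Block Inheritance and Enforced links for one container.
    $inspectContainer = {
        param($dn)
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        if ($inh.GpoInheritanceBlocked) {
            $report.Add([pscustomobject]@{
                Mechanism = 'BlockInheritance'
                Where     = $dn
                Detail    = 'Inheritance blocked; only Enforced links from above still apply'
            })
        }
        foreach ($link in ($inh.GpoLinks | Where-Object { $_.Enforced })) {
            $report.Add([pscustomobject]@{
                Mechanism = 'EnforcedLink'
                Where     = $dn
                Detail    = "Enforced link to '$($link.DisplayName)' (Enabled=$($link.Enabled))"
            })
        }
    }

    # 1. Block Inheritance / Enforce: check the domain root (where domain-wide
    #    GPOs are linked) and every OU. Combinations of blocks and enforces are
    #    where justin1250 warns things get tricky, so list them all.
    $root = (Get-ADDomain -Server $Domain).DistinguishedName
    & $inspectContainer $root
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -Server $Domain) {
        & $inspectContainer $ou.DistinguishedName
    }

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # 2. Security filtering and "Deny: Apply Group Policy". Both are ACEs
        #    for the GpoApply right; the deny is only visible on GPMC's
        #    Delegation tab, so surface it explicitly.
        $perms = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain
        foreach ($p in ($perms | Where-Object { $_.Permission -eq 'GpoApply' })) {
            $mech = if ($p.Denied) { 'DenyApplyGroupPolicy' } else { 'SecurityFilter' }
            $report.Add([pscustomobject]@{
                Mechanism = $mech
                Where     = $gpo.DisplayName
                Detail    = "$($p.TrusteeType) '$($p.Trustee.Name)'"
            })
        }

        # 3. Loopback processing. The "Configure user Group Policy loopback
        #    processing mode" setting writes UserPolicyMode under the System
        #    policy key: 1 = Merge, 2 = Replace. Get-GPRegistryValue throws when
        #    the value is absent, which is the normal (no loopback) case.
        try {
            $lb = Get-GPRegistryValue -Guid $gpo.Id -Domain $Domain `
                -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                -ValueName 'UserPolicyMode' -ErrorAction Stop
            $mode = switch ($lb.Value) { 1 { 'Merge' } 2 { 'Replace' } default { "Unknown($($lb.Value))" } }
            $report.Add([pscustomobject]@{
                Mechanism = 'Loopback'
                Where     = $gpo.DisplayName
                Detail    = "Loopback mode $mode; applies to every user of the linked computers"
            })
        } catch {
            # No UserPolicyMode value: loopback is not configured in this GPO.
        }
    }

    return $report
}

# Usage: run from a domain-joined admin workstation with RSAT installed.
Get-GpoScopingReport | Sort-Object Mechanism, Where | Format-Table -AutoSize
```

The report answers the thread's question from the other direction: instead of choosing a mechanism up front, it shows which ones are already in play. A `BlockInheritance` row next to `EnforcedLink` rows on the domain root tells you which domain-wide GPOs will still land in the blocked OU, and a `DenyApplyGroupPolicy` row is the only place outside the Delegation tab where that exclusion becomes visible.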
jasongooljar4
February 5, 2019, 4:07pm
5
Thanks that was very helpful. I’ll start experimenting with inheritance blocking and enforcement. We’re a really small shop.