What I am trying to set up is the ability to remove the shutdown, restart, etc. for all users who log into servers (2008/2012) to prevent any accidents as we have had already. Apparently, the gpo to remove the shutdown is a user policy and I researched that loopback is something that is necessary for it to apply to users that log into the servers. I have a fairly good understanding of group policy, but before I started group policy was non-existent so doing this from scratch is a challenge.

This is the policy I have created with the research I have done, which has not worked.

4 Spice ups

That looks fine - just make sure that the GPO is applied to the computer account OU.

I run this exact GPO in my environment without a loopback GPO. Haven’t had any issues with it at all. However, if you do need to run loopback mode, you’re using “Merge”, when you should probably just use “replace” for the policy specific to the servers. “In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege” - Per some random IT blog.

This is stolen from another post located here.

Enable the following settings:

Disable and remove links to Windows Update

Remove common program groups from Start Menu

Disable programs on Settings Menu

Remove Network & Dial-up Connections from Start Menu

Remove Search menu from Start Menu

Remove Help menu from Start Menu

Remove Run menu from Start Menu

Add Logoff to Start Menu

Disable changes to Taskbar and Start Menu Settings

Disable and remove the Shut Down command or Remove and prevent access to the Shut Down command

Cheers,

JR

1 Spice up

Then…keep in mind that the loopback setting is now on for any computer targeted by this GPO.

A common misconception is that you are enabling loopback policy processing for this particular GPO - you’re not - you’re enabling loopback policy processing for the computer. So every GPO that is applied to this computer will be looped back upon the user – not an issue if there are no user settings in any of the GPOs.

As you want the policy to apply only to particular machines, the servers, then merge should be fine.

What does your scope tab look like - specifically, the delegation pane?

I usually leave mine set to ‘authenticated users’ and then pare that down if need be later.

The delegation pane.

Except if they’ve blocked inheritance.

Also as the computer account is an authenticated user the default permissions should be fine.

Edit: have you already used RSoP to confirm which policies are applying and which one is winning any conflicts?

I checked the RSoP and I don’t even see the loopback policy hitting anything in this OU even though it is applied directly to this OU.

And you’re linking it to an OU which contains the pertinent computer objects, correct?

Can you confirm that it is applied to the OU containing the Computer object? (up to this point that has not been stated)

You may also want to delegate a “Deny: Apply Group Policy” permission to the Domain Admins security group (and maybe a few others), so that at least Domain Admins can shutdown/restart the affected computers.

1 Spice up
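The checks the replies above are asking for (is loopback actually in effect on the server, did the user-side setting land, is the link on the right OU and enabled, what does RSoP say) can be run from one of the target servers. This is an added example, not a script from the thread; the OU distinguished name and the GPO name are placeholders, and the link check assumes the GroupPolicy module (RSAT/GPMC) is installed.

```powershell
# Added example (not from the thread): run on a target server as a domain user
# with read access to the GPO. Replace the two placeholder values below.
$TargetOu = 'OU=Servers,DC=example,DC=com'   # placeholder: OU holding the computer objects
$GpoName  = 'Server - Remove Shutdown'       # placeholder: the GPO described in the thread

# 1. Is loopback processing in effect on this computer?
#    Loopback is a COMPUTER setting, so it lands in HKLM, not inside the GPO.
$loop = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
        -Name UserPolicyMode -ErrorAction SilentlyContinue
switch ($loop.UserPolicyMode) {
    1       { 'Loopback: Merge' }
    2       { 'Loopback: Replace' }
    default { 'Loopback: not applied to this computer' }
}

# 2. Did the user-side setting reach this logon session?
#    "Remove and prevent access to the Shut Down command" sets NoClose=1 here.
$exp = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
       -Name NoClose -ErrorAction SilentlyContinue
if ($exp.NoClose -eq 1) { 'Shut Down command removed for this user' }
else                    { 'NoClose not set: the user policy did not apply' }

# 3. Is the GPO linked to the OU, and is the link enabled / enforced?
#    Also report blocked inheritance, which one reply raised as a possible cause.
Import-Module GroupPolicy
$inh  = Get-GPInheritance -Target $TargetOu
$link = $inh.GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $link) { "GPO '$GpoName' is not linked to $TargetOu" }
else { "Linked: Enabled=$($link.Enabled) Enforced=$($link.Enforced) Order=$($link.Order)" }
if ($inh.GpoInheritanceBlocked) {
    'Inheritance is blocked on this OU; only links on the OU itself or enforced links apply'
}

# 4. RSoP for this logon: the HTML report lists winning GPOs and "Denied GPOs"
#    (filtered by security, WMI, or a disabled link).
gpresult /h "$env:TEMP\rsop.html" /f
"RSoP report written to $env:TEMP\rsop.html"
```

Run it once before and once after `gpupdate /force` so the loopback and NoClose values show whether the refresh changed anything.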

Yes, this policy is linked to the OU containing the objects I want it to address. Also, right now we want to remove the option for domain admins as this was the problem in the first place. Active Directory is a mess since it wasn’t utilized properly and in order to fix the issues, other permissions need to be changed to move certain users from the domain admins group.

How long have you left the policy to replicate? Or have you forced replication?

Have you tried forcing GP refresh on the servers that will use this policy?

Have you already restarted the servers that will use this policy?

I rebooted one server and also ran gpupdate /force several times to no avail.

Okay, I have it working now. I took off link enabled and re-added it then did a gpupdate /force and now the only option is disconnect. For some reason I was getting the message in the picture when link enabled was active.

From what I was reading, link enabled should always be active if you want the gpo to work right? I ask this because I was getting the error above also when trying to apply a different group policy until I removed link enabled on a particular gpo. Then, enforced is only used if you know that there is going to be a conflict with gpo settings that will override a previous setting?