Home

Proper security setting for GPO with loopback

%3CLINGO-SUB%20id%3D%22lingo-sub-1289974%22%20slang%3D%22en-US%22%3EProper%20security%20setting%20for%20GPO%20with%20loopback%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1289974%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20stuck%20at%20what%20the%20proper%20security%20settings%20should%20be%20for%20loopback%20processing%20GPOs.%20This%20is%20specifically%20applicable%20to%20terminal%20servers%20as%20many%20articles%20point%20out.%20Assume%20a%20very%20simple%20situation%20based%20on%20the%20following%20ad%20schema%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22lespo_0-1586293703332.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182919iE002C4A6C1B425F4%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22lespo_0-1586293703332.png%22%20alt%3D%22lespo_0-1586293703332.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUser%20U1%20is%20member%20of%20the%20Organisational%20Unit%20OU1%20and%20member%20of%20Security%20Group%20SG1.%20The%20Security%20Group%20SG1%20resides%20in%20Organisational%20Unit%20OU2%20(neither%20the%20same%20as%20OU1%20its%20subOU%20or%20vice%20versa).%20The%20terminal%20server%20redides%20in%20Organisation%20Unit%20OU3%20(again%2C%20neither%20the%20same%20nor%20sub%20as%20OU1%20or%20OU2).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20goal%20is%20simple%2C%20if%20any%20user%2C%20which%20is%20a%20member%20of%20SG1%2C%20logs%20to%20S1%2C%20User%20Settings%20of%20a%20particular%20GPO%20(Say%20GPO1)%20should%20merge%20into%20other%20GPOs%20applied%20to%20S1.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20initial%20assumption%20for%20Delegation%20of%20GPO1%3A%3C%2FP%3E%3CUL%3E%3CLI%3EAuthenticated%20Users%20-%20only%20read%20permission%2C%20not%20apply%20(otherwise%20this%20would%20apply%20to%20all%20other%20users%20as%20well%2C%20but%20at%20least%20read%20so%20that%20S1%20can%20actually%20read%20that%20policy)%3C%2FLI%3E%3CLI%3ESG1%20-%20Read%20and%20Apply.%3C%2FLI%3E%3C%2FUL%3E%3CP%3EBut%20this%20does%20not%20work.%20A%20test%20when%20both%20Authenticated%20Users%20as%20well%20as%20SG1%20have%20%22read%20and%20apply%22%20rights%20results%20in%20application%20of%20the%20said%20GPO.%20But%20this%20is%20not%20what%20is%20intended.%20So%20the%20question%20is%20really%20simple%2C%20how%20to%20achieve%20the%20goal%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20whole%20situation%20is%20no%20helped%20by%20erroneous%20information%20(in%20my%20world%2C%20I%20would%20call%20this%20a%20bug)%20provided%20by%20policy%20modelling%20and%20policy%20results%20wizards.%20Eg%20in%20the%20case%20when%20Authenticated%20users%20only%20have%20read%20on%20GPO1%20and%20SG1%20have%20read%20an%20apply%2C%20policy%20results%20does%20not%20report%20correctly%20the%20applied%20GPOs%3A%3C%2FP%3E%3CP%3EThis%20shows%20some%20applied%20settings%20in%20the%20GPO%20Results%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22lespo_0-1586295719486.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182930i4E24B9BD4CFB91B1%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22lespo_0-1586295719486.png%22%20alt%3D%22lespo_0-1586295719486.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EAnd%20listing%20down%20to%20Applied%20GPOs%2C%20it%20shows%20(note%20that%20NOWHERE%20in%20the%20the%20applied%20GPOs%20there%20is%20Default%20Domain%20Policy%20while%20as%20you%20can%20see%20above%2C%20it%20IS%20applied)%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22lespo_1-1586295743738.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182931i193ADD90F8DCEA1D%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22lespo_1-1586295743738.png%22%20alt%3D%22lespo_1-1586295743738.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1289974%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EGroup%20Policy%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Frequent Visitor

I am stuck at what the proper security settings should be for loopback processing GPOs. This is specifically applicable to terminal servers as many articles point out. Assume a very simple situation based on the following ad schema:

lespo_0-1586293703332.png

 

User U1 is member of the Organisational Unit OU1 and member of Security Group SG1. The Security Group SG1 resides in Organisational Unit OU2 (neither the same as OU1 its subOU or vice versa). The terminal server redides in Organisation Unit OU3 (again, neither the same nor sub as OU1 or OU2).

 

The goal is simple, if any user, which is a member of SG1, logs to S1, User Settings of a particular GPO (Say GPO1) should merge into other GPOs applied to S1.

 

My initial assumption for Delegation of GPO1:

  • Authenticated Users - only read permission, not apply (otherwise this would apply to all other users as well, but at least read so that S1 can actually read that policy)
  • SG1 - Read and Apply.

But this does not work. A test when both Authenticated Users as well as SG1 have "read and apply" rights results in application of the said GPO. But this is not what is intended. So the question is really simple, how to achieve the goal?

 

The whole situation is no helped by erroneous information (in my world, I would call this a bug) provided by policy modelling and policy results wizards. Eg in the case when Authenticated users only have read on GPO1 and SG1 have read an apply, policy results does not report correctly the applied GPOs:

This shows some applied settings in the GPO Results:

lespo_0-1586295719486.png

And listing down to Applied GPOs, it shows (note that NOWHERE in the the applied GPOs there is Default Domain Policy while as you can see above, it IS applied)

lespo_1-1586295743738.png