Loopback - Replace Policy
Everlife
Hi guys,
I have been working through the MS Press 70-640 2nd Edition book over the past month. The practice at the end of chapter 6 has you create a loopback policy with the replace option to configure some standard settings for a group of computers. You are further instructed to deny the "Apply Group Policy" permission on a domain-level GPO which applies a screensaver lock, to stop the screensaver lock from affecting the group of computers mentioned earlier.
Unfortunately, this alone is not effective in stopping the screensaver lock GPO from affecting the group of computers. After bashing my head against the wall for an hour or two, I took to Google to figure out why this was occurring. I came across a TechNet post where one of the posters linked to this Microsoft KB article (Loopback processing of Group Policy) which states "You cannot filter the user settings that are applied by denying or removing the AGP and Read rights from the computer object specified for the loopback policy."
This becomes somewhat confusing because both the book and TechNet state that using the replace option of the loopback policy will replace the User Configuration GPOs generated for the user with the User Configuration generated by the computer. Logically, by denying the group of computers access to the domain-level screensaver lock policy, you would think that policy would not apply to the users when they log into the special group of computers.
Here is the TechNet forum post I mentioned: Loopback Processing applying setting to group with deny permission
Hopefully this will save someone attempting the practice from futilely trying to get the practice working using the directions in the book.
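The behaviour described in the post, as an added example that is not part of the original post, the book or Microsoft's code: a simplified Python model of which GPOs contribute User Configuration under loopback replace, covering only the "Apply Group Policy" permission. The domain, OU, group and account names are constructed, and the assumption that the permission check for user settings is made against the user's identities follows the KB statement quoted above.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    linked_to: set                                   # containers the GPO is linked to
    deny_apply: set = field(default_factory=set)     # principals denied "Apply Group Policy"

def user_settings_gpos(gpos, user, computer, loopback_replace=True):
    """Names of GPOs whose User Configuration applies at logon (simplified model)."""
    # Replace mode builds the GPO list from the computer's position in AD,
    # not the user's.
    scope = computer["containers"] if loopback_replace else user["containers"]
    applied = []
    for gpo in gpos:
        if not gpo.linked_to & scope:
            continue
        # The Apply Group Policy check for user settings uses the user's
        # identities; the computer's group memberships are never consulted.
        if gpo.deny_apply & user["principals"]:
            continue
        applied.append(gpo.name)
    return applied

# Constructed sample environment (all names hypothetical).
COMPUTER = {"containers": {"example.test", "OU=Kiosks"},
            "principals": {"KIOSK01$", "Kiosk Computers"}}
USER = {"containers": {"example.test", "OU=Staff"},
        "principals": {"alice", "Domain Users", "Kiosk Users"}}

def scenario(denied_principal):
    """Deny Apply Group Policy on the screensaver GPO to one principal."""
    gpos = [GPO("Screensaver Lock", {"example.test"}, {denied_principal}),
            GPO("Kiosk Standard", {"OU=Kiosks"})]
    return user_settings_gpos(gpos, USER, COMPUTER)

if __name__ == "__main__":
    print(scenario("Kiosk Computers"))  # deny on the computer group, as in the book
    print(scenario("Kiosk Users"))      # deny on a group the user belongs to
```

In this model the deny entry on the computer group leaves the screensaver GPO in the user's list, which matches what the post observed; only a deny that matches one of the user's own identities removes it.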