Nick, posted August 8, 2007
Subject: Help - Loopback

Can you please help resolve a loopback issue: my policy works but doesn't do the loopback element. I only want the policy to be applied when users log in to the Terminal Server/Citrix servers OU, but the policy is also being applied to their workstations.

I have followed the recommendations from these Microsoft Knowledge Base articles:
http://support.microsoft.com/kb/231287 - Loopback processing of Group Policy
http://support.microsoft.com/kb/260370 - How to apply Group Policy objects to Terminal Services servers
http://support.microsoft.com/kb/278295 - How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session

I will create a simple loopback policy and go through this step by step; see if you can spot anything I'm doing wrong.

OK, first of all here is our domain (single domain model; I've also blocked inheritance on the Citrix OU):

ACME root
|
ACME.COM Domain
|__ ACME Country A
|__ ACME Country B
|__ ACME Country UK
|__ Users OU
|__ Groups OU
|__ Citrix OU
|__ Computers OU
|__ Laptops OU
|__ Servers OU

Users will log in to the Citrix OU and the policy will be applied to anyone in the security group "UK Users Citrix Server Policy".

Open GPMC.MSC > go to Citrix OU > right-click > Create and Link GPO Here > name the new GPO "ACME UK Citrix Server Policy" > OK.

Select the GPO > Scope > Security Filtering > add "UK Users Citrix Server Policy" and remove Authenticated Users.

Right-click policy > Edit > Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode > Enabled > Mode: Replace > OK.

User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu from Start Menu > Enabled > OK.

Go to Users OU > right-click > Link an Existing GPO > select ACME UK Citrix Server Policy > OK.

Log in to Citrix as a user who is a member of security group "UK Users Citrix Server Policy": Run command removed.

Log in to a workstation as a user who is a member of security group "UK Users Citrix Server Policy": Run command removed.

Why is the policy being applied to the workstation? I only want it applied to the Citrix OU.

Also, how is the policy to know to apply to the Citrix OU only and not to the workstation?

Many thanks for taking the time to read this and for your comments.
Anthony, posted August 8, 2007
Re: Help - Loopback

Cross-posted and answered elsewhere.

"Nick" <plsnospam@mail.co.uk> wrote in message news:5huemtF3mhb1oU1@mid.individual.net...
> Can you please help resolve a loopback issue, my policy works but doesn't
> do the loopback element. I only want the policy to be applied when users
> logs into to Terminal server/Citrix servers OU but the policy is also
> being applied to their workstation. [...]
dsbrown10, posted August 9, 2007
Re: Help - Loopback

On Aug 8, 7:01 pm, "Nick" <plsnos...@mail.co.uk> wrote:
> Can you please help resolve a loopback issue, my policy works but doesn't do
> the loopback element. I only want the policy to be applied when users logs
> into to Terminal server/Citrix servers OU but the policy is also being
> applied to their workstation. [...]

Hello Nick,

From your diagram it looks as if the workstations (and below) are inheriting the policy. Are laptops affected? Try creating another OU in "Citrix" called Servers, then move the link for the loopback policy there (move a server there to test as well).

Dave
ChrisB, posted August 9, 2007
RE: Help - Loopback

Nick,

You shouldn't need to link the policy to the Users OU, only to the Citrix OU.

Chris

"Nick" wrote:
> Can you please help resolve a loopback issue, my policy works but doesn't do
> the loopback element. I only want the policy to be applied when users logs
> into to Terminal server/Citrix servers OU but the policy is also being
> applied to their workstation. [...]
Nick, posted August 9, 2007
Re: Help - Loopback

Yes, any system users log into, workstations and laptops, all have the policy applied.

"dsbrown10" <gm362@btinternet.com> wrote in message news:1186641252.880223.156590@o61g2000hsh.googlegroups.com...
> On Aug 8, 7:01 pm, "Nick" <plsnos...@mail.co.uk> wrote:
>> Can you please help resolve a loopback issue, my policy works but doesn't
>> do the loopback element. [...]
>
> Hello Nick,
>
> From your diagram it looks as if the workstations (and below) are
> inheriting the policy. Are laptops affected? Try creating another OU
> in "Citrix" called Servers, then move the link for the loopback policy there
> (move a server there to test as well).
>
> Dave
Nick, posted August 9, 2007
Re: Help - Loopback

As advised, removed the link to the Users OU. Did gpupdate /force. Deleted the user's profile. Logged in as the user and the GPO was still applied to the PC.

When AD was first rolled out, I do remember the main person involved was from the security team and he was hell-bent on security, and locked down everything. It was a very difficult migration to AD. I believe something from the root or domain level is causing the problem. How can I check if loopback has been disabled or another policy from the top is overwriting mine?

Thanks

"ChrisB" <ChrisB@discussions.microsoft.com> wrote in message news:617A33B5-15A0-4DD0-8701-E0B8D9C55E33@microsoft.com...
> Nick,
>
> You shouldn't need to link the policy to the users OU only to the citrix
> OU.
>
> Chris
>
> "Nick" wrote:
>
>> Can you please help resolve a loopback issue, my policy works but doesn't
>> do the loopback element. [...]
ChrisB, posted August 9, 2007
Re: Help - Loopback

Where are your user accounts and computer accounts located?

From looking at the OUs I would expect users are in the Users OU, computers in the Computers OU and only the Citrix servers are in the Citrix OU. Is this correct?

Can you also try running rsop.msc. This will give you a window displaying which policy settings you have applied and tell you which policy is applying the setting. Check which policy is making the settings you want/don't want.

Last thing to check is that the ACME UK Citrix Server Policy is definitely only linked to the Citrix OU.

Chris

"Nick" wrote:
> As advised removed link to Users OU. did gpupdate /force. Deleted users
> profile. Logged as user and still applied GPO to PC.
>
> When AD was first rolled out, I do remember the main person involved was
> from the security team and he was hell bent on security, and locked down
> every thing. I was a very difficult migration to AD. I believe something
> from the root or domain level causing problem. I can I check if loopback
> has been disabled or another policy from the top overwriting mine. [...]
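As an added example, not part of the thread and not something the posters had on Windows Server 2003: a PowerShell check that reads the same locally cached state rsop.msc displays, to be run as the test user on the Citrix server and then again on a workstation. It reports whether the loopback setting reached the computer, whether the user half (NoRun) landed, and which GPOs the Registry client-side extension recorded for the computer and for the user, with the OU each link came from. It assumes a current Windows with PowerShell; the registry paths are the standard policy and Group Policy history locations.

```powershell
# Added example (not from the thread). Run as the test user in the session you are
# checking (Citrix server, then workstation). Reads only locally cached policy state.
$RegistryCse = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'   # Registry CSE = Administrative Templates

function Get-AppliedRegistryGpo {
    # GPOs recorded in the Group Policy history for the Registry CSE, in processing order.
    # HKLM = GPOs applied to the computer, HKCU = GPOs applied to the current user.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $base = "$Hive`:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\$RegistryCse"
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | Sort-Object { [int]$_.PSChildName } | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Order    = [int]$_.PSChildName
            GPO      = $p.DisplayName
            LinkedAt = $p.Link        # SOM the link came from: OU/domain/site DN, or 'Local'
            Guid     = $p.GPOName
        }
    }
}

function Get-LoopbackMode {
    # Loopback is a COMPUTER setting: absent = not configured, 1 = Merge, 2 = Replace.
    $lb = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ($lb.UserPolicyMode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
}

function Test-NoRun {
    # The user-side setting used as the test in the thread: "Remove Run menu from Start Menu".
    $run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoRun -ErrorAction SilentlyContinue
    [bool]($run.NoRun -eq 1)
}

"Loopback mode delivered to $env:COMPUTERNAME : $(Get-LoopbackMode)"
"NoRun in effect for $env:USERNAME : $(Test-NoRun)"
"`nGPOs applied to the computer (Registry CSE):"
Get-AppliedRegistryGpo -Hive HKLM | Format-Table -AutoSize
"GPOs applied to the user (Registry CSE):"
Get-AppliedRegistryGpo -Hive HKCU | Format-Table -AutoSize
```

How to read it: if the loopback mode shows "Not configured" on the Citrix server even though the GPO enables it, the computer half of the GPO was never applied, which is exactly what denying the computer account through security filtering produces, and loopback cannot be in force. With loopback Replace working, the user list on the server is made up of GPOs whose LinkedAt is the computer's own OU (the Citrix OU) rather than the Users OU. On a workstation the Citrix GPO should appear in neither list; if it is in the user list there, a link still puts it in the user's scope.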
Nick, posted August 9, 2007
Re: Help - Loopback

i. This is to confirm: users in Users OU, servers in Servers OU, Citrix servers in Citrix OU.
ii. Thanks for the information on RSOP.MSC, very useful; never used this before.
iii. Policy only linked to the Citrix OU.

Also, I'm using a security group in security filtering for that bit of added safety; removed Authenticated Users.

Thanks

"ChrisB" <ChrisB@discussions.microsoft.com> wrote in message news:58706D4C-6360-4541-8D08-15B3221D63E6@microsoft.com...
> Where are your user accounts and computer accounts located?
>
> From looking at the OU's I would expect users are in the users OU,
> Computers in the Computers OU and only the citrix servers are in the
> citrix OU. Is this correct?
>
> Can you also try running rsop.msc. This will give you a window displaying
> which policy settings you have applied and tell you which policy is
> applying the setting. Check which policy is making the settings you
> want/dont want.
>
> Last thing to check is that the ACME UK Citrix Server Policy is definatley
> only linked to the citrix OU.
>
> Chris [...]
Anthony, posted August 9, 2007
Re: Help - Loopback

Nick,

Did you try the answer I gave you in the other group? I think the problem is that you are security-filtering the loopback policy so that it does not apply. You should put Authenticated Users (i.e. including the computers) back on and leave the default security settings on the policy.

Anthony
http://www.airdesk.co.uk

"Anthony" <anthony.spam@spammedout.com> wrote in message news:evGCJhe2HHA.1168@TK2MSFTNGP02.phx.gbl...
> cross posted and answered elsewhere
> "Nick" <plsnospam@mail.co.uk> wrote in message
> news:5huemtF3mhb1oU1@mid.individual.net...
>> Can you please help resolve a loopback issue, my policy works but doesn't
>> do the loopback element. [...]
Vera Noest [MVP], posted August 9, 2007
Re: Help - Loopback

"Nick" <plsnospam@mail.co.uk> wrote on 09 aug 2007 in microsoft.public.windows.terminal_services:

> i.This is to confirm - users in USERS OU, servers in SERVERS OU,
> Citrix servers in CITRIX OU.
> ii. Thanks for the information on RSOP.MSC very useful never
> used this before.
> iii. Policy only linked to the Citrix OU.
>
> Also- I'm using a security group in security filtering for that
> bit of added safety, moved authenticated users.

And that's the culprit: when you remove Authenticated Users, you have to add the machine accounts for the Citrix servers in the security filtering.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Nick, posted August 9, 2007
Re: Help - Loopback

Hi Vera,

OK, can you please explain why removing Authenticated Users is the culprit? I removed Authenticated Users and applied a security group just to make sure the policy only applies to users in a specific group.

Never done this before and I want to make sure it's done correctly. Can you please explain in a few steps how I add the machine accounts for the Citrix servers in the security filtering? Are you saying that where I have security filtering with the security group, I should also add the Citrix servers there? Bit confused: what do you mean by "machine accounts" for the Citrix server? What are machine accounts?

Thanks

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message news:Xns9987E7850754Dveranoesthemutforsse@207.46.248.16...
> And that's the culprit: when you remove Authenticated users, you have
> to add the machine accounts for the Citrix Servers in the security
> filtering. [...]
Vera Noest [MVP], posted August 10, 2007
Re: Help - Loopback

Computers have an account in Active Directory, exactly like users. Your client machine accounts will probably be in the OU "Computers", while user accounts usually are stored in the OU "Users". Domain Controllers are in a separate OU called "Domain Controller", and your Citrix servers are placed in the OU called "Citrix OU". You moved them there yourself.

The built-in group "Authenticated Users" comprises both user and computer accounts. When you remove that group and replace it with a security group which only contains user accounts, you have in effect removed the permission for the *computer* to apply the policy. That's why it doesn't work.

Go to the security filtering tab and add the computer account for your server, just like you would do with individual user accounts (type the name, click Check, click Add).

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"Nick" <plsnospam@mail.co.uk> wrote on 10 aug 2007:

> Hi Vera,
>
> Ok, can you please explain why removing the authenticated users
> is the culprit?
> I removed authenticated users and applied a security group just
> make sure, the policy only applies users in a specific group.
>
> Never done this before and I want to make sure it's done
> correctly, can you please in a few steps explain how do I, add
> the machine accounts for the Citrix Servers in the security
> filtering. Are you saying where I have security filtering with
> the security group also add the Citrix servers there? Bit
> confused - what do you mean by "machine accounts" for the Citrix
> server. What are machine accounts?
>
> Thanks [...]
Guest ChrisB Posted August 10, 2007
Re: Help - Loopback

Nick,

Think Vera is right.

Are you still getting the applied settings on all machines you log on to? This bit doesn't really make sense.

In essence, what you should be doing is applying the policy to the Citrix server computer accounts, not the users (you can create a new group and add the Citrix servers to this group - remember to change the object type to include computers when searching for the accounts to add to the group; this is the bit I tend to forget and wonder why I can't find the machines, doh). Then apply this group as the security filter (remove the sec filter you have applied already). The policy should therefore only apply to the computer accounts that are members of your new group.

Let me know if this doesn't make sense and I will try and clarify it.

Chris

"Nick" wrote:
> Hi Vera,
>
> Ok, can you please explain why removing the authenticated users is the
> culprit?
> I removed authenticated users and applied a security group just to make
> sure the policy only applies to users in a specific group.
>
> Never done this before and I want to make sure it's done correctly, can you
> please in a few steps explain how I add the machine accounts for the
> Citrix Servers in the security filtering. Are you saying where I have
> security filtering with the security group also add the Citrix servers
> there? Bit confused - what do you mean by "machine accounts" for the Citrix
> server. What are machine accounts?
>
> Thanks
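The point Vera and Chris make above is that loopback is a computer-side setting, so the GPO's security filtering must let the server's computer account (directly, through a group of computer accounts, or through Authenticated Users) apply the policy. The script below is an added example, not from the thread or from any of the posters: it audits who can apply the GPO named in the thread and grants Apply to a group of server computer accounts. It assumes the GroupPolicy PowerShell module (RSAT / Windows Server 2008 R2 or later) and a group named "Citrix Servers" holding the server computer accounts; both the module and the group name are assumptions.

```powershell
# Added example: audit and fix the security filtering of a loopback GPO so the
# Terminal Server / Citrix server computer accounts can apply it.
# Assumptions: GroupPolicy module is available; "Citrix Servers" is a global
# security group (assumed name) containing the server computer accounts.
Import-Module GroupPolicy

$GpoName     = 'ACME UK Citrix Server Policy'   # GPO name used in the thread
$ServerGroup = 'Citrix Servers'                 # assumed group of computer accounts

# Who currently has "Apply Group Policy" (GpoApply) on the GPO?
$applyAces = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }

"Trustees with Apply Group Policy on '$GpoName':"
$applyAces | ForEach-Object { "  {0} ({1})" -f $_.Trustee.Name, $_.TrusteeType }

# Loopback only takes effect if a computer can apply the GPO. A group trustee
# may or may not contain computers, so it is reported for manual checking.
$computerCanApply = $applyAces | Where-Object {
    $_.Trustee.Name -eq 'Authenticated Users' -or $_.TrusteeType -eq 'Computer'
}
$groupTrustees = $applyAces | Where-Object { $_.TrusteeType -eq 'Group' }

if (-not $computerCanApply) {
    Write-Warning "No computer account (or Authenticated Users) can apply '$GpoName'."
    if ($groupTrustees) {
        Write-Warning ("Check that these groups contain the server computer accounts: " +
            (($groupTrustees | ForEach-Object { $_.Trustee.Name }) -join ', '))
    }
}

# Grant Apply to the group that holds the Citrix server computer accounts.
Set-GPPermission -Name $GpoName -TargetName $ServerGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Keep at least Read for computer accounts even when Apply is restricted: since
# MS16-072 (2016) user settings are retrieved in the computer's security
# context, so removing Read for computers breaks user-side processing too.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Verify afterwards on the server with RSoP (as suggested earlier in the thread):
#   gpresult /r /scope computer
```

Run it from a management workstation with rights to edit the GPO; the final Set-GPPermission on Domain Computers does not lower an existing higher permission level.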
Guest Nick Posted August 13, 2007
Re: Help - Loopback

ChrisB and Vera Noest - Very big thank you for all your help to resolve my Loopback GPO issue.

As you advised I have removed security groups from security filtering and put back Authenticated Users, removed all other links and only have one link on the Citrix OU.

Had a few users who still had a problem in the OU they resided in; with help of our AD admin we fine tuned this and all is working as I wanted.

I had four test users in:
  UK Users OU
  UK Citrix OU
  UK Citrix OU
    I_External Users OU
  US Users OU

Blocked Inheritance on:
  UK Citrix OU
    Citrix PS Servers OU
  UK Citrix OU
    I_External Users OU

___________________________________________________________________
ACME root
I
ACME.COM Domain
I__ACME Country A
I__ACME Country B
I__ACME Country UK
    I__Users OU
    I__Groups OU
    I__Citrix OU
        I__Citrix PS Servers (Only Citrix Servers here & Policy Linked here)
        I__External Clients
    I__Computers OU
    I__Laptops OU
    I__Servers OU
I__ACME Country US
    I__Users OU
    I__Groups OU
    I__Computers OU
    I__Laptops OU
    I__Servers OU

Thanks for staying with me.
Nick

"ChrisB" <ChrisB@discussions.microsoft.com> wrote in message news:4D02C4F5-B980-4397-87B2-B02B35E3A004@microsoft.com...
> Nick,
>
> Think Vera is right.
>
> Are you still getting the applied settings on all machines you log on to?
> This bit doesn't really make sense.
>
> In essence what you should be doing is applying the policy to the citrix
> server computer accounts not the users (you can create a new group and add
> the citrix servers to this group - remember to change the object type to
> include computers when searching for the accounts to add to the group, this
> is the bit I tend to forget and wonder why I can't find the machines doh)
> Then apply this group as the security filter (remove the sec filter you have
> applied already) The policy should therefore only apply to the computer
> accounts that are members of your new group.
>
> Let me know if this doesn't make sense and I will try and clarify it.
>
> Chris
Guest Vera Noest [MVP] Posted August 13, 2007
Re: Help - Loopback

OK, I'm glad that your problem is solved, and thanks for reporting back here, Nick!

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"Nick" <plsnospam@mail.co.uk> wrote on 13 aug 2007:
> ChrisB and Vera Noest - Very big thank you for all your help to
> resolve my Loopback GPO issue.
>
> As you advised I have removed security groups from security
> filtering and put back authenticated users, removed all other links
> and only have one link on the Citrix OU.
>
> Had a few users who still had a problem in the OU they resided
> in, with help of our AD admin we fine tuned this and all working
> as I wanted.
>
> I had four test users in:
>   UK Users OU
>   UK Citrix OU
>   UK Citrix OU
>     I_External Users OU
>   US Users OU
>
> Blocked Inheritance on:
>   UK Citrix OU
>     Citrix PS Servers OU
>   UK Citrix OU
>     I_External Users OU
> ___________________________________________________________________
> ACME root
> I
> ACME.COM Domain
> I__ACME Country A
> I__ACME Country B
> I__ACME Country UK
>     I__Users OU
>     I__Groups OU
>     I__Citrix OU
>         I__Citrix PS Servers (Only Citrix Servers here & Policy Linked here)
>         I__External Clients
>     I__Computers OU
>     I__Laptops OU
>     I__Servers OU
> I__ACME Country US
>     I__Users OU
>     I__Groups OU
>     I__Computers OU
>     I__Laptops OU
>     I__Servers OU
>
> Thanks for staying with me.
> Nick