Loopback policies - Domain admins ??


Chris

Hi,

We use loopback policies on the laptops within our
company, so that we can have the laptops less locked down
than the desktops within the company. Basically the
loopback policy forces alternate user settings on the
computer as opposed to the user that logs in.

This works well, but it also locks down the Domain Admins
which I'd like to stop happening. It can be a hassle
trying to administrate them if you're locked down to the
same extent as your users.

Does anybody know how to stop the loopback affecting
Domain Admins?

Chris
 
You have to filter the scope of Group Policy according to security group
membership:

1. Open the Group Policy object whose scope you want to filter.
2. In the console tree, right-click the icon or name of the Group Policy
object, and then click Properties.
3. Click the Security tab, and then click the security group through
which you want to filter this Group Policy object. If you want to change the
list of security groups through which to filter this Group Policy object,
use the Add and Remove buttons to add or remove security groups.
4. In the Permissions box for the selected security group, select or
clear the appropriate check boxes to set permissions as shown in the
following table, and then click OK.

I recommend you deny apply policy for the Domain Admins group.

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
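
The same security filtering can be scripted. The following is an added example, not code from any poster in this thread: it adds a Deny ACE for the "Apply Group Policy" extended right to the GPO's directory object and leaves Read untouched. It assumes a management host with the ActiveDirectory and GroupPolicy RSAT modules; the GPO name is a hypothetical placeholder.

```powershell
# Added example: deny "Apply Group Policy" on one GPO for Domain Admins.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules are installed.
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'Laptop Loopback Settings'   # hypothetical GPO name; use your own
$GroupName = 'Domain Admins'

# GUID of the "Apply Group Policy" extended right.
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# The GPO's directory object lives under CN=Policies,CN=System in its domain.
$domainDn = (Get-ADDomain -Identity $gpo.DomainName).DistinguishedName
$gpoGuid  = $gpo.Id.ToString('B')          # braces included, e.g. {xxxxxxxx-...}
$path     = "AD:\CN=$gpoGuid,CN=Policies,CN=System,$domainDn"

$acl = Get-Acl -Path $path

# Look for an explicit Deny ACE for this right and group, so reruns are no-ops.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType -eq $ApplyGpoRight -and
    $_.IdentityReference.Value -eq $group.SID.Value
}

if (-not $existing) {
    # Deny only the Apply right; Read stays, so admins can still view and edit the GPO.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGpoRight)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Show every Deny ACE on the Apply right so the change can be reviewed.
(Get-Acl -Path $path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ApplyGpoRight } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

After the next policy refresh, running `gpresult /r /scope user` as a Domain Admins member on one of the laptops shows whether the GPO was filtered out for that user.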
 
Chris, I am not 100% sure if this will work. The Loopback is for the
computer account, not the user account. So, setting permissions for the
group of users won't affect the application of the GPO that is applying to a
user. If this does work, let me know for certain. I have not tested it, but
based on how GPOs apply, it might not give the desired results.

I honestly can't think of a way to get around this. Maybe have the admins
log on with a local account?
 
Derek, I'm pretty 100% sure this is going to work; I did this on a terminal
server last week.

Take care, are you an AD MVP?

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
 
Chris,

I will have to check it out myself then. Learning new tricks is great!

Yeah, I am a Server 2000 - AD MVP.
 
The reason that filtering by using ACLs does work with
loopback, is because the whole idea of loopback is so the
User configuration applies even to users who are outside
of the container that the policy applies to.
Regardless of whether they are part of that container,
choosing Deny for the Admins does keep the User
configuration from applying. In other words, loopback
causes the GPO to ignore who is in the container, but no
object is immune from ACLs. Obviously, the Computer
configuration still applies since the ACLs on the user
object don't affect that part.
 
This solution worked perfectly!

Saved a lot of hassle with administration as we were
having to either log in locally, or spend half our time
mapping drives using cmd scripts and the like to get to
network shares.

-----Original Message-----
Chris,

I will have to check it out myself then. Learning new tricks is great!

Yeah, I am a Server 2000 - AD MVP.

--
Derek Melber

Chriss3 said:
Derek, I'm pretty 100% sure this is going to work; I did this on a terminal
server last week.

Take care, are you an AD MVP?

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1