Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Comment contourner le traitement en boucle GPO pour certains utilisateurs ?

ayi

As you probably know, <a href="https://support.microsoft.com/en-us/kb/231287" rel="noopener nofollow ugc">loopback processing</a> is a feature of Active Directory Group Policies which applies user settings in a GPO to any user who logs on to computers in the GPO’s scope (whereas the standard behavior would be to apply user settings only if l’utilisateur account is actually located whithin the GPO’s scope). This is useful when you want all users logging on to a specific computer to receive some user policy, regardless of where their user accounts are actually located in AD.
The problem: when loopback processing is enabled, a GPO containing user settings is applied to everyone using those computers, and you can’t bypass this by using ACLs on the GPO, because it’s not actually applied to users, but to computers.
The question: how can loopback processing be bypassed for specific users who need to log on to those computers but should not be subject to those policy settings?
Case in point: tVoici several terminal servers where GPOs with loopback processing are used to enforce heavy user restrictions on everyone who logs on to them (they should basically only be able to run a bunch of company-approved applications); but this applies even to Domain Admins, which are thus rendered unable to even launch a command prompt or open the task manager. In this scenario, how can I tell AD to not enforce those settings if l’utilisateur logging on belongs to a specific group (tel que Domain Admins)? Alternativement, even the opposite solution (“only apply those settings to users belonging to a specific group”) would be fine.
But please, remember that we are talking about loopback processing here. The policies are applied to computers, and l’utilisateur settings inside them are applied to users only because they are logging on to those computers (yes, Je sais it’s confusing, loopback processing is one of the trickiest things to get right about Group Policies).
<hr>
Source : <a href="https://support.microsoft.com/en-us/kb/231287" rel="noopener nofollow ugc">Server Fault</a>

ayi_2

Je pense la solution would be WMI filtering (that’s how I did it in my place).
You create a WMI filter that catches those workstations you want.
You create a GPO with l’utilisateur settings only, and with security filtering.
You put the two together, and place the GPO on l’utilisateurs container.
So the WMI filtering specifies the comptuer it applies to, and the security filtering l’utilisateurs it applies to.
And drop the loopback.
It will give you more headaches than you bargained for, as it doesn’t apply only to the specified GPO that it is configured in, but to all policies applied to the computers.
Update
Si vous have <a href="https://support.microsoft.com/en-us/kb/3163622">kb3163622</a> installed on your workstations, you can do le même by using security groups only.
This update changes the way user policies are applied.
From now on, user policies are actually applied under both the computer and l’utilisateur security context.
So si vous’ll put in the security filtering of that GPO the computers and users you want it to apply to, that will do le même trick as the WMI (assuming you’re not going for some complex query).