Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Comment contourner le traitement en boucle GPO pour certains utilisateurs ?

ayi

As you probably know, loopback processing is a feature of Active Directory Group Policies which applies user settings in a GPO to any user who logs on to computers in the GPO's scope (whereas the standard behavior would be to apply user settings only if the user account is actually located whithin the GPO's scope). This is useful when you want all users logging on to a specific computer to receive some user policy, regardless of where their user accounts are actually located in AD.

The problem: when loopback processing is enabled, a GPO containing user settings is applied to everyone using those computers, and you can't bypass this by using ACLs on the GPO, because it's not actually applied to users, but to computers.

The question: how can loopback processing be bypassed for specific users who need to log on to those computers but should not be subject to those policy settings?

Case in point: there are several terminal servers where GPOs with loopback processing are used to enforce heavy user restrictions on everyone who logs on to them (they should basically only be able to run a bunch of company-approved applications); but this applies even to Domain Admins, which are thus rendered unable to even launch a command prompt or open the task manager. In this scenario, how can I tell AD to not enforce those settings if the user logging on belongs to a specific group (such as Domain Admins)? Alternatively, even the opposite solution ("only apply those settings to users belonging to a specific group") would be fine.

But please, remember that we are talking about loopback processing here. The policies are applied to computers, and the user settings inside them are applied to users only because they are logging on to those computers (yes, I know it's confusing, loopback processing is one of the trickiest things to get right about Group Policies).

ayi

I think the solution would be WMI filtering (that's how I did it in my place).

You create a WMI filter that catches those workstations you want.

You create a GPO with the user settings only, and with security filtering.

You put the two together, and place the GPO on the users container.

So the WMI filtering specifies the comptuer it applies to, and the security filtering the users it applies to.

And drop the loopback.

It will give you more headaches than you bargained for, as it doesn't apply only to the specified GPO that it is configured in, but to all policies applied to the computers.

Update

If you have kb3163622 installed on your workstations, you can do the same by using security groups only.

This update changes the way user policies are applied.

From now on, user policies are actually applied under both the computer and the user security context.

So if you'll put in the security filtering of that GPO the computers and users you want it to apply to, that will do the same trick as the WMI (assuming you're not going for some complex query).