Jan 13, 2010

Apply User Config GPO to Computer only OU

Filed under: Technical — admin @ 5:11 pm

So I wanted to add a login script to some servers that runs bginfo.exe, so that we can see what server we are on when we remote desktop, along with other useful info. This is tricky, because a “logon script” is a user configuration setting, not a computer configuration setting, and we’re applying this GPO to computers in AD, not users. If we applied it to users, it would run on every machine the user logged into, and this is not desired.

Filtered out

So I created my GPO and copied the login script to the right folder structure (\\domain.com\sysvol\domain.com\Policies\GPO GUID\Users\Scripts\Logon). I linked the GPO to my “domain controllers” OU in AD and then logged into one of the DCs remotely. No bginfo, dammit. So I pulled up a command prompt and entered “gpresult” to see my effective group policy, and I could see that my new GPO was not being applied because it was being filtered out! I double-checked the GPO, and Authenticated Users was set up under the Security Filtering section. What gives?

Enter Group Policy Loopback Processing

So in order to apply user configuration to computer objects in AD, you must turn on loopback processing, according to the article found at http://support.microsoft.com/kb/231287. The thing is, on which GPO do we add this? I tried adding it to my BGInfo policy, to no avail. Why? Because the policy was NOT being applied to the computers in question! I know that the domain controllers use the Default Domain Controller policy by default, so I added the Loopback Processing setting there (using merge rather than replace), and lo and behold, when I performed a “gpupdate /force” and re-ran “gpresult”, the BGInfo GPO was being processed and the logon script was working! When adding the loopback processing setting, do so on a GPO that is already active for the machine. I also linked the GPO to my servers OU, so I had to edit my GPO Local Machine Admins policy.

This MS article on TechNet describes the same thing as the support site, but at the end they mention:

“If loopback is desired and it appears that it is not being applied, first verify the loopback policy setting (which is a computer configuration policy) has been applied to the computer through an appropriate GPO.”

http://technet.microsoft.com/en-us/library/cc778618%28WS.10%29.aspx
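
A quick check for the situation described above, as an added example that is not part of the original post: it reads the loopback mode that computer policy wrote to the registry and reports whether a GPO is listed as applied or filtered out in the user scope. Assumptions: the GPO's display name is BGInfo, gpresult prints English section headings, and the /r switch is available (Server 2008 and later).

```powershell
# Added example, not from the original post.
param(
    # Assumption: display name of the GPO that carries the logon script.
    [string]$GpoName = 'BGInfo'
)

# Loopback is a computer configuration policy. Once a GPO that sets it has been
# applied to this machine, the mode is stored as UserPolicyMode:
#   1 = Merge, 2 = Replace, value absent = loopback not configured.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode

$loopback = switch ($mode) {
    1       { 'Merge' }
    2       { 'Replace' }
    default { 'Not configured' }
}

# Summary RSoP for the logged-on user, user configuration only.
$report = & gpresult.exe /r /scope user 2>&1 | ForEach-Object { "$_" }

# Walk the report and remember which section each GPO name appears in.
# The heading strings below assume an English-language system.
$section = 'None'
$state   = 'Not listed'
foreach ($line in $report) {
    if ($line -match 'Applied Group Policy Objects')                    { $section = 'Applied';  continue }
    if ($line -match 'were not applied because they were filtered out') { $section = 'Filtered'; continue }
    if ($line -match 'security groups')                                 { $section = 'None';     continue }
    if ($section -ne 'None' -and $line.Trim() -eq $GpoName)             { $state = $section }
}

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    LoopbackMode = $loopback
    Gpo          = $GpoName
    UserScope    = $state
}

if ($loopback -eq 'Not configured') {
    Write-Warning 'Loopback is not set on this computer. Enable it in a GPO that already applies to the computer object, then run gpupdate /force.'
}
```

A result of LoopbackMode "Not configured" together with UserScope "Filtered" or "Not listed" matches the symptom in this post: the user-side GPO cannot apply until a computer-side GPO delivers the loopback setting.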
