Wednesday, June 27, 2012

Preventing Active Directory user and computer policies being applied to a server object with block inheritance and loopback policies in replace mode

One of the most frequent issues I’ve had with Microsoft terminal and Citrix XenApp servers is preventing Active Directory user and computer policies from being applied to these servers.  The computer policies are easy enough to block with the Block Inheritance feature within the Group Policy Management Console but blocking user policies isn’t as straight forward and since I’ve been asked enough times on how to do it and how it works, this post will serve as something I can point other colleagues to reference. 

**Note that I don’t have any screenshots with servers as examples so I’m going to use workstation computer objects instead.

The following screenshot shows the OU named Bunch of User Policies followed with a sub OU named Prevent User Policies.  There is also an account named CCS Admin in the Bunch of User Policies OU:

image

The idea here is that the OU named Bunch of User Policies has various user and computer policies applied to it as shown in the following:

  • Office 2010 <— User policy
  • Office 2010 Customizations <— User policy
  • View Client Customizations <— User and Computer policy

image

Executing gpresult on the Windows 7 desktop in the OU named Prevent User Policies will show that following user policies are applied to the CCS Admin account:

  • Office 2010 <— User policy
  • Office 2010 Customizations <— User policy
  • View Client Customizations <— User and Computer policy
  • Default Domain Policy
  • Local Group Policy

image

Blocking Computer Policies

The computer policy View Client Customizations is easy enough to block by using the Block Inheritance feature on the OU named Prevent User Policies (sorry about the name, this should have been named Prevent User and Computer Policies) and moving the computer object CCSAdmin into the OU:

image

image

image

image

Note how a gpresult now shows that only the:

  • Local Group Policy

… is applied:

image

Blocking User Policies

With the computer policies blocked, the next step is to block out the user specific policies as shown from the gpresult:

  • Office 2010 <— User policy
  • Office 2010 Customizations <— User policy
  • View Client Customizations <— User and Computer policy
  • Default Domain Policy
  • Local Group Policy

image

What we need to do is to create a new GPO loopback policy and configure it in replace mode then apply it to the OU containing the computer object that you do not want user policies applied to:

image

image

Navigate to Computer Configuration –> Administrative Templates –> System –> Group Policy –> User Group Policy loopback processing mode:

image

Enable the policy and set the Mode to Replace:

image

image

image

With the loopback policy applied, a gpresult will show the following:

Computer Settings

  • Loopback Replace Mode
  • Local Group Policy

image

User Settings

  • Local Group Policy

image

Notice how we have successfully removed both the computer and user policies from this computer object for any user that logs in.  One of the other questions that come up quite often is how we can block user logon scripts configured in the Active Directory account’s Profile tab and unfortunately, there is no easy way to do this with policies.  The only alternative I know of is to actually modify the logon script to check what computer object the user is logging onto and then filter it.

No comments: