Loopback Group Policy with Security Filtering

Loopback Group Policies are very useful because they let you apply a specific user policy when users log on to specified computers (Remote Desktop servers in my case).

But there are two settings you should take care of, or it will not work:

1. Enable “User Group Policy loopback processing”

Create a new OU for the remote desktop server(s) to which the special user policy should be applied. After you have moved the server(s) into this OU, create a new policy and link it to the new OU.

Edit the new policy and go to:
Computer Configuration >> Policies >> Administrative Templates >> System >> Group Policy

Now, enable “User Group Policy loopback processing mode” and choose “Merge” as the mode. If you want to completely replace the user's policy, you can use “Replace”, but for most cases, “Merge” should be fine.

2. Adjust Security Filtering

If you leave the default “Authenticated Users” for security filtering, you will run into the problem that the user policy is applied to Administrator users too. And that’s definitely not what we want to happen.

Because I have a group for all remote desktop users anyway, I replaced the “Authenticated Users” with my remote desktop users group. But then the policy wasn’t applied anymore…

In this case you also have to add the remote desktop server (or a group with all RDSs) to the “Security Filtering” list to give them permission to access the policy. That's because the policy is initially a computer policy, and not a user policy.
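Both steps above can also be scripted with the GroupPolicy PowerShell module and then checked. This is an added example, not part of the original post; the GPO name, OU path and group names are placeholders to replace with your own.

```powershell
# Added example: every name below is a placeholder, not a value from the post.
Import-Module GroupPolicy

$GpoName   = 'RDS User Policy (loopback)'        # hypothetical GPO name
$RdsOu     = 'OU=RDS Servers,DC=example,DC=com'  # hypothetical OU holding the RD servers
$UserGroup = 'RDS-Users'                         # hypothetical remote desktop users group
$HostGroup = 'RDS-Servers'                       # hypothetical group of RD server computer accounts

# Step 1: create the GPO, link it to the OU and enable loopback processing.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $RdsOu | Out-Null

# Registry value behind "User Group Policy loopback processing mode":
# 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Step 2: security filtering. The user group AND the servers get Apply,
# and "Authenticated Users" is taken off the list.
foreach ($group in $UserGroup, $HostGroup) {
    Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Check: list the resulting trustees and warn about the two failure modes
# described above (administrators caught by the policy, or policy not applied).
$perms = Get-GPPermission -Name $GpoName -All
$perms | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

$applies = $perms | Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

if ($applies -contains 'Authenticated Users') {
    Write-Warning 'Authenticated Users can still apply the GPO: administrators will get the user policy too.'
}
foreach ($required in $UserGroup, $HostGroup) {
    if ($applies -notcontains $required) {
        Write-Warning "$required has no Apply permission: the policy will not be applied."
    }
}
```

Running `gpresult /r` in a user session on one of the servers shows whether the GPO was applied or filtered out.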
