Loopback replace mode

Simon Geary

My situation is this:
Windows 2000 domain with a GPO set at the domain level. No override is
enabled on this policy.
One of the settings in the domain level policy allows Authenticated Users to
shut down the system.
For one of the OUs that holds some Citrix servers, I want to change this so
that only Domain Admins can shut down servers in that OU.

My plan is this:
On the OU, enable loopback replace mode with a setting that only Domain
Admins can shut down servers.

Will this work? The end result I want is for only Domain Admins to be able
to shut down the servers in that OU. I believe that the replace mode will
remove Authenticated Users' rights to shut down the servers but am not so
sure because of the no override setting on the domain level policy.
 
Mark Renoden [MSFT]

Hi Simon

User Rights Assignment takes place in the computer configuration section of
the GPO. Based on this, loopback shouldn't be required (I would have
thought anyway). From the Windows Server 2003 help:

For security settings which are defined by more than one policy, the
following order of precedence, from highest to lowest, is observed:

Organizational Unit Policy
Domain Policy
Site Policy
Local computer Policy

For example, a workstation that is joined to a domain will have its local
security settings overridden by the domain policy wherever there is a
conflict. Likewise, if the same workstation is a member of an Organizational
Unit, the settings applied from the Organizational Unit's policy will
override both the domain and local settings. If the workstation is a member
of more than one Organizational Unit, then the Organizational Unit that
immediately contains the workstation has the highest order of precedence.

Based on this, the OU settings should win.

The only problem comes from the "No override". My guess would be that this
prevents you from successfully setting the User Rights at the OU level. I'm
only unsure because I've only ever had to worry about it for Administrative
Template policy bits in the past but common sense says it would work the
same.

You might be better to either turn off "No override" or separate the
shutdown setting from the existing domain level policy, create a new GPO
that sets shutdown at the domain level and don't set "No override" for this
new GPO.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Roger Abell [MVP]

It will not fly. No override mean just that.

You need to either filter the application of the GPO linked to
the domain with no override so that it does not apply to the
Citrix servers (and then replace its desired settings in some
way, such as by linking the same GPO, without no override, at
a low priority directly on the OU of the Citrix servers), and then
provide a policy that provides the desired setting for the
shutdown user right.

Alternatively, you could look into factoring apart that domain
linked and enforced GPO into parts that are still set for no
override and another that is not (which contains the shutdown
setting). Then you could simply link an overriding GPO onto
the OU of the Citrix servers.

The user right to shut down the system is a computer policy.
As such loopback processing will have nothing to do with it,
whether in replace or merge mode.
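The precedence rules the two replies rely on, as an added example that is not part of the thread and not Microsoft's code: non-enforced links are applied Local, Site, Domain, OU (parent before child) and the last one applied wins; links marked Enforced ("No override" in Windows 2000 terms) are applied after all others and in reverse order, so an enforced domain link beats anything linked to an OU beneath it. The model covers only the computer-configuration setting "Shut down the system", which is why loopback never enters into it; security filtering and Block Inheritance are not modelled, and the GPO names "Citrix Shutdown" and "Shutdown Right" are made up for the example.

```python
"""Group Policy precedence model for one computer-configuration setting.

Added example, not from the thread.  Assumes the LSDOU order quoted in the
thread and that Enforced links are applied last, in reverse hierarchy order.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Order in which non-enforced links are applied; later applied = wins.
SCOPE_RANK = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass(frozen=True)
class Link:
    gpo: str                       # GPO display name (hypothetical)
    scope: str                     # local | site | domain | ou
    depth: int = 0                 # OU nesting depth; 1 = direct child of domain
    link_order: int = 1            # per-container link order; 1 is applied last
    enforced: bool = False         # "No override" / Enforced on the link
    shutdown: Optional[FrozenSet[str]] = None  # right holders; None = not configured


def processing_order(links: Iterable[Link]) -> List[Link]:
    """Return the links in the order the policy engine applies them."""
    def key(l: Link):
        # Bigger key = applied later = wins.  Within one container the
        # lowest link order is applied last, hence the negation.
        return (SCOPE_RANK[l.scope], l.depth, -l.link_order)
    normal = sorted((l for l in links if not l.enforced), key=key)
    # Enforced links come after everything else and in reverse order, so
    # an enforced domain link is applied after an enforced OU link.
    enforced = sorted((l for l in links if l.enforced), key=key, reverse=True)
    return normal + enforced


def resolve_shutdown_right(
    links: Iterable[Link],
) -> Tuple[Optional[FrozenSet[str]], Optional[str]]:
    """Effective holders of the shutdown right and the GPO that set them."""
    value, source = None, None
    for l in processing_order(links):
        if l.shutdown is not None:     # "not configured" never overwrites
            value, source = l.shutdown, l.gpo
    return value, source


AUTH_USERS = frozenset({"Authenticated Users"})
DOMAIN_ADMINS = frozenset({"Domain Admins"})


def scenario_as_asked():
    """Original plan: enforced domain GPO grants Authenticated Users, OU GPO tries Domain Admins."""
    links = [
        Link("Default Domain Policy", "domain", enforced=True, shutdown=AUTH_USERS),
        Link("Citrix Shutdown", "ou", depth=1, shutdown=DOMAIN_ADMINS),
    ]
    return resolve_shutdown_right(links)


def scenario_split_gpo():
    """The fix suggested above: move the right into a separate, non-enforced domain GPO."""
    links = [
        Link("Default Domain Policy", "domain", link_order=1, enforced=True, shutdown=None),
        Link("Shutdown Right", "domain", link_order=2, shutdown=AUTH_USERS),
        Link("Citrix Shutdown", "ou", depth=1, shutdown=DOMAIN_ADMINS),
    ]
    return resolve_shutdown_right(links)


if __name__ == "__main__":
    print("as asked  :", scenario_as_asked())
    print("split GPO :", scenario_split_gpo())
```

Running it shows the enforced domain link winning in the first scenario (Authenticated Users keep the right) and the OU link winning once the setting lives in a non-enforced domain GPO (only Domain Admins hold it). The same function also shows that an enforced OU link still loses to an enforced domain link, which is why "factoring apart" the enforced GPO, rather than enforcing the OU link too, is the fix.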
 
Simon Geary

Thanks both. I will go with the suggestion of creating a new GPO with just
that one setting and then not setting no override on it. There was me trying
to find a fancy solution and the really obvious one never even occurred!