#155239 - 2006-01-13 01:14 PM OT: Which accounts are used to apply computer policies?
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
I've got a problem with computer policies, and I think it's down to permissions - any help from AD Gurus would be appreciated.

It's a slightly complex scenario.

My users may log in either via a standard desktop, or via Citrix (Terminal Server). When they log into the Citrix environment and run a published application their rights have to be restricted. To achieve this, the servers in the Citrix OU have GPO "loopback" processing enabled, which causes the USER policies in the computer OU to be applied.

To ensure that administrative accounts did not get the restrictions, I applied security settings so that domain administrators did not get the policy applied.

So far so good. Unfortunately some local admin account *did* get the restrictions, and this caused a problem.

I disabled the policy for local admin accounts and this appeared to be fine.

The problem that I have now is that I'm no longer getting computer policies applied. I'm assuming that these are applied by a local admin account or an account in the local administrators group, but I'm not sure and Googling/MSDNing hasn't turned anything up yet.

Does anyone know what account applies the computer policies? Is it the computer account? If so is the account in a local admin group?

The quick fix that I am going to try is to split the policy into separate computer and user policies, but I'd really like to know the cause as I've been trying to keep the number of policies which need to be applied to an absolute minimum.

#155240 - 2006-01-13 02:58 PM Re: OT: Which accounts are used to apply computer policies?
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
I don't know for certain, but I would venture a guess and say that once the computer receives the policy it is processed by the local system account.
#155241 - 2006-01-13 03:11 PM Re: OT: Which accounts are used to apply computer policies?
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Not so sure about local accounts. I do create DGGs with computer accounts as members and apply the deny ACE to policies and it seems to work for me. You really need to be careful though and make sure the computer has rebooted or else the deny ACE will not apply and the computer will get the policy.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#155242 - 2006-01-13 04:19 PM Re: OT: Which accounts are used to apply computer policies?
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Thanks for the responses.

I've split the policy into separate COMPUTER and USER policies and applied the security to only the USER policy, so this has got me out of my immediate problem.

If anyone reading this post does know the answer please update the thread - I'd like to know for future planning. A pointer to some relevant documentation would be even better.

#155243 - 2006-01-13 04:49 PM Re: OT: Which accounts are used to apply computer policies?
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
http://www.samspublishing.com/content/images/0789728494/webresources/A010601.html

Quote:

Group Policy Processing

Administrators define the scope of a Group Policy by linking it to certain objects in Active Directory. The scope determines which objects are affected by the particular Group Policy. Group Policies can be linked to sites, domains, and organizational units (OUs). Any object within the scope of where the object is linked is potentially affected by the Group Policy. For example, by linking a Group Policy at the domain level, all objects (users and computers) in that domain potentially get the settings configured in that Group Policy.

Group Policies are processed in a very specific order. The order in which the policies are processed determines the net effect of all the policies on the computer or user. If multiple policies configure the same setting, the last policy to apply wins. Group policies are processed in the order of local group policy, site, domain, OU. If multiple OUs exist, policies are processed first at the top OUs and then down to the child OUs. So, any group policies applied to the OU in which the object resides get processed last and thereby win.

When a Windows 2000 or later machine boots up on the network, it queries Active Directory to determine which policies are applied to the computer account. The policies applied are based on the location of the computer account in Active Directory. For example, if the computer account is in the Sales OU which is in the North America OU in the braincore.net domain, it processes all the policies applied to the braincore.net domain, the North America OU, and the Sales OU. It then determines the computer configuration settings that are set by these group policies and applies them to the computer. It does all this before you even get the logon screen.

Eventually, a user logs on. When that happens, the system goes through the same process, but this time it processes user configuration policies based on the location of the user account. Once again, they are processed in the order of local, site, domain, OU, OU, OU, and so on.

This implies the local system account, which would make sense since it has admin rights, is built-in, and cannot be removed from any Administrator group.

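The inference drawn in the thread above (computer policy is processed in the local system context, and that account sits in the local Administrators group) suggests a check an administrator can run before changing security filtering on a GPO. The PowerShell script below is an added example, not code from this thread or from the KiXtart project; it assumes the RSAT GroupPolicy module (Get-GPO, Get-GPPermission) and read access to the GPOs of the current domain. It lists every GPO whose "Apply Group Policy" or "Read" permission is denied to a principal that the computer's own processing context carries (BUILTIN\Administrators, SYSTEM, Authenticated Users, Everyone, Domain Computers). A GPO has one ACL shared by its computer and user halves, so such a deny filters out the computer settings as well, which is the failure mode described in the opening post.

```powershell
# Added example: audit GPO security filtering for Deny entries that would also
# block the computer's own policy-processing context.
# Assumes the RSAT GroupPolicy module and read access to the domain's GPOs.
Import-Module GroupPolicy

# Well-known SIDs carried by the LocalSystem token (which processes computer
# policy) or by the computer's domain account. A Deny on Apply/Read for any of
# these filters the computer configuration out together with the user half.
$ComputerContextSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators (SYSTEM is a member)'
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

function Test-ComputerContextTrustee {
    # Returns a short reason string when the trustee SID is one the computer
    # context carries, otherwise $null.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if ($null -eq $Sid) { return $null }
    if ($ComputerContextSids.ContainsKey($Sid.Value)) {
        return $ComputerContextSids[$Sid.Value]
    }
    # Domain Computers is RID 515 under the domain SID.
    if ($Sid.Value -match '-515$') { return 'Domain Computers' }
    return $null
}

function Find-GpoDenyAffectingComputers {
    # Walks every GPO in the domain and reports Deny ACEs on Apply or Read
    # whose trustee is part of the computer's processing context.
    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if (-not $perm.Denied) { continue }
            if ($perm.Permission -notin 'GpoApply', 'GpoRead') { continue }
            $why = Test-ComputerContextTrustee -Sid $perm.Trustee.Sid
            if ($null -eq $why) { continue }
            [PSCustomObject]@{
                Gpo      = $gpo.DisplayName
                # GpoStatus shows whether the computer half is even enabled;
                # with AllSettingsEnabled the deny hits both halves.
                Status   = $gpo.GpoStatus
                Denied   = $perm.Permission
                DeniedTo = $perm.Trustee.Name
                Reason   = $why
            }
        }
    }
}

Find-GpoDenyAffectingComputers | Format-Table -AutoSize
```

Any row in the output is a GPO whose computer settings will stop applying on the machines in its scope once they have refreshed policy. The remedy the thread settles on applies here too: either split the GPO into separate computer and user policies and place the deny only on the user policy, or disable the computer half of the user-only GPO via its GpoStatus rather than denying it to an administrators group. On an affected machine, `gpresult /scope:computer` shows which GPOs were applied and which were filtered out, which is a quick way to confirm the diagnosis.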
#155244 - 2006-01-13 04:52 PM Re: OT: Which accounts are used to apply computer policies?
StarwarsKid Offline
Seasoned Scripter
*****

Registered: 2005-06-15
Posts: 506
Loc: Oregon, USA
Richard, what permission changes did you make to keep the local admin accounts from receiving the Computer GPO settings?

You have a good question there. "What accounts apply computer GPO settings?" I could guess at this and say it may be the actual computer account itself %computername% + '$' or the local "SYSTEM" security group, which seem to be the most logical choices.

AD GPOs being domain centric, I would think the object that applies these settings would have to reside in AD. As you probably know, the last GPO to apply is the computer's local GPOs. I'm wondering if the "loopback" setting may have something to do with this.

I remember reading about the GPO applying process in great detail a few months ago. I'll have to search for the documents and see if I can post them for you.

It is a good idea to separate the Computer and User GPO settings, for simplicity's sake, but I understand about wanting to keep your GPO count at a minimum.
_________________________
let the wise listen and add to their learning,
and let the discerning get guidance- Proverbs 1:5

#155245 - 2006-01-13 05:06 PM Re: OT: Which accounts are used to apply computer policies?
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Sorry, leaving for the w/e - will update Monday.