KB-0487: User based Group Policies do not get applied to OUs containing only Computers

Knowledge Article Type: Problem / Resolution
Article Type: Knowledge
Product: Authentication Service
Component: Access Manager
Version: All
Tags: loopback processing gp user configuration computer
Solution ID: 487
Knowledge Base Article Details
Problem:

A Group Policy Object is created in a child OU where:
  • Computer accounts for joined machines are placed in this child OU
  • AD users are not in this child OU, and instead are in another OU (which is typically the case)
Any group policies configured in the User Configuration section of the GPO do not get applied.


Cause:

This is the expected Active Directory behaviour for all Group Policies (not limited to Centrify Group Policies):
  • User Configuration GPs of any GPO will apply to AD User objects within the GPO's linked OUs only.
  • Computer Configuration GPs will apply to AD Computer objects within the GPO's linked OUs only.

If the AD user is also moved to this child OU, then Group Policies in the User Configuration section will then get applied.
However, in production environments, placing AD users in the same OU as the AD computers is most likely not the desired layout for AD organisation.


Solution:

There are two workable solutions:

Option 1:
  • Create and configure the GPO at an OU level that is a parent of both the AD users and the AD computers.
  • The child OUs can then be configured so that they inherit Group Policies from the parent level.

Option 2:
  • Use Loopback Processing:
    • Loopback Processing is a Group Policy that can be configured at the OU level where the computer accounts exist but the AD users do not.
    • When configured, it applies the Group Policies in User Configuration to any AD user who logs into the machines under this OU.

To configure Loopback Processing:
  • Enable the GP at:
    • Computer Configuration / Policies / Administrative Templates / System / Group Policy / "Configure user Group Policy loopback processing mode"
    • Mode: Merge
    • (See the Explain tab of the GP for more information on the options in this GP)
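
An audit for the situation described above, added here as an example (it is not Centrify's or Microsoft's code): it lists enabled GPO links on computer-only OUs whose User Configuration has been edited, and reports whether a loopback setting reaches those computers. It assumes the RSAT ActiveDirectory and GroupPolicy modules and that the loopback policy is stored as the `UserPolicyMode` registry value; the function names are illustrative, and security filtering and WMI filters are not evaluated.

```powershell
# Added example. Requires the RSAT ActiveDirectory and GroupPolicy modules
# and read access to AD and SYSVOL. Function names are illustrative.
Import-Module ActiveDirectory, GroupPolicy

# Registry value behind "Configure user Group Policy loopback processing mode"
$LoopbackKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackValue = 'UserPolicyMode'
$ModeName      = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LoopbackMode {
    param([guid]$GpoId)
    try {
        $v = Get-GPRegistryValue -Guid $GpoId -Key $LoopbackKey -ValueName $LoopbackValue -ErrorAction Stop
        $ModeName[[int]$v.Value]
    } catch { }   # value not configured in this GPO: emit nothing
}

function Find-InertUserPolicy {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $dn = $ou.DistinguishedName
        # Default search scope is Subtree, matching how a linked GPO applies
        $hasComputer = Get-ADComputer -Filter * -SearchBase $dn -ResultSetSize 1
        $hasUser     = Get-ADUser     -Filter * -SearchBase $dn -ResultSetSize 1
        if (-not $hasComputer -or $hasUser) { continue }   # keep computer-only OUs

        $inh = Get-GPInheritance -Target $dn
        # Loopback may come from any GPO that reaches these computers (linked or inherited);
        # InheritedGpoLinks is in precedence order, so the first hit is the winning mode.
        $loopback = $inh.InheritedGpoLinks | Where-Object Enabled |
            ForEach-Object { Get-LoopbackMode $_.GpoId } |
            Where-Object { $_ } | Select-Object -First 1

        foreach ($link in $inh.GpoLinks | Where-Object Enabled) {
            $gpo = Get-GPO -Guid $link.GpoId
            # User.DSVersion > 0 means the User Configuration half has been edited
            $userHalfOn = [string]$gpo.GpoStatus -notin @('UserSettingsDisabled', 'AllSettingsDisabled')
            if ($gpo.User.DSVersion -gt 0 -and $userHalfOn) {
                [pscustomobject]@{
                    OU       = $dn
                    GPO      = $gpo.DisplayName
                    Loopback = if ($loopback) { $loopback } else { 'Not configured' }
                }
            }
        }
    }
}

Find-InertUserPolicy | Format-Table -AutoSize
```

Rows showing `Not configured` are links where the User Configuration settings have no effect on the OU; rows showing `Merge` or `Replace` are OUs where loopback is already in place.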


For further information, see the following links:
Centrify Corporation does not take any responsibility for the content or availability of the links, which are provided as a courtesy. Customers should contact the vendor if there are any further questions.
Created By: Article Admin
Solution Creator: David Kim