All versions of Centrify DirectControl for all OSes

Problem:
A Group Policy Object is created in a child OU where:
- Computer accounts for joined machines are placed in this child OU
- AD users are not in this child OU, and instead are in another OU (which is typically the case)
Any group policies configured in the User Configuration section of the GPO do not get applied.

Cause:
This is the expected Active Directory behaviour for all Group Policies (not limited to Centrify Group Policies):
- User Configuration GPs of any GPO will apply to AD User objects within the GPO's linked OUs only.
- Computer Configuration GPs will apply to AD Computer objects within the GPO's linked OUs only.
If the AD user is also moved to this child OU, then Group Policies in the User Configuration section will then get applied.
However, in production environments, placing AD users in the same OU as the AD computers is most likely not the desired layout for AD organisation.

Solution:
There are two workable solutions:
- Have the GPO created and configured at a parent OU level common to both the AD users and AD computers.
  - The child OUs can then be configured so that they inherit Group Policies from the parent level.
- Use Loopback Processing:
  - Loopback Processing is a Group Policy that can be configured at the OU level where the computer accounts exist, but the AD users do not.
  - When configured, it will apply Group Policies in User Configuration to any AD user that logs into the machines under this OU.
To configure Loopback Processing:
- Enable the GP at:
  - Computer Configuration / Administrative Templates / System / Group Policy / "User Group Policy loopback processing mode"
- Mode: Merge
- (See the Explain tab of the GP for more information on the options in this GP)
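
The scoping rule and both solutions above, as a small model (an added example, not Centrify or Microsoft code). The OU names, GPO names and the `screen_lock_timeout` setting are constructed for illustration, and the model ignores security filtering, WMI filters, Enforced links and Block Inheritance.

```python
# Added example: simplified model of GPO scoping. It ignores security
# filtering, WMI filters, Enforced links and Block Inheritance.
LOOPBACK = "User Group Policy loopback processing mode"

def containers(dn):
    """Domain and OUs above an object, ordered from domain root to nearest OU."""
    parts = dn.split(",")[1:]  # drop the object's own CN=
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    return [",".join(parts[i:]) for i in range(first_dc, -1, -1)]

def linked_gpos(dn, links):
    """GPOs in scope for an object, parent links first (inheritance order)."""
    return [g for c in containers(dn) for g in links.get(c, [])]

def loopback_mode(computer_dn, links, gpos):
    """Loopback is a Computer Configuration policy, read from the computer's GPOs."""
    mode = None
    for g in linked_gpos(computer_dn, links):
        mode = gpos[g].get("computer", {}).get(LOOPBACK, mode)
    return mode

def user_settings(user_dn, computer_dn, links, gpos):
    """User Configuration settings in effect when user_dn logs in to computer_dn."""
    mode = loopback_mode(computer_dn, links, gpos)
    # Normal processing: only GPOs linked along the *user's* OU path.
    order = [] if mode == "Replace" else linked_gpos(user_dn, links)
    # Loopback: also process the GPOs linked along the *computer's* OU path.
    if mode in ("Merge", "Replace"):
        order += linked_gpos(computer_dn, links)
    result = {}
    for g in order:  # later GPOs win on conflict
        result.update(gpos[g].get("user", {}))
    return result

# Constructed sample directory (all names and the setting are hypothetical).
CORP = "OU=Corp,DC=example,DC=com"
SERVERS = "OU=Servers," + CORP
USER = "CN=alice,OU=Staff," + CORP
HOST = "CN=web01," + SERVERS
GPOS = {"UserLockdown": {"user": {"screen_lock_timeout": 600}},
        "Loopback": {"computer": {LOOPBACK: "Merge"}}}

if __name__ == "__main__":
    for label, links in [("GPO linked to child OU only", {SERVERS: ["UserLockdown"]}),
                         ("GPO linked to parent OU", {CORP: ["UserLockdown"]}),
                         ("child OU + loopback Merge", {SERVERS: ["UserLockdown", "Loopback"]})]:
        print(f"{label}: {user_settings(USER, HOST, links, GPOS)}")
```

The first case reproduces the problem (no user settings apply), and the other two correspond to the two solutions.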
For further information, see the following links: (Provided as a courtesy)