
Month: October 2009

Group Policy Loopback Processing

Subtitled – “Wow, I learned something new today!”  [:)]

So in the Third Tier support queue today, Jon posed an interesting question:

How do I exclude Folder Redirection from applying to one domain-joined laptop that is out of the office & disconnected from the domain most of the time?

To revisit Group Policy basics for everyone – GPOs can apply to either computer accounts or user accounts.  GPOs that apply to computer accounts are processed when computers boot up (we’ve all seen the “Applying Computer Settings” message during startup), and GPOs that apply to user accounts are processed during login.  Obviously, Folder Redirection is a user setting in Group Policies, and GPOs don’t have the same targeting options that Group Policy Preferences do.  So how do we have different GP user settings implemented when users log in to specific machines?   Via User Group Policy loopback processing, of course . . .

So what is User Group Policy loopback processing?  It is a Group Policy setting that applies to Computer accounts.  When enabled, it effectively tells a computer to process User Settings in GPOs that apply to the computer account whenever a user logs on to that computer.  As a result, we are able to define user GP settings in a GPO applied to computer accounts instead of user accounts.

User Group Policy loopback processing can be enabled in one of two modes:  merge or replace.  In merge mode, both GPOs applying to the user account and GPOs applying to the computer account are processed when a user logs in.  GPOs that apply to the computer account are processed second and therefore take precedence – if a setting is defined in both the GPO(s) applying to the user account, and the GPO(s) applying to the computer account, the setting in the GPO(s) applying to the computer account will be enforced.  With the replace mode, GPOs applying to the user account are not processed – only the GPOs applying to the computer account are applied.

In Jon’s specific case, he wanted to exclude Folder Redirection for one remote laptop.  The folder redirection settings in Group Policies do not have a “disable” option – only “Not Configured” or enabled via the “Basic” or “Advanced” modes.  Since there isn’t an option to explicitly disable Folder Redirection, the merge option would not meet Jon’s needs, since the user GPOs would be applied and Folder Redirection would remain enabled on the laptop.  By using the “Replace” mode and not defining Folder Redirection in the GPO that applies to the computer account, Jon is able to achieve his desired result.
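To make the merge-versus-replace precedence concrete, here is a small model of it in PowerShell. This is an added example, not code from the original post: the GPO contents, setting names and values are constructed for illustration, and only the rule itself comes from the text (user-side GPOs are processed first, computer-side GPOs second and win on conflict; Replace skips the user-side GPOs entirely).

```powershell
# Added example (not code from the original post): which user settings win at
# logon under each loopback mode.  GPO contents below are constructed.
function Get-ResultantUserSettings {
    param(
        # Each GPO is a hashtable of setting name -> value.  Array order is the
        # processing order, so a later GPO overrides an earlier one on conflict.
        [hashtable[]] $UserGpos,
        [hashtable[]] $ComputerGpos,
        [ValidateSet('None', 'Merge', 'Replace')]
        [string] $LoopbackMode = 'None'
    )

    # Which GPO lists are processed for the user at logon.
    switch ($LoopbackMode) {
        'None'    { $ordered = @($UserGpos) }                    # no loopback: user-side GPOs only
        'Merge'   { $ordered = @($UserGpos) + @($ComputerGpos) } # user-side first, then computer-side (wins)
        'Replace' { $ordered = @($ComputerGpos) }                # computer-side GPOs only
    }

    $result = @{}
    foreach ($gpo in $ordered) {
        if ($gpo -eq $null) { continue }
        foreach ($name in $gpo.Keys) {
            $result[$name] = $gpo[$name]   # last writer wins
        }
    }
    return $result
}

# Constructed scenario matching Jon's case: the GPO linked to the users' OU
# enables Folder Redirection (there is no "disable" option, only Not Configured
# or Basic/Advanced); the GPO linked to the laptop's OU leaves Folder
# Redirection Not Configured (absent) and only changes another user setting.
$userSideGpos = @(
    @{ 'FolderRedirection.Documents' = 'Basic -> \\sbs\users\%username%'; 'ScreenSaverTimeout' = 600 }
)
$laptopSideGpos = @(
    @{ 'ScreenSaverTimeout' = 900 }
)

foreach ($mode in 'None', 'Merge', 'Replace') {
    $r  = Get-ResultantUserSettings -UserGpos $userSideGpos -ComputerGpos $laptopSideGpos -LoopbackMode $mode
    $fr = if ($r.ContainsKey('FolderRedirection.Documents')) { $r['FolderRedirection.Documents'] } else { 'Not Configured' }
    '{0,-8} FolderRedirection = {1}; ScreenSaverTimeout = {2}' -f $mode, $fr, $r['ScreenSaverTimeout']
}
```

Running it shows why Merge does not help Jon: the user-side GPO is still processed, so Folder Redirection stays enabled (only the conflicting screensaver value is overridden by the laptop-side GPO). Under Replace the user-side GPO is never processed, so Folder Redirection comes out Not Configured without any explicit "disable" setting.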

Take-aways on User Group Policy Loopback Processing:

  • This is a COMPUTER setting, which is found under Computer Configuration | Administrative Templates | System | Group Policy | User Group Policy Loopback Processing Mode
  • You want to create a new OU in AD that is dedicated to computer accounts that will have loopback processing enabled.
  • Create a new GPO in your new OU to enable User Group Policy Loopback Processing and set the appropriate mode (merge / replace).
  • You will define the user settings you want to apply to the loopback-enabled PCs via GPOs in this same new OU.  You can define these settings either in the same GPO where you enabled the User Group Policy Loopback Processing setting, or you can create another new GPO in the same OU for your user settings.
  • Remember that when using the REPLACE mode, none of your other user GPOs will be applied when a user logs in to a machine that has loopback processing enabled.  ONLY the user settings that are defined in the GPOs that apply to that machine will be applied.
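The take-aways above can be scripted end to end. The following is an added example and not part of the original post: it creates the dedicated OU, a GPO that enables User Group Policy loopback processing in Replace mode, and links the GPO to the OU. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on Windows 7 / Server 2008 R2 or later; SBS 2008 itself does not ship them) and a domain admin session; the OU name, GPO name and the `LAPTOP01` computer name are placeholders.

```powershell
# Added example (not from the original post).  Assumes RSAT's ActiveDirectory
# and GroupPolicy modules; OU/GPO/computer names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Loopback Computers'          # placeholder OU name
$gpoName  = 'Loopback - Replace Mode'     # placeholder GPO name
$ouDn     = "OU=$ouName,$domainDn"

# 1. An OU dedicated to the computer accounts that should get loopback.
try   { $ou = Get-ADOrganizationalUnit -Identity $ouDn -ErrorAction Stop }
catch { $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru }

# 2. The GPO that carries the loopback setting.
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Enables User Group Policy loopback processing (Replace mode)'
}

# 3. The Administrative Template setting (Computer Configuration | Administrative
#    Templates | System | Group Policy | User Group Policy loopback processing
#    mode) maps to this registry value: UserPolicyMode = 1 for Merge, 2 for Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. Link the GPO to the new OU (skip if a link already exists).
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null }

# 5. Verify.  User settings for these machines go in this same GPO or in a
#    second GPO linked to the same OU.  Remember that in Replace mode nothing
#    else applies to the user on these PCs.
$mode = (Get-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode').Value
"UserPolicyMode in '$gpoName' = $mode (1 = Merge, 2 = Replace)"

# 6. Move the laptop's computer account into the OU (placeholder name), then
#    run gpupdate /force on it or reboot it.
# Move-ADObject -Identity (Get-ADComputer 'LAPTOP01').DistinguishedName -TargetPath $ouDn
```

Leaving Folder Redirection untouched in this GPO is what produces Jon's result: in Replace mode the only user settings the laptop ever sees are the ones defined here.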

Killing off ISA

Earlier today Susan blogged about upgrade season in her office, and getting ready to migrate from SBS 2003 to 2008.  In that post, she talked about uninstalling ISA and mentioned a post that Kevin has on that subject.  I thought I’d take a moment to expand a little bit on Kevin’s post and add a few thoughts from my own battle scars with removing ISA.

First and foremost – Kevin mentions removing the ISA firewall client from all of your PCs before you remove ISA from the server.  I cannot overstate how crucial this step is.  The ISA 2004 firewall client uninstaller wants access to the original installation MSI, which lives in a share on your SBS box.  This share is actually the Clients folder in the ISA installation directory.  So what happens when you remove ISA from your SBS?  You guessed it – the mspclnt share with the firewall client installation files is removed, which means any firewall clients still installed on PCs are not going to be happy when you try to remove them and they can’t find the MSI.

Since the Clients folder under the ISA installation folder is typically only about 5MB, I copy this folder to a safe spot on the server – usually my Tech directory where we keep various utilities and scripts.  Here’s why – more and more, customers are backing up their workstations, whether via Acronis, StorageCraft or Windows Home Server.  We may find ourselves at a point in the not so distant future after removing ISA that we need to restore a PC from an image taken before ISA was removed, and need to remove the firewall client again.  Or we may discover a forgotten PC / laptop that we missed removing the firewall client from.  There’s all sorts of scenarios – but by keeping the Clients folder intact, we can share that out with the original mspclnt share name at any time and be able to uninstall the firewall client just like ISA was still installed on the server.  Without the mspclnt share, you have a very VERY ugly path in front of you, and it is safe to say that you may end up facing the decision of living with the firewall client still on the machines, or wiping and re-installing the OS . . .

Second – Kevin also makes a brief mention about proxy settings.  When you uninstall the firewall client from a PC, it will automatically disable proxy settings for the user account that is running the uninstall, but not for any other users on the machine.  So if you have a PC that multiple users log in to, or if you are running a terminal server, be prepared for some proxy pain.  I actually have a little VBScript that disables proxy settings for the current user by changing the ProxyEnable value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings from 1 to 0.  I modify my login script to call the VBScript, in effect ensuring proxy gets disabled for each user when they log in to each machine.
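For reference, the same per-user fix written in PowerShell rather than VBScript. This is an added example, not the author's DisableProxy.vbs: it is meant to be called from the domain login script so that it runs in each user's own HKCU hive on each machine they log in to, and it logs one line per logon so you can see which users and PCs still had a proxy configured. The log path is a placeholder.

```powershell
# Added example (not the author's DisableProxy.vbs): disable the per-user
# WinINet proxy flag at logon and record what was found.  Log path is a placeholder.
function Disable-UserProxy {
    param([string] $LogPath = (Join-Path $env:TEMP 'DisableProxy.log'))  # placeholder log location

    $key      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $settings = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $enabled  = if ($settings -and $settings.PSObject.Properties['ProxyEnable']) { [int] $settings.ProxyEnable } else { 0 }

    if ($enabled -eq 1) {
        # Flip the flag only (1 -> 0); the old ProxyServer string is left behind for reference.
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
        $action = 'disabled'
    } else {
        $action = 'already off'
    }

    # One line per logon: who, where, what was done, and what proxy had been set.
    $line = '{0} {1}\{2} on {3}: proxy {4} (ProxyServer={5})' -f `
        (Get-Date -Format s), $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME, $action, $settings.ProxyServer
    Add-Content -Path $LogPath -Value $line
    return $action
}

Disable-UserProxy
```

Because the value lives under HKCU, the script has to run once per user per machine, which is exactly why it belongs in the login script rather than being run once by an administrator; on a terminal server it runs in each user's session the same way. Applications that already had WinINet loaded when the value changed (an open browser, for instance) pick up the new setting only after they are restarted.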

The other aspect of proxy settings to keep in mind is your server-side applications.  Unless you modified your ISA firewall policy to allow unauthenticated outbound HTTP access from the server itself, you most likely specified proxy information for apps like Trend Micro’s Worry-Free Business Security or even WSUS – so that they can download their updates automatically.  After removing ISA, you no longer have a proxy server, which means apps configured to use a proxy aren’t going to be able to get out to the internet.  As a result, you stop getting automatic updates for things like A/V.  So you will need to manually update the connection settings in these apps to remove the proxy settings previously defined.

So – here’s my quick checklist for removing ISA from your network & installing a hardware firewall:

  1. Prep your hardware firewall in a lab setting.  Enter in all public IP info, disable DHCP, and create all of your inbound rules.  It’s best to do this while ISA is still installed and working, so you can refer to the rules in ISA to make sure you don’t miss any necessary inbound rules for your environment.
  2. Back up your ISA configuration.  While we’re moving away from ISA permanently, if we do encounter an issue with the new hardware solution where something that was working with ISA isn’t working any more, the ISA backup is an XML file that is relatively easy to read.  You can see what rules you had and what they did without having to reinstall and restore ISA on your SBS.
  3. Open up your outbound access in ISA by creating the proverbial ALL/ALL/ALL rule.  In other words, create a new access rule in ISA allowing all outbound traffic via all protocols for all users/computers.  Much of the internet access in ISA on SBS is dependent on users being members of the Internet Users security group.  The firewall client on the PCs is what actually passes user info to the ISA server so it can check group membership.  Once we remove the firewall client from PCs, ISA isn’t going to be getting user info and some stuff that worked before isn’t going to work now.  If you only have 5 PCs and are moving from ISA to your hardware firewall on a Sunday when no one is working, you might be able to skip this step.  But if you have a larger number of PCs, etc. this helps to ensure you don’t disrupt users’ internet access too much while removing the firewall client . . .
  4. In my case, I update my domain login script to call my DisableProxy.vbs script at this point.
  5. Uninstall the firewall client from ALL PCs.  Again – see my notes above.  Your life will be MUCH simpler if you ensure the firewall client is completely removed from all PCs before removing ISA from your server.
  6. Copy the contents of the mspclnt share (%programfiles%\Microsoft ISA Server\Clients by default) to a safe location on the server, and plan to keep this folder safe for some time  [:)]
  7. Follow Kevin’s steps 3-9 to remove ISA from the server.
  8. When you re-run the CEICW, it should automatically update the DHCP scope option on the server to use the internal IP of the new hardware firewall as the default gateway setting.  If you have any devices that are using static IP addresses, you will need to manually update those with the new gateway.  (HINT:  Take a few extra minutes to create DHCP reservations for each device using a static IP, and change those devices to DHCP – so if you have another network reconfiguration in the future, all you have to do is reboot those devices instead of reconfiguring them [:)].)  For all of your other DHCP devices, you will want to run an ipconfig /release followed by an ipconfig /renew to update their IP settings so they pull the new gateway, or you can reboot them as well.  (HINT 2:  PsTools are your friend.  Create a batch file with the two ipconfig commands, and use PsExec to push and execute the batch file on all machines in the domain from the server.  5 minutes tops to update the IP config on all domain machines that are online, instead of sneakernetting . . .)
  9. ALSO – if you followed Jim Harrison’s steps to configure auto-detection of proxy settings on your SBS LAN, you want to remove the wpad A record from your internal AD domain forward lookup zone in DNS – otherwise you may have devices pulling proxy settings pointing to your non-existent proxy server via auto-detect.
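The scriptable parts of that checklist, gathered into one script. This is an added example and is not part of Kevin's or the author's posts: it covers step 6 (preserve the Clients folder, with the command to re-share it later under the original mspclnt name as described above), step 8 (push ipconfig /release and /renew to every online domain PC with PsExec) and step 9 (delete the wpad A record). It assumes it runs on the SBS box as a domain admin, that PsExec.exe is on the path, and that the DNS zone is hosted on that server; the backup path and the `contoso.local` zone name are placeholders.

```powershell
# Added example (not from the original posts).  Runs on the SBS box as a domain
# admin with PsExec.exe on the path; backup path and zone name are placeholders.

$clientsSource = Join-Path $env:ProgramFiles 'Microsoft ISA Server\Clients'   # default mspclnt share folder
$clientsBackup = 'D:\Tech\ISAClients'                                          # placeholder safe location

function Save-IsaClientsFolder {
    param([string] $Source = $clientsSource, [string] $Destination = $clientsBackup)
    if (-not (Test-Path $Source)) { throw "ISA Clients folder not found at $Source" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
    # Later, if a restored or forgotten PC still has the firewall client, bring the
    # original share name back so its uninstaller can find the MSI:
    #   net share mspclnt="$Destination" /grant:Everyone,READ
    return @(Get-ChildItem -Path $Destination -Recurse | Where-Object { -not $_.PSIsContainer }).Count
}

function Get-OnlineDomainComputers {
    # Plain ADSI search, so it works on SBS 2008 without the AD module.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(objectCategory=computer)'
    $searcher.PageSize = 500
    [void] $searcher.PropertiesToLoad.Add('dNSHostName')
    $ping   = New-Object System.Net.NetworkInformation.Ping
    $online = @()
    foreach ($result in $searcher.FindAll()) {
        $values = $result.Properties['dnshostname']
        if (-not $values -or $values.Count -eq 0) { continue }
        $fqdn = [string] $values[0]
        # Skip this server: releasing its own (static) address would only cause trouble.
        if ($fqdn.Split('.')[0] -ieq $env:COMPUTERNAME) { continue }
        try { if ($ping.Send($fqdn, 1000).Status -eq 'Success') { $online += $fqdn } } catch { }
    }
    return ,$online
}

function Push-IpRenew {
    param([string[]] $Computers)
    if (-not $Computers -or $Computers.Count -eq 0) { return -1 }
    # The batch file holds the two commands; PsExec -c copies it to each PC and
    # runs it there as SYSTEM (-s), so nobody needs to be logged on.
    $bat = Join-Path $env:TEMP 'renew-ip.bat'
    "@echo off`r`nipconfig /release`r`nipconfig /renew" | Set-Content -Path $bat -Encoding ASCII
    & psexec.exe ('\\' + ($Computers -join ',')) -s -c $bat
    return $LASTEXITCODE
}

function Remove-WpadRecord {
    param([string] $ZoneName)   # the internal AD forward lookup zone
    # dnscmd against the local DNS server; /f skips the confirmation prompt.
    & dnscmd.exe $env:COMPUTERNAME /RecordDelete $ZoneName wpad A /f
    return $LASTEXITCODE
}

# Run in checklist order once the placeholders are edited.
$fileCount = Save-IsaClientsFolder
$online    = Get-OnlineDomainComputers
$rcRenew   = Push-IpRenew -Computers $online
$rcDns     = Remove-WpadRecord -ZoneName 'contoso.local'   # placeholder zone name
"Saved $fileCount client files; renewed $($online.Count) online PCs (psexec rc=$rcRenew); wpad delete rc=$rcDns"
```

Only machines that answer a ping are touched, which matches the post's "that are online" caveat; anything offline at the time still needs a reboot or a manual release/renew when it next appears. Running the release from the server side briefly drops the very connection PsExec is using, so check the PsExec output per machine rather than trusting a single exit code.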

So that’s my addendum to Kevin’s excellent post.


P.S. . . .   and if you haven’t decided on a hardware firewall yet, I highly recommend Calyptix devices.  These are the standard devices we are implementing when migrating customers to SBS 2008.