Channel: Directory Services forum

Cross forest users logon and Loopback policy security filtering


Hello.

 I have a question regarding loopback processing and security filtering.

My client's requirement is that we have 3 Citrix servers (Windows 2003 SP2) on which users from my other, Japanese forest will log in through a Citrix URL and work on the Citrix servers in my domain. I have an external trust set up with the other forest.

To complete this request, I have created one GPO with Group Policy Preferences in Control Panel "Regional language settings" to change the keyboard language for the Japanese forest's users, as I have Windows 2008 R2 DCs. I also changed the keyboard layout using the keyboard control panel applet via regedit.exe

Move to HKEY_USERS\.DEFAULT\Keyboard Layout\Preload

  • Double click on 1 and change the number to your local layout (you could get this by looking at HKEY_CURRENT_USER\Keyboard Layout\Preload1). Click OK

Additionally, I have enabled the following policy: Computer Configuration\Administrative Templates\System\Group Policy\Allow Cross-Forest User Policy and Roaming Profiles, for external trust users to get the "Regional language settings" policy.

I applied this policy on the Citrix server OU, added the security group and computer accounts in security filtering, and removed Authenticated Users. I have also enabled loopback processing in replace mode.

Now, my policy is applying on the Citrix servers for the accounts which are members of the Regional language settings group.

But if I remove any user from this group, the group policy settings remain the same for those users. Ideally they should be removed once the GPP no longer applies to that user.

Another thing: I have a lot of confusion about loopback processing with security filtering. I got help from the link below about loopback processing but am still in doubt.

 http://social.technet.microsoft.com/Forums/en/winserverGP/thread/a8432a90-46a6-474e-b3eb-1e228cf53884

 

======

If you use loopback merge:

 

The user or user group needs to have read and apply access.

Additionally (regardless of whether there are computer settings in this policy), the computer account needs at least read permissions on the policy. This was not needed before Vista.

 If there are also computer settings in the policy, the computer account needs also apply permissions.

-------------------------------------------

If you use loopback replace:

The user or user group needs to have read and apply access.

If there are computer settings in the policy, the computer account needs read and apply.

------------------------------------------------------------------

