Re: GPO problems

From: Jamie (jamiec_at_subnetsolutions.com)
Date: 08/24/04 

Date: Mon, 23 Aug 2004 17:14:31 -0700

OK I understand Loopback, I don't think it will help.
I have a Terminal Server user within his own seperate OU
with his own GPO assigned to it. In this GPO I have set
the policy to remove the "Search" button from Windows
Explorer. Also in this GPO I have set Software
Restriction Policies to deny all programs. When I Remote
Desktop to the Terminal Server with this account, the
"User Configuration" policies are applied (eg.
removes "Search" feature from Windows Explorer) but the
Software Restriction policies do not work! He still
has access to all programs! There are no other Software
restriction policies set anywhere in the forest,
therefore no conflicting GPO settings.
Any clues?
...Jamie

>-----Original Message-----
>Hi Jamie
>
>If policy loopback (replace) is set in the Computer
Configuration of a GPO
>that applied to the Terminal Server, user policy will
not be applied based
>on the location of the user in the AD but instead, the
location of the
>Terminal Server in the AD.
>
>If policy loopback (merge) is set instead, the user
policy will be applied
>based on the location of the user in the AD but at a
lower priority to the
>user configuration set against the Terminal Server (ie,
the TS user settings
>override the User where there is a conflict).
>
>To explain loopback:
>
>1. When the computer boots, the list of GPO's for the
computer is gathered
>based on it's location in the Active Directory. This is
it's SOM or Scope
>of Management. The list includes GPO's linked to OU's
at each level in the
>heirarchy from the OU in which the computer resides all
the way up to the
>domain.
>
>2. The computer configuration settings from this list
are applied to the
>computer provided it has permissions to the GPO's.
>
>3. When the user logs in, different behaviour occurs
according to the policy
>loopback settings:
>
>A. Loopback off - the SOM for the user is calculated and
then user
>configuration settings applied according to user
permissions. The location
>of the user account in the AD decides entirely which
user configuration
>settings are applied.
>
>B. Loopback merge mode - the SOM for the user is
calculated as in A. The
>user configuration settings from this SOM are applied
but at a lower
>precedence to the user configuration settings in the
computer SOM. Once
>again, user permissions allow or prevent application of
these setting
>regardless of whether they came from the user or
computer SOM.
>
>C. Loopback replace mode - the SOM for the user is not
considered. The user
>configuration settings are applied from the GPO's in the
computer SOM
>provided they have user permissions.
>
>HTH
>--
>Mark Renoden [MSFT]
>Windows Platform Support Team
>Email: markreno@online.microsoft.com
>
>Please note you'll need to strip ".online" from my email
address to email
>me; I'll post a response back to the group.
>
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>
>
>"Jamie" <jamiec@subnetsolutions.com> wrote in message
>news:a06f01c48709$98ab8710$a501280a@phx.gbl...
>>I have a user within a seperate OU with its own GPO
>> assigned to it. The User Settings are applied properly
>> (through this GPO) to a user account when this user
logs
>> directly onto my PC, but they are not applied when
logged
>> on to a Terminal Server.
>> There are no conflicting settings! Shouldnt the User
>> Settings for this user be applied no matter where he
logs
>> on to? Every computer is only under the Domain GPO.
>> Any clues?
>> ...Jamie
>
>
>.
>