Re: Loopback Processing
From: Andrew (lak18_at_hotmail.com)
Date: 09/23/04
- Next message: Simon Geary: "Re: Applying user policies to computers"
- Previous message: carlos: "Applying user policies to computers"
- In reply to: Mark Renoden [MSFT]: "Re: Loopback Processing"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Loopback Processing"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Loopback Processing"
- Reply: Mark Renoden [MSFT]: "Re: Loopback Processing"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 23 Sep 2004 06:00:53 -0700
Thank you Mark,
That does clear up alot, could you answer a couple other
questions.
1. As long as loopback is set in one GPO, it doesn't have
to be set in any other GPO that falls with the hierarchy?
2. I have a GPO that has both Computer and User
Configuration setting. I apply it to an OU which only has
computer objects underneath it. The GPO has Loopback set
with replace mode. I set deny permissions on a specific
machine account, which resides in this OU, to the GPO.
When running a result, the machine does not get the
Computer configurations settings. How ever, the User
configuration settings from this GPO are still applied.
If the machine account is given deny permission, during
loopback, shouldn't it skip over the GPO completely?
why does it still apply the User Configuration settings.
Is this a feature or a flaw?
>-----Original Message-----
>Hi Andrew
>
>Group Policy Loopback works as follows:
>
>1. When the computer boots, the list of GPO's for the
computer is gathered
>based on it's location in the Active Directory. This is
it's SOM or Scope
>of Management. The list includes GPO's linked to OU's
at each level in the
>heirarchy from the OU in which the computer resides all
the way up to the
>domain.
>
>2. The computer configuration settings from this list
are applied to the
>computer provided it has permissions to the GPO's.
>
>3. When the user logs in, different behaviour occurs
according to the policy
>loopback settings:
>
>A. Loopback off - the SOM for the user is calculated and
then user
>configuration settings applied according to user
permissions. The location
>of the user account in the AD decides entirely which
user configuration
>settings are applied.
>
>B. Loopback merge mode - the SOM for the user is
calculated as in A. The
>user configuration settings from this SOM are applied
but at a lower
>precedence to the user configuration settings in the
computer SOM. Once
>again, user permissions allow or prevent application of
these setting
>regardless of whether they came from the user or
computer SOM.
>
>C. Loopback replace mode - the SOM for the user is not
considered. The user
>configuration settings are applied from the GPO's in the
computer SOM
>provided they have user permissions.
>
>+++++++++++
>
>To answer your question, the Users need permissions to
read and apply the
>GPO's.
>
>HTH
>--
>Mark Renoden [MSFT]
>Windows Platform Support Team
>Email: markreno@online.microsoft.com
>
>Please note you'll need to strip ".online" from my email
address to email
>me; I'll post a response back to the group.
>
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>
>
>
>"Andrew" <lak18@hotmail.com> wrote in message
>news:48a501c4a0a5$7c1cb280$a301280a@phx.gbl...
>> Hello,
>>
>> You have been very helpful to me in the past, and I'm
>> wondering if anyone can give me some insite into
Loopback
>> processing replace mode. I'm familiar with what it is
>> intended to do, but have found some odd real life
results
>> using it.
>> Any useful reading material or real life experiences
>> would be greatly appreciated.
>> My experience has been this
>>
>> I have a group policy with both User and Computer
>> settings in it. I set it at the top level of my tree.
On
>> the scope tab I set the filtering to apply to a global
>> group. In the global group I have added only a few
>> computer accounts which I only want to target.
>>
>> Further down the tree I have mulitple Workstation OUs,
>> which contain all my computer objects. On each of these
>> OUs I have a GPO where Replace mode Loopback processing
>> is enable. When logging in, only the setting in the
>> Computer portion of the top level GPO are applied. The
>> User setting are not applied. When running a result, I
>> see that the User portion of this GPO was denied due to
>> security filtering. Shouldn't have the Replace
>> Loopbacking have fixed this? How can I get the user
>> setting to be applied, without adding user objects to
the
>> Global Group.
>>
>> I hope I made this clear enough to follow
>>
>> Thank You
>
>
>.
>
- Next message: Simon Geary: "Re: Applying user policies to computers"
- Previous message: carlos: "Applying user policies to computers"
- In reply to: Mark Renoden [MSFT]: "Re: Loopback Processing"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Loopback Processing"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Loopback Processing"
- Reply: Mark Renoden [MSFT]: "Re: Loopback Processing"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
