Re: Loopback Processing

anonymous_at_discussions.microsoft.com
Date: 09/23/04


Date: Thu, 23 Sep 2004 07:42:19 -0700

Correction on my last post. There are actually 2 GPOs,
the one with the deny permission is not the one running
the Loopback. I think after realizing all this I may have
answered my own question. But any thoughts you have would
only help...

Thanks

>-----Original Message-----
>Thank you Mark,
>
>That does clear up a lot, could you answer a couple other
>questions.
>
>1. As long as loopback is set in one GPO, it doesn't have
>to be set in any other GPO that falls within the hierarchy?
>
>2. I have a GPO that has both Computer and User
>Configuration settings. I apply it to an OU which only has
>computer objects underneath it. The GPO has Loopback set
>with replace mode. I set deny permissions on a specific
>machine account, which resides in this OU, to the GPO.
>When running a result, the machine does not get the
>Computer configuration settings. However, the User
>configuration settings from this GPO are still applied.
>If the machine account is given deny permission, during
>loopback, shouldn't it skip over the GPO completely?
>Why does it still apply the User Configuration settings?
>Is this a feature or a flaw?
>
>
>>-----Original Message-----
>>Hi Andrew
>>
>>Group Policy Loopback works as follows:
>>
>>1. When the computer boots, the list of GPOs for the computer is gathered
>>based on its location in the Active Directory. This is its SOM or Scope
>>of Management. The list includes GPOs linked to OUs at each level in the
>>hierarchy from the OU in which the computer resides all the way up to the
>>domain.
>>
>>2. The computer configuration settings from this list are applied to the
>>computer provided it has permissions to the GPOs.
>>
>>3. When the user logs in, different behaviour occurs according to the policy
>>loopback settings:
>>
>>A. Loopback off - the SOM for the user is calculated and then user
>>configuration settings applied according to user permissions. The location
>>of the user account in the AD decides entirely which user configuration
>>settings are applied.
>>
>>B. Loopback merge mode - the SOM for the user is calculated as in A. The
>>user configuration settings from this SOM are applied but at a lower
>>precedence to the user configuration settings in the computer SOM. Once
>>again, user permissions allow or prevent application of these settings
>>regardless of whether they came from the user or computer SOM.
>>
>>C. Loopback replace mode - the SOM for the user is not considered. The user
>>configuration settings are applied from the GPOs in the computer SOM
>>provided they have user permissions.
>>
>>+++++++++++
>>
>>To answer your question, the Users need permissions to read and apply the
>>GPOs.
>>
>>HTH
>>--
>>Mark Renoden [MSFT]
>>Windows Platform Support Team
>>Email: markreno@online.microsoft.com
>>
>>Please note you'll need to strip ".online" from my email address to email
>>me; I'll post a response back to the group.
>>
>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>
>>
>>"Andrew" <lak18@hotmail.com> wrote in message
>>news:48a501c4a0a5$7c1cb280$a301280a@phx.gbl...
>>> Hello,
>>>
>>> You have been very helpful to me in the past, and I'm
>>> wondering if anyone can give me some insight into Loopback
>>> processing replace mode. I'm familiar with what it is
>>> intended to do, but have found some odd real life results
>>> using it.
>>> Any useful reading material or real life experiences
>>> would be greatly appreciated.
>>> My experience has been this:
>>>
>>> I have a group policy with both User and Computer
>>> settings in it. I set it at the top level of my tree. On
>>> the scope tab I set the filtering to apply to a global
>>> group. In the global group I have added only a few
>>> computer accounts which I only want to target.
>>>
>>> Further down the tree I have multiple Workstation OUs,
>>> which contain all my computer objects. On each of these
>>> OUs I have a GPO where Replace mode Loopback processing
>>> is enabled. When logging in, only the settings in the
>>> Computer portion of the top level GPO are applied. The
>>> User settings are not applied. When running a result, I
>>> see that the User portion of this GPO was denied due to
>>> security filtering. Shouldn't the Replace
>>> Loopbacking have fixed this? How can I get the user
>>> settings to be applied, without adding user objects to the
>>> Global Group?
>>>
>>> I hope I made this clear enough to follow
>>>
>>> Thank You
>>
>>
>>.
>>
>.
>
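
The loopback rules described in the thread, as an added example that is not part of any poster's message: a small Python model of GPO selection, run against the two scenarios raised above. All object and GPO names are constructed, and reading the loopback mode from the highest-precedence computer-side GPO that applied is a modelling assumption.

```python
from dataclasses import dataclass, field

AUTH = "Authenticated Users"

@dataclass
class GPO:
    name: str
    allow: set                                # Read + Apply Group Policy
    deny: set = field(default_factory=set)    # explicit deny ACE wins
    loopback: str = ""                        # "", "merge" or "replace"

    def applies(self, ids):
        return bool(self.allow & ids) and not (self.deny & ids)

def som(path, links):
    # Scope of Management: GPOs linked from the domain down to the
    # object's OU, lowest precedence first.
    return [g for ou in path for g in links.get(ou, [])]

def resultant(computer, user, links):
    c_som = som(computer["path"], links)
    comp = [g for g in c_som if g.applies(computer["ids"])]
    # Model assumption: loopback mode comes from the highest-precedence
    # computer-side GPO that actually applied to the machine.
    mode = next((g.loopback for g in reversed(comp) if g.loopback), "")
    u_som = som(user["path"], links)
    candidates = {"replace": c_som, "merge": u_som + c_som}.get(mode, u_som)
    # User settings are filtered by the *user's* permissions in every mode.
    usr = [g for g in candidates if g.applies(user["ids"])]
    return [g.name for g in comp], [g.name for g in usr]

# Constructed directory: every name below is illustrative only.
USER = {"path": ["domain", "Staff"], "ids": {"alice", AUTH}}
LOOP = GPO("WS-Loopback", {AUTH}, loopback="replace")

def filtered_to_computer_group():
    # Original question: top-level GPO filtered to a group of computers.
    top = GPO("TopLevel", {"TargetPCs"})
    links = {"domain": [top], "Workstations": [LOOP]}
    pc = {"path": ["domain", "Workstations"], "ids": {"PC1$", "TargetPCs", AUTH}}
    return resultant(pc, USER, links)

def deny_on_machine_account():
    # Follow-up: deny ACE for one machine account on a GPO in its OU.
    lab = GPO("Lab", {AUTH}, deny={"PC2$"})
    links = {"Workstations": [lab, LOOP]}
    pc = {"path": ["domain", "Workstations"], "ids": {"PC2$", AUTH}}
    return resultant(pc, USER, links)

if __name__ == "__main__":
    print(filtered_to_computer_group())
    print(deny_on_machine_account())
```

Each function returns the computer-side list followed by the user-side list, so the two halves of a GPO can be compared directly against a results report.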


