Re: Loopback issues

From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 01/26/05


Date: Thu, 27 Jan 2005 08:15:12 +1100

Hi

I tend to agree with Roger. It sounds like a security issue on the GPOs.
To explain loopback:

1. When the computer boots, the list of GPOs for the computer is gathered
based on its location in the Active Directory. This is its SOM or Scope
of Management. The list includes GPOs linked to OUs at each level in the
hierarchy from the OU in which the computer resides all the way up to the
domain.

2. The computer configuration settings from this list are applied to the
computer provided it has permissions to the GPOs.

3. When the user logs in, different behaviour occurs according to the policy
loopback settings:

A. Loopback off - the SOM for the user is calculated and then user
configuration settings applied according to user permissions. The location
of the user account in the AD decides entirely which user configuration
settings are applied.

B. Loopback merge mode - the SOM for the user is calculated as in A. The
user configuration settings from this SOM are applied but at a lower
precedence to the user configuration settings in the computer SOM. Once
again, user permissions allow or prevent application of these settings
regardless of whether they came from the user or computer SOM.

C. Loopback replace mode - the SOM for the user is not considered. The user
configuration settings are applied from the GPOs in the computer SOM
provided they have user permissions.

HTH

-- 
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email 
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message 
news:%23j3GiY3AFHA.1260@TK2MSFTNGP12.phx.gbl...
> The GPO security group filtering is still at its default
> with read/apply set for Authenticated Users ?
>
> -- 
> Roger Abell
> Microsoft MVP (Windows  Security)
> MCSE (W2k3,W2k,Nt4)  MCDBA
> "Mike Huff" <huffmt@adelphia.net> wrote in message
> news:zo-dnSer5_y6bGvcRVn-hg@adelphia.com...
>> I have an OU with 10 XP workstations in it.  2003 AD.
>>
>> 1 GPO applied, with Loopback Processing enabled and set to replace. SUS
>> policy set in Computer Configuration.
>> GPO in User Configuration has set to not display "My Computer" on desktop
>> and not to display "Add/Remove Programs" in Control Panel.
>>
>> Computer Configuration portion of GPO is working fine (SUS, etc.), but none
>> of the User Configuration portion of the policy is being applied.
>>
>> Any ideas?
>>
>>
>
> 
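The three loopback modes and the permission check described in the reply above, modelled as an added example that is not part of the original posts and not Microsoft code. The GPO names, group names and setting labels are hypothetical, and the security filter is simplified to a set of principals holding Read plus Apply Group Policy.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict
    # Principals granted Read + Apply Group Policy (the security filter).
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})

def user_gpo_list(user_som, computer_som, mode):
    """Ordered GPO list for the user side; later entries win on conflict."""
    if mode == "off":
        return list(user_som)
    if mode == "merge":
        # Computer SOM is processed last, so it has the higher precedence.
        return list(user_som) + list(computer_som)
    if mode == "replace":
        return list(computer_som)
    raise ValueError(f"unknown loopback mode: {mode}")

def effective_user_settings(user_groups, user_som, computer_som, mode):
    """Apply user settings from each GPO the *user* is permitted to apply."""
    result, skipped = {}, []
    for gpo in user_gpo_list(user_som, computer_som, mode):
        if user_groups & gpo.apply_to:
            result.update(gpo.user_settings)
        else:
            skipped.append(gpo.name)  # filtered out by GPO permissions
    return result, skipped

# Constructed sample data (all names are hypothetical, not from the thread).
USER = {"Authenticated Users", "Domain Users"}
user_ou = [GPO("Staff Desktop", {"Wallpaper": "corp.bmp", "HideAddRemovePrograms": 0})]
lockdown = GPO("Lab Lockdown", {"HideMyComputer": 1, "HideAddRemovePrograms": 1})
# Same GPO, but filtered to a computers-only group: the user cannot apply it.
lockdown_filtered = GPO("Lab Lockdown", lockdown.user_settings, {"Lab Computers"})

if __name__ == "__main__":
    for mode in ("off", "merge", "replace"):
        print(mode, effective_user_settings(USER, user_ou, [lockdown], mode))
    print("replace, filtered:",
          effective_user_settings(USER, user_ou, [lockdown_filtered], "replace"))
```

The last case reproduces the symptom in the original question: in replace mode, a GPO in the computer SOM that the logging-on user cannot read and apply contributes no user configuration settings, even though its computer configuration still applies to the machine.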

