Re: Complex GPO Configuration Issue
- From: James Miller <JamesMiller@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 5 Oct 2005 09:14:01 -0700
Thanks Steve. Creating a separate OU would certainly take care of my
needs in the short term. I'm really trying to avoid creating an OU because
as more GPOs are applied, this strategy loses value. Trying to except
machines from multiple policies this way turns into a mess because the
computer object can only exist in a single OU.

The user settings are definitely enabled on the policy in question. I
did try to set my second policy to replace mode (both were merge mode to
begin with). This didn't make a difference. However, if I set the second
policy to enforce it does apply. This causes the first policy to stop
applying when the machine is not a member of the 'deny' group though.

My user settings are in the loopback policy, and should be coming from
the computer OU's policy. What I'm getting for user configuration is
actually coming from the default domain policy. This policy is not set to
enforce, so I'm not sure why the user settings from my loopback policies
won't merge.

Logically I would expect my current setup to work, but perhaps I'm just
pushing GPO to do something it was never intended to do.
--
_________________________
JC Miller
Distributed Technology Analyst
Boise, ID
"Steven L Umbach" wrote:
> Loopback processing is computer configuration. When you "filter a GPO" with
> deny for the domain computers only computer configuration can be disabled
> and the user configuration portion of the GPO could still be active. So what
> may be happening is that for all computers in the OU they could then have
> the same user configuration applied to users as the second GPO user
> configuration is applied to them and then the first one. In other words I
> don't think that when loopback processing is enabled that the user
> configuration settings can come from only the GPO where the Group Policy is
> configured for the computer. Another thing that could be happening is that
> the user configuration from the first GPO is overriding all user
> configuration settings in the second GPO much as they would if those
> settings came from the OU where the user account is located and replace mode
> was used. It might be interesting to configure the top GPO with merge mode
> and then the second GPO with replace mode to see what happens assuming you
> are trying to configure additional settings for users in addition to the top
> level GPO which you may not be trying to do. Like I said before using a
> separate OU may be something to look at. Also verify that the user
> configuration portion of the Group Policy in question is enabled.
> --- Steve
>
>
> "James Miller" <JamesMiller@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:65743786-B787-4667-B05C-8D1B82CA7C18@xxxxxxxxxxxxxxxx
> > Hmm... actually they do have read and apply. I saw read (from Security
> > Filtering) in the GPMC and thought you'd nailed it. When I pulled up the
> > Advanced window it did show both read and apply.
> > --
> > _________________________
> > JC Miller
> > Distributed Technology Analyst
> > Boise, ID
> >
> >
> > "Roger Abell [MVP]" wrote:
> >
> >> And the second, non-default loopback GPO does have the users that are
> >> logging in defined for read/apply?
> >>
> >> "James Miller" <JamesMiller@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:F0131426-C34A-45C5-B3BB-BC9ADD76EC7B@xxxxxxxxxxxxxxxx
> >> >
> >> > I am trying to create two policies that set user configuration on
> >> > computer objects in our domain using loopback processing. One policy
> >> > should be the default, and the handful of exception machines should use
> >> > the second policy. Both policies are defined at the OU level, with the
> >> > default set to take precedence.
> >> > We have a group with deny rights to the default GPO object that
> >> > contains machine accounts for all our exception machines. In theory,
> >> > because they are denied access to the policy we want as default, they
> >> > should effectively have the second policy settings applied.
> >> > What our experience has been is that when a machine is placed into
> >> > the group and denied access to our default policy, only the computer
> >> > configuration settings from the second policy are applied. So the
> >> > loopback setting in this policy shows that it is enabled, however none
> >> > of the user configuration settings from that policy make it to the
> >> > client.
> >> > Modeling in the GPMC shows the default policy in the denied list as
> >> > expected, and shows the second policy as being applied. It also shows
> >> > the loopback setting, but none of the user configuration settings - it's
> >> > accurately describing what my clients are experiencing. Is this behavior
> >> > by design? What can I do to make this work the way I think it should?
> >> > --
> >> > _________________________
> >> > JC Miller
> >> > Distributed Technology Analyst
> >> > Boise, ID
> >>
> >>
> >>
>
>
>
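
A read-only inventory for the kind of setup discussed in this thread, added here as an example and not part of any poster's message: for each GPO that reaches a computer OU it lists precedence, enforcement, which halves of the GPO are enabled, the loopback mode, and the security-filtering entries. It assumes the GroupPolicy PowerShell module (RSAT/GPMC) is installed; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the thread). Read-only; needs the GroupPolicy module (RSAT/GPMC).
Import-Module GroupPolicy

# Placeholder: distinguished name of the OU that holds the computer objects.
$ComputerOU = 'OU=Workstations,DC=example,DC=com'

# Loopback is a computer-side registry policy: UserPolicyMode 1 = Merge, 2 = Replace.
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

function Get-LoopbackMode {
    param([guid]$GpoId)
    try {
        $setting = Get-GPRegistryValue -Guid $GpoId -Key $LoopbackKey `
                       -ValueName 'UserPolicyMode' -ErrorAction Stop
        switch ($setting.Value) {
            1       { 'Merge' }
            2       { 'Replace' }
            default { "Unknown ($($setting.Value))" }
        }
    } catch {
        'Not configured'   # the cmdlet raises an error when the value is absent
    }
}

# InheritedGpoLinks lists the GPOs that reach this OU; Order 1 has the highest precedence.
$report = foreach ($link in (Get-GPInheritance -Target $ComputerOU).InheritedGpoLinks) {
    $gpo   = Get-GPO -Guid $link.GpoId
    $perms = Get-GPPermission -Guid $link.GpoId -All

    [pscustomobject]@{
        Order     = $link.Order
        Gpo       = $gpo.DisplayName
        Enforced  = $link.Enforced
        GpoStatus = $gpo.GpoStatus   # e.g. AllSettingsEnabled, UserSettingsDisabled
        Loopback  = Get-LoopbackMode -GpoId $link.GpoId
        # Trustees holding Apply Group Policy, and trustees with a deny entry,
        # as reported by Get-GPPermission.
        ApplyTo   = ($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
                       ForEach-Object { $_.Trustee.Name }) -join '; '
        DenyFor   = ($perms | Where-Object { $_.Denied } |
                       ForEach-Object { $_.Trustee.Name }) -join '; '
    }
}

$report | Sort-Object Order | Format-Table -AutoSize -Wrap
```

Comparing the table with `gpresult /r` output from an affected client shows which of the listed GPOs actually reached the user and the computer.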