Re: RE: loopback group policy
- From: "lforbes" <lforbes@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 18 Aug 2005 21:36:24 -0700
Hi,

First of all, just so you know, GPOs don't apply to Groups or members of
Groups. Groups can be used for Security Filtering only; however, I don't even
use them for that. It doesn't matter where in AD you put the Groups; it only
matters where you put the computers and the users.

Basically, GPOs are cumulative, with the one "closest" to the User winning in
the case of a conflict. The exception is the Loopback, because if set to
"Replace" then it replaces all the User's GPO settings. If set to "Merge" it
merges the settings on the Computer GPO (in Users section) with the User's GPO
settings, BUT in case of a conflict the Computer GPO wins out. (This is
all explicit in the Help Section of the Loopback GPO.)

For your case, I would create a GPO for Department 1 OU and link it to
Department 2 OU as well (same GPO). I would call this GPO "Loopback" and the
only setting would be the Loopback = Enabled = Merge.

I would then create a Workstation1 GPO and a separate Workstation2 GPO. In
these GPOs I would instruct the Admins of the departments to make any
Computer Config settings in the Computer Config and any User settings (to
apply specifically to their department computers) in the Users Config.
Because the "Loopback" GPO is above the Workstation1 and the Workstation2
GPOs, it will still affect any workstations below it.

In this case, when users log on to workstations in the Workstation1 GPO,
they will get their User settings (set on User OU) merged with any settings
in the User Config of the Workstation1 GPO that your department heads set.

Cheers,
Lara

"twospoons" wrote:
> yes, i know where to turn on loopback processing in terms of a single
> gpo... what i'm asking is concerning the processing
> order/inheritance of gpo's when configured in loopback mode from
> multiple OU's... and what if the OU's are not nested?
>
> say a user from a top level OU logs into a workstation in a separate
> OU's (department) nested OU (workstation)
>
> domain
> - Users_OU
> - Department1_OU
> ---- Workstations1_OU
> ---- Groups1_OU
> - Department2_OU
> ---- Workstations2_OU
> ---- Groups2_OU
>
> how would loopback work if there is a gpo applied to the Users_OU,
> Department1_OU and the Workstations1_OU... and a different gpo
> applied to the workstations in department two? which of these gpo's
> would you turn loopback on? what order would the gpo's be applied?
>
> what i'm wanting to accomplish is to have a global gpo configured for
> all users... then i want each department manager to have access to
> apply gpo's to their own groups and workstations. is loopback policy
> even the best way to do this? what steps do i need to take to ensure
> that the departmental gpo's comply with the global gpo's from the
> User's OU?
>
> thanks
>
>
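
The processing order discussed in this thread, as an added Python model that is not part of the original posts: it computes which GPOs supply a user's settings, and in what order, for the OU layout in the question with the "Loopback", "Workstation1" and "Workstation2" GPOs from the reply. The "Global" GPO name and all setting names and values are constructed samples, and the model assumes no site or local policy, enforcement, block inheritance or security filtering.

```python
# Added illustration: simplified model of user-settings processing with loopback.
# OU names come from the thread; "Global" and all setting values are constructed.
# Assumes no site/local policy, enforcement, block inheritance or filtering.

# Each GPO carries user-configuration settings and, optionally, a loopback mode.
# Loopback is a computer-side setting, so it is read from the computer's GPOs.
GPOS = {
    "Global":       {"user": {"wallpaper": "corp.bmp", "run_menu": "hidden"}},
    "Loopback":     {"user": {}, "loopback": "merge"},
    "Workstation1": {"user": {"wallpaper": "dept1.bmp", "screensaver": "5min"}},
    "Workstation2": {"user": {"wallpaper": "dept2.bmp"}},
}

# GPO links per OU, and each OU's parent container.
LINKS = {
    "Users_OU": ["Global"],
    "Department1_OU": ["Loopback"], "Workstations1_OU": ["Workstation1"],
    "Department2_OU": ["Loopback"], "Workstations2_OU": ["Workstation2"],
}
PARENT = {
    "Users_OU": "domain", "Department1_OU": "domain", "Department2_OU": "domain",
    "Workstations1_OU": "Department1_OU", "Workstations2_OU": "Department2_OU",
}

def gpo_chain(ou):
    """GPOs applying to an object in `ou`: parent OU first, closest OU last."""
    path = []
    while ou != "domain":
        path.append(ou)
        ou = PARENT[ou]
    return [g for container in reversed(path) for g in LINKS.get(container, [])]

def effective_user_settings(user_ou, computer_ou, gpos=GPOS):
    """Return (loopback mode, GPO processing order, resulting user settings)."""
    computer_gpos = gpo_chain(computer_ou)
    mode = None
    for name in computer_gpos:          # last GPO that sets a mode decides it
        mode = gpos[name].get("loopback", mode)
    if mode == "replace":               # only the computer's GPOs are used
        order = computer_gpos
    elif mode == "merge":               # user's GPOs first, computer's GPOs last
        order = gpo_chain(user_ou) + computer_gpos
    else:                               # no loopback: user's own GPOs only
        order = gpo_chain(user_ou)
    result = {}
    for name in order:
        result.update(gpos[name]["user"])   # later GPO wins on conflict
    return mode, order, result
```

Calling `effective_user_settings("Users_OU", "Workstations1_OU")` shows the merge case from the reply: the user keeps the global settings except where the Workstation1 GPO's User Config sets the same value.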