Solved

Group Policy processing question and Loopback

Posted on 2007-03-27
Last Modified: 2010-05-18
I am trying to get my head around the order of group policy processing and the difference loopback makes to it.

Now first of all I have read a load of MS articles and web resources and for me none of them are completely clear.

I know the processing order is Local, site, domain, OU

I know that each GPO processes user configuration first and computer configuration second (making computer configuration take precedence)

Now my first question is: are the GPOs linked to BOTH the user account and to the computer account applied (assuming there are GPOs for each)? If so, in what order, and which one takes precedence? And are both parts of the GPO applied (i.e. computer and user configuration settings)?

My next question is how does Loopback change this?

I appreciate the help - it's driving me crazy!
Question by:mistaking
5 Comments
 
LVL 27

Expert Comment

by:Jason Watkins
Hello,

The computer configuration is processed against the computer account first, so it will cover anyone who may log on.  The user settings are then applied after the user's access token has been granted from the domain controller.  Those settings are specific to the user.  

Loopback settings can either merge or replace the tallied GPO settings for a particular user. Merge combines the user's effective GPO settings with the prescribed settings from loopback. Replace does exactly that, but is geared to giving everyone the same settings on a given machine regardless of who logs on. Replace is good for kiosks and public computers.

/F
 

Author Comment

by:mistaking
OK, so if there is a setting in computer configuration of a GPO that I change, for example, and I apply that GPO to an OU that contains only users - that setting will never be applied because there are no computers in that OU and so computer configuration will never be applied?
 
LVL 9

Expert Comment

by:FixingStuff
I hear ya... this stuff drives me crazy too.
I have found the Group Policy Management Console (GPMC.MSC) to help in understanding the Link Order, Precedence, status etc...
If you don't have it, you may want to try it out.
fs
 
LVL 27

Expert Comment

by:Jason Watkins
The configuration will be applied, but it will be transparent without any settings...

/F
 
LVL 82

Accepted Solution

by: oBdA (earned 500 total points)
The basics:
Any policy that you configure in the "Computer Configuration" part will only be applied to computer objects in or below the OU to which the GPO is linked. This might or might not have an impact on users. These are machine specific settings: policies defined here write to the HKLM hive.
Any policy that you configure in the "User Configuration" part will only be applied to user objects in or below the OU to which the GPO is linked. These are user specific settings: policies defined here write to the HKCU hive.
It doesn't matter at all if both settings are present in a single GPO, and both the user and the computer account are in or below the OU to which the GPO is linked. The Computer Configuration is applied at the computer's startup (and refreshed periodically), the User Configuration is applied during the user's logon (and refreshed periodically). They have absolutely nothing in common, since they write to different sections in the registry. There can only be a precedence of some sort if the *software* (Windows Explorer, Internet Explorer, whatever) that evaluates the policies created is configured to check both machine and user specific settings, but this has nothing to do with the application of the policies themselves.

Now to the Loopback feature.
As I said above, the User Configuration part is applied only to user objects in or below a certain OU. But often there's a need for different policies, depending on the computer the user is logging on to. With the standard possibilities mentioned above, this would not be possible: the user account is always the same, no matter where the user is logging on, so there's *nothing* you can do (no security group filtering, no playing around with inheritance) to have different policies.
That is, unless you're using the Loopback feature. If you enable the loopback processing for computers in an OU, any *User* *Configuration* applied to this OU will be applied to *all* users logging on to those computers, *regardless* of where the user objects are in AD.
The two processing modes (Merge and Replace) define what happens with the user's "regular" policies (the policies applied directly to the user's account).
If the loopback is set to "Replace", the user's regular policies will not be evaluated, only the Loopback user configuration will be applied.
If the loopback is set to "Merge", the user's regular policies will be applied first, then the Loopback policies will be applied (so if there are conflicting settings, the Loopback policy will win).
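A small model of the rules in the accepted answer, added here as an example (it is not code from the thread). GPO names, scopes and settings are constructed sample data; the user object sits under a "Staff" OU and the computer under a "Kiosk" OU, and the loopback modes are represented as the strings "merge" and "replace". It also covers the asker's follow-up: the Computer Configuration of a GPO linked to a users-only OU ends up nowhere in HKLM.

```python
from dataclasses import dataclass, field

# LSDOU: Local, Site, Domain, OU. Later scopes are applied last and win conflicts.
SCOPE_ORDER = ("local", "site", "domain", "ou")

@dataclass
class GPO:
    name: str
    scope: str                                    # one of SCOPE_ORDER
    computer: dict = field(default_factory=dict)  # Computer Configuration (HKLM)
    user: dict = field(default_factory=dict)      # User Configuration (HKCU)

def _in_lsdou_order(gpos):
    # Stable sort, so link order within one scope is preserved.
    return sorted(gpos, key=lambda g: SCOPE_ORDER.index(g.scope))

def apply_computer_config(computer_gpos):
    """GPOs linked at/above the *computer* object, applied at startup into HKLM."""
    hklm = {}
    for gpo in _in_lsdou_order(computer_gpos):
        hklm.update(gpo.computer)
    return hklm

def apply_user_config(user_gpos, computer_gpos, loopback=None):
    """GPOs applied at logon into HKCU; loopback is None, "merge" or "replace".
    With loopback, the User Configuration of the GPOs linked at/above the
    *computer* applies to whoever logs on; in merge mode it is applied last and wins."""
    hkcu = {}
    if loopback != "replace":          # Replace skips the user's own GPOs entirely
        for gpo in _in_lsdou_order(user_gpos):
            hkcu.update(gpo.user)
    if loopback in ("merge", "replace"):
        for gpo in _in_lsdou_order(computer_gpos):
            hkcu.update(gpo.user)      # computer-side user settings win conflicts
    return hkcu

# Constructed sample data (hypothetical GPOs and setting names).
DOMAIN = GPO("Default Domain Policy", "domain", computer={"MinPasswordLength": 8})
STAFF = GPO("Staff Desktop", "ou", computer={"Firewall": "on"},
            user={"Wallpaper": "staff.jpg", "RunCmd": "allowed"})
KIOSK = GPO("Kiosk Lockdown", "ou", computer={"AutoLogon": "kiosk"},
            user={"RunCmd": "denied", "ScreenSaverTimeout": 300})
USER_GPOS = [DOMAIN, STAFF]        # what the user object in the Staff OU sees
COMPUTER_GPOS = [DOMAIN, KIOSK]    # what the computer object in the Kiosk OU sees

def resolve(loopback=None):
    """Effective (HKLM, HKCU) for the staff user logging on to the kiosk PC."""
    return (apply_computer_config(COMPUTER_GPOS),
            apply_user_config(USER_GPOS, COMPUTER_GPOS, loopback))
```

Note that "Firewall" from the Staff Desktop GPO never reaches HKLM, because no computer object lives under the Staff OU, and that only Replace mode drops the user's own "Wallpaper" setting.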