  • Status: Solved

Group Policy processing question and Loopback

I am trying to get my head around the order of group policy processing and the difference loopback makes to it.

Now first of all I have read a load of MS articles and web resources and for me none of them are completely clear.

I know the processing order is Local, site, domain, OU

I know that each GPO processes user configuration first and computer configuration second (making computer configuration take precedence)

Now my first question is: are the GPOs linked to BOTH the user account and to the computer account applied (assuming there are GPOs for each)? If so, in what order, and which one takes precedence? And are both parts of the GPO applied (i.e. computer and user configuration settings)?

My next question is how does Loopback change this?

I appreciate the help - it's driving me crazy!
Asked by mistaking

1 Solution

Jason Watkins (IT Project Leader) commented:
Hello,

The computer configuration is processed against the computer account first, so it will cover anyone who may log on.  The user settings are then applied after the user's access token has been granted from the domain controller.  Those settings are specific to the user.  

Loopback settings can either merge or replace the tallied GPO settings for a particular user. Merge combines the user's effective GPO settings with the prescribed settings from loopback. Replace does exactly that, but is geared to giving everyone the same settings on a given machine regardless of who logs on. Replace is good for kiosks and public computers.

/F
 
mistaking (Author) commented:
OK, so if there is a setting in the computer configuration of a GPO that I change, for example, and I apply that GPO to an OU that contains only users, that setting will never be applied because there are no computers in that OU and so the computer configuration will never be applied?
 
FixingStuff commented:
I hear ya... this stuff drives me crazy too.
I have found the Group Policy Management Console (GPMC.MSC) to help in understanding the Link Order, Precedence, status etc...
If you don't have it, you may want to try it out.
fs
 
Jason Watkins (IT Project Leader) commented:
The configuration will be applied, but it will be transparent without any settings...

/F
 
oBdA commented:
The basics:
Any policy that you configure in the "Computer Configuration" part will only be applied to computer objects in or below the OU to which the GPO is linked. This might or might not have an impact on users. These are machine specific settings: policies defined here write to the HKLM hive.
Any policy that you configure in the "User Configuration" part will only be applied to user objects in or below the OU to which the GPO is linked. These are user specific settings: policies defined here write to the HKCU hive.
It doesn't matter at all if both settings are present in a single GPO, and both the user and the computer account are in or below the OU to which the GPO is linked. The Computer Configuration is applied at the computer's startup (and refreshed periodically), the User Configuration is applied during the user's logon (and refreshed periodically). They have absolutely nothing in common, since they write to different sections in the registry. There can only be a precedence of some sorts if the *software* (Windows Explorer, Internet Explorer, whatever) that evaluates the policies created is configured to check both machine and user specific settings, but this has nothing to do with the application of the policies themselves.

Now to the Loopback feature.
As I said above, the User Configuration part is applied only to user objects in or below a certain OU. But often there's a need for different policies, depending on the computer the user is logging on to. With the standard possibilities mentioned above, this would not be possible: the user account is always the same, no matter where the user is logging on, so there's *nothing* you can do (no security group filtering, no playing around with inheritance) to have different policies.
That is, unless you're using the Loopback feature. If you enable the loopback processing for computers in an OU, any *User* *Configuration* applied to this OU will be applied to *all* users logging on to those computers, *regardless* where the user objects are in AD.
The two processing modes (Merge and Replace) define what happens with the user's "regular" policies (the policies applied directly to the user's account).
If the loopback is set to "Replace", the user's regular policies will not be evaluated, only the Loopback user configuration will be applied.
If the loopback is set to "Merge", the user's regular policies will be applied first, then the Loopback policies will be applied (so if there are conflicting settings, the Loopback policy will win).
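The Merge/Replace behaviour described in Jason Watkins' first reply and in oBdA's answer above, worked through as an added PowerShell example (this is not code from the thread or from any of its participants). The script does two things: it models the order in which the user's own User Configuration GPOs and the computer-OU "loopback" GPOs are applied in each mode, so you can see which GPO wins each conflicting setting, and it reads the loopback mode actually configured on the machine it runs on from the registry value that the "Configure user Group Policy loopback processing mode" policy writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\System\UserPolicyMode: 1 = Merge, 2 = Replace). The GPO names and the settings inside them are constructed for illustration and are not real policies.

```powershell
# Added example, not part of the original thread. Models loopback Merge/Replace
# precedence and reads the loopback mode configured on the local computer.
# All GPO names and settings below are constructed for illustration.

function Get-LoopbackMode {
    # The loopback policy writes UserPolicyMode under this key on the computer:
    # 1 = Merge, 2 = Replace, missing or 0 = not configured.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($value) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'NotConfigured' }
    }
}

function Resolve-EffectiveUserPolicy {
    [CmdletBinding()]
    param(
        # GPOs whose User Configuration applies to the user object itself, in
        # processing order (local, site, domain, OU): the last one applied wins a conflict.
        [object[]]$UserGpos = @(),
        # GPOs linked at the computer's OU whose User Configuration loopback pulls in.
        [object[]]$LoopbackGpos = @(),
        [ValidateSet('NotConfigured', 'Merge', 'Replace')]
        [string]$Mode = 'NotConfigured'
    )

    # Which lists contribute, and in which order, depends only on the loopback mode.
    $order = switch ($Mode) {
        'NotConfigured' { $UserGpos }                  # only the user's own policies
        'Merge'         { $UserGpos + $LoopbackGpos }  # user's first, loopback last (wins conflicts)
        'Replace'       { $LoopbackGpos }              # user's own policies are not evaluated at all
    }

    $effective = @{}
    foreach ($gpo in $order) {
        foreach ($setting in $gpo.Settings.GetEnumerator()) {
            # Last writer wins, which is what RSoP reports as the "winning GPO".
            $effective[$setting.Key] = [pscustomobject]@{
                Value  = $setting.Value
                Winner = $gpo.Name
            }
        }
    }
    return $effective
}

# --- constructed sample: a user from a "Users" OU logging on to a kiosk PC ---
$userGpos = @(
    [pscustomobject]@{ Name = 'Default Domain Policy'; Settings = @{ 'ScreenSaverTimeout' = 900 } },
    [pscustomobject]@{ Name = 'Users-Standard';        Settings = @{ 'Wallpaper' = '\\corp\share\corp.jpg'; 'HideDrives' = 0 } }
)
$loopbackGpos = @(
    [pscustomobject]@{ Name = 'Kiosk-Lockdown'; Settings = @{ 'HideDrives' = 1; 'ScreenSaverTimeout' = 300 } }
)

foreach ($mode in 'NotConfigured', 'Merge', 'Replace') {
    Write-Host "`n=== Loopback mode: $mode ==="
    $result = Resolve-EffectiveUserPolicy -UserGpos $userGpos -LoopbackGpos $loopbackGpos -Mode $mode
    $result.GetEnumerator() | Sort-Object Key | ForEach-Object {
        '{0,-20} = {1,-25} (from {2})' -f $_.Key, $_.Value.Value, $_.Value.Winner
    }
}

# Finally, the mode actually set on the computer this runs on.
Write-Host "`nThis computer's loopback mode: $(Get-LoopbackMode)"
```

In Merge mode the output keeps the Wallpaper setting from Users-Standard but HideDrives and ScreenSaverTimeout come from Kiosk-Lockdown, because the loopback GPOs are applied last; in Replace mode the Wallpaper setting disappears entirely, since the user's own GPOs are never evaluated. To compare the model with a real machine, run `gpresult /r` there: the user section lists the GPOs that were actually applied, and on a Replace-mode kiosk you will see the computer-OU GPOs in that list instead of the GPOs linked at the user's OU.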
