deshaw (India)

Question on loopback processing

Hi,

I have my domain structure something like below.
<domain>
  | -- User GPOs are attached here
  |
  |---<Site> (there are few user GPOs attached to the sites also)
         | --- <Users Container>
         | --- <Special Computers OU>
         |---- <Computers OU>

I want to execute a logoff script on special computers whenever a user logs in to one. I have several computer/user policies configured at domain and site level. I created and linked a new GPO (logoff scripts) on the Special Computers OU with loopback (merge) mode enabled and a logoff script configured. But the problem is that when a user is logging into the special computer, I can see from RSOP that user-related policies are getting processed two times. I know the reason for this: in merge mode, when the user is logging in, first all the user policies will get applied and then the computer processes all the policies to which it has access and which have user settings, and applies those settings to the user (that is what is meant by merge mode). Because of this behavior, all the user policies are getting applied twice on special computers. So, I have denied read/apply access to special computers on the user GPOs which are at domain and site level. But to my surprise, they are still getting applied though the computers are denied read/apply.

Does anyone have an idea why it is happening like this? I couldn't find any traces of this problem.

Thanks

Akhater (Lebanon)


Why don't you just apply loopback in replace mode, if you just want the special computer OU policies to be applied, or block inheritance at the Special Computers OU level?
deshaw (ASKER)

Akhater, the reason I didn't use replace mode is that the users should get all the remaining policies configured at domain and site level along with the logoff script configured in the loopback-enabled GPO.
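As an added example (not from the thread): a toy Python model of how the user-settings GPO list is built with loopback off, in merge mode and in replace mode, using a constructed site/domain/OU layout like the one described in the question. Security filtering (the Read/Apply permissions being discussed) is deliberately not modelled; only SOM inheritance and link precedence are.

```python
from typing import Dict, List

# Constructed forest (not the asker's real one): each scope of management
# (SOM) lists the GPOs linked to it, in link order (first = highest
# precedence within that SOM). Only user-settings GPOs matter here.
GPO_LINKS: Dict[str, List[str]] = {
    "site:Main": ["Site-User-GPO"],
    "domain:corp": ["Domain-User-GPO", "Domain-Baseline-GPO"],
    "ou:Special Computers": ["Logoff-Script-GPO"],
}


def som_chain(site: str, domain: str, ous: List[str]) -> List[str]:
    """LSDOU order: site, domain, then OUs from top to bottom.
    Entries later in the chain override earlier ones on conflict."""
    return [f"site:{site}", f"domain:{domain}"] + [f"ou:{ou}" for ou in ous]


def gpo_list(chain: List[str]) -> List[str]:
    """Expand a SOM chain into the ordered list of GPOs that applies.
    Within one SOM the link order is reversed so that the link with the
    highest precedence is applied last and therefore wins."""
    out: List[str] = []
    for som in chain:
        out.extend(reversed(GPO_LINKS.get(som, [])))
    return out


def user_settings_order(user_chain: List[str], computer_chain: List[str],
                        loopback: str) -> List[str]:
    """Sequence of GPOs whose *user* settings are applied at logon.
    Security filtering (Read / Apply Group Policy ACEs) is not modelled."""
    user_list = gpo_list(user_chain)
    computer_list = gpo_list(computer_chain)
    if loopback == "none":
        return user_list
    if loopback == "replace":      # the user's own list is discarded entirely
        return computer_list
    if loopback == "merge":        # the computer's list is appended and wins
        return user_list + computer_list
    raise ValueError(f"unknown loopback mode: {loopback}")


# The asker's layout: the user sits directly under the site/domain (no OU
# links of its own), the computer under the Special Computers OU.
USER = som_chain("Main", "corp", [])
SPECIAL_PC = som_chain("Main", "corp", ["Special Computers"])
```

Against this layout, merge mode lists the site and domain GPOs twice, once from the user's pass and once from the computer's, which is the duplicate RSOP entry the question describes. Replace mode drops only the user's own pass; the site and domain GPOs still come through the computer's chain.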
Well, your script is a user policy; denying the computer shouldn't have any effect.
So why not change your OU structure a bit?
deshaw (ASKER)

>well your script is a user policy denying the computer shouldn't have any effect
I am thinking that the computer is responsible for reading the GPOs which have user settings. Do you think otherwise? I understood this from the references below.
References:
------------
        http://osdir.com/ml/activedir/2006-01/msg00322.html
        http://articles.techrepublic.com.com/5100-10878_11-1055139.html
        http://www.frickelsoft.net/blog/?p=63
>so why not change a bit your OU structure
Changing the OU structure is not a solution for me because we have a lot of dependencies.
To be honest, I've never had to deal with that specific case, so we are just thinking out loud.

My understanding is that you've added all computers in the "special computers" OU to a group and you've denied the "apply group policy" permission for that group on the logon script assigned at the domain level?
Thinking a little bit more: you can modify your first logon script (the one on the domain level) to check the OU of the computer it is running on; if that computer is in the "special computers" OU, exit.

something like

Set oAdInfo = CreateObject("ADSystemInfo")
Set objPC = GetObject("LDAP://" & oAdInfo.ComputerName)
' Parent is the ADsPath of the container that holds the computer object
strOU = objPC.Parent
' Run the script only for computers outside the Special Computers OU (and its sub-OUs)
If InStr(1, strOU, "OU=Special Computers,", vbTextCompare) = 0 Then
	' your script
Else
	' nothing
End If

SOLUTION
bluntTony (United Kingdom)
This solution is only available to members of Experts Exchange.
deshaw (ASKER)

>My understanding is that you've added all computers in the "special computers"
>OU to a group and you've denied "apply group policy" permission for that group
>on the logon script assigned at the domain level ?
Yes, you are right.
And I cannot think of educating logoff scripts because I have a few environmental limitations which are stopping me.
SOLUTION
This solution is only available to members of Experts Exchange.
If you want to just apply the logoff script to all users at domain level, the VB logic is below. Basically, the script will only perform the required actions if the current machine is in the OU. Then you don't have to worry about loopback.
Hope this helps...

Set oAdInfo = CreateObject("ADSystemInfo")
Set objPC = GetObject("LDAP://" & oAdInfo.ComputerName)
strOU = "OU=Special Computers"
' IADs.Parent returns an ADsPath ("LDAP://OU=...,DC=..."), so drop the
' provider prefix before comparing the start of the parent DN
strParentDN = Mid(objPC.Parent, Len("LDAP://") + 1)
' Case-insensitive match on the first RDN only; the trailing comma stops
' "OU=Special Computers" from also matching e.g. "OU=Special Computers2"
If StrComp(Left(strParentDN, Len(strOU) + 1), strOU & ",", vbTextCompare) = 0 Then
	'YOUR SCRIPT GOES HERE
	'.
	'.
End If


Sorry akhater - didn't refresh!!
no prob :) neither did I
deshaw (ASKER)

I want to get more clarity on the point below:
>3. Afterwards, the user settings on GPOs inherited by the computer are then applied.
Is the user account responsible for reading the computer's GPO list, or is the computer account responsible for reading its own GPO list? I think the latter, because the computer account only knows the ones it has permissions to. Please correct me if I am wrong.
SOLUTION
This solution is only available to members of Experts Exchange.
SOLUTION
This solution is only available to members of Experts Exchange.
ASKER CERTIFIED SOLUTION
This solution is only available to members of Experts Exchange.