adam21983 wrote: Thanks for your replies so far! Ok, here is my first response (I am a newbie, so I am more than likely misunderstanding you guys, but here goes!): "However if you have GPOs applied to that computer from AD level then it overrides any local policy setting you have on your machine." However, I have read that the tiers related to group policy are as follows: 1. Local GP 2. Site GP 3. Domain GP 4. OU GP. Does this mean that the Local GP overrides the lower tiers? If not, then why is it listed as the top tier? Thanks for your help!
famosbrown wrote: The only way to get a Local Policy to override a Policy from AD is to enable Loopback Processing and this will replace the User portion of the AD GPO with the User portion of the Local GPO...unless you decide to merge them together instead.
Mishra wrote: famosbrown wrote: The only way to get a Local Policy to override a Policy from AD is to enable Loopback Processing and this will replace the User portion of the AD GPO with the User portion of the Local GPO...unless you decide to merge them together instead. Hmm.. Loopback modes don't have anything to do with local policy. Loopback mode is designed to select which user and computer settings you would like from the OUs the computer and user object are located in. I posted a topic talking about how it works: http://www.techexams.net/forums/viewtopic.php?p=174442#174442
dynamik wrote: famosbrown wrote: The only way to get a Local Policy to override a Policy from AD is to enable Loopback Processing and this will replace the User portion of the AD GPO with the User portion of the Local GPO...unless you decide to merge them together instead. That's not correct. Loopback processing doesn't have anything to do with where the policy is applied (local, domain, site, ou). In a nutshell, loopback processing allows user settings to be applied to a computer. Here is a link that goes into detail: http://technet2.microsoft.com/windowsserver/en/library/abe2b1a9-975f-4b2f-b771-9e6a903e97db1033.mspx?mfr=true
famosbrown wrote: Read what you linked and try to find some more detailed information. It is used to replace or merge user settings set in a particular GPO, whether it be OU or Local...as the article stated, it's used in kiosks, laboratories, etc....I've usually seen these types of public places configured with Local Policy with Loopback Policy Merge or Replace enabled.
dynamik wrote: famosbrown wrote: Read what you linked and try to find some more detailed information. It is used to replace or merge user settings set in a particular GPO whether it be OU or Local...as the article stated, it's used in kiosks, laboratories, etc....I've usually seen these type of public places configured with Local Policy with Loopback Policy Merge or replace enabled. Here are some excerpts from this link: http://support.microsoft.com/?id=231287
MS KB wrote: SUMMARY Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.
MS KB wrote: When users work on their own workstations, you may want Group Policy settings applied based on the location of the user object. Therefore, we recommend that you configure policy settings based on the organizational unit in which the user account resides. However, there may be instances when a computer object resides in a specific organizational unit, and the user settings of a policy should be applied based on the location of the computer object instead of the user object. Note: You cannot filter the user settings that are applied by denying or removing the AGP and Read rights from the computer object specified for the loopback policy. Normal user Group Policy processing specifies that computers located in their organizational unit have the GPOs applied in order during computer startup. Users in their organizational unit have GPOs applied in order during logon, regardless of which computer they log on to. In some cases, this processing order may not be appropriate. For example, when you do not want applications that have been assigned or published to the users in their organizational unit to be installed when the user is logged on to a computer in a specific organizational unit. With the Group Policy loopback support feature, you can specify two other ways to retrieve the list of GPOs for any user of the computers in this specific organizational unit: • Merge Mode: In this mode, when the user logs on, the user's list of GPOs is typically gathered by using the GetGPOList function. The GetGPOList function is then called again by using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is added to the user's list. • Replace Mode: In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.
The point I was trying to make is that describing loopback processing simply as a way to have local GPOs override AD GPOs is misleading and not technically accurate. Looking at your original post, I see that you were not providing a definition of loopback processing as much as you were detailing a scenario. I apologize for my miscommunication/misunderstanding.
sprkymrk wrote: Keeping it simple: If the loopback processing policy is set in the computer settings of a GPO (whether local, site, domain, or OU), it either ignores completely or merges any GPO normally applied to the user logging in. One thing I have never tested though is setting the Loopback Processing on a computer's local group policy to "enabled", and then setting it to "disabled" in a domain or OU policy also linked to that same computer. I would have to assume that Loopback Processing would be disabled in that case. Loopback Processing is no different than any other computer configuration setting; it still gets applied in the order of Local, Site, Domain, OU. If Loopback Processing is applied at any level, as long as a higher level GPO does not override it, it will take effect. This is what famos was pointing out. I must admit though, I was almost the first to reply "No way!" to his post until I realized he wasn't saying that Loopback Processing at the local level overrides everything at the OU/domain level. This whole thread almost made my head hurt.
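The two points argued above (the KB's Merge/Replace list building, and sprkymrk's observation that the loopback setting is itself a computer setting resolved in Local, Site, Domain, OU order) can be modelled in a few lines. This is an added illustration, not code from the thread or from Microsoft; the GPO names, settings and scopes are constructed, and "loopback" is a made-up setting key, not the real registry value.

```python
"""Model of Group Policy precedence with loopback processing (constructed example)."""
from dataclasses import dataclass, field

MERGE, REPLACE = "merge", "replace"
# LSDOU order: later scopes are applied later and therefore win on conflict.
ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass
class GPO:
    name: str
    scope: str                                      # local, site, domain or ou
    user: dict = field(default_factory=dict)        # User Configuration settings
    computer: dict = field(default_factory=dict)    # Computer Configuration settings


def resolve(gpos, part):
    """Apply settings in list order; the last GPO that defines a setting wins."""
    effective = {}
    for g in gpos:
        effective.update(getattr(g, part))
    return effective


def effective_user_settings(user_gpos, computer_gpos):
    user_gpos = sorted(user_gpos, key=lambda g: ORDER[g.scope])
    computer_gpos = sorted(computer_gpos, key=lambda g: ORDER[g.scope])
    # Loopback is a Computer Configuration setting, so it is resolved LSDOU
    # like any other: an OU GPO can override what the local GPO set.
    mode = resolve(computer_gpos, "computer").get("loopback")
    if mode == REPLACE:
        gpo_list = computer_gpos                 # user's own list is not gathered
    elif mode == MERGE:
        gpo_list = user_gpos + computer_gpos     # computer's list appended: higher precedence
    else:
        gpo_list = user_gpos                     # normal processing
    return resolve(gpo_list, "user")


# Constructed GPOs: a staff user's OU GPO, and a kiosk computer's local and OU GPOs.
STAFF_OU = GPO("Staff-OU", "ou", user={"screensaver": "off", "proxy": "none", "homepage": "intranet"})
KIOSK_LOCAL = GPO("Kiosk-Local", "local", user={"screensaver": "locked-5min"}, computer={"loopback": REPLACE})
KIOSK_OU = GPO("Kiosk-OU", "ou", user={"proxy": "proxy.example:8080"}, computer={"loopback": MERGE})


def merge_demo():
    # Local says Replace, OU says Merge: OU wins, so the user's own settings survive
    # where the computer's GPOs do not redefine them (homepage stays).
    return effective_user_settings([STAFF_OU], [KIOSK_LOCAL, KIOSK_OU])


def replace_demo():
    # Without the OU's Merge setting the local Replace stands: only the
    # computer's GPO list is used, so the user's homepage setting never applies.
    kiosk_ou_plain = GPO("Kiosk-OU", "ou", user={"proxy": "proxy.example:8080"})
    return effective_user_settings([STAFF_OU], [KIOSK_LOCAL, kiosk_ou_plain])
```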
famosbrown wrote: Yep...that's another way to do it, but if you do not want to create a generic domain user account and would rather create a local generic user account for public use, would the domain GPOs apply to that Local user? This is the reason I would use Local Policy.
sprkymrk wrote: famosbrown wrote: Yep...that's another way to do it, but if you do not want to create a generic domain user account and rather create a local generic user account for public use, would the domain GPO's appply to that Local user? This is the reason I would use Local Policy. Good question, and my guess would be that "yes", it would. My reasoning (untried and untested) is that even though you are setting "user settings" in the GPO that you want to have applied, it's the "computer setting" that says to loop back to the user settings defined in THIS policy. In effect, it's the Loopback policy itself where you actually define what settings you want applied to the user. Sound right? I can easily test this when I get back to the office to see for sure.
famosbrown wrote: Yeah...test that out with a local user, and let us know. Computer settings are applied at startup or shutdown only, so I would like to know if the User Settings will still be applied when a local user logs into the computer.
famosbrown wrote: I love this part of I.T. ! Test, discovery, and conclusion !!
sprkymrk wrote: famosbrown wrote: Yeah...test that out with a local user, and let us know. Computer settings are applied at startup or shutdown only, so I would like to know if the User Settings will still be applied when a local user logs into the computer. What about Group Policy refresh every 90 minutes or so? That applies everything except security settings by default. (Note: the following link was a quick find and specifically for 2K, but to the best of my knowledge hasn't changed for 2K3): http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/32.mspx?mfr=true famosbrown wrote: I love this part of I.T. ! Test, discovery, and conclusion !! +1
but I would like to see if the settings will automatically change for the local user during the refresh...
sprkymrk wrote: It works. I used a GPO with loopback set to Replace, applied to an OU with a computer. Set options on the screensaver (5 total) and hid various tabs and menus. Set IE proxy. Created a local user on the computer and the settings applied just fine. Were there any specific issues you wanted to test/check? "but I would like to see if the settings will automatically change for the local user during the refresh..." You can always change the default behavior of the refresh if you find something not being applied. I use the settings under Computer > Admin Templates > System > Group Policy to make sure the background refresh is set, and the various "policy processing" settings are all configured to the appropriate level.
famosbrown wrote: Sweet!!! You saved some testing for me!
famosbrown wrote: Great job Mark.