Group Policy confusion/question
Todd Burrell
Member Posts: 280
I am preparing for the 70-686 exam and I had a practice question today that left me somewhat confused. The question dealt with GPOs and what happens when the user and computer portions of a GPO both have a setting configured and those settings conflict. My understanding was always that the computer config settings are applied - then the user settings are applied. So I thought that the user settings would override the conflicting computer setting. However, the answer was that when a GPO has a conflicting computer and user setting in a GPO the computer setting wins.
Is this correct? And if so, then I'm real confused about why you would need LOOPBACK? But maybe this just has to do when the settings are in both computer and user sections of a GPO.
Thanks to anyone that can help with this issue.
Comments
Psoasman Member Posts: 2,687
If I am remembering correctly, the user configuration will override the computer configuration. You would use Loopback when you want the computer configuration to override the user configuration.
The normal way is the computer configuration loads when the computer powers on and the user configs are applied when the user logs on.
In reading more about loopback, there are 2 options:
Replace: where the computer settings replace the user settings.
Merge: where the computer and user settings are merged together and if there are any conflicts, then the computer settings win.
jyrki.arpiainen Member Posts: 32
Todd Burrell wrote: » I am preparing for the 70-686 exam and I had a practice question today that left me somewhat confused. The question dealt with GPOs and what happens when the user and computer portions of a GPO both have a setting configured and those settings conflict. My understanding was always that the computer config settings are applied - then the user settings are applied. So I thought that the user settings would override the conflicting computer setting. However, the answer was that when a GPO has a conflicting computer and user setting in a GPO the computer setting wins.
Is this correct? And if so, then I'm real confused about why you would need LOOPBACK? But maybe this just has to do when the settings are in both computer and user sections of a GPO.
Thanks to anyone that can help with this issue.
I'd say that practice test Q and its answer were correct. Computer settings win over conflicting user settings. At least when they are configured in the same GPO.
GPOs linked to lower OUs override those that come from higher levels of the OU hierarchy. Except when No override / Block inheritance is used.
If conflicting policies are at the same OU, which policy wins depends on the order of the policies. It is possible to switch the order with the Up/Down arrows in GPMC.
When it is needed to change which settings come into use in certain OUs or groups of users, I have used security filtering a lot, by removing the Authenticated Users group and adding whatever security group is wanted.
Especially when the OU hierarchy has been "designed" by someone else and it is a big mess.
And when every attempt to make the hierarchy more logical causes someone to scream somewhere.
The situation in which to use loopback is when there are computers in the organization where it is needed that no one can do certain things, like those which are in public use, kiosks etc.
Or when it is needed that on those certain machines everybody DOES get the same (user) settings, whether they are end users or IT staff.
Then even if the user has Domain Admins or "IT-Stuff" etc. security group membership, s/he gets the settings that are configured in the user side of the GPO when loopback mode is configured, and they are applied only on those computers that the policy affects.
Those user-side settings wouldn't have any effect anywhere in most cases, because that OU would normally contain only computer objects.
It works even if there is a security-filtered, domain-wide GPO for that "IT-Stuff" from which other settings are inherited.
It's a feature to prevent IT staff from doing something that risks security or company policy on those public computers.
Rarely used stuff IMHO... I've had need to use that only once in real life.
There are quite a lot of rules that affect GPO processing, so it is good to check things in practice, or use the Group Policy Modelling Wizard in GPMC to see which settings come into use in different situations.
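Added example, not part of any post in this thread: a simplified Python model of how the User Configuration side of GPOs is resolved at logon in normal processing and in the two loopback modes described above (Replace and Merge), using the kiosk scenario. The GPO names, setting names and values are constructed, and the model assumes no Enforced links, Block Inheritance, security filtering or WMI filters.

```python
# Simplified model of how the User Configuration half of GPOs is resolved.
# GPO names, setting names and values are constructed for illustration.

# Each list is already in processing order (site, domain, parent OU, child OU);
# a later GPO overwrites an earlier one when both set the same value.
USER_OU_GPOS = [  # GPOs in scope of the user account's location
    {"name": "Domain-Baseline", "user": {"ControlPanel": "allowed", "Wallpaper": "corp.jpg"}},
    {"name": "IT-Staff-Tools", "user": {"RegistryEditor": "allowed"}},
]
KIOSK_OU_GPOS = [  # GPOs in scope of the kiosk computer's location
    {"name": "Kiosk-Lockdown", "user": {"ControlPanel": "blocked", "RegistryEditor": "blocked"}},
]


def apply_in_order(gpos):
    """Apply the user-side settings of each GPO in order; last writer wins."""
    result = {}
    for gpo in gpos:
        result.update(gpo["user"])
    return result


def effective_user_settings(user_gpos, computer_gpos, loopback=None):
    """Return the user settings in effect at logon on one computer.

    loopback=None      normal processing: only the user's GPO list is used
    loopback="replace" only the computer's GPO list is used
    loopback="merge"   user's list first, then the computer's list, so the
                       computer's list wins every conflict
    """
    if loopback is None:
        return apply_in_order(user_gpos)
    if loopback == "replace":
        return apply_in_order(computer_gpos)
    if loopback == "merge":
        return apply_in_order(user_gpos + computer_gpos)
    raise ValueError(f"unknown loopback mode: {loopback!r}")


if __name__ == "__main__":
    for mode in (None, "replace", "merge"):
        print(mode, effective_user_settings(USER_OU_GPOS, KIOSK_OU_GPOS, mode))
```

In both loopback modes the settings that win are the user-side settings of the GPOs scoped to the computer, which is why an admin logging on to the kiosk still gets the lockdown.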