[gptalk] Re: (no subject)

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 6 Jan 2009 11:58:12 -0800

Jerry is spot on here. You only need one GPO to deliver the loopback setting
to the computers that will be in loopback mode, but you could have more than
one GPO delivering the per-user loopback settings. But again, as Jerry says,
for simplicity sake one GPO is ideal.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Cruz, Jerome L
Sent: Tuesday, January 06, 2009 11:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: (no subject)

 

All it takes is '1' GPO along the path to the computer account. and
'Loopback' is on.

 

Remember, it's a registry setting, so that's what the system will read in a
single key.

 

. that said, it doesn't matter if there is more than one GPO having the
setting, but it could make debugging a problem harder. Just have one GPO
apply it.

 

Jerry Cruz | Group Policies Product Manager | Windows Infrastructure
Architecture | CNO | Boeing IT

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Crompton
Sent: Tuesday, January 06, 2009 11:49 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: (no subject)

 

Excellent.
 
Would i be correct pursuming that you can only have 1 GPO per OU which has
Loop back enabled or can you have more ?

  _____  


From: darren@xxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: (no subject)
Date: Tue, 6 Jan 2009 11:13:54 -0800

I decided to blog it as well, so you have it for posterity J

 

http://sdmsoftware.com/blog/2009/01/please_explain_loopback_proces.html

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie
Sent: Tuesday, January 06, 2009 10:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: (no subject)

 

Nice summary Darren. We need to bookmark this one for future questions. I
was too lazy to type that much so I just found a link on the web. :P

 

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com <http://www.dvn.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, January 06, 2009 11:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: (no subject)

 

Steve-

Is a complex topic for many (including me!) so I will try to attack it from
a solution perspective. Essentially loopback is designed to help answer the
following challenge, "How do I control user policy on a particular computer
or set of computers such that, no matter who logs onto those computers, they
always get the same user policy?". As you know, GP is processed by computers
and users and the policy that a computer or user gets is determined by where
the computer and user account resides in AD, where the GPO is linked, and
whether its filtered or not. Loopback is a special mode of GP processing
that you set on a per-computer basis. When a computer has loopback enabled,
any user that logs onto that computer can be given a set of per-user
policies that is different than the ones they would normally receive by
virtue of where their user account is. The simplest example is a Terminal
Server environment. A common configuration is to create an OU called
"Terminal Servers". In that OU, you place computer accounts that are your
Terminal Server machines. Now, linked to that OU, you create a GPO called
"TS Loopback Policy". In that GPO, you enable loopback under Computer
Configuration\Administrative Templates\System\Group Policy\User Group Policy
Loopback Processing Mode. When you enable the policy, you have two
options-merge or replace. Merge says, "first apply the user's normal user
policies (as if they were logging into their normal workstation) then apply
the loopback user settings". Replace says, "Just apply the loopback user
settings". I generally tell people to choose "replace" mode unless you have
a specific requirement for merging.

 

So, now that loopback is enabled, on that same TS GPO (assuming the simplest
case) under User Configuration, you can set all of the loopback user
settings that you want to apply to users logging into these TS boxes. When
the user logs on, these user settings are applied instead of their "home"
ones.

 

Hope that helps.


Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Crompton
Sent: Tuesday, January 06, 2009 5:49 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] (no subject)

 

Hi
 
Could you please explain Group Policy Loopback Processing ? im finding this
very difficult to understand !
 
Thanks

  _____  

Get Windows Live Messenger on your Mobile. Click Here!
<http://clk.atdmt.com/UKM/go/msnnkmgl0010000001ukm/direct/01/> 

  _____  

Confidentiality Warning: This message and any attachments are intended only
for the use of the intended recipient(s), are confidential, and may be
privileged. If you are not the intended recipient, you are hereby notified
that any review, retransmission, conversion to hard copy, copying,
circulation or other use of all or any portion of this message and any
attachments is strictly prohibited. If you are not the intended recipient,
please notify the sender immediately by return e-mail, and delete this
message and any attachments from your system. 

 

  _____  

Take your friends with you with Mobile Messenger. Click Here!
<http://clk.atdmt.com/UKM/go/msnnkmgl0010000001ukm/direct/01/> 

Other related posts: