[gptalk] Re: user config questions

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 17 Oct 2007 15:19:58 -0700



For loopback processing you have the concept correct but I think your
order of policy application is incorrect. Remember that last policy
applied wins with conflicting settings so loopback allows us to
reprocess the user settings of a policy linked to a computer object-
last to get these settings to be the final settings applied.


For the loopback Merge mode you have:


When User logs on to the computer in the TS OU they will get Policies
applied in the following order:


1st user policy processing with loopback merge mode and policies
inherited to the OU with the user:

1.     Local computer policy will be applied 1st

2.     Domain Policy "A" will be applied

3.     User Policy "D"

Then the policies inherited and applied to the OU with the computer

4.     Local computer policy (user config section)

5.     Domain Policy "A" (user config section)

6.     TS OU Policy "E" (user config section)


So last applied policy settings will be the final setting if there are
any conflicting settings-and these will come from the user configuration
settings nodes within policies linked and inherited to the container
that has the computer object within.


Here is a reference article;








From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Alan & Margaret
Sent: Wednesday, October 17, 2007 3:02 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: user config questions


Hi Scott,


I am not sure exactly what you mean, but I think the answer may lie in
LoopBack processing. It sounds like you may have Loopback processing
enabled as REPLACE on your TS OU. Of course the User modeling tool
should still give the correct answer. In these sorts of cases, I always
enable verbose logging then check out the UserEnv log to find out what
is REALLY happening, rather than what is supposed to happen. To help, I
have a free tool that makes more sense of the log. You can download it
from http://www.sysprosoft.com/policyreporter.shtml


You probably know all about Loopback processing, but if not it allows
you to give the user different sets of policies depending which machine
they log on to.


If you set loop back processing on the Machine policy in the TS OU to
REPLACE you can get two different sets of policies:- 

When User logs on to a LAB PC they will get Policies D, A

When User logs on to a TS OU they will get Policies E, A


If you set loop back processing on the Machine policy in the TS OU to
MERGE you can get two different sets of policies:- 

When User logs on to a LAB PC they will get Policies D, A

When User logs on to a TS OU they will get Policies D, A, E, A


You could of course set Loopback processing on each of the specific LAB
policies. If this was set to replace they would get C, B, A . If it was
set to merge, they would get D, A, C, B, A


(Note: I have shown the policies in the order that they will be applied.
In the "merge" case, the domain policy actually gets applied twice)


Hope this helps...


 Alan Cuthbertson



 Policy Management Software:-



ADM Template Editor:-



Policy Log Reporter(Free)






From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Bean, Scott
Sent: Thursday, 18 October 2007 4:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] user config questions


First let me describe my current setup.


--domain.local (A)

           |----Specific OU


                                       |----Specific Lab(C)


           |----TS OU(E)




At the domain.local level I have 3 Policies that affect the domain.

At the specific OU level I have nothing.

At the Labs level I have one policy.  (I have many Specific Lab OUs but
am keeping it simple - Each having its own policy due to desktop and
start menu redirection)

At the Specific Lab level I have one policy that contains user config


All Users that are in the Users OU that log onto a machine in the
Specific Lab OU get the correct settings.


Now at the TS OU I have 2 policies.  One is Computer Config.  The other
is User Config.  Basically I need to have multiple User Configs based on
groups.  The main reason for this is that we do desktop and start menu
redirection.  The TS OU is for a group of 2003 Terminal Servers.  My
user that is in the Users (listed above) is not getting the correct user
config when logging into a Terminal Server.  If I move the user to the
TS OU the Group Policy Modeling tool shows that I should get the correct
policies but when I log on it still does not have the correct settings.
If the user is in the Users OU and I check the Group Policy Modeling
tool then the user config policy doesn't show up under applied gpos.


I guess my question is will I have to block inheritance on all the
Specific Lab OUs then instead of having my user config policy on the TS
OU move it to the Users OU?  Or what exactly is the best way to do this?


Sorry if this is somewhat confusing.

Other related posts: