Hi,

I suspect there's a bit too much magic in loopback processing, so I'd like to try to unmuddy the waters a bit with a simplistic view of how things work.

The basic issue is that you have to be an object "in" an OU (container) so that a group policy object (GPO) applied to that container can apply to you. Think of an OU as a circle. If you're inside the circle, any group policy belonging to that circle applies to you (security filtering aside). Normally if you log on to a machine belonging to a particular container (machine OU), you are not "entering" the circle (machine OU), so only the implemented machine policies will have any effect on you; no machine OU user configuration policies will apply. When you log on to a machine belonging to an OU with loopback processing enabled you are "entering" the machine container and its user configuration policies will apply to you.

As an aside, loopback processing mode for a GPO is set under Computer Configuration > Administrative Templates > System > Group Policy > Use group policy loopback processing mode.

There are some special considerations with loopback processing. You can choose either "replace" or "merge" modes for loopback processing. Replace mode behaves like a standard GPO with "block inheritance" enabled; merge mode means the GPO works just like a standard GPO. For replace mode, this means that if any GPOs are set to "enforce" upstream from the machine OU, these settings will override any settings in the machine OU. "Enforce" means ignore block inheritance, and means that the default loopback processing replace mode can be ignored in part or fully. This can cause a lot of pain.
regards,

Rick
Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704

-----Original Message-----
From: Brian Murphy [mailto:brian_murphy@xxxxxxxxx]
Sent: Saturday, 12 July 2003 3:26 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Group Policy help

You seem to be on target.

On your Server Container make sure you have disabled Inheritance.

Create 3 policies:
1. ALL TS Users
2. ALL TS Servers
3. Normal Users

Right click ALL TS Users and disable Computer Policy.
Right click ALL TS Servers and disable User Policy.
Right click Normal Users and disable Computer Policy.

On ALL TS Servers set Authenticated Users to Read and Apply GPO. Set Domain Admins to Full. Set System to Read, Write, Create, Delete. Same on ALL TS Users.

On Normal Users set Domain Admins to Full Control then check Deny on "Apply GPO". You will end up with Read, Write, Create, Delete (Deny on Apply GPO).

This should do it for you assuming your Root Policy allows you to set the "Disable Inherit".

-----Original Message-----
From: Brian Rota [mailto:brian.rota@xxxxxxxxxxxxx]
Sent: Friday, July 11, 2003 9:56 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Group Policy help

I was wondering if anyone can help with some GPO help. Here is what I did.

I created an OU called Citrix Servers. Created a Group called Citrix Users. I added the Citrix server to the OU. I then created a Policy for a locked down environment. I only want the policy to affect the Citrix users when they log into a Citrix server, not when they log into their everyday Win2k computers. But for some reason the Policy does not work. I added a link to the domain root but then the Policy locked down the local Win2k computers. Can someone please tell me what I may be missing?

Thanks
Brian
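An added example, not part of any of the three messages above: a PowerShell audit that checks the points Rick raises. Assuming the GroupPolicy RSAT module and a placeholder OU distinguished name, it reports which loopback mode a linked GPO sets, which loopback mode the local server is actually running with, whether inheritance is blocked on the machine OU, and which enforced links sit upstream of it (the ones Rick notes will win over replace mode). The function names, the OU DN and the domain are assumptions; the registry value UserPolicyMode (1 = merge, 2 = replace) is the one the loopback setting writes.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy RSAT module
# and a placeholder OU DN; run on a machine that can reach the domain.
Import-Module GroupPolicy

# Map the UserPolicyMode DWORD to the name shown in the GPO editor.
function Get-LoopbackModeName {
    param([int]$Value)
    switch ($Value) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}

# Loopback mode the local machine is running with (the value group policy
# writes into HKLM when a loopback-enabled GPO applies to this computer).
function Get-LocalLoopbackMode {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    Get-LoopbackModeName -Value $item.UserPolicyMode
}

# Loopback mode a specific GPO sets, read from the GPO's own registry policy.
function Get-GpoLoopbackMode {
    param([string]$GpoName)
    $v = Get-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
        -ValueName UserPolicyMode -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'Not configured' }
    Get-LoopbackModeName -Value $v.Value
}

# Parent containers of an OU DN, nearest first, ending at the domain root.
# Naive split on ',' (assumes no escaped commas inside RDNs).
function Get-ParentContainers {
    param([string]$OuDn)
    $parts = $OuDn -split ','
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = $parts[$i..($parts.Count - 1)] -join ','
        $candidate
        if ($candidate -like 'DC=*') { break }   # reached the domain root
    }
}

# Enforced, enabled links on every container above the machine OU. These
# ignore "block inheritance" and therefore also override loopback replace mode.
function Get-EnforcedUpstreamLinks {
    param([string]$MachineOuDn)
    foreach ($container in Get-ParentContainers -OuDn $MachineOuDn) {
        $inh = Get-GPInheritance -Target $container
        foreach ($link in $inh.GpoLinks) {
            if ($link.Enforced -and $link.Enabled) {
                [pscustomobject]@{
                    Container = $container
                    Gpo       = $link.DisplayName
                    Loopback  = Get-GpoLoopbackMode -GpoName $link.DisplayName
                }
            }
        }
    }
}

# Usage with a placeholder OU DN (replace with the real machine OU).
$ou  = 'OU=Citrix Servers,DC=corp,DC=example'
$inh = Get-GPInheritance -Target $ou

"Local loopback mode on $env:COMPUTERNAME : $(Get-LocalLoopbackMode)"
"Inheritance blocked on ${ou}: $($inh.GpoInheritanceBlocked)"
"GPOs linked directly to the machine OU:"
foreach ($link in $inh.GpoLinks) {
    "  {0,-30} enabled={1,-5} enforced={2,-5} loopback={3}" -f `
        $link.DisplayName, $link.Enabled, $link.Enforced,
        (Get-GpoLoopbackMode -GpoName $link.DisplayName)
}
"Enforced links upstream (these win over replace mode):"
Get-EnforcedUpstreamLinks -MachineOuDn $ou | Format-Table -AutoSize
```

If the last table is non-empty, the user settings in those upstream GPOs will still reach users on the terminal servers even with replace mode on the machine OU, which is the situation Rick describes; the fix is on the upstream link (remove "enforced" or scope its user settings), not in the loopback GPO itself.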