[THIN] Re: loopback

  • From: "Jim Hathaway" <JimH@xxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 27 Jan 2005 11:29:14 -0800

I'm afraid I have to disagree with you. Loopback has no bearing on the
"computer" section of a policy being applied specifically to an end
user's session.
 
Loopback affects only how the "User" policy is applied at the OU of the
computer where the user is logging into. Hence the policy actually being
labeled "User Group policy loopback processing mode":
 
    Applies alternate user policies when a user logs on to a computer
affected by this policy.
 
    This policy directs the system to apply the set of Group Policy
objects for the computer to any user who logs on to a computer affected
by this policy. It is intended for special-use computers,
such as those in public places, laboratories, and classrooms, where you
must modify the user policy based on the computer that is being used.
 
    By default, the user's Group Policy objects determine which user
policies apply. If this policy is enabled, then, when a user logs on to
this computer, the computer's Group Policy objects determine which set
of Group Policy objects applies.
 
    --   "Replace" indicates that the user policies defined in the
computer's Group Policy objects replace the user policies normally
applied to the user.
 
    --   "Merge" indicates that the user policies defined in the
computer's Group Policy objects and the user policies normally applied
to the user are combined. If the policy settings conflict, the user
policies in the computer's Group Policy objects take precedence over the
user's normal policies.
 
    Loopback provides alternatives to the default method of obtaining
the ordered list of Group Policy objects whose User Configuration
settings affect a user. By default, a user's settings come from a Group
Policy object list that depends on the user's location in Active
Directory. The ordered list goes from site-linked to domain-linked to
organizational unit-linked Group Policy objects, with inheritance
determined by the location of the user in Active Directory and in an
order that is specified by the administrator at each level.
 
So . . a higher level OU's computer / machine assigned policy to 'deny
logon locally' - can and will carry down to the machine accounts of
lower level OUs (that have loopback enabled for user settings), if the
GP assignment has not been modified for who and where the policy should
be assigned to from the default of "authenticated users". 
 
If you want to "block" computer policy settings from a higher level
trickling down to your computers in a "loopbacked" OU, then block
inheritance on the OU. 
 
More MS links . . on the order of processing for policies:
 
 
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/orderofevents.asp - order of events when
starting up and logging on.
 
 
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/orderUser.asp - order of processing
settings.
 
HTH
 
J
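
[Added example, not part of the original message or of any Microsoft tool: a simplified Python model of the list-building order described above, showing which GPO lists feed Computer and User Configuration with loopback off, in Merge, in Replace, and with Block Inheritance on the computer's OU. All OU, GPO and function names are constructed; the model assumes no site-linked GPOs, no Enforced links and no security or WMI filtering.]

```python
# Simplified model of Group Policy list building with loopback (added example).
# Assumptions: no site-linked GPOs, no Enforced links, no security/WMI filtering.
# Constructed directory: every OU and GPO name below is hypothetical.
LINKS = {
    "domain": ["Default Domain Policy"],
    "domain/Staff": ["Staff Desktop"],
    "domain/Servers": ["Server Baseline"],
    "domain/Servers/TS": ["TS Lockdown"],
}


def gpo_list(container, blocked=frozenset()):
    """GPOs for an object in `container`, domain first, nearest OU last (last wins)."""
    parts = container.split("/")
    chain = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    # Block Inheritance on an OU drops everything linked above that OU.
    start = max((i for i, c in enumerate(chain) if c in blocked), default=0)
    return [gpo for c in chain[start:] for gpo in LINKS.get(c, [])]


def resultant_lists(user_ou, computer_ou, loopback=None, blocked=frozenset()):
    """Return the GPO lists feeding Computer and User Configuration."""
    computer_cfg = gpo_list(computer_ou, blocked)  # same in every loopback mode
    own = gpo_list(user_ou, blocked)
    if loopback is None:
        user_cfg = own
    elif loopback == "replace":
        user_cfg = list(computer_cfg)
    elif loopback == "merge":
        user_cfg = own + computer_cfg  # computer's list applied last, wins conflicts
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    return {"computer": computer_cfg, "user": user_cfg}


if __name__ == "__main__":
    for mode, blocked in [(None, ()), ("merge", ()), ("replace", ()),
                          ("replace", ("domain/Servers/TS",))]:
        result = resultant_lists("domain/Staff", "domain/Servers/TS", mode, frozenset(blocked))
        print(f"loopback={mode} blocked={list(blocked)}")
        print("  computer:", result["computer"])
        print("  user:    ", result["user"])
```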
 
 
 


________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Greenberg
Sent: Thursday, January 27, 2005 10:38 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: loopback


Loopback prevents both user and machine GPO settings from outside the OU
from taking effect; user and machine settings from GPOs within the OU
do take effect.
 

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd. suite D8453
Scottsdale, AZ 85262
(602) 432-8649
(602) 296-0411 fax
steveg@xxxxxxxxxxxxxx



 


________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of bbeckett2000@xxxxxxxxxxx
Sent: Thursday, January 27, 2005 11:19 AM
To: windows2000@xxxxxxxxxxxxx; thin@xxxxxxxxxxxxx
Subject: [THIN] loopback


Question about Loopback GPO....does only the computer configuration
settings take effect or are both user config and computer config
settings effective when using loopback? For example, I have a TS OU
which contains a 2003 terminal server. GPO is linked, users are in 2k
domain and loopback is enabled. Do all settings take effect or just
computer config?

