[THIN] Re: loopback

  • From: "Steve Greenberg" <steveg@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 27 Jan 2005 17:52:16 -0700

Jim, 
 
Thanks for the clarification, I tend to answer these things very quickly
between other tasks! When I say loopback I also assumed blocking
inheritance as well (they just tend to go together in our implementations).
I left out that statement from my post, which made it unclear; they are
separate configuration options.
 
 
Regards,
 

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd. suite D8453
Scottsdale, AZ 85262
(602) 432-8649
(602) 296-0411 fax
steveg@xxxxxxxxxxxxxx



 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jim Hathaway
Sent: Thursday, January 27, 2005 12:29 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: loopback


I'm afraid I have to disagree with you. Loopback has no bearing on the
"computer" section of a policy being applied specifically to an end user's
session.
 
Loopback affects only how the "User" policy is applied at the OU of the
computer where the user is logging into. Hence the policy actually being
labeled "User Group policy loopback processing mode":
 
    Applies alternate user policies when a user logs on to a computer
affected by this policy.
 
    This policy directs the system to apply the set of Group Policy objects
for the computer to any user who logs on to a computer affected by this
policy. It is intended for special-use computers, such as those
in public places, laboratories, and classrooms, where you must modify the
user policy based on the computer that is being used.
 
    By default, the user's Group Policy objects determine which user
policies apply. If this policy is enabled, then, when a user logs on to this
computer, the computer's Group Policy objects determine which set of Group
Policy objects applies.
 
    --   "Replace" indicates that the user policies defined in the
computer's Group Policy objects replace the user policies normally applied
to the user.
 
    --   "Merge" indicates that the user policies defined in the computer's
Group Policy objects and the user policies normally applied to the user are
combined. If the policy settings conflict, the user policies in the
computer's Group Policy objects take precedence over the user's normal
policies.
 
    Loopback provides alternatives to the default method of obtaining the
ordered list of Group Policy objects whose User Configuration settings
affect a user. By default, a user's settings come from a Group Policy object
list that depends on the user's location in Active Directory. The ordered
list goes from site-linked to domain-linked to organizational unit-linked
Group Policy objects, with inheritance determined by the location of the
user in Active Directory and in an order that is specified by the
administrator at each level.
 
So . . a higher level OU's computer / machine assigned policy to 'deny logon
locally' - can and will carry down to the machine accounts of lower level
OU's (that have loopback enabled for user settings) , if the GP assignment
has not been modified for who and where the policy should be assigned to
from the default of "authenticated users". 
 
If you want to "block" computer policy settings from a higher level
trickling down to your computers in a "loopbacked" OU, then block
inheritance on the OU. 
 
More MS links . . on the order of processing for policies:
 
 
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/orderofevents.asp
- order of events when starting up and logging on.
 
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/orderUser.asp
- order of processing settings.
 
HTH
 
J
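
The processing rules described in the message above, as an added example that is not part of any poster's message: a small model of how the ordered GPO list is built for Computer and User Configuration with no loopback, Merge, and Replace, and with Block Inheritance on the computer's OU. All OU, GPO and setting names are constructed, and the model assumes no site-linked or local GPOs, no enforced ("No Override") links, and no security filtering.

```python
from dataclasses import dataclass, field

@dataclass
class Container:                      # a domain or OU (constructed model, not an AD API)
    name: str
    parent: "Container | None" = None
    links: list = field(default_factory=list)   # GPO names linked here
    block_inheritance: bool = False

def gpo_list(container):
    """GPOs that reach an object in `container`, in processing order (last wins)."""
    chain, node = [], container
    while node is not None:
        chain.append(node)
        if node.block_inheritance:    # nothing linked above this OU is inherited
            break
        node = node.parent
    return [gpo for c in reversed(chain) for gpo in c.links]

def computer_config_gpos(computer_ou):
    # Loopback does not change where Computer Configuration comes from.
    return gpo_list(computer_ou)

def user_config_gpos(user_ou, computer_ou, loopback=None):
    if loopback == "replace":         # only the computer's GPO list is used
        return gpo_list(computer_ou)
    if loopback == "merge":           # computer's list is processed last, so it wins
        return gpo_list(user_ou) + gpo_list(computer_ou)
    return gpo_list(user_ou)          # default: list follows the user's location

def effective(gpos, settings):
    """Resolve settings by applying GPOs in order; later GPOs overwrite earlier ones."""
    result = {}
    for gpo in gpos:
        result.update(settings.get(gpo, {}))
    return result

def build_sample():
    domain = Container("example.test", links=["Domain Default"])
    staff = Container("Staff", domain, ["Staff Desktop"])
    servers = Container("Servers", domain, ["Server Lockdown"])
    ts = Container("TS", servers, ["TS Policy"])
    return staff, ts

# Constructed User Configuration settings per GPO (names are hypothetical).
USER_SETTINGS = {"Staff Desktop": {"hide_run": False, "wallpaper": "corp.bmp"},
                 "TS Policy": {"hide_run": True}}

if __name__ == "__main__":
    staff, ts = build_sample()
    for mode in (None, "merge", "replace"):
        gpos = user_config_gpos(staff, ts, mode)
        print(mode, gpos, effective(gpos, USER_SETTINGS))
    print("computer:", computer_config_gpos(ts))
```

In the sample, the computer list for the TS OU still contains the GPOs linked at the domain and the parent OU whatever the loopback mode; setting `block_inheritance = True` on the TS OU is what removes them.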
 
 
 


  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Steve Greenberg
Sent: Thursday, January 27, 2005 10:38 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: loopback


Loopback prevents both user and machine GPO settings from outside the OU
from taking effect, user and machine settings from GPO's within the OU do
take effect.
 

Steve Greenberg



 


  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of bbeckett2000@xxxxxxxxxxx
Sent: Thursday, January 27, 2005 11:19 AM
To: windows2000@xxxxxxxxxxxxx; thin@xxxxxxxxxxxxx
Subject: [THIN] loopback


Question about Loopback GPO: do only the computer configuration settings
take effect or are both user config and computer config settings effective
when using loopback? For example, I have a TS OU which contains a 2003
terminal server. GPO is linked, users are in 2k domain and loopback is
enabled. Do all settings take effect or just computer config?

Notice: This transmission contains confidential information intended only
for the use of the individual or entity to whom it is addressed.  Any
disclosure, copying, distribution, or action in reliance on the contents of
this transmission is strictly prohibited by anyone except the party to whom
it is addressed.
