Jim, Thanks for the clarfication, I tend to answer these things very quickly between other tasks!. When I say loopback I also assumed blocking inheritance as well (they just tend to go together in our implementations). I left out that statement from my post which made it unclear, they are separate configuration options..... Regards, Steve Greenberg Thin Client Computing 34522 N. Scottsdale Rd. suite D8453 Scottsdale, AZ 85262 (602) 432-8649 (602) 296-0411 fax steveg@xxxxxxxxxxxxxx _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Hathaway Sent: Thursday, January 27, 2005 12:29 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: loopback I'm afriad I have to disagree with you. Loopback has no bearing on the "computer" section of a policy being applied specifically to an end user's session. Loopback affects only how the "User" policy is applied at the OU of the computer where the user is logging into. Hence the policy actually being labled "User Group policy loopback processing mode" : Applies alternate user policies when a user logs on to a computer affected by this policy. This policy directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this policy. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user policy based on the computer that is being used. By default, the user's Group Policy objects determine which user policies apply. If this policy is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies. -- "Replace" indicates that the user policies defined in the computer's Group Policy objects replace the user policies normally applied to the user. -- "Merge" indicates that the user policies defined in the computer's Group Policy objects and the user policies normally applied to the user are combined. If the policy settings conflict, the user policies in the computer's Group Policy objects take precedence over the user's normal policies. Loopback provides alternatives to the default method of obtaining the ordered list of Group Policy objects whose User Configuration settings affect a user. By default, a user's settings come from a Group Policy object list that depends on the user's location in Active Directory. The ordered list goes from site-linked to domain-linked to organizational unit-linked Group Policy objects, with inheritance determined by the location of the user in Active Directory and in an order that is specified by the administrator at each level. So . . a higher level OU's computer / machine assigned policy to 'deny logon locally' - can and will carry down to the machine accounts of lower level OU's (that have loopback enabled for user settings) , if the GP assignment has not been modified for who and where the policy should be assigned to from the default of "authenticated users". If you want to "block" computer policy settings from a higher level trickling down to your computers in a "loopbacked" OU, then block inheritance on the OU. More MS links . . on the order of processing for policies: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/p roddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/stan dard/proddocs/en-us/orderofevents.asp - order of events when starting up and logging on. http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/p roddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/stan dard/proddocs/en-us/orderUser.asp - order of processing settings. HTH J _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Greenberg Sent: Thursday, January 27, 2005 10:38 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: loopback Loopback prevents both user and machine GPO settings from outside the OU from taking effect, user and machine settings from GPO's within the OU do take effect Steve Greenberg Thin Client Computing 34522 N. Scottsdale Rd. suite D8453 Scottsdale, AZ 85262 (602) 432-8649 (602) 296-0411 fax steveg@xxxxxxxxxxxxxx _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of bbeckett2000@xxxxxxxxxxx Sent: Thursday, January 27, 2005 11:19 AM To: windows2000@xxxxxxxxxxxxx; thin@xxxxxxxxxxxxx Subject: [THIN] loopback Question about Loopback GPO..does only the computer configuration settings take effect or are both user config and computer config settings effective when using loopback? For example, I have a TS OU which contains a 2003 terminal server. GPO is linked, users are in 2k domain and loopback is enabled. Do all settings take effect or just computer config? Notice: This transmission contains confidential information intended only for the use of the individual or entity to whom it is addressed. Any disclosure, copying, distribution, or action in reliance on the contents of this transmission is strictly prohibited by anyone except the party to whom it is addressed.