Thursday, September 2, 2010

Loopback Policy processing

NOTE: Loopback is supported only in a purely Windows 2000-based environment. Both the computer account and the user account must be in Active Directory. If a Microsoft Windows NT 4.0-based domain controller manages either account, loopback does not function. The client computer must also be running Windows 2000.

When users work on their own workstations, you may want to have Group Policy settings applied based on the location of the user object. Therefore, it is recommended that you configure policy settings based on the organizational unit (OU) in which the user account resides. However, there may be instances when a computer object resides in a specific OU, and the user settings of a policy should be applied based on the location of the computer object instead of the user object.

NOTE: You cannot filter the application of user settings by denying or removing the Apply Group Policy (AGP) and Read rights from the computer object specified for the loopback policy.

Normal user Group Policy processing specifies that computers located in their OU have the GPOs applied in order during computer startup. Users in their OU have GPOs applied in order during logon, regardless of which computer they log on to.

In some cases, this processing order may not be appropriate (for example, when you do not want applications that have been assigned or published to the users in their OU to be installed while they are logged on to the computers in some specific OU). With the Group Policy loopback support feature, you can specify two other ways to retrieve the list of GPOs for any user of the computers in this specific OU:

Merge Mode
In this mode, when the user logs on, the user's list of GPOs is gathered normally by using the GetGPOList function. The GetGPOList function is then called again, using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the list of GPOs for the user. Because later GPOs in the list are applied last, this causes the computer's GPOs to have higher precedence than the user's GPOs.

Replace Mode
In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

How to Enable Group Policy Loopback

To apply User Configuration GPO settings to users only when they log on to the Terminal Servers, you may want to use the Group Policy loopback feature. This feature limits the User Configuration settings to the computers on which loopback is enabled; they are not applied when the same users log on to other computers.

To enable Group Policy loopback, follow these steps:

1. Run Active Directory Users and Computers.

2. Right-click the OU for the GPO.

3. Select the GPO and then click Edit.

4. Click Computer Configuration, and then Administrative Templates > System > Group Policy.

5. Double-click User Group Policy loopback processing mode.

6. Click Enabled and then click OK to close.
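As an added example (not part of the original post) covering both the Merge/Replace description above and the enabling procedure, the PowerShell below audits which loopback mode a computer has received and models the GPO list a user ends up with in each mode. It assumes the registry value that the "User Group Policy loopback processing mode" setting writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\System, DWORD UserPolicyMode: 1 = Merge, 2 = Replace, absent or 0 = not enabled); the GPO names are constructed placeholders.

```powershell
# Added example: report the effective loopback mode on this computer and
# show the resulting User Configuration GPO order under each mode.
# Assumption: the policy setting writes DWORD UserPolicyMode under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace).

function Get-LoopbackMode {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ([int]$value) {      # [int]$null is 0, so a missing value reads as Disabled
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Disabled' }
    }
}

function Get-EffectiveUserGpoList {
    param(
        [string[]]$UserGpos,      # GPOs gathered from the user object's location, normal order
        [string[]]$ComputerGpos,  # GPOs gathered from the computer object's location
        [ValidateSet('Disabled', 'Merge', 'Replace')][string]$Mode
    )
    # Entries later in the list are applied later, so they win on conflicting settings.
    switch ($Mode) {
        'Disabled' { $UserGpos }                    # loopback off: only the user's own list
        'Merge'    { $UserGpos + $ComputerGpos }    # computer's list appended -> higher precedence
        'Replace'  { $ComputerGpos }                # user's list is never gathered at all
    }
}

# Constructed sample data (placeholder GPO names, not real objects).
$userList     = 'Domain Baseline', 'Sales Users GPO'
$computerList = 'Terminal Server Lockdown', 'Terminal Server Redirection'

foreach ($mode in 'Disabled', 'Merge', 'Replace') {
    $order = (Get-EffectiveUserGpoList -UserGpos $userList -ComputerGpos $computerList -Mode $mode) -join ' -> '
    '{0,-8}: {1}' -f $mode, $order
}
"Loopback mode on this computer: $(Get-LoopbackMode)"
```

Comparing the Merge line with the Replace line makes the security difference visible: under Merge a user-linked GPO such as "Sales Users GPO" still applies (only overridden where the computer-linked GPOs conflict), while under Replace it is never applied on that computer.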

More details here:

http://cbfive.com/blog/post/Loopback-Policy-Processing-Debug-Series-Normal-Mode.aspx

