Group Policy Processing In Windows Server 2003 Part II
In most cases, a user who logs on from a workstation should have group policies applied based primarily on the settings defined for the user object in Active Directory rather than those of the computer object. A user who logs on from a computer that’s part of the server’s OU, however, should take settings from the computer object’s location rather than the user object’s. There can be many other situations in which you want the computer object’s GPO(s) to take precedence over the user object’s, as determined by your organization’s structure, computer function, and so on.
Group policy loopback is supported only in pure Windows 2000 and Windows Server 2003 environments (both clients and domain controllers). Group Policy loopback enables group policies to be applied based only on the computer from which the user logs on. Loopback provides for two processing modes:
- Merge mode: In this mode, Windows Server 2003 processes the group policies for the User Configuration first, followed by those for the Computer Configuration. In effect, this causes the Computer Configuration group policies to have precedence over any User Configuration settings. When the Computer Configuration object doesn’t specify a given policy, the User Configuration object defines the policy setting.
- Replace mode: In this mode, Windows Server 2003 processes only the Computer Configuration group policies, ignoring the User Configuration group policies.
Keep in mind that in either mode, the user might have several GPOs applied. For example, the user might be affected by a site GPO, a domain GPO, and two OU GPOs. When the client retrieves the GPO list from the DC, the contents of the list are determined by the loopback mode. With merge mode, the client requests the list normally (based on the user location in the AD) and then submits a second request based on the computer location. The result is that GPOs might actually be processed twice.
In this example, the initial GPO list and order of processing are GPO1, GPO2, GPO3, and GPO4. When the second request based on the computer location is fulfilled, the response is added to the list, resulting in a final GPO process list of GPO1, GPO2, GPO3, GPO4, GPO1, GPO2, GPO5, and GPO6. In the case of replace mode, the client requests the list based only on the computer location in the AD, giving the result GPO1, GPO2, GPO5, and GPO6.
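The list construction described above can be modeled in a few lines. This is an added illustration, not code from the article or from Microsoft; GPO1 through GPO6 follow the article's example, while the container names and the policy settings are constructed, and it assumes that a later GPO in the list overrides an earlier one.

```python
# Added model of the GPO list a client builds under loopback processing.
# GPO1..GPO6 follow the article's example; containers and settings are constructed.

# GPOs linked at each container, in processing order (site, domain, then OU).
LINKS = {
    "site": ["GPO1"],
    "domain": ["GPO2"],
    "ou_users": ["GPO3", "GPO4"],    # hypothetical OU holding the user object
    "ou_servers": ["GPO5", "GPO6"],  # hypothetical OU holding the computer object
}
USER_PATH = ["site", "domain", "ou_users"]
COMPUTER_PATH = ["site", "domain", "ou_servers"]

# Constructed user-facing settings carried by some of the GPOs.
SETTINGS = {
    "GPO3": {"wallpaper": "corporate.bmp", "hide_run_menu": False},
    "GPO4": {"screensaver_timeout": 900},
    "GPO5": {"hide_run_menu": True},
    "GPO6": {"wallpaper": "server.bmp"},
}

def gpo_list(path):
    """GPOs that apply to an object located at the end of `path`."""
    return [gpo for container in path for gpo in LINKS[container]]

def processing_list(mode):
    """Order in which the client processes GPOs for the given loopback mode."""
    if mode == "none":      # loopback disabled: user location only
        return gpo_list(USER_PATH)
    if mode == "merge":     # user location first, then computer location
        return gpo_list(USER_PATH) + gpo_list(COMPUTER_PATH)
    if mode == "replace":   # computer location only
        return gpo_list(COMPUTER_PATH)
    raise ValueError(f"unknown loopback mode: {mode}")

def effective_settings(mode):
    """Apply GPOs in order; a later GPO overwrites an earlier one."""
    result = {}
    for gpo in processing_list(mode):
        result.update(SETTINGS.get(gpo, {}))
    return result

if __name__ == "__main__":
    for mode in ("none", "merge", "replace"):
        print(mode, processing_list(mode), effective_settings(mode))
```

In merge mode the screensaver timeout from GPO4 survives because no computer-location GPO defines it; in replace mode it is absent, which is the difference to check when a locked-down server or kiosk must not inherit anything from the user's own OU.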
Setting the loopback mode
To set the effective loopback mode, open the Active Directory Users And Computers console, right-click the container in which you want to apply the loopback setting (site, domain, or OU), and choose Properties. When the Properties window appears, click the Group Policy tab.
Select the group policy in which you want to define the loopback setting and choose Edit. Next, expand the Computer Configuration/Administrative Templates/System/Group Policy branch. Double-click User Group Policy Loopback Processing Mode, select Enabled, then select either Merge or Replace from the drop-down list. Click OK to close the dialog box, then close the Group Policy console.
