Archived from groups: microsoft.public.win2000.group_policy
Thanks, Mark, for a good description of the loopback processing modes.
I didn't fully understand the consequences of using loopback mode in replace
mode.
You are correct. After a night of settling in, the policies all work now
properly. You have to be patient making changes to the GPOs as they take
time to take effect. I tried telling the domain controllers to sync up and
spread the GPO word, but did not wait long enough last night.
Many thanks for your good advice,
Graham
"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:%23%23Taid5cEHA.3016@tk2msftngp13.phx.gbl...
> Hi Graham
>
> Just to clarify how policy loopback works (which may help you sort this
> out):
>
> 1. When the computer boots, the list of GPOs for the computer is gathered
> based on its location in the Active Directory. This is its SOM or Scope
> of Management. The list includes GPOs linked to OUs at each level in the
> hierarchy from the OU in which the computer resides all the way up to the
> domain.
>
> 2. The computer configuration settings from this list are applied to the
> computer provided it has permissions to the GPOs.
>
> 3. When the user logs in, different behaviour occurs according to the
> policy loopback settings:
>
> A. Loopback off - the SOM for the user is calculated and then user
> configuration settings applied according to user permissions. The
> location of the user account in the AD decides entirely which user
> configuration settings are applied.
>
> B. Loopback merge mode - the SOM for the user is calculated as in A. The
> user configuration settings from this SOM are applied but at a lower
> precedence to the user configuration settings in the computer SOM. Once
> again, user permissions allow or prevent application of these settings
> regardless of whether they came from the user or computer SOM.
>
> C. Loopback replace mode - the SOM for the user is not considered. The
> user configuration settings are applied from the GPOs in the computer SOM
> provided they have user permissions.
>
> In your case, where the user OUs are children of the machine OU, you
> shouldn't need loopback. Computer configuration settings would apply from
> GPOs linked at the OU in which the Terminal Server resides and GPOs
> linked above it. User settings would apply from GPOs linked at the OU in
> which the User resides and GPOs linked above it.
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Graham Prentice" <gprentice_@_rocketmail.com> wrote in message
> news:utgyIC4cEHA.2724@TK2MSFTNGP11.phx.gbl...
> > Tried disabling loopback policy, Merge mode, still no go.
> > gpresult /z says sub-GPO is not being processed.
> > Will try again tomorrow. Thanks again.
> > Graham
> >
> > "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
> > news:%231wl2s3cEHA.3832@TK2MSFTNGP11.phx.gbl...
> >> Hi Graham
> >>
> >> Turn off policy loopback. The effect of this in replace mode is that it
> >> effectively ignores the policy which applies to the Users and only
> >> applies the user configuration settings that apply to the server
> >> (thereby discarding policy settings applied to the user OUs). Everything
> >> should work as you want once you've done this.
> >>
> >> Kind regards
> >> --
> >> Mark Renoden [MSFT]
> >> Windows Platform Support Team
> >> Email: markreno@online.microsoft.com
> >>
> >> Please note you'll need to strip ".online" from my email address to
> >> email me; I'll post a response back to the group.
> >>
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
> >> "Graham Prentice" <gprentice_@_rocketmail.com> wrote in message
> >> news:%23kt6gP3cEHA.3016@tk2msftngp13.phx.gbl...
> >> > Thanks for the reply Mark,
> >> > My structure has a Main OU with 5 child OUs.
> >> >
> >> > The TermServ object resides in the Main OU and the user objects are in
> >> > each respective child OU.
> >> >
> >> > I had (under the user section of GPO) a logon script adding a printer
> >> > and mapping a drive in the GPO of each child OU. They would not take
> >> > effect until I moved the TS object under one of the child OUs (as a
> >> > test).
> >> >
> >> > I have the impression that you must have the w/s object and the user
> >> > objects within the OU for it to take effect. From what you're saying,
> >> > things should inherit down - but it seems to stop where the TS object
> >> > resides. What about the child OUs? How do you associate the users with
> >> > the terminal server that is farther up the tree? I would assume that it
> >> > would just take the user portion of the GPO and apply it to any server
> >> > you log into.
> >> >
> >> > Yes, I did apply the policy loopback 'replace' - should I not? Most of
> >> > the users will be WinXPe thin clients - they probably don't need this
> >> > setting.
> >> >
> >> > When I try logging in, the gpresult /z says it didn't run the child
> >> > GPO. (It does work, however, if I move the TS object right into that
> >> > child OU - but it doesn't help the other 4 sub-OUs.)
> >> >
> >> > I've got domain admins deny and associated users, domain users apply -
> >> > but still no go.
> >> >
> >> > Any ideas how to fix this?
> >> > Many thanks,
> >> >
> >> > Graham
> >> > "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in
> >> > message news:%23Rj9Iz2cEHA.560@TK2MSFTNGP10.phx.gbl...
> >> >> Hi Graham
> >> >>
> >> >> Are you using policy loopback at any point?
> >> >>
> >> >> The computer configuration parts of the policy will only apply to the
> >> >> Terminal Server from the GPOs linked to the OU hierarchy under which
> >> >> the Terminal Server resides.
> >> >>
> >> >> The user configuration parts of the policy will only apply to the
> >> >> Users from the GPOs linked to the OU hierarchy under which the Users
> >> >> reside.
> >> >>
> >> >> In this situation, you probably don't require the use of policy
> >> >> loopback. May I suggest:
> >> >>
> >> >> 1. Apply all computer configuration settings in a GPO linked to the
> >> >> OU in which the Terminal Server resides. These settings will be the
> >> >> same for all users in all sites because they apply to the server and
> >> >> are user independent.
> >> >>
> >> >> 2. Apply all user configuration settings that are COMMON to all users
> >> >> in a GPO linked to the OU in which the Terminal Server resides.
> >> >> Because the User OUs reside under the Terminal Server OU, these
> >> >> settings will be inherited.
> >> >>
> >> >> 3. Apply all user configuration settings that are specific to each
> >> >> site in a GPO linked to the relevant OU. Users in each OU will receive
> >> >> these specific settings.
> >> >>
> >> >> NOTE: You cannot have computer configuration settings that are
> >> >> different for each set of Users.
> >> >>
> >> >> HTH
> >> >> --
> >> >> Mark Renoden [MSFT]
> >> >> Windows Platform Support Team
> >> >> Email: markreno@online.microsoft.com
> >> >>
> >> >> Please note you'll need to strip ".online" from my email address to
> >> >> email me; I'll post a response back to the group.
> >> >>
> >> >> This posting is provided "AS IS" with no warranties, and confers no
> >> >> rights.
> >> >>
> >> >> "Graham Prentice" <gprentice_@_oakville.ca> wrote in message
> >> >> news:O%23m%236r0cEHA.2664@TK2MSFTNGP09.phx.gbl...
> >> >> > Can someone tell me the proper way to set up the OUs in this
> >> >> > situation?
> >> >> > We have one terminal server with users in 5 locations.
> >> >> > I would like each location to have its own GPO with logon script.
> >> >> > The way I had it set up is Main OU with TS machine object.
> >> >> > Under this OU are 5 branch OUs, one for each location.
> >> >> > Looks good to me but I'm having a devil of a time getting the
> >> >> > proper scripts to run for each location. It appears that if I move
> >> >> > the TS object to a branch, it will work ok - but I only have one
> >> >> > TS, how can it be under all of the 5 branches at once?
> >> >> > The user objects are under the branches ok - but gpresult /z shows
> >> >> > the GPO doesn't run when the TS machine object isn't under the
> >> >> > branch.
> >> >> > There must be a way, can somebody assist please?
> >> >> > Graham
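The loopback modes Mark lays out (off, merge, replace) and his OU-layout recommendations can be put into a small simulation that reproduces Graham's symptom. The Python below is an added example written for this archived thread; it is not code from the original posts or from Microsoft. The domain, OU names, GPO names, groups and settings are constructed sample data, and the model implements only the rules stated in the thread: the SOM is gathered from the domain down to the object's own OU with the nearest OU winning on conflict, merge mode appends the computer SOM at higher precedence, replace mode discards the user SOM entirely, user settings are always gated by the user's own permissions, and an explicit deny on "Apply Group Policy" beats an allow.

```python
"""Model of Group Policy scope of management (SOM) and loopback processing.

Hypothetical simulation written for this thread; it is not Windows code.
All OU, GPO, group and setting names below are constructed sample data.
"""
from dataclasses import dataclass, field

OFF, MERGE, REPLACE = "off", "merge", "replace"


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # computer configuration
    user: dict = field(default_factory=dict)       # user configuration
    apply_allow: set = field(default_factory=set)  # groups granted Apply Group Policy
    apply_deny: set = field(default_factory=set)   # groups explicitly denied

    def applies_to(self, groups):
        # ACL semantics: an explicit deny wins over any allow.
        if groups & self.apply_deny:
            return False
        return bool(groups & self.apply_allow)


@dataclass
class Principal:
    name: str
    container: tuple   # domain first, own OU last, e.g. ("corp.example", "Main", "Site1")
    groups: set


def scope_of_management(container, links):
    """GPOs linked from the domain down to the object's own OU, in processing
    order: domain first, nearest OU last, so later entries win on conflict."""
    som = []
    for depth in range(1, len(container) + 1):
        som.extend(links.get(container[:depth], []))
    return som


def fold_settings(gpos, principal, part):
    """Apply the chosen part of each GPO the principal may apply; later wins."""
    result = {}
    for gpo in gpos:
        if gpo.applies_to(principal.groups):
            result.update(getattr(gpo, part))
    return result


def effective_computer_settings(computer, links):
    return fold_settings(scope_of_management(computer.container, links), computer, "computer")


def effective_user_settings(user, computer, links, loopback=OFF):
    user_som = scope_of_management(user.container, links)
    computer_som = scope_of_management(computer.container, links)
    if loopback == OFF:
        ordered = user_som                  # the user's own location decides
    elif loopback == MERGE:
        ordered = user_som + computer_som   # computer SOM appended, so it overrides
    elif loopback == REPLACE:
        ordered = computer_som              # user SOM discarded entirely
    else:
        raise ValueError(f"unknown loopback mode {loopback!r}")
    # In every mode the user's own permissions gate the user settings.
    return fold_settings(ordered, user, "user")


# Constructed scenario mirroring the thread: Terminal Server in Main, users in
# child OUs, site-specific logon script and printer in a GPO linked at the child.
DOMAIN = ("corp.example",)
MAIN = DOMAIN + ("Main",)
SITE1 = MAIN + ("Site1",)

TS_GPO = GPO("TS-Common", computer={"IdleTimeoutMinutes": 30},
             user={"Wallpaper": "corp.bmp", "LogonScript": "common.bat"},
             apply_allow={"Authenticated Users"})
SITE1_GPO = GPO("Site1-Users", user={"LogonScript": "site1.bat", "Printer": r"\\ps1\hp"},
                apply_allow={"Domain Users"}, apply_deny={"Domain Admins"})
LINKS = {MAIN: [TS_GPO], SITE1: [SITE1_GPO]}

TERMSERV = Principal("TERMSERV$", MAIN, {"Authenticated Users", "Domain Computers"})
ALICE = Principal("alice", SITE1, {"Authenticated Users", "Domain Users"})
ADMIN = Principal("admin", SITE1, {"Authenticated Users", "Domain Users", "Domain Admins"})


def compare_modes(user, computer, links):
    """Resultant user settings for the same logon under each loopback mode."""
    return {mode: effective_user_settings(user, computer, links, mode)
            for mode in (OFF, MERGE, REPLACE)}


if __name__ == "__main__":
    print("computer:", effective_computer_settings(TERMSERV, LINKS))
    for mode, settings in compare_modes(ALICE, TERMSERV, LINKS).items():
        print(f"loopback {mode:7}: {settings}")
    print("admin, loopback off:", effective_user_settings(ADMIN, TERMSERV, LINKS))
```

Running it shows why the child-OU logon script never reached the Terminal Server session: with loopback replace, Site1 is not in the computer's SOM, so its user settings are dropped; with loopback off they apply, and in merge mode the Main-linked user settings win on conflict while the Site1 printer still comes through. The admin case shows the security-filtering deny Graham mentioned working as intended. On a real domain the equivalent check is `gpresult /z` in the Terminal Server session, as used in the thread.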