Announcement

Collapse
No announcement yet.

Question on loopback processing

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Question on loopback processing

    Hi,

    I have my domain structure something like below.

    <domain>
    | -- User GPOs are attached here
    |
    |---<Site> (there are few user GPOs attached to the sites also)
    | --- <Users Container>
    | --- <Special Computers OU>
    |---- <Computers OU>

    I want to execute a logoff script on special computers when ever a user login to that. I have several computer/user policies configured at domain and site level. I created and linked new GPO(logoff scripts) on Special computers OU with loopback (merge) mode enabled and logoff script configured. But the problem is that, when a user is logging into the special computer, I can see from RSOP that user related policies are getting processed two times. I know the reason for this - in merge mode, when the user is logging in, first all the user policies will get applied and then computer process all the policies to which it has access and has user settings and applies the settings to user(that is what meant by merge mode). Because of this behavior, all the user policies are getting applied twice on special computers. So, I have denied read/apply access to special computers on User GPOs which are at domain and site level. But to my surprise, they are still getting applied though computers are denied to read/apply.

    Any one has idea why it is happening like this? I couldn't find any traces of this problem.

    Thanks,
    Sitaram
    http://www.sitaram-pamarthi.com

  • #2
    Re: Question on loopback processing

    The policies are applying to the user as well, so you would need to deny read/apply to the users as well.

    Are you wanting users who logon to the special machines to all have the same rights or are you still wanting certain users to have more elevated rights? It may be more effective to use 'replace' mode, so you know precisely the rights that a user will be getting when logging on to those machines.

    Are you using the 'enforce' on any of the top level GPOs?

    Comment


    • #3
      Re: Question on loopback processing

      I'm a little confused by your post but here's what I would say:

      1. Logoff scripts are processed at logoff, not logon.
      2. Computer settings are applied before user settings.
      3. Computer settings don't apply to users.
      4. When using loopback policy processing in merge mode user settings are applied twice, this is the normal behavior. So what's the problem? It sounds like you are complaining about something working exactly as it's supposed to and exactly how you set it up to work. If you don't want user settings applied twice then use replace mode instead.
      5. If the logoff script is the only setting in the GPO, then that's the only setting that's being set by this GPO, so again, what's the problem?

      Can you tell us what you're trying to accomplish so that we have a better idea of a solution. Thanks.

      Comment


      • #4
        Re: Question on loopback processing

        Originally posted by joeqwerty View Post
        3. Computer settings don't apply to users.
        Unless of course the "Loopback processing" is enabled and applies to the computer objects in question.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR

        Comment


        • #5
          Re: Question on loopback processing

          No, computer settings don't apply to users. When you use loopback policy processing you're telling the GPO processing extensions to apply the user settings from the GPO where the computer lives instead of where the user lives, but it's still only applying user settings to the user, not computer settings. Computer settings are for computers and user settings are for users.

          Comment

          Working...
          X