Wednesday 4 January 2012

Group Policy Loopback Processing

This had me puzzled for a while so I thought it would be worth recording here.

Enabling loopback processing in a GPO affects not just how that one policy is processed, but every policy affecting the user and computer, because it changes the way group policy processing itself is performed: specifically, it changes how the GetGPOList function builds the list of GPOs to apply.
So if even one policy targeting a computer has loopback processing enabled, all policies targeting that computer will be reapplied with their user settings (if they have any).

Here are the differences:

Policy processing WITHOUT loopback processing:
1. Computer Node policies from all GPOs in scope for the computer account object are applied during start-up (in the normal Local, Site, Domain, OU order).
2. User Node policies from all GPOs in scope for the user account object are applied during logon (in the normal Local, Site, Domain, OU order).

Policy processing with loopback processing in REPLACE mode:
1. Computer Node policies from all GPOs in scope for the computer account object are applied during start-up (in the normal Local, Site, Domain, OU order), the computer flags that loopback processing (Replace Mode) is enabled.
2. User Node policies from all GPOs in scope for the user account object are NOT applied during logon (as the computer is running loopback processing in Replace mode no list of user GPOs has been collected).
3. As the computer is running in loopback (Replace Mode) it then applies all User Node policies from all GPOs in scope for the computer account object during logon (Local, Site, Domain and OU).

Policy processing with loopback processing in MERGE mode:
1. Computer Node policies from all GPOs in scope for the computer account object are applied during start-up (in the normal Local, Site, Domain, OU order), the computer flags that loopback processing (Merge Mode) is enabled.
2. User Node policies from all GPOs in scope for the user account object are applied during logon (in the normal Local, Site, Domain, OU order).
3. As the computer is running in loopback (Merge Mode) it then applies all User Node policies from all GPOs in scope for the computer account object during logon (Local, Site, Domain and OU); if any of these settings conflict with what was applied during step 2, the setting from the computer-scoped GPO takes precedence because it is applied last.

You can also see here that GPOs in scope for the computer can be applied twice: once during the normal application of their Computer Node settings at start-up, and again at logon when their User Node settings are applied under loopback.
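To make the three orderings concrete, here is an added example (mine, not from the original post or from Microsoft) that models how GetGPOList assembles the User Node list. The GPO names, links and settings are constructed sample data, and only the Domain and OU levels are modelled; Local and Site links follow the same ordering rule.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Node settings
    user: dict = field(default_factory=dict)      # User Node settings


def sample_scopes(kiosk_loopback=None):
    """Constructed GPOs: one linked at the domain, one on the computer's OU
    (which may switch on loopback) and one on the user's OU."""
    domain = GPO("Default Domain", computer={"min_pw_len": 12}, user={"wallpaper": "corp"})
    kiosk_computer = {"loopback": kiosk_loopback} if kiosk_loopback else {}
    kiosk = GPO("Kiosk OU", computer=kiosk_computer,
                user={"wallpaper": "kiosk", "deny_cmd": True})
    staff = GPO("Staff OU", user={"wallpaper": "staff", "home_drive": "H:"})
    # (GPOs in scope for the computer, GPOs in scope for the user), each in
    # Local, Site, Domain, OU order.
    return [domain, kiosk], [domain, staff]


def loopback_mode(computer_scope):
    """Computer Node pass at start-up: the last GPO in order that sets the
    loopback flag decides the mode (None, 'replace' or 'merge')."""
    mode = None
    for gpo in computer_scope:
        mode = gpo.computer.get("loopback", mode)
    return mode


def user_gpo_list(computer_scope, user_scope):
    """Logon pass: which GPOs' User Node settings apply, and in what order."""
    mode = loopback_mode(computer_scope)
    if mode == "replace":
        return list(computer_scope)                  # user's own GPO list is never collected
    if mode == "merge":
        return list(user_scope) + list(computer_scope)  # computer-scoped GPOs go last, so they win
    return list(user_scope)


def effective_user_settings(computer_scope, user_scope):
    """Apply User Node settings in list order; a later GPO overrides an earlier one."""
    result = {}
    for gpo in user_gpo_list(computer_scope, user_scope):
        result.update(gpo.user)
    return result


if __name__ == "__main__":
    for mode in (None, "replace", "merge"):
        print(mode, effective_user_settings(*sample_scopes(mode)))
```

In merge mode the list shows "Default Domain" appearing twice, which is the double application described above.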
