
A Little on Standard Group policy Processing

Before we look at how loopback processing works it may be beneficial to have a quick refresh on how standard group policy processing works.

Group Policy Objects (GPOs) are a collection of configurable policy settings that are organised as a single object. Each GPO contains Computer Configuration policies, which are applied to computers during startup, and User Configuration policies, which are applied to users during logon.

All about Scope

The term "in scope" is used to refer to any GPO that applies to an object (computer account or user account).

Group policies can be applied at four separate points within a domain structure (Local, Site, Domain and Organisational Unit (OU)) and are applied one after the other, in precedence order, at each step.

So the in-scope GPOs for an account consist of all Local policy GPOs, all of the Site GPOs, all of the Domain GPOs and all GPOs linked to each OU in the path of the account object. At each stage where a new GPO applies, it overwrites any conflicting settings with its own settings; the final set of policies applied is known as the Resultant Set of Policy (RSoP) and can be viewed on a client device via the RSoP.msc console.

Any GPO that has been denied Apply rights, or filtered out via WMI filtering, is considered to be out of scope.

Why Loopback

The User Group Policy loopback processing mode option, available within the Computer Configuration node of a Group Policy Object, is a useful tool for ensuring certain user settings are applied on specified computers.

Essentially, loopback processing changes standard group policy processing so that user configuration settings are applied based on the computer's GPO scope during logon. This means that user configuration options can be applied to all users who log on to a specific computer.

When to use Loopback

Common scenarios where this policy is used include publicly accessible terminals, machines acting as application kiosks, terminal servers and any other environment where the user settings should be determined by the computer account instead of the user account.

Where to Enable Loopback

The setting is found within the Computer Configuration node of a GPO:

Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode

Replace or Merge

When Enabled, you must select which mode loopback processing will operate in: Replace or Merge.

Replace mode completely discards the user settings that would normally apply to any user logging on to a machine running loopback processing and replaces them with the user settings that apply to the computer account instead.

Merge mode applies the user settings that normally apply to any user logging on to a machine running loopback processing, as usual, and then applies the user settings that apply to the computer account; where the two conflict, the computer account's user settings overwrite the user account's user settings.

How Loopback Works

Loopback processing affects the way in which the GetGPOList function operates. Normally, when a user logs on, the GetGPOList function collects a list of all in-scope GPOs for the user and arranges them in precedence order for processing.

When loopback processing is enabled in Merge mode, the GetGPOList function also collects all in-scope GPOs for the computer account and appends them to the list of GPOs collected for the user account; these then run with higher precedence than the user's own GPOs.

When loopback processing is enabled in Replace mode, the GetGPOList function does not collect the user's in-scope GPOs at all.

So, without loopback enabled, policy processing looks a little like this:
1. Computer Node policies from all GPOs in scope for the computer account
object are applied during start-up (in the normal Local, Site, Domain, OU
order).
2. User Node policies from all GPOs in scope for the user account object are
applied during logon (in the normal Local, Site, Domain, OU order).

And, with loopback processing enabled (in Merge mode):

1. Computer Node policies from all GPOs in scope for the computer account object are applied during start-up (in the normal Local, Site, Domain, OU order); the computer flags that loopback processing (Merge mode) is enabled.
2. User Node policies from all GPOs in scope for the user account object are applied during logon (in the normal Local, Site, Domain, OU order).
3. As the computer is running in loopback (Merge mode), it then applies all User Node policies from all GPOs in scope for the computer account object during logon (Local, Site, Domain and OU); if any of these settings conflict with what was applied during step 2, the computer account setting takes precedence.

And, with loopback processing enabled (in Replace mode):

1. Computer Node policies from all GPOs in scope for the computer account object are applied during start-up (in the normal Local, Site, Domain, OU order); the computer flags that loopback processing (Replace mode) is enabled.
2. User Node policies from all GPOs in scope for the user account object are not applied during logon (as the computer is running loopback processing in Replace mode, no list of user GPOs has been collected).
3. As the computer is running in loopback (Replace mode), it then applies all User Node policies from all GPOs in scope for the computer account object during logon (Local, Site, Domain and OU).

But I don't want everyone who logs on to get these Settings

If you want to add an exception to this rule (for example, you have used loopback processing in Replace mode to secure a terminal server but would like to ensure that the server administrators do not receive the settings), you can, in the Delegation tab of the GPO(s) as viewed from the Group Policy Management Console (GPMC), set a security group containing the administrator accounts to Deny for the Apply group policy permission. This has to be set on every GPO in scope for the computer account that contains user settings you wish to deny.
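To make the three GetGPOList behaviours above and the Deny Apply exception concrete, here is an added model of the list-building and RSoP resolution (constructed for this article; not Windows' or the author's code). GPO names, settings and group names are made-up sample data.

```python
# Added example (not from the article): a model of the GPO list that
# GetGPOList builds for a logon in standard, Merge and Replace loopback
# modes, including the "Deny Apply group policy" exception.
from dataclasses import dataclass, field

LEVELS = ("Local", "Site", "Domain", "OU")  # applied in this order; later wins


@dataclass
class GPO:
    name: str
    level: str
    user_settings: dict = field(default_factory=dict)
    deny_apply: frozenset = frozenset()  # groups denied "Apply group policy"


def in_scope(gpos, groups):
    """GPOs the principal may apply, sorted Local > Site > Domain > OU."""
    kept = [g for g in gpos if not (g.deny_apply & groups)]
    return sorted(kept, key=lambda g: LEVELS.index(g.level))


def get_gpo_list(user_gpos, computer_gpos, user_groups, mode=None):
    """mode is None (standard), 'merge' or 'replace'."""
    # Replace never collects the user's own GPOs at all
    gpo_list = [] if mode == "replace" else in_scope(user_gpos, user_groups)
    if mode in ("merge", "replace"):
        # the computer's GPOs are appended, so they win conflicts; the logging-on
        # user still needs Apply rights on them, which the Deny exception relies on
        gpo_list += in_scope(computer_gpos, user_groups)
    return gpo_list


def rsop(gpo_list):
    """Resultant Set of Policy: each later GPO overwrites conflicting keys."""
    result = {}
    for g in gpo_list:
        result.update(g.user_settings)
    return result


# Constructed sample: the user's Domain GPO, and a kiosk GPO linked to the OU
# holding the computer account, with server administrators denied the kiosk GPO.
USER_GPOS = [GPO("Corp Users", "Domain", {"wallpaper": "corp", "cmd": "allowed"})]
COMPUTER_GPOS = [GPO("Kiosk Lockdown", "OU", {"cmd": "disabled", "screensaver": "locked"},
                     deny_apply=frozenset({"Server Admins"}))]


def logon_rsop(user_groups, mode=None):
    """User-side RSoP for a user in `user_groups` logging on to the kiosk."""
    return rsop(get_gpo_list(USER_GPOS, COMPUTER_GPOS, frozenset(user_groups), mode))
```

Note that in Replace mode a member of the denied group ends up with no user settings from either list, which is exactly the administrator exception the paragraph above describes.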

In Conclusion

So all you need to do to ensure that the User Node setting you want configured in loopback processing applies is to make sure the User Node setting is in a GPO that is in scope for the computer account object (and that it has precedence over any competing GPOs).
