Let's say you have two top-level OUs--one for all of your domain computers
(OUPCs) and one for all of your domain users (OUEmployees). Now you create a
group policy (GPUsers) that has "computer configuration" settings and "user
configuration" settings. If you link that group policy to OUEmployees, are
the "computer configuration" settings ever going to be applied? It seems
like they wouldn't because there aren't any computers in OUEmployees.
I would like to hear an answer to this question, and I would love to hear an
explanation. Thank you!
Eric L. wrote:
> Let's say you have two top-level OUs--one for all of your domain computers
> (OUPCs) and one for all of your domain users (OUEmployees). Now you create a
> group policy (GPUsers) that has "computer configuration" settings and "user
> configuration" settings. If you link that group policy to OUEmployees, are
> the "computer configuration" settings ever going to be applied? It seems
> like they wouldn't because there aren't any computers in OUEmployees.
Yes, your assumption is correct. This is how GP works. Put simply, in
order to evaluate the GPs to apply, the target (either a user or a
computer) checks the appropriate configuration on the GPO and applies
it. Users only apply "User Configuration", computers apply "Computer
Configuration" by default. There's a special mode you can put computers
in (called "Loopback processing mode") that lets computers apply user
settings. But by default, objects only apply their configuration "side"
of a GP.
> I would like to hear an answer to this question, and I would love to hear an
> explanation. Thank you!
Explanation enough? :-)
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Now that you have opened the discussion...........Why the need for loopback
processing mode? Is this only used for terminal services?
TIA
DDS
"Florian Frommherz [MVP]" <flo...@frickelsoft.DELETETHIS.net> wrote in
message news:%238S5Zkd...@TK2MSFTNGP05.phx.gbl...
So, let's say we have three major types of computer--desktop, server, and
terminal server.
Then we have three major types of employees--sales rep, office, and
warehouse.
If we need to apply different policies to different employees based on what
computer they're logging into (or trying to log into), do we need to link
all of our GPs at the domain-level and then use "Security Filtering" by
security groups, then? After all, the lowest common denominator between
users and computers for us is the top-domain-level.
If so, it sounds like our OU plan will be more for show than for group
policy organization, and the real hero will be our security groups. That's
ok, though. A clean appearance is important.
I have read of people applying the Computer half of the GP to the Computer
OU and the User half to the User OU, but that sidesteps the fact that
different users will need different privileges on the Computer OU so you
have to do some user-based filtering on it.
"Florian Frommherz [MVP]" <flo...@frickelsoft.DELETETHIS.net> wrote in
message news:%238S5Zkd...@TK2MSFTNGP05.phx.gbl...
"Eric L." <ericl...@yahoo.com> wrote in message
news:O2yOiOeF...@TK2MSFTNGP03.phx.gbl...
Danny Sanders wrote:
> There's a special mode you can put computers
>> in (called "Loopback processing mode") that lets computers apply user
>> settings.
>
> Now that you have opened the discussion...........Why the need for loopback
> processing mode? Is this only used for terminal services?
You would use Loopback whenever you want a certain "User Configuration"
setting to be applied on a machine - no matter which user logs on to
that machine or what other settings that user has configured.
You can use Loopback to bind certain "User Configuration" elements to
machines -- loopback knows two modes it can run in. "Merge" mode merges
the "User Configuration" settings the user brings in with the settings
that are configured for the machine. Settings that have contradicting
values will result in the machine's "User Configuration" settings
winning. "Replace" tells loopback to simply ignore what the user has
configured in all his "User Configuration" settings. It just applies the
machine's "User Configuration" settings.
By now, you may see the typical use of loopback: you can use loopback
to dictate a couple of settings on a TS - settings you just want to have
enabled on the TS and not on other machines the user logs on to.
Cheers,
Florian
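
Added example, not part of the original thread: a simplified Python model of which side of a GPO a computer and a user pick up, and how loopback "Merge" and "Replace" change the user's result. The GPO GPTerminalServer, all setting names and values, and the loopback argument are constructed for illustration; inheritance, enforcement and security filtering are left out.

```python
# Simplified model of Group Policy scoping. Constructed for illustration:
# GPTerminalServer, every setting name/value, and the `loopback` argument.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # "Computer Configuration"
    user: dict = field(default_factory=dict)      # "User Configuration"

# OU -> GPOs linked to it, in the order they are applied.
LINKS = {
    "OUEmployees": [GPO("GPUsers", computer={"Firewall": "on"},
                        user={"Wallpaper": "corporate", "ControlPanel": "allowed"})],
    "OUPCs": [GPO("GPTerminalServer", computer={"ScreenLock": "10min"},
                  user={"ControlPanel": "hidden", "RunMenu": "hidden"})],
}

def _apply(gpos, side):
    """Apply one side of each GPO in order; a later GPO overwrites an earlier one."""
    result = {}
    for gpo in gpos:
        result.update(getattr(gpo, side))
    return result

def computer_settings(computer_ou):
    # A computer reads only the "Computer Configuration" side of GPOs in its scope.
    return _apply(LINKS.get(computer_ou, []), "computer")

def user_settings(user_ou, computer_ou, loopback=None):
    """loopback is None (default processing), "merge" or "replace"."""
    from_user, from_computer = LINKS.get(user_ou, []), LINKS.get(computer_ou, [])
    if loopback is None:
        gpos = from_user                   # user side of the user's GPOs only
    elif loopback == "merge":
        gpos = from_user + from_computer   # machine's GPOs applied last, so they win
    elif loopback == "replace":
        gpos = from_computer               # the user's own GPOs are ignored
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    return _apply(gpos, "user")

if __name__ == "__main__":
    print("computer:", computer_settings("OUPCs"))
    for mode in (None, "merge", "replace"):
        print(mode, "->", user_settings("OUEmployees", "OUPCs", mode))
```

In the model, the "Firewall" setting on the computer side of GPUsers never reaches a machine in OUPCs, which is the situation the first question describes.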