



    Date: 26.12.2019

    Local Group Policy Object Processing


    When a computer is joined to a domain with the Active Directory and Group Policy implemented, a local Group Policy Object is processed. Note that LGPO policy is processed even when the Block Policy Inheritance option has been specified.

    Local Group Policy Objects are always processed first, and then domain policy is processed. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, LGPO policy is applied.



    Group Policy Loopback Support





    Group Policy is applied to the user or computer, based upon where the user or computer object is located in the Active Directory. However, in some cases, users may need policy applied to them, based upon the location of the computer object, not the location of the user object. The Group Policy loopback feature gives the administrator the ability to apply user Group Policy, based upon the computer that the user is logging onto.

    To describe the loopback feature, we’ll use an example. In this scenario, you have full control over the computers and users in this domain because you have been granted domain administrator rights.



    The following illustration shows the Reskit domain, which is used to work through this example.

    Figure 8. The Reskit domain

    Normal user Group Policy processing specifies that computers located in the Servers OU have the GPOs A3, A1, A2, A4, A6 applied (in that order) during computer startup. Users of the Marketing OU have GPOs A3, A1, A2, A5 applied (in that order), regardless of which computer they log on to.

    In some cases this processing order may not be what you want, for example, when you do not want applications that have been assigned or published to the users of the Marketing OU to be installed while they are logged on to the computers in the Servers OU. With the Group Policy loopback feature, you can specify two other ways to retrieve the list of GPOs for any user of the computers in the Servers OU:


    • Merge mode. In this mode, the user’s list of GPOs is normally gathered during logon through the use of the GetGPOList function. Then GetGPOList is called again using the computer’s location in the Active Directory. Next, the list of GPOs for the computer is added to the end of the GPOs for the user. This causes the computer’s GPOs to have higher precedence than the user’s GPOs. In this example, the list of GPOs for the computer is A3, A1, A2, A4, A6, which is added to the user’s list of A3, A1, A2, A5, resulting in A3, A1, A2, A5, A3, A1, A2, A4, and A6 (listed in lowest to highest priority).

    • Replace mode. In this mode, the user’s list of GPOs is not gathered. Only the list of GPOs based upon the computer object is used. In this example, the list is A3, A1, A2, A4, and A6.

    You can set the loopback feature by using the User Group Policy loopback processing mode policy under Computer Settings\Administrative settings\System\Group Policy.

    The processing of the loopback feature is implemented in the Group Policy engine⁵, not in the GetGPOList function. When the Group Policy engine is about to apply user policy, it looks in the registry for a computer policy, which specifies which mode user policy should be applied in. Then, based upon this policy, it calls GetGPOList, as appropriate.
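
    The following model of the Merge and Replace modes is an added example, not code from the original document or from Windows. The GPO lists are the ones in the Reskit example; the per-GPO settings (screen_lock_minutes, assigned_app) are constructed for illustration. It shows that Merge mode still applies the user's own GPO A5, so only Replace mode keeps the Marketing application off the Servers OU.

```python
from enum import Enum

class Loopback(Enum):
    NONE = "none"        # normal processing: user's location only
    MERGE = "merge"      # user's list, then computer's list appended
    REPLACE = "replace"  # computer's list only

# GPO lists from the Reskit example, lowest to highest priority.
USER_GPOS = ["A3", "A1", "A2", "A5"]            # user in the Marketing OU
COMPUTER_GPOS = ["A3", "A1", "A2", "A4", "A6"]  # computer in the Servers OU

# Constructed user-policy settings per GPO (hypothetical names and values).
USER_SETTINGS = {
    "A2": {"screen_lock_minutes": 30},
    "A5": {"assigned_app": "marketing-suite"},
    "A6": {"screen_lock_minutes": 5},
}

def user_gpo_list(user_gpos, computer_gpos, mode):
    """Return the GPOs whose user settings apply, lowest to highest priority."""
    if mode is Loopback.REPLACE:
        return list(computer_gpos)                     # user's list is not gathered
    if mode is Loopback.MERGE:
        return list(user_gpos) + list(computer_gpos)   # computer's list goes last
    return list(user_gpos)

def effective_user_settings(gpo_list, settings=USER_SETTINGS):
    """Apply GPOs in order; a later (higher-priority) GPO wins a conflict."""
    result = {}
    for gpo in gpo_list:
        result.update(settings.get(gpo, {}))
    return result

if __name__ == "__main__":
    for mode in Loopback:
        gpos = user_gpo_list(USER_GPOS, COMPUTER_GPOS, mode)
        print(f"{mode.value:8} {gpos} -> {effective_user_settings(gpos)}")
```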


