Right, I saw that. But would that override the fact that I have domain admins exempted from the policy (via the explicit deny)? I wouldn't think it would...thanks!
<mc>

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 1:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Undoing a GPO for Domain Admins was - GPO Loopback problem

Mark

Jorge posted this a little while ago, I'd say loopback is causing your problem...
Sorry if you saw this already - Rich

----
Mark Creamer wrote:

Yes I do (loopback) - that may be where I'm going wrong. My goal is to only have the settings apply to normal users, and only when they are on the terminal servers in the OU where the GPO is applied. So in order to have the user portion of the GPO apply to computers in the OU, I enabled loopback (the user objects are all in the Users container). If that's the problem, can you explain further for me what's going wrong? Thanks Darren...
<mc>

-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 30, 2003 6:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO Loopback problem

QUOTE FROM TECHNET

Using Loopback Processing to Configure User Settings

The User Group Policy loopback processing mode policy setting is an advanced option that is intended to keep the configuration of the computer the same regardless of who logs on. This option is appropriate in certain closely managed environments, such as servers, terminal servers, classrooms, public kiosks, and reception areas. Setting the loopback processing mode policy setting applies the same user settings for any user who logs onto the computer, based on the computer.

When you apply Group Policy objects to users, normally the same set of user policy settings applies to those users when they log on to any computer. By enabling the loopback processing policy setting in a GPO, you can configure user policy settings based on the computer that they log on to. Those settings are applied regardless of which user logs on.
When you use this option, you must ensure that both the computer and user portions of the GPO are enabled. You can set the loopback policy in the Group Policy Object Editor snap-in by using the User Group Policy loopback processing mode policy setting under Computer Settings\Administrative settings\System\Group Policy. Two options are available:

Merge mode
In this mode, the list of GPOs for the user is gathered during the logon process. Then, the list of GPOs for the computer is gathered. Next, the list of GPOs for the computer is added to the end of the GPOs for the user. As a result, the computer's GPOs have higher precedence than the user's GPOs.

Replace mode
In this mode, the list of GPOs for the user is not gathered. Instead, only the list of GPOs based on the computer object is used. The User Configuration settings from this list are applied to the user.

Regards,
Jorge

-----Original Message-----
From: Salandra, Justin A.
To: '[EMAIL PROTECTED]'
Sent: 12/30/2003 8:33 PM
Subject: RE: [ActiveDir] GPO Loopback problem

Loopback I have never fully understood, but from what I can comprehend, if you enable loopback, no matter what settings you make for the user under the user config, they are ignored and the computer settings are true for the user. GPOs are not applied to admins if the apply is not checked like you said, however if there are computer configs in the GPO they are applied to the computer and the computer is not in the admin group.

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 30, 2003 2:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO Loopback problem

We're setting up a group policy being applied to an OU which contains 2 computer objects, which are terminal servers. Then we want to set user configuration policies disabling certain start menu options, etc. As expected, the policy affecting the users only goes into effect upon selecting Loopback mode.
The problem is, I have something enabled which is completely blanking the desktop - no icons, no start menu, no right-click, etc. Anyone know what I must have enabled to have that happen? Also, I was (probably mistakenly) under the impression Administrators are not affected by a GPO as long as the "Apply Group Policy" security permission is not enabled. In this GPO, it is not enabled for administrators, but the GPO is still applied to admins. Help! :-)

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
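
The merge and replace modes described in the TechNet quote in this thread, as an added example (not code from any poster or from Microsoft): a simplified Python model of which GPOs contribute User Configuration settings at logon. The GPO names, setting names, the "off" mode label, and the rule that the "Apply Group Policy" deny is evaluated against the logging-on user's groups are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    user_settings: dict  # User Configuration settings carried by this GPO
    allow_apply: frozenset = frozenset({"Authenticated Users"})
    deny_apply: frozenset = frozenset()  # explicit Deny on "Apply Group Policy"

def passes_filter(gpo, user_groups):
    # Model assumption: security filtering is checked against the logging-on
    # user's groups, and an explicit Deny beats any Allow.
    if gpo.deny_apply & user_groups:
        return False
    return bool(gpo.allow_apply & user_groups)

def gpo_list(user_gpos, computer_gpos, mode):
    """GPOs whose User Configuration is processed, lowest precedence first."""
    if mode == "off":      # no loopback: only GPOs in scope for the user object
        return list(user_gpos)
    if mode == "merge":    # computer's list is added to the end of the user's list
        return list(user_gpos) + list(computer_gpos)
    if mode == "replace":  # user's list is not gathered at all
        return list(computer_gpos)
    raise ValueError(f"unknown loopback mode: {mode}")

def resultant_user_settings(user_gpos, computer_gpos, mode, user_groups):
    groups = frozenset(user_groups)
    result = {}
    for gpo in gpo_list(user_gpos, computer_gpos, mode):
        if passes_filter(gpo, groups):
            result.update(gpo.user_settings)  # later GPO overrides earlier one
    return result

# Constructed sample data: one GPO in scope for the user object, one linked to
# the terminal-server OU with Domain Admins denied "Apply Group Policy".
USER_SIDE = [GPO("Domain user defaults",
                 {"Wallpaper": "corp.bmp", "RemoveRunMenu": False})]
TS_SIDE = [GPO("TS lockdown",
               {"RemoveRunMenu": True, "HideControlPanel": True},
               deny_apply=frozenset({"Domain Admins"}))]
NORMAL_USER = {"Authenticated Users", "Domain Users"}
ADMIN = {"Authenticated Users", "Domain Users", "Domain Admins"}

if __name__ == "__main__":
    for mode in ("off", "merge", "replace"):
        for label, groups in (("user", NORMAL_USER), ("admin", ADMIN)):
            print(mode, label,
                  resultant_user_settings(USER_SIDE, TS_SIDE, mode, groups))
```
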
