Tom, This is not the way I thought it worked (but I may have misread what you are saying or I may just be wrong!)
I thought that if Loop back processing was active on the machine as Replace, when the user logged on, they received the policies as if they were members of the Machine OU. If Loop back processing was active on the machine as Merge, when the user logged on, they received the policies based on their own OU membership, followed by the policies as if they were members of the Machine OU. Whether the machine had apply or read access to these polices was irrelevant. I just did the following test where I created two polices: Policy 1 (User has apply access, machine has neither read nor apply access). Contains one user setting Policy 2 (User and machine both have apply access). Contains loopback processing as merge plus a user based setting Both policies applied to TEST Ou. Machine belongs to Test OU but User doesn't. My reading of your statement is that the user will only get the second User based setting. In fact when I tried it, the user got both settings. Alan C Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/policyreporter.shtml ----- Original Message ----- From: "Kern, Tom" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Friday, May 20, 2005 10:29 AM Subject: Re: [ActiveDir] GPO being denied To repeat- You're getting that error because if the computer object or authenticated users is not on the acl to apply gpo and reaf gpo, the user portion of the gpo which is defined for the ou the computer object is in, will not apply. Both the gpo defined on the user and the user portion of the gpo defined on the computer are applied in merge mode. If the pc doesn't have rights, the user portion of the computer's gpo will not apply and you'll get that error -------------------------- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net) List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
