well, the machine has to have read and apply for its gpo to process. regardless of whether its merge or replace. in fact, loopback is set in the computer config part of the machine's gpo. so the machine has to be able to read and apply the gpo for loopback to occur to begin with. then if its merge, the user's part of the user's gpo will be processed, followed by the user portion of the machine's gpo. in replace, the user's portion of the user's gpo is ignored and just the machine's gpo's user portion will be processed.
we're talking about 2 gpo's here and 2 seperate parts of the gpo- first the user part of the user accounts gpo and second the user part of the machine's gpo. its the user part of the machine's gpo that you want to merge or replace, hence the machine has to have rights to that gpo. In reference to your example, are you sure there isn't a gpo with the same settings as policy 1 coming from somewhere(like the user's ou or linked at the domain level)? is the authenticated users group defined in the acl for policy 1's gpo? i'm sorry if this is unclear. its most likely my fault. i'm no AD expert and i'm sure joe or al or gil or any of the other much much more knowledgable people will jump in and correct the hell out of me. i apologize if i've confused you more. thanks -----Original Message----- From: SysPro Support [mailto:[EMAIL PROTECTED] Sent: Thursday, May 19, 2005 9:41 PM To: [email protected] Subject: Re: [ActiveDir] GPO being denied Tom, This is not the way I thought it worked (but I may have misread what you are saying or I may just be wrong!) I thought that if Loop back processing was active on the machine as Replace, when the user logged on, they received the policies as if they were members of the Machine OU. If Loop back processing was active on the machine as Merge, when the user logged on, they received the policies based on their own OU membership, followed by the policies as if they were members of the Machine OU. Whether the machine had apply or read access to these polices was irrelevant. I just did the following test where I created two polices: Policy 1 (User has apply access, machine has neither read nor apply access). Contains one user setting Policy 2 (User and machine both have apply access). Contains loopback processing as merge plus a user based setting Both policies applied to TEST Ou. Machine belongs to Test OU but User doesn't. My reading of your statement is that the user will only get the second User based setting. In fact when I tried it, the user got both settings. Alan C Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/policyreporter.shtml ----- Original Message ----- From: "Kern, Tom" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Friday, May 20, 2005 10:29 AM Subject: Re: [ActiveDir] GPO being denied To repeat- You're getting that error because if the computer object or authenticated users is not on the acl to apply gpo and reaf gpo, the user portion of the gpo which is defined for the ou the computer object is in, will not apply. Both the gpo defined on the user and the user portion of the gpo defined on the computer are applied in merge mode. If the pc doesn't have rights, the user portion of the computer's gpo will not apply and you'll get that error -------------------------- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net) List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
