Hi Tom,
I have included comments in your text in
<>
Alan C
----- Original Message -----
From: "Kern, Tom" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, May 20, 2005 12:07 PM
Subject: RE: [ActiveDir] GPO being denied
Well, the machine has to have Read and Apply for its GPO to process, regardless of whether it's merge or replace. In fact, loopback is set in the Computer Configuration part of the machine's GPO, so the machine has to be able to read and apply the GPO for loopback to occur to begin with. <Generally correct. Loopback processing depends on the existence of the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SYSTEM (UserMode=1 or 2). You can manually create the key and it will activate. You don't need a policy to create it.> Then if it's merge, the user part of the user's GPO will be processed, followed by the user portion of the machine's GPO. In replace, the user's portion of the user's GPO is ignored and just the machine's GPO's user portion will be processed.
<Agreed>
We're talking about 2 GPOs here and 2 separate parts of the GPO:
first the user part of the user account's GPO and second the user part of the machine's GPO. <Agreed>
It's the user part of the machine's GPO that you want to merge or replace, hence the machine has to have rights to that GPO. <Not sure why. The user is doing the processing and so the User needs READ and APPLY>
In reference to your example, are you sure there isn't a GPO with the same settings as Policy 1 coming from somewhere (like the user's OU or linked at the domain level)? <YEP. It was a totally new registry key>
Is the Authenticated Users group defined in the ACL for Policy 1's GPO? <No, I removed it totally>
I'm sorry if this is unclear. It's most likely my fault. I'm no AD expert and I'm sure Joe or Al or Gil or any of the other much, much more knowledgeable people will jump in and correct the hell out of me. <I am sure someone will set us right! Any comments Darren?>
I apologize if I've confused you more.
thanks
-----Original Message-----
From: SysPro Support [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 9:41 PM
To: [email protected]
Subject: Re: [ActiveDir] GPO being denied
Tom,
This is not the way I thought it worked (but I may have misread what you are
saying or I may just be wrong!)
I thought that if Loop back processing was active on the machine as Replace,
when the user logged on, they received the policies as if they were members
of the Machine OU.
If Loop back processing was active on the machine as Merge, when the user
logged on, they received the policies based on their own OU membership,
followed by the policies as if they were members of the Machine OU.
Whether the machine had Apply or Read access to these policies was
irrelevant.
I just did the following test where I created two policies:
Policy 1 (User has Apply access, machine has neither Read nor Apply access).
Contains one user setting.
Policy 2 (User and machine both have Apply access). Contains loopback
processing as merge plus a user-based setting.
Both policies applied to TEST OU. Machine belongs to TEST OU but User
doesn't.
My reading of your statement is that the user will only get the second User
based setting. In fact when I tried it, the user got both settings.
Alan C
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/policyreporter.shtml
----- Original Message -----
From: "Kern, Tom" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, May 20, 2005 10:29 AM
Subject: Re: [ActiveDir] GPO being denied
To repeat-
You're getting that error because if the computer object or Authenticated
Users is not on the ACL to apply GPO and read GPO, the user portion of the
GPO which is defined for the OU the computer object is in will not apply.
Both the GPO defined on the user and the user portion of the GPO defined on
the computer are applied in merge mode.
If the PC doesn't have rights, the user portion of the computer's GPO will
not apply and you'll get that error.
--------------------------
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
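The disagreement in the thread comes down to two questions: which GPO list is used for the user side once loopback is on, and whose token the Read + Apply Group Policy filter is evaluated against. The following is an added model of that logic, written for this page; it is not code from the thread, from Alan's tools or from Microsoft. The GPO names, OUs, principals and registry paths are constructed to mirror Alan's two-policy test. On a real client the mode is the REG_DWORD UserPolicyMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (0 = off, 1 = merge, 2 = replace), which the thread refers to as "UserMode". The model goes one step beyond the thread with a `computer_needs_read` switch that reproduces the later MS16-072 client behaviour, where user policy is retrieved in the computer's security context and the computer therefore also needs Read on each GPO.

```python
"""Model of Group Policy loopback processing plus security filtering.

Added illustration for the thread above; not Microsoft code. GPO names,
OUs, principals and registry paths are constructed. Mode values follow
UserPolicyMode: 0 off, 1 merge, 2 replace.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

LOOPBACK_OFF, LOOPBACK_MERGE, LOOPBACK_REPLACE = 0, 1, 2


@dataclass
class GPO:
    name: str
    user_settings: Dict[str, int] = field(default_factory=dict)  # user-side settings
    read: FrozenSet[str] = frozenset()    # principals granted Read on the GPO
    apply: FrozenSet[str] = frozenset()   # principals granted Apply Group Policy
    loopback_mode: Optional[int] = None   # computer-side UserPolicyMode this GPO sets

    def filters_in(self, token: FrozenSet[str]) -> bool:
        """Security filtering: the token must hold both Read and Apply Group Policy."""
        return bool(self.read & token) and bool(self.apply & token)


def loopback_mode(computer_token: FrozenSet[str], computer_gpos: List[GPO]) -> int:
    """Computer policy is filtered with the computer's token; the last GPO in
    processing order (highest precedence) that sets the mode wins."""
    mode = LOOPBACK_OFF
    for gpo in computer_gpos:
        if gpo.loopback_mode is not None and gpo.filters_in(computer_token):
            mode = gpo.loopback_mode
    return mode


def effective_user_settings(
    user_token: FrozenSet[str],
    computer_token: FrozenSet[str],
    user_gpos: List[GPO],
    computer_gpos: List[GPO],
    computer_needs_read: bool = False,
) -> Tuple[int, Dict[str, int], List[str]]:
    """Return (mode, merged user settings, names of GPOs that applied).

    user_gpos / computer_gpos: GPOs linked to the user's and the computer's
    OU, in processing order (lowest to highest precedence).
    computer_needs_read: post-MS16-072 clients fetch user policy in the
    computer's context, so the computer must also hold Read on each GPO.
    """
    mode = loopback_mode(computer_token, computer_gpos)
    if mode == LOOPBACK_REPLACE:
        candidates = list(computer_gpos)                    # user's own OU GPOs ignored
    elif mode == LOOPBACK_MERGE:
        candidates = list(user_gpos) + list(computer_gpos)  # computer-OU user settings win
    else:
        candidates = list(user_gpos)

    settings: Dict[str, int] = {}
    applied: List[str] = []
    for gpo in candidates:
        if not gpo.filters_in(user_token):                  # filtered on the USER's token
            continue
        if computer_needs_read and not (gpo.read & computer_token):
            continue
        settings.update(gpo.user_settings)                  # later GPO overwrites earlier
        applied.append(gpo.name)
    return mode, settings, applied


# Constructed principals and GPOs mirroring Alan's test: Authenticated Users
# was removed from Policy 1, so only the user holds Read + Apply on it.
USER = frozenset({"DOMAIN\\alice", "Authenticated Users", "Domain Users"})
COMPUTER = frozenset({"DOMAIN\\PC01$", "Authenticated Users", "Domain Computers"})
STRANGER_PC = frozenset({"DOMAIN\\PC02$", "Domain Computers"})  # no rights on Policy 2

POLICY1 = GPO("Policy 1", {"HKCU\\Software\\Test\\One": 1},
              read=frozenset({"DOMAIN\\alice"}), apply=frozenset({"DOMAIN\\alice"}))
POLICY2_MERGE = GPO("Policy 2", {"HKCU\\Software\\Test\\Two": 1},
                    read=frozenset({"DOMAIN\\alice", "DOMAIN\\PC01$"}),
                    apply=frozenset({"DOMAIN\\alice", "DOMAIN\\PC01$"}),
                    loopback_mode=LOOPBACK_MERGE)
POLICY2_REPLACE = GPO("Policy 2 (replace)", POLICY2_MERGE.user_settings,
                      read=POLICY2_MERGE.read, apply=POLICY2_MERGE.apply,
                      loopback_mode=LOOPBACK_REPLACE)
USER_OU = [GPO("User OU policy", {"HKCU\\Software\\Test\\Own": 1},
               read=frozenset({"Authenticated Users"}),
               apply=frozenset({"Authenticated Users"}))]
TEST_OU_MERGE = [POLICY1, POLICY2_MERGE]
TEST_OU_REPLACE = [POLICY1, POLICY2_REPLACE]

if __name__ == "__main__":
    for label, pc, ou, flag in [
        ("merge, 2005-era client", COMPUTER, TEST_OU_MERGE, False),
        ("replace, 2005-era client", COMPUTER, TEST_OU_REPLACE, False),
        ("merge, post-MS16-072 client", COMPUTER, TEST_OU_MERGE, True),
        ("merge, PC lacks rights on the loopback GPO", STRANGER_PC, TEST_OU_MERGE, False),
    ]:
        mode, settings, applied = effective_user_settings(USER, pc, USER_OU, ou, flag)
        print(f"{label}: mode={mode} applied={applied}")
```

Run as a script it walks four cases. The first reproduces Alan's observation: with the user filtered on her own token, Policy 1 applies even though the computer has no rights on it, and the user also keeps the GPOs from her own OU because the mode is merge. The second shows replace dropping the user's own OU GPOs. The third shows where Tom's intuition becomes true on a current client: once the computer's context is used to fetch user policy, a GPO on which neither the computer nor Authenticated Users holds Read is silently skipped. The fourth shows the one place the thread agrees on: if the computer cannot Read + Apply the GPO that carries the loopback setting, loopback never switches on at all.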
