Apply User Configuration on Computer Object without Loopback Processing

    Question

  • Hi All,

    I have a problem (behavior) that I cannot explain, and I am really frustrated, because I thought I understand GPOs well and nothing can surprise me. Long story short:

    I have a domain (Windows Server 2008 R2 forest and domain functional levels) with a bunch of Windows Server 2012 domain controllers. I have a GPO which contains only User Configuration and is linked to the Domain Controllers OU. When I log on to a domain controller, this GPO, containing only User Config and linked only to this OU, is being applied. I checked and made sure that there is no loopback processing in any of the GPOs. How is this possible? I thought User Settings can be applied only to the OU which contains the user object?

    What frustrates me further is that I have an OU with all of the computer accounts of my member servers (Windows Server 2012, 2012 R2), and there are 3 other GPOs there, containing only User Settings (Computer Configuration is disabled), and those GPOs are also applied to the servers. How is this possible when loopback processing is not enabled? Are there any exceptions to the rule?

    Many thanks in advance for sharing your opinion!

    Wednesday, December 03, 2014 1:52 PM

Answers

  • > frustrated, because I thought I understand GPOs well and nothing can
    > surprise me.
     
    Really? :-))
     
    > I checked and made sure that there is no loopback processing in any of
    > the GPOs.
     
    You should not check your GPOs, but an RSoP Report... There in fact IS
    loopback processing in one of your GPOs. Or an evil admin deployed
    HKLM\Software\Policies\Microsoft\Windows\System:UserPolicyMode
    (REG_DWORD) and set it to 1 or 2...
     
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Wednesday, December 03, 2014 1:56 PM

All replies

  • Hi Martin,

    I've created dozens of gpresults (/h) on all of the servers affected, but Loopback Processing was not enabled.

    Now I will search for the key. Thanks for sharing! :)

    Regards,

    Stoyan

    Wednesday, December 03, 2014 2:14 PM
  • Hi Martin,

    You are right. UserPolicyMode was set everywhere either to 1 or to 2. This would mean that at some point in the environment "Loopback Processing" was configured and afterwards not disabled properly, and the key in the registry remained unchanged.

    Thanks for the support, wish you a great day. Your reply was clearly the ANSWER :)

    Regards,

    Stoyan

    Wednesday, December 03, 2014 2:28 PM
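
One way to run the check from the answer across several servers, as an added example that is not part of the original thread: it reads the UserPolicyMode value straight from the registry instead of relying on the GPO settings view. The function name Get-LoopbackPolicyMode and the server names are hypothetical, and remote targets are assumed to have PowerShell remoting enabled.

```powershell
# Added example (not from the thread): report the loopback value per computer.
# Assumption: remote targets accept PowerShell remoting (WinRM).
function Get-LoopbackPolicyMode {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    begin {
        # Reads the value on the machine it runs on; emits nothing if it is absent.
        $probe = {
            $key  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
            $item = Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue
            if ($item) { [int]$item.UserPolicyMode }
        }
    }
    process {
        foreach ($computer in $ComputerName) {
            $value = $null
            $mode  = 'Not set'
            try {
                if ($computer -eq $env:COMPUTERNAME) {
                    $value = & $probe
                } else {
                    $value = Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
                }
                if ($null -ne $value) {
                    $value = [int]$value
                    # 1 = Merge, 2 = Replace (the two values named in the answer)
                    $mode = if ($value -eq 1) { 'Merge' } elseif ($value -eq 2) { 'Replace' } else { 'Other value' }
                }
            } catch {
                $mode = "Query failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                ComputerName   = $computer
                UserPolicyMode = $value
                Mode           = $mode
                LoopbackActive = ($value -eq 1 -or $value -eq 2)
            }
        }
    }
}

# Local machine:
Get-LoopbackPolicyMode
# Several servers (hypothetical names):
# 'DC01', 'SRV01' | Get-LoopbackPolicyMode | Where-Object LoopbackActive
```

A value of 1 or 2 on a machine whose gpresult report shows no loopback setting matches the leftover registry value found in this thread.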