GPO policy question


KT

I have a policy on desktop (local GPO) that is more restrictive than domain
policy - which will take effect? I know Domain overwrites Local, but
are the more secure Local settings overwritten?
 
KT,

The 'pecking order' is Local, Site, Domain, OU. So, any setting in the
local level that conflicts with a setting at a later level will be
overwritten. Please do not think that just because there is a local policy
and an OU policy that the local policy will be entirely overwritten. It is
only that specific setting at the local level that conflicts with the same
setting at the OU level that will be overwritten.

HTH,

Cary
 
If you need the local policy to always apply, you can edit the local policy
on the machine and change the "loopback processing" to either replace (ignore
other group policies) or merge (apply all GPOs and re-apply the local group
policy last).

Do this by editing the local group policy, expand Computer
node->System->Group Policy and configure the "User Group Policy loopback
processing mode" setting to either Merge or Replace.
 
Michael,

Good point. Loopback is a really neat thing that changes the way that GPOs
are processed. Thank you for pointing this out. Loopback is generally used
for a Terminal Server or a 'Kiosk' type system. Naturally these are not the
only two situations where using Loopback makes sense, probably just the two
most common situations.

Cary
 
Based on the help file, the replace or merge is based on the local
settings - basically if there are conflicts with COMPUTER or USER for Local
Settings, not necessarily Domain, Site, or OU policy - is that correct or did
I interpret it incorrectly - as I said or read - local
 
Loopback processing won't change this at all.

What it will do is go back and apply the user side of the policies that
applied to the computer - still in the order L-S-D-OU.

The way it's used for kiosks is to merge or replace the user's policies with
the computer GPO's user side. The reason it looks like the local GPO takes
precedence is that few computer GPOs on the S, D, or OU will have any user
entries at all. The order is still L-S-D-OU, but when there's no S-D-OU in
play, the net effect is L.

Joe
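
The precedence rules described in the replies above, as a simplified model in Python. This is an added example, not part of the original thread or of any Microsoft tool; the setting names and GPO contents are constructed, and `resolve` and `user_settings` are hypothetical helpers.

```python
# Simplified model of Group Policy precedence. Added example: setting names and
# GPO contents are constructed; resolve() and user_settings() are hypothetical.
ORDER = ("local", "site", "domain", "ou")  # processing order, later levels win

def resolve(gpos, side):
    """Apply GPOs in L-S-D-OU order; return {setting: (value, winning_level)}."""
    result = {}
    for gpo in sorted(gpos, key=lambda g: ORDER.index(g["level"])):
        for setting, value in gpo.get(side, {}).items():
            result[setting] = (value, gpo["level"])  # only the conflicting setting is replaced
    return result

def user_settings(user_gpos, computer_gpos, loopback=None):
    """User-side result; loopback is None, 'merge' or 'replace'."""
    if loopback == "replace":      # the user's own GPO list is ignored
        return resolve(computer_gpos, "user")
    result = resolve(user_gpos, "user")
    if loopback == "merge":        # the computer's GPOs are processed after the user's
        result.update(resolve(computer_gpos, "user"))
    return result

# Constructed sample GPOs
LOCAL = {"level": "local",
         "computer": {"LockoutThreshold": 3, "BlockUsbStorage": True},
         "user": {"HideControlPanel": True}}
DOMAIN = {"level": "domain", "computer": {"LockoutThreshold": 10}, "user": {}}
KIOSK_OU = {"level": "ou", "computer": {}, "user": {}}  # computer's OU, no user entries
STAFF_OU = {"level": "ou", "computer": {}, "user": {"HideControlPanel": False}}
KIOSK_OU_USER = {"level": "ou", "computer": {}, "user": {"HideControlPanel": False}}

COMPUTER_GPOS = [LOCAL, DOMAIN, KIOSK_OU]
USER_GPOS = [LOCAL, DOMAIN, STAFF_OU]

if __name__ == "__main__":
    print("computer side:", resolve(COMPUTER_GPOS, "computer"))
    for mode in (None, "merge", "replace"):
        print("user side, loopback =", mode, user_settings(USER_GPOS, COMPUTER_GPOS, mode))
    # Once the computer's OU carries a user entry, it beats the local GPO again.
    print(user_settings(USER_GPOS, [LOCAL, DOMAIN, KIOSK_OU_USER], "replace"))
```

In this model the stricter local `LockoutThreshold` is overwritten by the domain value while the non-conflicting `BlockUsbStorage` survives. Under loopback the local user setting wins only as long as no later GPO on the computer side defines the same setting.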
 