Carla,
Since you have never done Group Policy before please allow me to give you
the basics. I will try to be brief ( I tend to babble on endlessly! ).
First of all you need to know that GPOs are linked to four levels: Local,
Site, Domain and OU. The pecking order is the same as I just described.
So, if there is a Site GPO that has a particular setting that conflicts with
a setting in a Domain-linked GPO then the setting in the Domain-linked GPO
will win. Now, if there were a setting in an OU-linked GPO that conflicted
with a setting in the Domain-linked GPO then the OU-linked GPO would win.
But, what happens if there are conflicting settings at the same level?
Easy. The pecking order is how the GPOs appear in the Editor. What is at
the bottom is processed first and what is at the top of the list is
processed last. So, the 'higher' one wins. Not too complicated so far!
Now, how are GPOs created and where are they stored? A GPO is created when
you go to an OU ( I am going to focus on the OU level as this is the most
common level that you would be using ), right-click that OU, select
Properties, go to the Group Policy tab and click on the New... button. You
then give it a 'friendly' name and click on the edit button to make the
settings. Please note that the GPO is comprised of two halves: the GPT and
the GPC. The GPT ( Group Policy Template ) is the part of the GPO that
resides in the SYSVOL share while the GPC ( Group Policy Container ) is the
part that resides in the Active Directory. We will leave it at that for the
time being.
So, you are in the GPO Editor and have clicked on the edit button. You now
see two halves: the Computer Configuration half and the User Configuration
half. You need to know that any settings that you configure in the Computer
Configuration half are processed when the computer restarts ( well, mostly.
There is a way around this ). Similarly, any settings that you configure in
the User Configuration half are processed when the user logs on ( and,
again, there is a way around this ). So, just to be thorough, if you wanted
some settings to affect the user side you would have to configure those
settings in the user configuration half. I know that this seems obvious but
I need to make this clear. You will see why in a second.
So, the process looks like this: you turn on the computer at the beginning
of the day. When the computer starts up it will process any GPOs of which
it falls under the influence ( meaning: any GPOs that are linked to the OU
in which it - the computer account object - resides ). You are then
prompted to log on. So, you log on by entering a user name and password.
Now any GPOs that are linked to the OU in which the user account object
resides are processed. Hopefully you see that first the computer
configuration settings are processed ( based on the location of the computer
account object ) and then the user configuration settings are processed (
based on the location of the user account object ). This is a really
important concept to understand!
Now, what happens if you have some 'special' computers and you want to make
sure that they are locked down good and tight no matter who logs on ( well,
with a few high-level exceptions )? You would take a look at Group Policy
Loopback Processing. What exactly does this do? It alters the way that
GPOs are processed.
I mentioned that there are two modes in Loopback: Replace and Merge.
Replace is what you would probably want in this situation. What this does
is kinda neat. The computer boots up. It processes any GPOs that are
linked to the OU in which the computer account object resides and then you
are prompted to log on. You log on by entering a user name and password (
sound familiar? ). Now, it completely ignores any GPOs that are linked to
the OU in which the user account object resides! Yep! Completely ignores
it/them. Does not process nothing! Nada! Nichts! So, any settings that
might be configured in the user configuration side of things are lost?
Nope! You would configure them in the GPO that is linked to the OU in which
the computer account object resides. Huh? Processes user configuration
settings from a GPO that is linked to the OU in which the computer account
object resides? But I just said, above, that it was a really important
concept to understand how things are processed and now I am contradicting
that! Well, yes, but no! This is Loopback processing! It works this way
only in Loopback processing! And it affects only those users when logging
onto the computer account objects that fall under the influence of this
Loopback GPO.
Merge is similar to replace. There is one difference. With Merge any user
configuration settings that might be set in any GPOs that are linked to the
OU in which the user account object resides are actually processed. If
there is a conflicting setting ( between the 'computer' configuration and
the 'user' configuration ) then the setting in the GPO linked to the OU in
which the user account object resides wins.
I mentioned a 'few high-level exceptions' a couple of paragraphs above.
What does that mean? Well, if you are locking down a computer - or group of
computers - with the Loopback GPO I am pretty sure that you do not want the
Domain Admins group to be affected by this GPO. I stated that this
Loopback affects only those users while logging into the computer account
objects that fall under the influence of the Loopback GPO. Well, a member
of the Domain Admins is a user! Just like you and me ( well, mostly and in
this case definitely ). How do we make sure that these special groups are
not affected by the Loopback GPO ( imagine how difficult it would be to
troubleshoot and to fix things if you were locked down..... ). Well, in the
security tab of each GPO you will notice that there is a group called
Authenticated Users that has both the READ and APPLY GROUP POLICY rights.
You would want to remove this group and put in another security group, one
which has only those user account objects that you want to be affected by
this GPO. The key is to make sure that this group has both the READ and
APPLY GROUP POLICY rights.
There are several other things that affect GPOs. Slow links are one. Most
GPOs are not processed when the computer detects a slow link. What is a
slow link? By default, anything under 500 kbps. This can be changed,
however!
Does this help you?
Cary
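A worked example, added here and not part of Cary's message, showing how the recipe in the mail (Loopback in Replace mode, the slow-link threshold, and security filtering so that only a chosen group APPLIES the GPO) is done with the GroupPolicy PowerShell module and then audited. The GPO name, OU and group name are placeholders. One caveat the example builds in: since MS16-072 the computer account must still be able to READ a GPO for its user settings to be retrieved, so Authenticated Users is downgraded to Read rather than removed outright; that still stops Domain Admins and everyone else outside the chosen group from being affected, which is the point of the exception Cary describes.

```powershell
# Added example (not from Cary's message): apply the loopback-lockdown recipe from
# the e-mail with the GroupPolicy module, then audit what was set.
# Assumptions (placeholders, change for your domain):
#   $GpoName  - a GPO already linked to the OU that holds the 'special' computer accounts
#   $OuDn     - distinguished name of that OU
#   $ApplyGrp - the security group that should be the only one to APPLY the GPO
Import-Module GroupPolicy

$GpoName  = 'Kiosk Lockdown'                 # placeholder GPO name
$OuDn     = 'OU=Kiosks,DC=example,DC=local'  # placeholder OU
$ApplyGrp = 'Kiosk Users'                    # placeholder group

$SystemKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Loopback mode. UserPolicyMode 2 = Replace, 1 = Merge (the two modes in the mail).
#    This lands in the Computer Configuration half, so it follows the computer account.
Set-GPRegistryValue -Name $GpoName -Key $SystemKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# 2. Slow-link threshold in kbps. The default is 500; the mail notes it can be changed.
#    256 here is only an illustration of where the knob lives.
Set-GPRegistryValue -Name $GpoName -Key $SystemKey -ValueName 'GroupPolicyMinTransferRate' `
    -Type DWord -Value 256 | Out-Null

# 3. Security filtering. GpoApply implies Read, so the chosen group gets both rights.
#    Authenticated Users is cut back to Read only (-Replace is needed to lower an
#    existing level). Domain Admins keep their Edit rights but no longer APPLY the GPO.
Set-GPPermission -Name $GpoName -TargetName $ApplyGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

function Get-GpoApplyTrustees {
    param([string]$Name)
    # Lists every trustee that currently holds APPLY GROUP POLICY on the GPO.
    # After the steps above this should be only $ApplyGrp.
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

function Get-OuLinkPrecedence {
    param([string]$Target)
    # Link Order 1 is the top of the list in the editor: processed last, so it wins
    # any conflict with GPOs linked lower down at the same OU.
    (Get-GPInheritance -Target $Target).GpoLinks |
        Sort-Object Order |
        Select-Object Order, DisplayName, Enabled, Enforced
}

"Trustees with APPLY on '$GpoName':"
Get-GpoApplyTrustees -Name $GpoName
"Link precedence at $OuDn (Order 1 wins conflicts):"
Get-OuLinkPrecedence -Target $OuDn | Format-Table -AutoSize
```

Run this on a domain-joined machine with the GPMC tools installed, as an account that can edit the GPO. The two audit functions are the part worth keeping around: the first confirms that nobody outside the intended group can be locked down by the loopback GPO, and the second shows the same-level ordering Cary describes, which is where most "why did the wrong setting win?" questions end up.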