|Subject:||GPO-Loop back processing|
|Posted by:||Paul J (Pau…@discussions.microsoft.com)|
|Date:||Tue, 18 Jul 2006|
Is this the right way to proceed?
I am setting up the following OU structure with GPOs linked as below.
CDcomputers, 1500 computers with 40 servers in child OU (CDComputers\Servers)
OU GPO linked
CDcomputers CDcomputersGPO <- GPO with loop back set, replace
PDusers PduserGPO linked here
CDusers CDusersGPO linked here
My goal is: no matter who logs onto a computer in CDcomputers OU, they get a
locked down desktop. (Except for an admin group that I will deny read and
I need to make sure that when a PDuser logs on to a CDcomputer they get the same
locked down desktop that the CDuser would. Originally, I was locking down
the CDusers with CDusersGPO. This works fine for CDusers due to their
account location in AD but PDusers (because of their account location in AD)
do not process the CDusersGPO.
I set up a CDcomputers GPO with both user and computer settings set and have
enabled System\Group Policy loop back in replace mode.
I have been cautioned by another person at my company not to use GPO loop
back. I am told that this will complicate troubleshooting efforts should
there be any issues. I have used GPO with terminal server access before and
thought it worked well. Any reason I shouldn't move forward with this design?
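
The resolution order this design depends on, as an added example that is not part of the original post: a small PowerShell model of which GPOs supply user settings for the OU layout above under each loopback mode, including the Servers child OU. The function names are hypothetical, the link table is constructed from the post, and domain/site GPOs, blocked inheritance and security filtering (such as a deny for an admin group) are not modeled.

```powershell
# Constructed model of the GPO links described in the post (OU path -> linked GPOs).
$GpoLinks = @{
    'CDcomputers' = @('CDcomputersGPO')   # loopback is enabled in this GPO
    'PDusers'     = @('PduserGPO')
    'CDusers'     = @('CDusersGPO')
}

# Hypothetical helper: GPOs that reach an OU, parent links first, child links last.
# A child OU such as CDcomputers\Servers inherits its parent's links.
function Get-InheritedGpo {
    param([Parameter(Mandatory)] [string] $OuPath)
    $parts = $OuPath -split '\\'
    for ($i = 0; $i -lt $parts.Count; $i++) {
        $path = $parts[0..$i] -join '\'
        if ($GpoLinks.ContainsKey($path)) { $GpoLinks[$path] }
    }
}

# Hypothetical helper: ordered list of GPOs whose *user* settings are applied at logon.
function Get-UserPolicyGpoList {
    param(
        [Parameter(Mandatory)] [string] $UserOU,
        [Parameter(Mandatory)] [string] $ComputerOU,
        [ValidateSet('None', 'Merge', 'Replace')] [string] $LoopbackMode = 'None'
    )
    $fromUser     = @(Get-InheritedGpo -OuPath $UserOU)
    $fromComputer = @(Get-InheritedGpo -OuPath $ComputerOU)
    switch ($LoopbackMode) {
        'None'    { $fromUser }                   # location of the user account decides
        'Merge'   { $fromUser + $fromComputer }   # computer's list is applied last and wins conflicts
        'Replace' { $fromComputer }               # location of the computer account decides
    }
}

# Compare every combination for the two user OUs and both computer locations.
foreach ($computerOU in 'CDcomputers', 'CDcomputers\Servers') {
    foreach ($mode in 'None', 'Merge', 'Replace') {
        foreach ($userOU in 'CDusers', 'PDusers') {
            $list = @(Get-UserPolicyGpoList -UserOU $userOU -ComputerOU $computerOU -LoopbackMode $mode)
            '{0,-20} {1,-8} {2,-8} -> {3}' -f $computerOU, $mode, $userOU, ($list -join ', ')
        }
    }
}
```

In Replace mode both user OUs resolve to CDcomputersGPO only, and the same holds for anyone logging on to a machine in CDcomputers\Servers, since the child OU inherits the loopback GPO.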