GPO-Loop back processing

Subject: GPO-Loop back processing
Posted by:  Paul J
Date: Tue, 18 Jul 2006

Is this the right way to proceed?

AD2k3 Domain
I am setting up the following OU structure with GPO’s linked as below.
CDcomputers, 1500 computers with 40 servers in child OU (CDComputers\Servers)

OU                 GPO linked
PDcomputers        PdcomputersGPO
CDcomputers        CDcomputersGPO    <- GPO with loop back set, replace
PDusers            PduserGPO linked here
CDusers            CDusersGPO linked here

My goal is: no matter who logs onto a computer in CDcomputers OU, they get a
locked down desktop. (Except for an admin group that I will deny read and
apply GPO)

I need to make sure that when a PDuser logs on to a CDcomputer they get the same
locked down desktop that the CDuser would.  Originally, I was locking down
the CDusers with CDusersGPO.  This works fine for CDusers due to their
account location in AD but PDusers (because of their account location in AD)
do not process the CDusersGPO.

I set up a CDcomputers GPO with both user and computer settings set and have
enabled System\Group Policy loop back in replace mode.

I have been cautioned by another person at my company not to use GPO loop
back.  I am told that this will complicate troubleshooting efforts should
there be any issues.  I have used GPO with terminal server access before and
thought it worked well.  Any reason I shouldn’t move forward with this design?
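
The design in the post, worked through as an added example that is not part of the original post: a simplified Python model of which GPOs supply user settings at logon under loopback. OU and GPO names come from the post; the `CDadmins` group and the function names are hypothetical, and domain-level GPOs, enforcement, block inheritance and WMI filters are left out.

```python
# Simplified model of user-settings GPO selection at logon (added example).
# OU/GPO names are from the post; "CDadmins" and all function names are hypothetical.
LINKS = {  # OU path -> GPOs linked there
    "PDcomputers": ["PdcomputersGPO"],
    "CDcomputers": ["CDcomputersGPO"],
    "CDcomputers/Servers": [],          # child OU, inherits from CDcomputers
    "PDusers": ["PduserGPO"],
    "CDusers": ["CDusersGPO"],
}
LOOPBACK = {"CDcomputersGPO": "replace"}        # GPOs that turn loopback on
DENY_APPLY = {"CDcomputersGPO": {"CDadmins"}}   # groups denied Read / Apply (constructed)

def gpos_in_scope(ou):
    """GPOs linked to the OU and its parents, parent first."""
    parts, scope = ou.split("/"), []
    for depth in range(1, len(parts) + 1):
        scope += LINKS.get("/".join(parts[:depth]), [])
    return scope

def loopback_mode(computer_ou):
    """Mode set by the last loopback-enabling GPO applied to the computer, or None."""
    modes = [LOOPBACK[g] for g in gpos_in_scope(computer_ou) if g in LOOPBACK]
    return modes[-1] if modes else None

def user_policy(user_ou, computer_ou, groups=()):
    """Ordered GPOs whose user settings apply to this logon."""
    mode = loopback_mode(computer_ou)
    if mode == "replace":      # user's own OU chain is ignored
        candidates = gpos_in_scope(computer_ou)
    elif mode == "merge":      # computer-side GPOs apply last and win conflicts
        candidates = gpos_in_scope(user_ou) + gpos_in_scope(computer_ou)
    else:                      # normal processing
        candidates = gpos_in_scope(user_ou)
    # Security filtering is evaluated against the user who is logging on.
    return [g for g in candidates if not DENY_APPLY.get(g, set()) & set(groups)]

if __name__ == "__main__":
    for user_ou, comp_ou, groups in [
        ("PDusers", "CDcomputers", ()),
        ("CDusers", "CDcomputers", ()),
        ("PDusers", "PDcomputers", ()),
        ("PDusers", "CDcomputers/Servers", ()),
        ("PDusers", "CDcomputers", ("CDadmins",)),
    ]:
        print(user_ou, comp_ou, groups, "->", user_policy(user_ou, comp_ou, groups))
```

In replace mode CDusersGPO no longer reaches CDusers on these machines, so the lockdown has to live in the user half of CDcomputersGPO. The Servers child OU inherits the same loopback setting, so anyone not in the denied group gets the locked-down desktop there as well.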