Re: GPO-Loop back processing

Subject: Re: GPO-Loop back processing
Posted by:  Ace Fekay [MVP] (PleaseAsk…
Date: Tue, 18 Jul 2006

In news:81D924D5-F44D-436E-A032-1DBECE6731…,
Paul J <Pau…> stated, which I commented on below:
> Is this the right way to proceed?
> AD2k3 Domain
> I am setting up the following OU structure with GPOs linked as below.
> CDcomputers, 1500 computers with 40 servers in child OU
> (CDComputers\Servers)
> OU            GPO linked
> PDcomputers   PdcomputersGPO
> CDcomputers   CDcomputersGPO - GPO with loop back set, replace
> PDusers       PduserGPO linked here
> CDusers       CDusersGPO linked here
> My goal is: no matter who logs onto a computer in CDcomputers OU,
> they get a locked down desktop. (Except for an admin group that I
> will deny read and apply GPO)
> I need to make sure that when PDuser logs on to CDcomputer they get
> the same locked down desktop that the CDuser would.  Originally, I
> was locking down the CDusers with CDusersGPO.  This works fine for
> CDusers due to their account location in AD but PDusers (because of
> their account location in AD) do not process the CDusersGPO.
> I set up a CDcomputers GPO with both user and computer settings set
> and have enabled System\Group Policy loop back in replace mode.
> I have been cautioned by another person at my company not to use GPO
> loop back.  I am told that this will complicate troubleshooting
> efforts should there be any issues.  I have used GPO with terminal
> server access before and thought it worked well.  Any reason I
> shouldn't move forward with this design?
> Thanks!
> PaulJ

I would. Just document what you did and test it, more so to make sure it
works, and allay your colleague's concerns.

You could also create a similar GPO such as CDComputers or just link that
GPO, that is if the settings in that GPO other than the loopback would apply
to the scope of management of the objects in the PDusers OU.

Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty.  Now, beam down my clothes."

The only constant in life is change...



In response to

GPO-Loop back processing posted by Paul J on Tue, 18 Jul 2006
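
Added example (not part of the original thread): a small Python model of how loopback changes which GPOs supply user settings at logon, using the OU and GPO names from the question. The group name `CDAdmins` and the simplifications (no site or domain GPOs, no blocked inheritance or enforced links) are assumptions.

```python
# Constructed model of the OU layout in the question; paths use "/" for child OUs.
GPO_LINKS = {
    "PDcomputers": ["PdcomputersGPO"],
    "CDcomputers": ["CDcomputersGPO"],
    "CDcomputers/Servers": [],          # child OU, inherits from CDcomputers
    "PDusers": ["PduserGPO"],
    "CDusers": ["CDusersGPO"],
}
# GPOs whose computer settings enable loopback, and the mode they set.
LOOPBACK = {"CDcomputersGPO": "replace"}
# Groups denied Read / Apply Group Policy on a GPO ("CDAdmins" is hypothetical).
DENY_APPLY = {"CDcomputersGPO": {"CDAdmins"}}

def gpos_for(ou):
    """GPOs linked along the OU path, parent first (lowest precedence first)."""
    parts = ou.split("/")
    linked = []
    for depth in range(1, len(parts) + 1):
        linked += GPO_LINKS.get("/".join(parts[:depth]), [])
    return linked

def loopback_mode(computer_ou):
    """Loopback mode the computer ends up with; the highest-precedence GPO wins."""
    mode = None
    for gpo in gpos_for(computer_ou):
        mode = LOOPBACK.get(gpo, mode)
    return mode

def user_gpos(user_ou, user_groups, computer_ou):
    """Ordered GPOs whose User Configuration applies at this logon."""
    own, comp = gpos_for(user_ou), gpos_for(computer_ou)
    mode = loopback_mode(computer_ou)
    if mode == "replace":
        candidates = comp            # the user's own GPO list is discarded
    elif mode == "merge":
        candidates = own + comp      # computer-side GPOs take precedence
    else:
        candidates = own             # normal processing, no loopback
    groups = set(user_groups)
    # Security filtering is evaluated against the user who is logging on.
    return [g for g in candidates if not (DENY_APPLY.get(g, set()) & groups)]

if __name__ == "__main__":
    for who, groups, where in [
        ("PDusers", [], "CDcomputers"),
        ("PDusers", [], "PDcomputers"),
        ("PDusers", ["CDAdmins"], "CDcomputers"),
        ("CDusers", [], "CDcomputers/Servers"),
    ]:
        print(f"{who} {groups} on {where}: {user_gpos(who, groups, where)}")
```

Two things the model makes visible for this design: the 40 servers in `CDcomputers\Servers` inherit the loopback GPO, and an account in the denied admin group receives no user-side GPOs at all on those machines in replace mode.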