couple questions regarding loopback processing

-

hello,

i've reviewed these:
http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
http://kudratsapaev.blogspot.com/2009/07/loopback-processing-of-group-policy.html

i need few clarifications:

1. "use policy setting configure user group policy loopback processing mode to configure loopback in windows 8 , windows server 2012.  earlier versions of windows have same policy setting under name user group policy loopback processing mode." -- ok, i'm using windows 7 management machine, gpmc shows 'configure user group policy loopback processing mode', not 'user group policy loopback processing mode.' i'm targeting server 2008 r2 machine enable loopback processing on. newer windows 8 , windows server 2012 setting going work on server 2008 r2? run group policy results wizard machine , test user , says applied setting, i'm not seeing expected see... many other reasons, know. rule out possibility of particular setting 'configure user group policy loopback processing mode', not working on 2008 r2, should work? or must 'user group policy loopback processing mode' setting, don't see available?


2. if loopback processing enabled computer, user settings gpo's applied computer applied, not settings in same gpo enables loopback processing, correct?


3. i'm enabling loopback processing 1 machine. machine in ou other machines (let's can't move sake of question). create gpo linked ou 'computer' setting enable loopback processing configured , via security filtering remove 'authenticated users' , add 1 computer account want setting apply. should fine, correct? in other words, since loopback going make logged on 'user' pickup 'user' settings gpo's applied 'computer' account now, user accounts don't need access gpo enabled loopback right? long have read/apply permissions other gpo's have actual 'user' settings? loopback 'computer' setting, , computer account has read/apply.. that's needed, correct?


thanks!

for q#1, same thing (the same registry keys/value being set), "changed" displayname. result of newer (ws2012/win8) admx files.
(ms trying provide clearer/consistent displaynames)

extracted gp settings reference spreadsheets (which have been dumped admx files)

windows7/windowsserver2008r2

file name:
grouppolicy.admx 

policy setting name:
user group policy loopback processing mode 

scope:
machine 

policy path:
system\group policy 

registry information:
hklm\software\policies\microsoft\windows\system!userpolicymode 

supported on:
at least windows 2000 

help text:
applies alternate user settings when user logs on computer affected setting.\n\n\nthis setting directs system apply set of group policy objects computer user logs on computer affected setting. intended special-use computers, such in public places, laboratories, , classrooms, must modify user setting based on computer being used.\n\n\nby default, user's group policy objects determine user settings apply. if setting enabled, then, when user logs on computer, computer's group policy objects determine set of group policy objects applies.\n\n\nto use setting, select 1 of following modes mode box:\n\n\n--   "replace" indicates user settings defined in computer's group policy objects replace user settings applied user.\n\n\n--   "merge" indicates user settings defined in computer's group policy objects , user settings applied user combined. if settings conflict, user settings in computer's group policy objects take precedence on user's normal settings.\n\n\nif disable setting or not configure it, user's group policy objects determines user settings apply.\n\n\nnote: setting effective when both computer account , user account in windows 2000 domains.


---

windows8/windowsserver2012

file name:
grouppolicy.admx  
  
policy setting name:
configure user group policy loopback processing mode  
  
scope:
machine  
  
policy path:
system\group policy  
  
registry information:
hklm\software\policies\microsoft\windows\system!userpolicymode  
  
supported on:
at least windows 2000  
  
help text:
this policy setting directs system apply set of group policy objects computer user logs on computer affected setting. intended special-use computers, such in public places, laboratories, , classrooms, must modify user setting based on computer being used.by default, user's group policy objects determine user settings apply. if setting enabled, then, when user logs on computer, computer's group policy objects determine set of group policy objects applies.if enable setting, can select 1 of following modes mode box:"replace" indicates user settings defined in computer's group policy objects replace user settings applied user."merge" indicates user settings defined in computer's group policy objects , user settings applied user combined. if settings conflict, user settings in computer's group policy objects take precedence on user's normal settings.if disable setting or not configure it, user's group policy objects determines user settings apply.note: setting effective when both computer account , user account in @ least windows 2000 domains.

 

don
(please take moment "vote helpful" and/or "mark answer", applicable.
helps community, keeps forums tidy, , recognises useful contributions. thanks!)



Windows Server  >  Group Policy



Comments

Post a Comment

Popular posts from this blog

WIMMount (HSM) causing cluster storage to go redirected (2012r2 DC)

-
looking options resolve error , prevent in future. thanks help. hardware: 2 node dell hv cluster running2012r2 dc 8 nic/ea in multiplex mode 4x hyper-v 4x hosts storage: 2x synology nas, accessed through iscsi hosts , cluster relevant logs: log name:      microsoft-windows-failoverclustering/diagnostic source:        microsoft-windows-failoverclustering date:          event id:      2050 task category: none level:         warning keywords:       user:          system computer:      l description: [dcm] filter wimmount found @ unsafe altitude 180700 log name:      system source:        microsoft-windows-failoverclustering date:         event id:      5125 task category: cluster shared volume level:         warning keywords:       user:          system computer: description: cluster shared volume 'volume1' ('cluster disk 1') has identified 1 or more active filter drivers on device stack interfere csv operatio
Read more

Failed to delete the test record dcdiag-test-record in zone test.com

-
ps c:\users\administrator.test> dcdiag /test:dns directory server diagnosis performing initial setup:    trying find home server...    home server = dc02    * identified ad forest.    done gathering initial info. doing initial required tests    testing server: default-first-site-name\dc02       starting test: connectivity          ......................... dc02 passed test connectivity doing primary tests    testing server: default-first-site-name\dc02       starting test: dns          dns tests running , not hung. please wait few minutes...          ......................... dc02 passed test dns    running partition tests on : forestdnszones    running partition tests on : domaindnszones    running partition tests on : schema    running partition tests on : configuration    running partition tests on : test    running enterprise tests on : test.com       starting test: dns          test results domain
Read more

Azure MFA with Azure AD and RDS

-
i have setup following lab in azure , need help. a server (domain controller) , remote desktop services. and server multi factor authentication server. i have setup following one http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/ and when im connecting got following error. the user "domain\username", on client computer "xxx.xxx.xxx.xxx", did not meet connection authorization policy requirements , therefore not authorized access rd gateway server. authentication method used was: "ntlm" , connection protocol used: "rpc-http". following error occurred: "23003". also on security log i've got following authentication details: connection request policy name: ts gateway authorization policy network policy name: - authentication provider: radius proxy authentication server: test.test.local authentication type: - eap t
Read more