Escolar Documentos
Profissional Documentos
Cultura Documentos
So the in scope GPOs for an account consist of all Local policy GPOs, all of
the Site GPOs, all of the Domain GPOs and all GPOs linked to each OU in the
path of the account object. At each stage a new GPO applies it will overwrite
any conflicting settings with its own settings; the final set of policies applied
is known as the Resultant Set of Policies (RSoP) and can be viewed on a
client device via the RSoP.msc console.
Any GPO that has been denied apply rights or filtered out via WMI Filtering is
considered to be Out of scope
Why Loopback
The User Group Policy loopback processing mode option available within the
computer configuration node of a Group Policy Object is a useful tool for
ensuring certain user settings are applied on specified computers.
Replace or Merge
When Enabled you must select which mode loopback processing will operate
in; Replace or Merge.
Replace mode will completely discard the user settings that normally apply
to any users logging on to a machine applying loopback processing and
replace them with the user settings that apply to the computer account
instead.
Merge mode will apply the user settings that apply to any users logging on to
a machine applying loopback processing as normal and then will apply the
user settings that apply to the computer account; in the case of a conflict
between the two, the computer account user settings will overwrite the user
account user settings.
So, without loopback enabled, policy processing looks a little like this:
1. Computer Node policies from all GPOs in scope for the computer account
object are applied during start-up (in the normal Local, Site, Domain, OU
order).
2. User Node policies from all GPOs in scope for the user account object are
applied during logon (in the normal Local, Site, Domain, OU order).
In Conclusion
So all you need to do to ensure the User Node setting you want configured in
loopback processing applies; is ensure that the User Node setting is in a GPO
that is in scope for the computer account object (and that it has precedence
over any competing GPOs).