Machine policy and loopback . . .

[Guest]

http://support.microsoft.com/default.aspx?scid=kb;en-us;231287&Product=win2000

and it says for loopback (amongst other things): "This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers (for example, computers in public places, laboratories, and classrooms), where you must modify the user policy based on the computer that is being used. "

I read that as loopback will force the user to use the MACHINE GPO for the machine's OU rather than his/her GPO for their user OU. Is that correct? Useful for kiosk, right?

2) If I exclude admins from Domain GPOs as well as the L.S.O GPOs, if the admin logs into a kiosk, will the kiosk machine then fully function on the network for the admin, or will it remain the kiosk because of loopback?

Thanks, this seemed appropriate to ask in this thread.

Keith

 

[Steven L Umbach]

Yes, the user will be assigned the user configuration defined settings for the GPO
for the container/OU that the computer resides in with a replace or merge mode. If
you do not want that loopback policy to apply to administrators, give the
administrators group deny apply permissions to the GPO that applies to the computer
account OU. If you run gpresult while logged onto that computer it should show that
GPO as denied or filtered. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;231287&Product=win2000

and it says for loopback (amongst other things): "This policy directs the system

to apply the set of GPOs for the computer to any user who logs on to a computer
affected by this policy. This policy is intended for special-use computers (for
example, computers in public places, laboratories, and classrooms), where you must
modify the user policy based on the computer that is being used. "

I read that as loopback will force the user to use the MACHINE GPO for the

machine's OU rather than his/her GPO for their user OU. Is that correct? Useful for
kiosk, right?

2) If I exclude admins from Domain GPOs as well as the L.S.O GPOs, if the admin

logs into a kiosk, will the kiosk machine then fully function on the network for the
admin, or will it remain the kiosk because of loopback?

 

[Guest]

Thank you!

Yes, the user will be assigned the user configuration defined settings for the GPO
for the container/OU that the computer resides in with a replace or merge mode. If
you do not want that loopback policy to apply to administrators, give the
administrators group deny apply permissions to the GPO that applies to the computer
account OU. If you run gpresult while logged onto that computer it should show that
GPO as denied or filtered. --- Steve



to apply the set of GPOs for the computer to any user who logs on to a computer
affected by this policy. This policy is intended for special-use computers (for
example, computers in public places, laboratories, and classrooms), where you must
modify the user policy based on the computer that is being used. "
machine's OU rather than his/her GPO for their user OU. Is that correct? Useful for
kiosk, right?
logs into a kiosk, will the kiosk machine then fully function on the network for the
admin, or will it remain the kiosk because of loopback?