GPO - Not Applying User Policy

2013, Sep 05

We spent the day working on an issue where our User Policy wasn’t being applied to the User AD Object logging into a computer. We confirmed the usual steps:

  • User AD Object is in the OU where the GPO is applied.
  • GPO is enabled.
  • Security Filtering is not filtering out the User AD Object.

The policy was simply not showing up on the computer (would not display with `gpresult /r`).  After some more digging, we found the issue:

One of the GPOs applied to the Computer AD Object had the setting "Configure user Group Policy loopback processing mode" set to Replace.

Solution:

Change Configure user Group Policy loopback processing mode to Merge.

Note: our default has always been to use Merge in this setting … this one just slipped through the cracks. :(
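Because the setting that bit us lives in a computer-side GPO, it is easy to miss when you are only looking at the user's OU. The following PowerShell is an added example (not part of the original post) that checks two things: the loopback mode in effect on the machine you are troubleshooting, read from the registry value the policy writes (HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode, where 1 is Merge and 2 is Replace), and every GPO in the domain that configures that value, together with the OUs it is linked to. It assumes the GroupPolicy RSAT module is installed and that the account running it can read GPOs; the function names are my own.

```powershell
# Added example, not from the original post: find where loopback processing is configured.
# Assumes the GroupPolicy module (RSAT) is available and the caller can read domain GPOs.
Import-Module GroupPolicy -ErrorAction Stop

# The loopback policy writes this registry value into the computer's policy hive.
# 1 = Merge, 2 = Replace, value absent = Not Configured.
$LoopbackKeyGpo   = 'HKLM\Software\Policies\Microsoft\Windows\System'   # form Get-GPRegistryValue expects
$LoopbackKeyLocal = 'HKLM:\Software\Policies\Microsoft\Windows\System'  # form the registry provider expects
$LoopbackValue    = 'UserPolicyMode'
$ModeNames        = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LocalLoopbackMode {
    # Effective setting on the computer this runs on (what gpresult would reflect).
    $item = Get-ItemProperty -Path $LoopbackKeyLocal -Name $LoopbackValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    return $ModeNames[[int]$item.$LoopbackValue]
}

function Get-GpoLoopbackReport {
    # Every GPO in the domain that sets loopback mode, with the OUs/sites/domain it is linked to.
    foreach ($gpo in Get-GPO -All) {
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKeyGpo -ValueName $LoopbackValue -ErrorAction Stop
        } catch {
            continue   # this GPO does not configure loopback processing
        }
        # The XML report lists link targets under GPO/LinksTo; SOMPath is the LDAP-style path.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            Mode     = $ModeNames[[int]$setting.Value]
            LinkedTo = ($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '
        }
    }
}

"Local effective loopback mode: $(Get-LocalLoopbackMode)"
# Replace sorts before Merge, so the GPOs most likely to hide user policy appear first.
Get-GpoLoopbackReport | Sort-Object Mode -Descending | Format-Table -AutoSize
```

Run the first part on the affected workstation and the second from any machine with RSAT; a GPO reporting Replace that is linked to an OU holding ordinary office computers is exactly the situation described above, and is worth a look whether it arrived through oversight or through a change nobody remembers making.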

Explanation

The GPO Explanation of the Replace setting says:

“Replace” indicates that the user settings defined in the computer’s Group Policy Objects replace the user settings normally applied to the user.

To me, this means that policies applied in the computer's GPO will overwrite the policies normally applied to the user, but then we look at the GPO Explanation of the Merge setting:

“Merge” indicates that the user setting defined in the computer’s Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer’s Group Policy Objects take precedence over the user’s normal settings.

Wait a minute!  That looks more like what I want!!  So what’s the difference?  To find that answer, I dug in the Microsoft KB.  The Win7 description of the setting wasn’t very useful, but the WinXP description of the setting was the key to my complete understanding.  Quoted here for posterity (the key is bolded):

Merge Mode:
In this mode, when the user logs on, the user’s list of GPOs is typically gathered by using the GetGPOList function. The GetGPOList function is then called again by using the computer’s location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer’s GPOs to have higher precedence than the user’s GPOs. In this example, the list of GPOs for the computer is added to the user’s list.

Replace Mode:
In this mode, the user’s list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

So when do you want to use Replace mode?

A quick scenario might be a lab computer at a school that allows users to log in with their AD credentials instead of using the auto-login account. You may not want the settings that you allow to be loaded on a user’s office computer to be pulled down to the lab computer.