Unexpected Group Policy Behavior


One of the things we need to provide is an environment where computers behave one way for a certain group of users in a lab and another way for the same user in a different lab. In order to centrally manage that, we began utilizing Group Policy.

We have users in one OU and computers in another at the same level. As such, a computer policy GPO should never apply user settings without using loopback processing.

My understanding of how it should work is like this:

We apply a group policy with security filtering to a group of computers. Loopback processing is enabled, so the user policy processes. Unfortunately, I discover that without the user group being a part of the security filtering, the user policy in the loopback doesn’t apply because it is security filtered. So the security filters looks like this:

LAB-A-Computers
UserGroup-1

As expected, the group policy processes, loopback applies, and all looks well.

Now, enter LAB-B. LAB-B has a similar setup, however needs different policies. All the computers in the same OU, so the GP is linked at the same location.

However, when a user who is in UserGroup-1 logs into LAB-B, LAB-A’s looped back policy applies for some reason, because LAB-B has looped back, but apparently linkorder comes into play. I would not expect this behavior.

Currently I’m waiting for a response from the Microsoft forums in order to receive advice on how to achieve what we want.

Leave a Reply