One of the things we need to provide is an environment where computers behave one way for a certain group of users in a lab and another way for the same user in a different lab. In order to centrally manage that, we began utilizing Group Policy.
We have users in one OU and computers in another at the same level. As such, a computer policy GPO should never apply user settings without using loopback processing.
My understanding of how it should work is like this:
We apply a group policy with security filtering to a group of computers. Loopback processing is enabled, so the user policy processes. Unfortunately, I discover that without the user group being a part of the security filtering, the user policy in the loopback doesn’t apply because it is security filtered. So the security filters looks like this:
As expected, the group policy processes, loopback applies, and all looks well.
Now, enter LAB-B. LAB-B has a similar setup, however needs different policies. All the computers in the same OU, so the GP is linked at the same location.
However, when a user who is in UserGroup-1 logs into LAB-B, LAB-A’s looped back policy applies for some reason, because LAB-B has looped back, but apparently linkorder comes into play. I would not expect this behavior.
Currently I’m waiting for a response from the Microsoft forums in order to receive advice on how to achieve what we want.