RE: [ActiveDir] Duplicate application of group policy
Hey Alan- Hope things are going well! With respect to the flags below, those are the codes thrown by userenv during so-called core GP processing. If you're looking at codes or flags within a particular CSE, then each CSE can throw its own codes. Unfortunately, I've never seen them fully documented anywhere. In some cases, they might be just Win32 error codes. In other cases, they are specific to the CSE. When you do see userenv flags, I believe they are derived by doing a bitwise-or on the various flags below. It doesn't look like the error of 0x6 is the result of these flags. Darren From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Sat 1/7/2006 3:56 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Duplicate application of group policy Hi Steve, Just noted your comment on trying to interpret the Userenv Log. I always found it very confusing so I wrote a utility that picks it apart. You can download it from http://www.sysprosoft.com/policyreporter.shtml I just ran it on your file and it shows quite clearly the process involved (it is made clearer if you click on user Policy Processing). Basically it is the way Darren explains it. It goes and finds all polices the user would normally get then gets all the policies that the user would get if they were in the Machine's OU. One thing I have tried doing was to interpret the flags returned from Extension processing to try and make them meaningful, but haven't had any success. I did get the following definitions, but they don't seem to work. For instance your log reports Security Processing with flags 6x, which doesn't seem to apply. :- '0x0001 // Apply machine policy rather than user policy '0x0010 // Background refresh of policy (ok to do slow stuff) '0x0020 // Policy is being applied across a slow link '0x0040 // Verbose output to the eventlog '0x0080 // No changes were detected to the Group Policy Objects '0x0100 // A change in link speed was detected between previous policy application and current policy application '0x0200 // A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only) '0x0400 // Forced Refresh is being applied. redo policies. '0x0800 // windows safe mode boot flag '0x1000 // Asynchronous foreground refresh of policy '0x2000 // Report all settings for one GPO rather than the resultant settings across multiple GPOs If anyone can tell me how they work (or where I am misprocessing it), I will include it in the utility Feel free to download the utility if only to better understand how it all works! Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml - Original Message - From: Steve Rochford [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, January 06, 2006 4:54 AM Subject: RE: [ActiveDir] Duplicate application of group policy I'm glad that you say loopback shouldn't cause this - I was sure I'd used something like this successfully before! I've now put a copy of the complete results of gpresult /v and userenv.log on http://195.194.12.22/data/gp.htm (they're a bit big to email to the list!) I've tried looking at userenv.log files before and while I can understand some of what's going on, I can't really see what's going wrong! I've loaded the syspro Policy Log Viewer (http://www.sysprosoft.com/policyreporter.shtml) which you mention on your website. On the Performance History tab it says Via Loopback next to the policies which are being duplicated. Not sure where this gets me but it's now time for me to go home (and brave the snow which has just started falling in London!) Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 04 January 2006 18:14 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy John- I don't doubt this is the behavior you're seeing, but loopback *should* not cause this. At least not given the way its *supposed* to work. So, that is why a userenv log would be very interesting here. My guess is that even though Gpresult is showing it as running twice, the given GPO is really only being processed once. I will also try to test this on my end to see if I can discover what's up. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Not to doubt your expertise Darren, but we use a worksation loopback here for the screen saver. Not my idea, but in our situation
RE: [ActiveDir] Duplicate application of group policy
Thanks for this - I'd guess it's all working as designed - I just didn't design it right :-( I used merge mode because I didn't want what you describe for replace mode - ignoring all user specific settings from all other GPOs - I just wanted to add one user specific setting (I did actually try replace mode and it did what I expected - skipped all the other settings) I think I'll just stick with the login script changing the proxy settings for now - the only reason for not using it was that I'm trying to simplify the login script and it's quite easy to just link a GPO to a room of computers when I want to change the proxy. I'll have to remember this because I can see myself getting this wrong again if I don't! Steve From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia Sent: Fri 06/01/2006 22:10 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Okey dokey. I figured this out after a bit of repro in my lab. Its kinda interesting. So, basically the duplicate GPO processing is a function of using Loopback policy in merge mode only (replace mode doesn't cause this). And, when I looked at the userenv log, it made total sense why it was doing this, even though I hadn't really thought about it until now, mostly because I don't' often see merge mode loopback used. What is going on is, with replace mode, Windows basically says, don't do any user-specific policy processing for the user logging into a loopback machine. So basically any GPOs that would normally be processed by the user, including local, site, domain and OU- linked ones, are just not processed in replace mode. Instead, all user settings come from any GPOs that apply to the loopback computer, including those linked at the local, site,domain and OU level. Makes sense. Now enter merge mode... Merge mode says, first process all user GPOs that the user account would normally get. Then, process all user GPOs that the loopback computer would normally get. So, what that means is that policies that are higher in the hierarchy, like site and domain-linked GPOs that are processed both by the computer and the user, get processed twice. Since the computer-based loopback user settings process last, the result would normally be that any conflicting user-specific settings (like Admin. Template registry settings) would be overriden by the loopback computer settings. And that happens, however, certain policy extensions, like scripts or software installation, don't exhibit override behavior. If two scripts are in the path to be processed, they will process cumulatively rather than one overriding the other. Same with software. Hence the reason you see logon scripts running twice. So, bottom line here is that if you want to use merge mode, you're probably going to need to play with it a bit. For example, you might want to set block inheritance on the OU containing the loopback machines, and then if there are any, non-script-based GPOs higher up that you need to apply to those computers, you can set them to Enforced. Even in this case, RSOP will still report that some GPOs run twice, so that won't go away at all in merge mode. In any case, very interesting. Thanks for bringing it up. Good fodder for a new FAQ on my website :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Thursday, January 05, 2006 9:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy I'm glad that you say loopback shouldn't cause this - I was sure I'd used something like this successfully before! I've now put a copy of the complete results of gpresult /v and userenv.log on http://195.194.12.22/data/gp.htm (they're a bit big to email to the list!) I've tried looking at userenv.log files before and while I can understand some of what's going on, I can't really see what's going wrong! I've loaded the syspro Policy Log Viewer (http://www.sysprosoft.com/policyreporter.shtml) which you mention on your website. On the Performance History tab it says Via Loopback next to the policies which are being duplicated. Not sure where this gets me but it's now time for me to go home (and brave the snow which has just started falling in London!) Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 04 January 2006 18:14 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy John- I don't doubt this is the behavior you're seeing, but loopback *should* not cause this. At least not given the way its *supposed* to work. So, that is why a userenv log would be very interesting here. My guess is that even though Gpresult is showing it as running twice, the given GPO is really only being processed once. I will also try to test this on my end to see if I can discover what's up. Darren -Original
Re: [ActiveDir] Duplicate application of group policy
Hi Steve, Just noted your comment on trying to interpret the Userenv Log. I always found it very confusing so I wrote a utility that picks it apart. You can download it from http://www.sysprosoft.com/policyreporter.shtml I just ran it on your file and it shows quite clearly the process involved (it is made clearer if you click on user Policy Processing). Basically it is the way Darren explains it. It goes and finds all polices the user would normally get then gets all the policies that the user would get if they were in the Machine's OU. One thing I have tried doing was to interpret the flags returned from Extension processing to try and make them meaningful, but haven't had any success. I did get the following definitions, but they don't seem to work. For instance your log reports Security Processing with flags 6x, which doesn't seem to apply. :- '0x0001 // Apply machine policy rather than user policy '0x0010 // Background refresh of policy (ok to do slow stuff) '0x0020 // Policy is being applied across a slow link '0x0040 // Verbose output to the eventlog '0x0080 // No changes were detected to the Group Policy Objects '0x0100 // A change in link speed was detected between previous policy application and current policy application '0x0200 // A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only) '0x0400 // Forced Refresh is being applied. redo policies. '0x0800 // windows safe mode boot flag '0x1000 // Asynchronous foreground refresh of policy '0x2000 // Report all settings for one GPO rather than the resultant settings across multiple GPOs If anyone can tell me how they work (or where I am misprocessing it), I will include it in the utility Feel free to download the utility if only to better understand how it all works! Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml - Original Message - From: Steve Rochford [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, January 06, 2006 4:54 AM Subject: RE: [ActiveDir] Duplicate application of group policy I'm glad that you say loopback shouldn't cause this - I was sure I'd used something like this successfully before! I've now put a copy of the complete results of gpresult /v and userenv.log on http://195.194.12.22/data/gp.htm (they're a bit big to email to the list!) I've tried looking at userenv.log files before and while I can understand some of what's going on, I can't really see what's going wrong! I've loaded the syspro Policy Log Viewer (http://www.sysprosoft.com/policyreporter.shtml) which you mention on your website. On the Performance History tab it says Via Loopback next to the policies which are being duplicated. Not sure where this gets me but it's now time for me to go home (and brave the snow which has just started falling in London!) Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 04 January 2006 18:14 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy John- I don't doubt this is the behavior you're seeing, but loopback *should* not cause this. At least not given the way its *supposed* to work. So, that is why a userenv log would be very interesting here. My guess is that even though Gpresult is showing it as running twice, the given GPO is really only being processed once. I will also try to test this on my end to see if I can discover what's up. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Not to doubt your expertise Darren, but we use a worksation loopback here for the screen saver. Not my idea, but in our situation, it is easier to figure out machines that need to be exempt, rather than users. They could run a certain test for weeks on one pc, but on their administrative pc, the screen saver is OK, and required. RSOP certainly shows the domain policies being run twice. Might be because of merge mode, never really bothered into looking into the mechanics. I also fool around with my local policy to test a setting here and there, and it also shows that as being run twice in certain situations. We even use site policies, and they show being run twice, and that's done before the domain. Certainly he should turn on the logging as you say, but Steve's situation sounds very familiar to me. Thanks, John Darren Mar-Elia [EMAIL PROTECTED] uest.com
RE: [ActiveDir] Duplicate application of group policy
Okey dokey. I figured this out after a bit of repro in my lab. Its kinda interesting. So, basically the duplicate GPO processing is a function of using Loopback policy in merge mode only (replace mode doesn't cause this). And, when I looked at the userenv log, it made total sense why it was doing this, even though I hadn't really thought about it until now, mostly because I don't' often see merge mode loopback used. What is going on is, with replace mode, Windows basically says, don't do any user-specific policy processing for the user logging into a loopback machine. So basically any GPOs that would normally be processed by the user, including local, site, domain and OU- linked ones, are just not processed in replace mode. Instead, all user settings come from any GPOs that apply to the loopback computer, including those linked at the local, site,domain and OU level. Makes sense. Now enter merge mode... Merge mode says, first process all user GPOs that the user account would normally get. Then, process all user GPOs that the loopback computer would normally get. So, what that means is that policies that are higher in the hierarchy, like site and domain-linked GPOs that are processed both by the computer and the user, get processed twice. Since the computer-based loopback user settings process last, the result would normally be that any conflicting user-specific settings (like Admin. Template registry settings) would be overriden by the loopback computer settings. And that happens, however, certain policy extensions, like scripts or software installation, don't exhibit override behavior. If two scripts are in the path to be processed, they will process cumulatively rather than one overriding the other. Same with software. Hence the reason you see logon scripts running twice. So, bottom line here is that if you want to use merge mode, you're probably going to need to play with it a bit. For example, you might want to set block inheritance on the OU containing the loopback machines, and then if there are any, non-script-based GPOs higher up that you need to apply to those computers, you can set them to Enforced. Even in this case, RSOP will still report that some GPOs run twice, so that won't go away at all in merge mode. In any case, very interesting. Thanks for bringing it up. Good fodder for a new FAQ on my website :) Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Thursday, January 05, 2006 9:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy I'm glad that you say loopback shouldn't cause this - I was sure I'd used something like this successfully before! I've now put a copy of the complete results of gpresult /v and userenv.log on http://195.194.12.22/data/gp.htm (they're a bit big to email to the list!) I've tried looking at userenv.log files before and while I can understand some of what's going on, I can't really see what's going wrong! I've loaded the syspro Policy Log Viewer (http://www.sysprosoft.com/policyreporter.shtml) which you mention on your website. On the Performance History tab it says Via Loopback next to the policies which are being duplicated. Not sure where this gets me but it's now time for me to go home (and brave the snow which has just started falling in London!) Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 04 January 2006 18:14 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy John- I don't doubt this is the behavior you're seeing, but loopback *should* not cause this. At least not given the way its *supposed* to work. So, that is why a userenv log would be very interesting here. My guess is that even though Gpresult is showing it as running twice, the given GPO is really only being processed once. I will also try to test this on my end to see if I can discover what's up. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Not to doubt your expertise Darren, but we use a worksation loopback here for the screen saver. Not my idea, but in our situation, it is easier to figure out machines that need to be exempt, rather than users. They could run a certain test for weeks on one pc, but on their administrative pc, the screen saver is OK, and required. RSOP certainly shows the domain policies being run twice. Might be because of merge mode, never really bothered into looking into the mechanics. I also fool around with my local policy to test a setting here and there, and it also shows that as being run twice in certain situations. We even use site policies, and they show being run twice, and that's done before the domain
RE: [ActiveDir] Duplicate application of group policy
I'm glad that you say loopback shouldn't cause this - I was sure I'd used something like this successfully before! I've now put a copy of the complete results of gpresult /v and userenv.log on http://195.194.12.22/data/gp.htm (they're a bit big to email to the list!) I've tried looking at userenv.log files before and while I can understand some of what's going on, I can't really see what's going wrong! I've loaded the syspro Policy Log Viewer (http://www.sysprosoft.com/policyreporter.shtml) which you mention on your website. On the Performance History tab it says Via Loopback next to the policies which are being duplicated. Not sure where this gets me but it's now time for me to go home (and brave the snow which has just started falling in London!) Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 04 January 2006 18:14 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy John- I don't doubt this is the behavior you're seeing, but loopback *should* not cause this. At least not given the way its *supposed* to work. So, that is why a userenv log would be very interesting here. My guess is that even though Gpresult is showing it as running twice, the given GPO is really only being processed once. I will also try to test this on my end to see if I can discover what's up. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Not to doubt your expertise Darren, but we use a worksation loopback here for the screen saver. Not my idea, but in our situation, it is easier to figure out machines that need to be exempt, rather than users. They could run a certain test for weeks on one pc, but on their administrative pc, the screen saver is OK, and required. RSOP certainly shows the domain policies being run twice. Might be because of merge mode, never really bothered into looking into the mechanics. I also fool around with my local policy to test a setting here and there, and it also shows that as being run twice in certain situations. We even use site policies, and they show being run twice, and that's done before the domain. Certainly he should turn on the logging as you say, but Steve's situation sounds very familiar to me. Thanks, John Darren Mar-Elia [EMAIL PROTECTED] uest.com To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 11:09 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Steve- In this situation, I would enable verbose userenv logging and see if you can track down what is actually happening during the processing cycle. I am kinda doubting that loopback would cause things like the local GPO or Default Domain Policy from processing twice, because these should be processing well before you OU-based loopback policies kick in. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 7:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Hi Steve... That's about the only way to apply user settings to computers, using the loopback. Not sure of your OU structure, if you had your users seperated, you could apply the actual user policies (loginscripts etc.) at the user OU level. As long as that was a different scope it would eliminate them trying to run the scripts twice, which is where I would expect these things to hang some. Or even generate errors, if trying to remap an already mapped drive. Not sure if Im explaining it clearly enough? John Steve Rochford [EMAIL PROTECTED] nwl.ac.uk To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 09:12 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Thanks; I spotted that proxy_isa was only once but John's other message about loopback makes me start thinking that this is very relevant. The proxy_isa just sets a particular OU to use an ISA server as proxy (rather than Squid - we have some software which won't work with ISA so a couple of OUs link to a GPO called ISA_Squid which points them at the Squid proxy server
Re: [ActiveDir] Duplicate application of group policy
Hi Steve,... Looks like you have a loopback policy. That would be under computer configuration/administrative templates/system/Group Policy/User Group Policy loopback processing mode Hope this helps, John Steve Rochford [EMAIL PROTECTED] nwl.ac.uk To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject [ActiveDir] Duplicate application 01/04/2006 03:00 of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Most group policy objects are being applied twice - what do I need to look for to fix this? Running gpresult /v shows that they're being picked up twice - eg the the start of the user section is shown below. There is only one link for each policy object but there's obviously something I'm missing. All the policies are working but it's causing problems because logging on takes twice as long and the user login script (set in the logonlogoffscripts group policy) runs twice. Steve USER SETTINGS -- CN=Administrator,CN=Users,DC=student,DC=cnwl,DC=ac,DC=uk Last time Group Policy was applied: 04/01/2006 at 08:23:52 Group Policy was applied from: pstud1.student.cnwl.ac.uk Group Policy slow link threshold: 500 kbps Applied Group Policy Objects - allpcs Proxy_ISA Default Domain Policy LogonLogoffScripts Local Group Policy Default Domain Policy LogonLogoffScripts Local Group Policy List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Duplicate application of group policy
Steve, it looks like, from that list that you're not applying all GPO's twice. Some are and some aren't. That seems to me like it would be a configuration issue. allpcs Proxy_ISA -applied once Default Domain Policy - applied twiceLogonLogoffScripts Local Group Policy Default Domain Policy LogonLogoffScripts Local Group Policy Some things to look for: Check to see what the GPO's are linked to. Look over recent changes to see if any of them could have affected this behavior. Verify that the slow logon is due to the application of group policy. You may have something else going on. Al On 1/4/06, Steve Rochford [EMAIL PROTECTED] wrote: Most group policy objects are being applied twice - what do I need to look for to fix this?Running gpresult /v shows that they're being picked up twice - eg the the start of the user section is shown below. There is only one link for each policy object but there's obviously something I'm missing. All the policies are working but it's causing problems because logging on takes twice as long and the user login script (set in the logonlogoffscripts group policy) runs twice. SteveUSER SETTINGS-- CN=Administrator,CN=Users,DC=student,DC=cnwl,DC=ac,DC=uk Last time Group Policy was applied: 04/01/2006 at 08:23:52 Group Policy was applied from: pstud1.student.cnwl.ac.uk Group Policy slow link threshold: 500 kbps Applied Group Policy Objects - allpcs Proxy_ISA Default Domain Policy LogonLogoffScripts Local Group Policy Default Domain Policy LogonLogoffScripts Local Group PolicyList info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Duplicate application of group policy
Thanks; I spotted that proxy_isa was only once but John's other message about loopback makes me start thinking that this is very relevant. The proxy_isa just sets a particular OU to use an ISA server as proxy (rather than Squid - we have some software which won't work with ISA so a couple of OUs link to a GPO called ISA_Squid which points them at the Squid proxy server). The policy is applied to a group of machines (because it's particular rooms which need the proxy set like this rather than particular people) but loopback processing is set because the proxy settings themselves are user specific rather than machine specific. I'm sure I've used loopback processing for actually this sort of thing before but I'd guess I'm doing something wrong! I've tried to copy the settings screen from the proxy_isa GPO below - is this where I should be looking or could something else be wrong? If necessary, I can remove the GPO and just use the login script to set proxy settings - there was just a nice feel to doing things with the GPO Steve Computer Configuration (Enabled) Administrative Templates System/Group Policy Policy Setting Enabled Mode:Merge User Configuration (Enabled) Windows Settings Internet Explorer Maintenance Connection/Proxy Settings Enable proxy settings Protocol Server Port HTTP witproxy8080 Secure witproxy8080 FTP witproxy8080 Gopher witproxy8080 Sockswitproxy8080 Exceptions: Do not use proxy server for addresses beginning with www.student.cnwl.ac.uk, moodle.student.cnwl.ac.uk, learnwise.student.cnwl.ac.uk, wstud3.student.cnwl.ac.uk, mail.student.cnwl.ac.uk, Do not use proxy server for local (intranet) addresses Enabled From: [EMAIL PROTECTED] on behalf of Al Mulnick Sent: Wed 04/01/2006 14:16 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Duplicate application of group policy Steve, it looks like, from that list that you're not applying all GPO's twice. Some are and some aren't. That seems to me like it would be a configuration issue. allpcs Proxy_ISA -applied once Default Domain Policy - applied twice LogonLogoffScripts Local Group Policy Default Domain Policy LogonLogoffScripts Local Group Policy Some things to look for: Check to see what the GPO's are linked to. Look over recent changes to see if any of them could have affected this behavior. Verify that the slow logon is due to the application of group policy. You may have something else going on. Al On 1/4/06, Steve Rochford [EMAIL PROTECTED] wrote: Most group policy objects are being applied twice - what do I need to look for to fix this? Running gpresult /v shows that they're being picked up twice - eg the the start of the user section is shown below. There is only one link for each policy object but there's obviously something I'm missing. All the policies are working but it's causing problems because logging on takes twice as long and the user login script (set in the logonlogoffscripts group policy) runs twice. Steve USER SETTINGS -- CN=Administrator,CN=Users,DC=student,DC=cnwl,DC=ac,DC=uk Last time Group Policy was applied: 04/01/2006 at 08:23:52 Group Policy was applied from: pstud1.student.cnwl.ac.uk Group Policy slow link threshold: 500 kbps Applied Group Policy Objects - allpcs Proxy_ISA Default Domain Policy LogonLogoffScripts Local Group Policy Default Domain Policy LogonLogoffScripts Local Group Policy List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ winmail.dat
RE: [ActiveDir] Duplicate application of group policy
Hi Steve... That's about the only way to apply user settings to computers, using the loopback. Not sure of your OU structure, if you had your users seperated, you could apply the actual user policies (loginscripts etc.) at the user OU level. As long as that was a different scope it would eliminate them trying to run the scripts twice, which is where I would expect these things to hang some. Or even generate errors, if trying to remap an already mapped drive. Not sure if Im explaining it clearly enough? John Steve Rochford [EMAIL PROTECTED] nwl.ac.uk To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 09:12 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Thanks; I spotted that proxy_isa was only once but John's other message about loopback makes me start thinking that this is very relevant. The proxy_isa just sets a particular OU to use an ISA server as proxy (rather than Squid - we have some software which won't work with ISA so a couple of OUs link to a GPO called ISA_Squid which points them at the Squid proxy server). The policy is applied to a group of machines (because it's particular rooms which need the proxy set like this rather than particular people) but loopback processing is set because the proxy settings themselves are user specific rather than machine specific. I'm sure I've used loopback processing for actually this sort of thing before but I'd guess I'm doing something wrong! I've tried to copy the settings screen from the proxy_isa GPO below - is this where I should be looking or could something else be wrong? If necessary, I can remove the GPO and just use the login script to set proxy settings - there was just a nice feel to doing things with the GPO Steve Computer Configuration (Enabled) Administrative Templates System/Group Policy Policy Setting Enabled Mode: Merge User Configuration (Enabled) Windows Settings Internet Explorer Maintenance Connection/Proxy Settings Enable proxy settings ProtocolServerPort HTTP witproxy 8080 Secure witproxy 8080 FTP witproxy 8080 Gopher witproxy 8080 Socks witproxy 8080 Exceptions: Do not use proxy server for addresses beginning with www.student.cnwl.ac.uk, moodle.student.cnwl.ac.uk, learnwise.student.cnwl.ac.uk, wstud3.student.cnwl.ac.uk, mail.student.cnwl.ac.uk, Do not use proxy server for local (intranet) addresses Enabled From: [EMAIL PROTECTED] on behalf of Al Mulnick Sent: Wed 04/01/2006 14:16 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Duplicate application of group policy Steve, it looks like, from that list that you're not applying all GPO's twice. Some are and some aren't. That seems to me like it would be a configuration issue. allpcs Proxy_ISA -applied once Default Domain Policy - applied twice LogonLogoffScripts Local Group Policy Default Domain Policy LogonLogoffScripts Local Group Policy Some things to look for: Check to see what the GPO's are linked to. Look over recent changes to see if any of them could have affected this behavior. Verify that the slow logon is due to the application of group policy. You may have something else going on. Al On 1/4/06, Steve Rochford [EMAIL PROTECTED] wrote: Most group policy objects are being applied twice - what do I need to look for to fix this? Running gpresult /v shows that they're being picked up twice - eg the the start of the user section is shown below. There is only one link for each policy object
RE: [ActiveDir] Duplicate application of group policy
That makes sense. We do have users separated from computers although not as well as I now realise I'd like (we've got an allpcs OU, a Staff OU and a Students OU; what I think I want is those last two under an allpeople OU but back in 2000 when we first put this together that wasn't so obvious as it is now...) I've now removed the ISA_proxy GPO and all is back to normal. What I still don't understand is why loopback mode on one GPO appears to affect other GPOs linked elsewhere - I thought it just changed the way that that one GPO was applied??? Steve From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Wed 04/01/2006 15:50 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Hi Steve... That's about the only way to apply user settings to computers, using the loopback. Not sure of your OU structure, if you had your users seperated, you could apply the actual user policies (loginscripts etc.) at the user OU level. As long as that was a different scope it would eliminate them trying to run the scripts twice, which is where I would expect these things to hang some. Or even generate errors, if trying to remap an already mapped drive. Not sure if Im explaining it clearly enough? John Steve Rochford [EMAIL PROTECTED] nwl.ac.uk To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 09:12 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Thanks; I spotted that proxy_isa was only once but John's other message about loopback makes me start thinking that this is very relevant. The proxy_isa just sets a particular OU to use an ISA server as proxy (rather than Squid - we have some software which won't work with ISA so a couple of OUs link to a GPO called ISA_Squid which points them at the Squid proxy server). The policy is applied to a group of machines (because it's particular rooms which need the proxy set like this rather than particular people) but loopback processing is set because the proxy settings themselves are user specific rather than machine specific. I'm sure I've used loopback processing for actually this sort of thing before but I'd guess I'm doing something wrong! I've tried to copy the settings screen from the proxy_isa GPO below - is this where I should be looking or could something else be wrong? If necessary, I can remove the GPO and just use the login script to set proxy settings - there was just a nice feel to doing things with the GPO Steve Computer Configuration (Enabled) Administrative Templates System/Group Policy Policy Setting Enabled Mode: Merge User Configuration (Enabled) Windows Settings Internet Explorer Maintenance Connection/Proxy Settings Enable proxy settings ProtocolServerPort HTTP witproxy 8080 Secure witproxy 8080 FTP witproxy 8080 Gopher witproxy 8080 Socks witproxy 8080 Exceptions: Do not use proxy server for addresses beginning with www.student.cnwl.ac.uk, moodle.student.cnwl.ac.uk, learnwise.student.cnwl.ac.uk, wstud3.student.cnwl.ac.uk, mail.student.cnwl.ac.uk, Do not use proxy server for local (intranet) addresses Enabled From: [EMAIL PROTECTED] on behalf of Al Mulnick Sent: Wed 04/01/2006 14:16 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Duplicate application of group policy Steve, it looks like, from that list that you're not applying all GPO's twice. Some are and some aren't. That seems to me like it would be a configuration issue. allpcs Proxy_ISA -applied once Default Domain Policy
RE: [ActiveDir] Duplicate application of group policy
Steve- In this situation, I would enable verbose userenv logging and see if you can track down what is actually happening during the processing cycle. I am kinda doubting that loopback would cause things like the local GPO or Default Domain Policy from processing twice, because these should be processing well before you OU-based loopback policies kick in. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 7:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Hi Steve... That's about the only way to apply user settings to computers, using the loopback. Not sure of your OU structure, if you had your users seperated, you could apply the actual user policies (loginscripts etc.) at the user OU level. As long as that was a different scope it would eliminate them trying to run the scripts twice, which is where I would expect these things to hang some. Or even generate errors, if trying to remap an already mapped drive. Not sure if Im explaining it clearly enough? John Steve Rochford [EMAIL PROTECTED] nwl.ac.uk To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 09:12 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Thanks; I spotted that proxy_isa was only once but John's other message about loopback makes me start thinking that this is very relevant. The proxy_isa just sets a particular OU to use an ISA server as proxy (rather than Squid - we have some software which won't work with ISA so a couple of OUs link to a GPO called ISA_Squid which points them at the Squid proxy server). The policy is applied to a group of machines (because it's particular rooms which need the proxy set like this rather than particular people) but loopback processing is set because the proxy settings themselves are user specific rather than machine specific. I'm sure I've used loopback processing for actually this sort of thing before but I'd guess I'm doing something wrong! I've tried to copy the settings screen from the proxy_isa GPO below - is this where I should be looking or could something else be wrong? If necessary, I can remove the GPO and just use the login script to set proxy settings - there was just a nice feel to doing things with the GPO Steve Computer Configuration (Enabled) Administrative Templates System/Group Policy Policy Setting Enabled Mode: Merge User Configuration (Enabled) Windows Settings Internet Explorer Maintenance Connection/Proxy Settings Enable proxy settings ProtocolServerPort HTTP witproxy 8080 Secure witproxy 8080 FTP witproxy 8080 Gopher witproxy 8080 Socks witproxy 8080 Exceptions: Do not use proxy server for addresses beginning with www.student.cnwl.ac.uk, moodle.student.cnwl.ac.uk, learnwise.student.cnwl.ac.uk, wstud3.student.cnwl.ac.uk, mail.student.cnwl.ac.uk, Do not use proxy server for local (intranet) addresses Enabled From: [EMAIL PROTECTED] on behalf of Al Mulnick Sent: Wed 04/01/2006 14:16 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Duplicate application of group policy Steve, it looks like, from that list that you're not applying all GPO's twice. Some are and some aren't. That seems to me like it would be a configuration issue. allpcs Proxy_ISA -applied once Default Domain Policy - applied twice LogonLogoffScripts Local Group Policy Default Domain Policy LogonLogoffScripts Local Group Policy Some things to look for: Check to see what the GPO's are linked to. Look over recent changes to see if any of them could have affected this behavior. Verify that the slow logon is due to the application of group policy. You may have something else going on. Al On 1/4/06, Steve Rochford [EMAIL PROTECTED] wrote: Most group policy objects are being applied twice - what do I need to look for to fix this? Running gpresult /v shows that they're being picked up twice - eg the the start of the user section is shown below. There is only one link for each policy object but there's obviously something I'm missing. All the policies are working but it's causing problems because logging on takes twice as long and the user login script (set in the logonlogoffscripts group policy) runs twice. Steve USER SETTINGS
RE: [ActiveDir] Duplicate application of group policy
Not to doubt your expertise Darren, but we use a worksation loopback here for the screen saver. Not my idea, but in our situation, it is easier to figure out machines that need to be exempt, rather than users. They could run a certain test for weeks on one pc, but on their administrative pc, the screen saver is OK, and required. RSOP certainly shows the domain policies being run twice. Might be because of merge mode, never really bothered into looking into the mechanics. I also fool around with my local policy to test a setting here and there, and it also shows that as being run twice in certain situations. We even use site policies, and they show being run twice, and that's done before the domain. Certainly he should turn on the logging as you say, but Steve's situation sounds very familiar to me. Thanks, John Darren Mar-Elia [EMAIL PROTECTED] uest.com To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 11:09 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Steve- In this situation, I would enable verbose userenv logging and see if you can track down what is actually happening during the processing cycle. I am kinda doubting that loopback would cause things like the local GPO or Default Domain Policy from processing twice, because these should be processing well before you OU-based loopback policies kick in. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 7:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Hi Steve... That's about the only way to apply user settings to computers, using the loopback. Not sure of your OU structure, if you had your users seperated, you could apply the actual user policies (loginscripts etc.) at the user OU level. As long as that was a different scope it would eliminate them trying to run the scripts twice, which is where I would expect these things to hang some. Or even generate errors, if trying to remap an already mapped drive. Not sure if Im explaining it clearly enough? John Steve Rochford [EMAIL PROTECTED] nwl.ac.uk To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 09:12 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Thanks; I spotted that proxy_isa was only once but John's other message about loopback makes me start thinking that this is very relevant. The proxy_isa just sets a particular OU to use an ISA server as proxy (rather than Squid - we have some software which won't work with ISA so a couple of OUs link to a GPO called ISA_Squid which points them at the Squid proxy server). The policy is applied to a group of machines (because it's particular rooms which need the proxy set like this rather than particular people) but loopback processing is set because the proxy settings themselves are user specific rather than machine specific. I'm sure I've used loopback processing for actually this sort of thing before but I'd guess I'm doing something wrong! I've tried to copy the settings screen from the proxy_isa GPO below - is this where I should be looking or could something else be wrong? If necessary, I can remove the GPO and just use the login script to set proxy settings - there was just a nice feel to doing things with the GPO Steve Computer Configuration (Enabled) Administrative Templates System/Group Policy Policy Setting
RE: [ActiveDir] Duplicate application of group policy
John- I don't doubt this is the behavior you're seeing, but loopback *should* not cause this. At least not given the way its *supposed* to work. So, that is why a userenv log would be very interesting here. My guess is that even though Gpresult is showing it as running twice, the given GPO is really only being processed once. I will also try to test this on my end to see if I can discover what's up. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Not to doubt your expertise Darren, but we use a worksation loopback here for the screen saver. Not my idea, but in our situation, it is easier to figure out machines that need to be exempt, rather than users. They could run a certain test for weeks on one pc, but on their administrative pc, the screen saver is OK, and required. RSOP certainly shows the domain policies being run twice. Might be because of merge mode, never really bothered into looking into the mechanics. I also fool around with my local policy to test a setting here and there, and it also shows that as being run twice in certain situations. We even use site policies, and they show being run twice, and that's done before the domain. Certainly he should turn on the logging as you say, but Steve's situation sounds very familiar to me. Thanks, John Darren Mar-Elia [EMAIL PROTECTED] uest.com To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 11:09 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Steve- In this situation, I would enable verbose userenv logging and see if you can track down what is actually happening during the processing cycle. I am kinda doubting that loopback would cause things like the local GPO or Default Domain Policy from processing twice, because these should be processing well before you OU-based loopback policies kick in. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 7:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Hi Steve... That's about the only way to apply user settings to computers, using the loopback. Not sure of your OU structure, if you had your users seperated, you could apply the actual user policies (loginscripts etc.) at the user OU level. As long as that was a different scope it would eliminate them trying to run the scripts twice, which is where I would expect these things to hang some. Or even generate errors, if trying to remap an already mapped drive. Not sure if Im explaining it clearly enough? John Steve Rochford [EMAIL PROTECTED] nwl.ac.uk To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 09:12 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Thanks; I spotted that proxy_isa was only once but John's other message about loopback makes me start thinking that this is very relevant. The proxy_isa just sets a particular OU to use an ISA server as proxy (rather than Squid - we have some software which won't work with ISA so a couple of OUs link to a GPO called ISA_Squid which points them at the Squid proxy server). The policy is applied to a group of machines (because it's particular rooms which need the proxy set like this rather than particular people) but loopback processing is set because the proxy settings themselves are user specific rather than machine specific. I'm sure I've used loopback processing for actually this sort of thing before but I'd guess I'm doing something wrong! I've tried to copy the settings screen from the proxy_isa GPO below - is this where I should be looking or could something else be wrong? If necessary, I can remove the GPO and just use the login script to set proxy settings - there was just a nice feel to doing things with the GPO Steve Computer Configuration (Enabled) Administrative Templates System/Group Policy Policy Setting Enabled Mode: Merge User Configuration (Enabled) Windows Settings Internet Explorer Maintenance Connection/Proxy Settings Enable proxy settings ProtocolServerPort HTTP
RE: [ActiveDir] Duplicate application of group policy
Absolutely I'd love to know the answer also. I've seen this behavior for years, and just figured it was the nature of loopbacks, and having other policies in their scope. The case in point as I said before, is that if your users are in a different OU structure (scope) and you put say the login scripts policy there, that one will be run only once. I'll be very interested in what develops from this, I haven't noticed a real processing problem doing this, as long as the user scope is seperated, but it surely can't help. As you're saying though, it probably just looks at them again or something like that. Thanks again, John Darren Mar-Elia [EMAIL PROTECTED] uest.com To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 12:13 application of group policy PM Please respond to [EMAIL PROTECTED] tivedir.org John- I don't doubt this is the behavior you're seeing, but loopback *should* not cause this. At least not given the way its *supposed* to work. So, that is why a userenv log would be very interesting here. My guess is that even though Gpresult is showing it as running twice, the given GPO is really only being processed once. I will also try to test this on my end to see if I can discover what's up. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Not to doubt your expertise Darren, but we use a worksation loopback here for the screen saver. Not my idea, but in our situation, it is easier to figure out machines that need to be exempt, rather than users. They could run a certain test for weeks on one pc, but on their administrative pc, the screen saver is OK, and required. RSOP certainly shows the domain policies being run twice. Might be because of merge mode, never really bothered into looking into the mechanics. I also fool around with my local policy to test a setting here and there, and it also shows that as being run twice in certain situations. We even use site policies, and they show being run twice, and that's done before the domain. Certainly he should turn on the logging as you say, but Steve's situation sounds very familiar to me. Thanks, John Darren Mar-Elia [EMAIL PROTECTED] uest.com To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 11:09 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Steve- In this situation, I would enable verbose userenv logging and see if you can track down what is actually happening during the processing cycle. I am kinda doubting that loopback would cause things like the local GPO or Default Domain Policy from processing twice, because these should be processing well before you OU-based loopback policies kick in. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 7:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Hi Steve... That's about the only way to apply user settings to computers, using the loopback. Not sure of your OU structure, if you had your users seperated, you could apply the actual user policies (loginscripts etc.) at the user OU level. As long as that was a different scope it would eliminate them trying to run the scripts twice, which is where I would expect these things to hang some
RE: [ActiveDir] Duplicate application of group policy
Sorry, I did forget one thing though. We have had situations where a loginscript policy was misplaced, and in the scope of the loopback, it will cause the specified device is already in use error. Which does suspiciously sound like the login script ran twice, and does not dismount first. I know that moving that out of scope resolves the problem. Which is why I suggested that could be causing Steve to hang upon logins. Looking forward to finding out mechanically what's happening though. Thanks again, John Darren Mar-Elia [EMAIL PROTECTED] uest.com To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 12:13 application of group policy PM Please respond to [EMAIL PROTECTED] tivedir.org John- I don't doubt this is the behavior you're seeing, but loopback *should* not cause this. At least not given the way its *supposed* to work. So, that is why a userenv log would be very interesting here. My guess is that even though Gpresult is showing it as running twice, the given GPO is really only being processed once. I will also try to test this on my end to see if I can discover what's up. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Not to doubt your expertise Darren, but we use a worksation loopback here for the screen saver. Not my idea, but in our situation, it is easier to figure out machines that need to be exempt, rather than users. They could run a certain test for weeks on one pc, but on their administrative pc, the screen saver is OK, and required. RSOP certainly shows the domain policies being run twice. Might be because of merge mode, never really bothered into looking into the mechanics. I also fool around with my local policy to test a setting here and there, and it also shows that as being run twice in certain situations. We even use site policies, and they show being run twice, and that's done before the domain. Certainly he should turn on the logging as you say, but Steve's situation sounds very familiar to me. Thanks, John Darren Mar-Elia [EMAIL PROTECTED] uest.com To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Duplicate 01/04/2006 11:09 application of group policy AM Please respond to [EMAIL PROTECTED] tivedir.org Steve- In this situation, I would enable verbose userenv logging and see if you can track down what is actually happening during the processing cycle. I am kinda doubting that loopback would cause things like the local GPO or Default Domain Policy from processing twice, because these should be processing well before you OU-based loopback policies kick in. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 04, 2006 7:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Duplicate application of group policy Hi Steve... That's about the only way to apply user settings to computers, using the loopback. Not sure of your OU structure, if you had your users seperated, you could apply the actual user policies (loginscripts etc.) at the user OU level. As long as that was a different scope it would eliminate them trying to run the scripts twice, which is where I would expect these things to hang some. Or even generate errors, if trying to remap an already mapped drive. Not sure if Im explaining it clearly enough