This post is part 2 of a three-part series in which we examine the debug output for each policy processing mode:
- Loopback Policy Processing Debug Series – Normal Mode
- Loopback Policy Processing Debug Series – Merge Mode
- Loopback Policy Processing Debug Series – Replace Mode
In our last post, we reviewed the UserEnv log to see how policy is applied to workstations and users under normal circumstances. In normal mode, processing of workstation group policy restricts itself to those settings configured in the computer configuration node of applicable policies and user group policy restricts itself to those settings configured in the user configuration node of applicable policies.
Now things are going to change a little bit with the introduction of loopback policy processing in merge mode. Our OU structure has not changed, but so you don’t have to go look at previous posts I have included it here. The workstation that we’ll be using, XP01, is in the HR OU.
The user that we'll be using, John.Galt, is in the Users OU.
Merge Mode
Here is the full text log file: merge_UserEnv.log [171.92 KB] (previously loopbackMerge.log)
Here is the consolidated log file: consolidated_UserEnv.log [15.93 KB]
At 2:47:02:753 AM, computer policy begins evaluation of workstation XP01.
Policy evaluation for the workstation begins in normal mode.
Policies are enumerated starting with the OU closest to the workstation, then working through the parent OUs, on to site policy, and finally to the local policy.
The computer configuration portion of policy is completed at 2:47:02:993 AM.
A few seconds later, the user John Galt logs on to the workstation and at 2:54:38:098 AM, user policy processing begins evaluation of user John Galt.
Policy evaluation for the user begins in merge mode.
Policies are enumerated starting with the OU closest to the user, then working through the parent OUs, on to site policy, and finally to the local policy.
Once both lists are defined, they are merged together. Settings configured in the user portion of policies linked to the workstation’s parents apply last.
The user configuration portion of policy is completed at 02:47:29:824 AM.
Policy application has completed successfully, and any user configuration settings in policies applicable to XP01 have overwritten those policy settings which applied to John.Galt. The initial evaluation of XP01 evaluated the GPOs which applied but then applied only those settings in the computer configuration node of the applicable policies. When John.Galt logged on, the user policy processing engine evaluated the applicable policies for both John.Galt and XP01, applying only the policy settings in the user configuration node.
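The merge order described above, modelled as an added example (it is not taken from the original post or its log files). The GPO names and settings are constructed, and the model assumes no Enforced links, Block Inheritance, or security or WMI filtering.

```python
from typing import Dict, List, NamedTuple, Tuple

class GPO(NamedTuple):
    name: str
    user_settings: Dict[str, str]  # User Configuration node only

def application_order(enumerated: List[GPO]) -> List[GPO]:
    # Enumeration runs closest OU -> parent OUs -> site -> local;
    # application runs the other way, so the closest OU is written last.
    return list(reversed(enumerated))

def resolve_user_policy(user_gpos: List[GPO], computer_gpos: List[GPO],
                        mode: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (value, winning GPO)} for the user half of policy."""
    if mode == "normal":
        ordered = application_order(user_gpos)
    elif mode == "merge":
        # The user's list goes first; the workstation's list is appended,
        # so its User Configuration settings apply last.
        ordered = application_order(user_gpos) + application_order(computer_gpos)
    else:
        raise ValueError(f"unsupported mode: {mode}")
    result: Dict[str, Tuple[str, str]] = {}
    for gpo in ordered:
        for setting, value in gpo.user_settings.items():
            result[setting] = (value, gpo.name)  # last writer wins
    return result

# Constructed sample data: hypothetical GPO names and settings.
USER_GPOS = [  # enumerated for John.Galt (Users OU), closest first
    GPO("Users OU Policy", {"ScreenSaverTimeout": "900", "HideRunMenu": "0"}),
    GPO("Default Domain Policy", {"ScreenSaverTimeout": "1800"}),
    GPO("Local Group Policy", {}),
]
COMPUTER_GPOS = [  # enumerated for XP01 (HR OU), closest first
    GPO("HR OU Policy", {"ScreenSaverTimeout": "300", "DisableRegedit": "1"}),
    GPO("Default Domain Policy", {"ScreenSaverTimeout": "1800"}),
    GPO("Local Group Policy", {}),
]

if __name__ == "__main__":
    for mode in ("normal", "merge"):
        print(mode)
        resolved = resolve_user_policy(USER_GPOS, COMPUTER_GPOS, mode)
        for key, (value, source) in sorted(resolved.items()):
            print(f"  {key} = {value}  (from {source})")
```

Because a GPO linked above both objects appears in both lists, it is applied twice in merge mode, and its second pass can override a setting from the user's own OU before the workstation's OU policy is written.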
This process is very similar to what we saw in Loopback Policy Processing Debug Series – Normal Mode except with the additional evaluation of the user configuration policies for the workstation after evaluation of the user policy settings.
In part 3, Loopback Policy Processing Debug Series – Replace Mode, we’ll get far away from normal and see how policy processing works in replace mode.