Well, we’ve made it through the debug logs for normal mode and merge mode and now it is on to replace mode and time to answer our original question, “In replace mode, when does the user configuration portion of policies which apply to the computer object get applied.  Is it applied when the computer starts up?  Or is it applied when a user logs on?”

This post is part 3 of a 3 part series where we are examining the debug output for each policy processing mode:

  1. Loopback Policy Processing Debug Series – Normal Mode
  2. Loopback Policy Processing Debug Series – Merge Mode
  3. Loopback Policy Processing Debug Series – Replace Mode

Our OU structure still hasn’t changed, but here it is again.  The workstation that we’ll be using, XP01, is in the HR OU.

loopback_1

The user that will be using, John.Galt, is in the Users OU.

loopback_2

Replace Mode

Here is the full text log file: replace_UserEnv.log [171.08 KB] (previously loopbackReplace.log)

At 3:03:07:041 AM, computer policy begins evaluation of workstation XP01.

loopback_3

 

Policy evaluation for the workstation begins in normal mode.

loopback_4

 

 

Policies are enumerated starting with the OU closest to the workstation, then working through the parent OUs, on to site policy, and finally to the local policy.

loopback_5

 

The computer configuration portion of policy is completed at 3:03:12:018 AM.

loopback_6

A few seconds later, the user John Galt logs on to the workstation and at 3:03:30:996, policy processing begins evaluation of user John Galt.

loopback_7

Policy evaluation for the user begins in replacement mode.

loopback_8

This discards the user account policies and reinitiates enumeration of workstation policy, applying the user portion of those policies which apply to the workstation.

loopback_9

The user configuration portion of policy is completed at 3:03:32:189 AM.

loopback_10

The user configuration portion of the policies which apply to the workstation are not applied with the computer configuration portion because the policy engine evaluates the computer portion of policy and the user configuration portion of policy at separate times.  The computer configuration portion is evaluated when a workstation boots.  The user configuration portion of policy is evaluated when a user logs on.  And this is where the state of the loopback policy setting is evaluated as well (which is how the policy engine knows which policy processing mode to enter).

Well, I am tired of looking at log files and I am sure that you are tired of seeing pictures of log files.  In a future loobpack policy processing blog (and hopefully the last for a while) will be a look at how loopback policy processing can go wrong.