Well, we’ve made it through the debug logs for normal mode and merge mode and now it is on to replace mode and time to answer our original question, “In replace mode, when does the user configuration portion of policies which apply to the computer object get applied. Is it applied when the computer starts up? Or is it applied when a user logs on?”
This post is part 3 of a 3 part series where we are examining the debug output for each policy processing mode:
- Loopback Policy Processing Debug Series – Normal Mode
- Loopback Policy Processing Debug Series – Merge Mode
- Loopback Policy Processing Debug Series – Replace Mode
Our OU structure still hasn’t changed, but here it is again. The workstation that we’ll be using, XP01, is in the HR OU.
The user that will be using, John.Galt, is in the Users OU.
Here is the full text log file: replace_UserEnv.log [171.08 KB] (previously loopbackReplace.log)
At 3:03:07:041 AM, computer policy begins evaluation of workstation XP01.
Policy evaluation for the workstation begins in normal mode.
Policies are enumerated starting with the OU closest to the workstation, then working through the parent OUs, on to site policy, and finally to the local policy.
The computer configuration portion of policy is completed at 3:03:12:018 AM.
A few seconds later, the user John Galt logs on to the workstation and at 3:03:30:996, policy processing begins evaluation of user John Galt.
Policy evaluation for the user begins in replacement mode.
This discards the user account policies and reinitiates enumeration of workstation policy, applying the user portion of those policies which apply to the workstation.
The user configuration portion of policy is completed at 3:03:32:189 AM.
The user configuration portion of the policies which apply to the workstation are not applied with the computer configuration portion because the policy engine evaluates the computer portion of policy and the user configuration portion of policy at separate times. The computer configuration portion is evaluated when a workstation boots. The user configuration portion of policy is evaluated when a user logs on. And this is where the state of the loopback policy setting is evaluated as well (which is how the policy engine knows which policy processing mode to enter).
Well, I am tired of looking at log files and I am sure that you are tired of seeing pictures of log files. In a future loobpack policy processing blog (and hopefully the last for a while) will be a look at how loopback policy processing can go wrong.