Servers take an endless time at applying group policy settings

We have some Windows 2008R2 RDS servers that have been given a sysprepped image. After a few days in production, and several nightly reboots, the servers start to hang at applying group policy settings. I have created a gpsvc.log file. What can be wrong with these servers?
When I reboot the server without network connection, the reboot time is fine. The user login still takes forever.
GPSVC(fc.4ec) 08:38:21:227 MachinePolicyCallback: Setting status UI to Beleid Group Policy Services toepassen...
GPSVC(fc.4ec) 08:38:21:227 ProcessGPOList: No changes. CSE will not be passed in the IwbemServices intf ptr
GPSVC(fc.1a4) 08:38:21:227 Message Status = <Beleid Group Policy Services toepassen...>
GPSVC(fc.1a4) 08:38:21:227 Setting GPsession state = 1
GPSVC(fc.5b4) 08:38:21:820 ProcessGroupPolicyCompletedExInternal: Entering. Extension = {827D319E-6EAC-11D2-A4EA-00C04F79F83A}, dwStatus = 0x0
GPSVC(fc.5b4) 08:38:21:867 GetWbemServices: CoCreateInstance succeeded
GPSVC(fc.4ec) 08:38:22:475 ProcessGroupPolicyCompletedExInternal: Entering. Extension = {91FBB303-0CD5-4055-BF42-E512A681B325}, dwStatus = 0x0
GPSVC(fc.4ec) 08:38:22:491 GetWbemServices: CoCreateInstance succeeded
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x2a0
GPSVC(5dc.5e0) 08:38:24:285 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1b0) 08:38:24:285 Target = Machine
GPSVC(5dc.5e0) 08:38:24:285 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1b0) 08:38:24:285 Target = Machine, ChangeNumber 0
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Entering with target S-1-5-18 and event 0x3d4
GPSVC(5dc.5e0) 08:38:24:285 Client_InitialRegisterForNotification: User = S-1-5-18, changenumber = 0
GPSVC(fc.1b0) 08:38:24:285 Target = S-1-5-18
GPSVC(fc.1b0) 08:38:24:285 Could not find user by sid, finding user by session id
GPSVC(fc.1b0) 08:38:24:285 Caller requesting for user notification/lock is from session 0
GPSVC(5dc.5e0) 08:38:24:285 Client_RegisterForNotification: User = S-1-5-18, changenumber = 0
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1b0) 08:38:24:285 Could not find user by sid, finding user by session id
GPSVC(fc.1b0) 08:38:24:285 Caller requesting for user notification/lock is from session 0
GPSVC(62c.64c) 08:38:25:330 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x1d4
GPSVC(62c.64c) 08:38:25:330 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1b0) 08:38:25:330 Target = Machine
GPSVC(62c.64c) 08:38:25:330 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(62c.64c) 08:38:25:330 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(298.2c0) 08:38:28:310 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xab0
GPSVC(298.2c0) 08:38:28:310 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1b0) 08:38:28:310 Target = Machine
GPSVC(298.2c0) 08:38:28:310 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(298.2c0) 08:38:28:310 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1b0) 08:38:28:310 Target = Machine, ChangeNumber 0
GPSVC(fc.7c0) 08:38:39:401 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x93c
GPSVC(fc.7c0) 08:38:39:401 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.95c) 08:38:39:401 Target = Machine
GPSVC(fc.7c0) 08:38:39:401 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7c0) 08:38:39:401 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.95c) 08:38:39:401 Target = Machine, ChangeNumber 0
GPSVC(53c.580) 08:40:20:755 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x608
GPSVC(53c.580) 08:40:20:755 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:40:20:755 Target = Machine
GPSVC(53c.580) 08:40:20:755 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(53c.580) 08:40:20:755 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(53c.580) 08:40:21:098 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x64c
GPSVC(53c.580) 08:40:21:098 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:40:21:113 Target = Machine
GPSVC(53c.580) 08:40:21:113 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(53c.580) 08:40:21:113 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(53c.564) 08:40:21:238 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x67c
GPSVC(53c.564) 08:40:21:238 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:40:21:238 Target = Machine
GPSVC(53c.564) 08:40:21:238 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(53c.564) 08:40:21:238 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(200.f6c) 08:41:11:501 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x350
GPSVC(200.f6c) 08:41:11:501 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:41:11:501 Target = Machine
GPSVC(200.f6c) 08:41:11:501 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(200.f6c) 08:41:11:501 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1c4) 08:41:11:891 Target = Machine
GPSVC(fc.1c4) 08:41:11:891 Target = Machine, ChangeNumber 0
GPSVC(fc.7d0) 08:41:11:985 Target = Machine
GPSVC(fc.7d0) 08:41:11:985 Target = Machine, ChangeNumber 0
GPSVC(fc.7d0) 08:41:11:985 Sid = (null), dwTimeout = 600000, dwFlags = 268435456
GPSVC(fc.7d0) 08:41:11:985 LockPolicySection called for user <Machine>
GPSVC(fc.7d0) 08:41:11:985 Async Lock called
GPSVC(fc.7d0) 08:41:11:985 Reader has to wait for lock. ReaderID : 1.
GPSVC(fc.7d0) 08:41:11:985 Registering wait for lock notification
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xcbc
GPSVC(fc.9d8) 08:41:13:015 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7d0) 08:41:13:015 Target = Machine
GPSVC(fc.9d8) 08:41:13:015 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xd24
GPSVC(fc.9d8) 08:41:13:015 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7d0) 08:41:13:015 Target = Machine
GPSVC(fc.9d8) 08:41:13:015 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Entering with event 0x350
GPSVC(200.1060) 08:43:10:223 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Canceling pending calls
GPSVC(200.1060) 08:43:10:223 Client_CompleteNotificationCall: failed with 0x71a
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Cancelled pending calls
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
GPSVC(fc.1054) 08:43:16:252 Target = Machine
GPSVC(fc.1054) 08:43:16:252 Target = Machine, ChangeNumber 0
GPSVC(fc.1138) 08:43:24:188 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xeac
GPSVC(fc.1138) 08:43:24:188 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7d0) 08:43:24:188 Target = Machine
GPSVC(fc.1138) 08:43:24:188 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1138) 08:43:24:188 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1054) 08:43:29:418 Target = Machine
GPSVC(fc.1054) 08:43:29:418 Target = Machine, ChangeNumber 0
GPSVC(fc.1054) 08:43:50:304 Target = Machine
GPSVC(fc.1054) 08:43:50:304 Target = Machine, ChangeNumber 0
GPSVC(fc.1374) 08:51:06:327 Found the Waiting Rpc Reader in the waiting list. Removing it...
GPSVC(fc.1374) 08:51:06:327 Lock timeout
Gert MCITP SA, EA & VA

Hi,
From the log you submitted, I found the following error:
GPSVC(f0.13fc) 03:00:18:665 Client_CompleteNotificationCall: failed with 0x525
GPSVC(2f0.baf4) 03:00:18:665 CGPNotify::OnNotificationTriggered: Completenotification failed with 1317
GPSVC(518.e980) 03:00:18:665 Client_CompleteNotificationCall: failed with 0x6ba
GPSVC(f0.13fc) 03:00:18:665 CGPNotify::OnNotificationTriggered: Trying to recover from error 1722
GPSVC(518.e980) 03:00:18:665 CGPNotify::RegisterNotificationAsynchronously: Starting async registration
GPSVC(3b8.3e0) 03:04:19:034 Client_RegisterForNotification: CheckRegisterForNotification returned error 0x6d9
GPSVC(3b8.3e0) 03:04:19:034 CGPNotify::RegisterForNotification: Service not RUNNING. waiting
GPSVC(3b8.3e0) 03:04:19:034 CGPNotify::RegisterForNotification: Trying to recover from error 1753
GPSVC(3b8.3e0) 03:04:19:034 CGPNotify::RegisterNotificationAsynchronously: Starting async registration
GPSVC(100.4c8) 03:05:07:753 ProcessGPOs: OpenThreadToken failed with error 1008, assuming thread is not impersonating
GPSVC(100.13f4) 07:54:09:864 GetOldSidString:  Failed to open profile profile guid key with error 2
GPSVC(658.2354) 09:52:41:726 Client_ProcessRefresh: ProcessRefresh returned error 0x5b4
GPSVC(658.2354) 09:52:41:726 GetGPOList: Client_ProcessRefresh failed with 0x5b4.
GPSVC(658.2354) 09:52:41:726 Exiting RefreshPolicyForPrincipal with status = 1460
GPSVC(100.1a7c) 10:48:26:711 CGPAdminEventInitFailure::Initialize(): FormatMessage failed to look up error code (0x4005) due to error 317. Can not log error description.
GPSVC(100.219c) 10:48:26:711 ProcessGPOList: Extension Internet Explorer Branding was not able to log data. Error = 0x80004005, dwRet = 1252,leaving the log dirty
GPSVC(100.19b4) 10:48:27:491 ProcessGPOList: Extension Internet Explorer Branding was not able to log data. Error = 0x80004005, dwRet = 1252,leaving the log dirty
1. Please try renaming the files in the folder c:\windows\system32\GroupPolicy to .old and run Gpupdate /force.
2. Please verify that DNS is set correctly and the DNS Client Service is enabled. Restart the DNS Client Service.
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
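
A triage sketch for logs like the two gpsvc.log excerpts in this thread, added here as an example and not part of either post: it parses the `GPSVC(pid.tid) HH:MM:SS:mmm` lines, flags long silences between consecutive entries, and lists failure lines with hex codes converted to decimal. The sample lines are copied from the first excerpt; the function names and the 60-second threshold are assumptions, and the symbolic names are the standard Win32 constants for those codes.

```python
import re
from datetime import timedelta

# gpsvc.log line layout as seen in this thread: GPSVC(pid.tid) HH:MM:SS:mmm message
LINE_RE = re.compile(
    r"^GPSVC\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+(?P<msg>.*)$",
    re.IGNORECASE,
)
# Status codes appear as hex ("failed with 0x6ba") or decimal ("error 1722").
CODE_RE = re.compile(r"(?:failed with|error)\s+(0x[0-9a-f]+|\d+)", re.IGNORECASE)

# Standard Win32 names for codes that occur in the two excerpts.
WIN32_NAMES = {
    2: "ERROR_FILE_NOT_FOUND",
    1008: "ERROR_NO_TOKEN",
    1317: "ERROR_NO_SUCH_USER",
    1460: "ERROR_TIMEOUT",
    1722: "RPC_S_SERVER_UNAVAILABLE",
    1753: "EPT_S_NOT_REGISTERED",
    1818: "RPC_S_CALL_CANCELLED",
}

# Sample input: lines copied from the first gpsvc.log excerpt above.
SAMPLE_LOG = """\
GPSVC(fc.7d0) 08:41:11:985 Sid = (null), dwTimeout = 600000, dwFlags = 268435456
GPSVC(fc.7d0) 08:41:11:985 LockPolicySection called for user <Machine>
GPSVC(fc.7d0) 08:41:11:985 Reader has to wait for lock. ReaderID : 1.
GPSVC(200.1060) 08:43:10:223 Client_CompleteNotificationCall: failed with 0x71a
GPSVC(fc.1054) 08:43:50:304 Target = Machine, ChangeNumber 0
GPSVC(fc.1374) 08:51:06:327 Found the Waiting Rpc Reader in the waiting list. Removing it...
GPSVC(fc.1374) 08:51:06:327 Lock timeout
"""


def parse_log(text):
    """Return one dict per well-formed GPSVC line; anything else is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp = timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                          seconds=int(m["s"]), milliseconds=int(m["ms"]))
        entries.append({"pid": m["pid"], "tid": m["tid"],
                        "time": stamp, "msg": m["msg"]})
    return entries


def find_stalls(entries, threshold=timedelta(seconds=60)):
    """Return (gap, before, after) for consecutive entries at least `threshold` apart."""
    stalls = []
    for before, after in zip(entries, entries[1:]):
        gap = after["time"] - before["time"]
        if gap < timedelta(0):
            # The log carries no date, so a negative gap means it crossed midnight.
            gap += timedelta(days=1)
        if gap >= threshold:
            stalls.append((gap, before, after))
    return stalls


def find_failures(entries):
    """Return (entry, decimal_code, label) for lines that report a failure."""
    failures = []
    for entry in entries:
        m = CODE_RE.search(entry["msg"])
        if m:
            token = m.group(1)
            code = int(token, 16) if token.lower().startswith("0x") else int(token)
            failures.append((entry, code, WIN32_NAMES.get(code, "unknown")))
        elif "Lock timeout" in entry["msg"]:
            failures.append((entry, None, "Lock timeout"))
    return failures


def report(text):
    """Build a short human-readable summary of stalls and failures."""
    entries = parse_log(text)
    lines = []
    for gap, before, after in find_stalls(entries):
        lines.append(f"STALL {gap.total_seconds():.3f}s before: {after['msg']}")
    for entry, code, label in find_failures(entries):
        shown = "-" if code is None else str(code)
        lines.append(f"FAIL  code={shown} ({label}): {entry['msg']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a full log, the stall list shows where processing went quiet, and the decimal codes can be compared with the values the log itself prints (for example 0x6ba next to 1722).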

Similar Messages

  • Stuck at Applying Group Policy Printers Policy on Windows 2008 Servers

    xp clients seem to be fine and map all printers at logon. The 2k8 servers all hang at logon for 30min or more at the Applying Group Policy Printers Policy. The print server is a DC in the same domain and it does not experience the issues at logon and gets to the desktop immediately.

    a DHCP workstation
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    U:\>ipconfig /all
    Windows IP Configuration
            Host Name . . . . . . . . . . . . : CP0030621
            Primary Dns Suffix  . . . . . . . : us.tms.local
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : us.tms.local
                                                us.tms.local
                                                tms.local
    Ethernet adapter Local Area Connection:
            Connection-specific DNS Suffix  . : us.tms.local
            Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
            Physical Address. . . . . . . . . : 00-19-BB-5F-EE-75
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 10.1.10.165
            Subnet Mask . . . . . . . . . . . : 255.255.254.0
            Default Gateway . . . . . . . . . : 10.1.10.1
            DHCP Server . . . . . . . . . . . : 10.1.10.27
            DNS Servers . . . . . . . . . . . : 10.1.10.27
                                                10.1.10.28
            Lease Obtained. . . . . . . . . . : Monday, August 24, 2009 8:24:12 AM
            Lease Expires . . . . . . . . . . : Saturday, August 29, 2009 8:24:12 A
    Ethernet adapter Bluetooth Network Connection:
            Media State . . . . . . . . . . . : Media disconnected
            Description . . . . . . . . . . . : Bluetooth Device (Personal Area Net
    ork)
            Physical Address. . . . . . . . . : 00-0D-3A-A6-BA-28
    win2k3 web server which logs in successfully
    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.
    U:\>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : wlfdweb01
       Primary Dns Suffix  . . . . . . . : us.tms.local
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : us.tms.local
                                           tms.local
    Ethernet adapter Local Area Connection 2:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC7782 Gigabit Server Adapter #2
       Physical Address. . . . . . . . . : 00-14-C2-C3-DA-3A
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.1.10.29
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       IP Address. . . . . . . . . . . . : 10.1.10.30
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.1.10.1
       DNS Servers . . . . . . . . . . . : 10.1.10.27
                                           10.1.10.28
    Print Server that logs in fine (also a DC and DNS Server)
    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
    U:\>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : wlfddc02
       Primary Dns Suffix  . . . . . . . : us.tms.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : us.tms.local
                                           tms.local
    Ethernet adapter Local Area Connection 4:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Ad
    apter #2
       Physical Address. . . . . . . . . : 00-1C-C4-EF-B7-A4
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.1.10.28(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.1.10.1
       DNS Servers . . . . . . . . . . . : 10.1.10.28
                                           10.1.10.27
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter Local Area Connection* 9:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{9FB5C233-FB93-471F-873E-6DFDFCFED
    2AE}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    server that hangs at applying group policy printers (the other dc and dns server for the domain)
    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
    U:\>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : wlfddc01
       Primary Dns Suffix  . . . . . . . : us.tms.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : us.tms.local
                                           tms.local
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-0F-1F-68-D6-42
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.1.10.27(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.1.10.1
       DNS Servers . . . . . . . . . . . : 127.0.0.1
                                           10.1.10.25
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter Local Area Connection* 8:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{C0EEED04-498A-42FC-9C42-86A37BD4D
    8D5}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

  • User Group Policy Settings not applied to new user profiles at first logon

    Good Afternoon,
    We have an issue that occurs to a new user when they first log on to their machines. They log on and a new profile creates from the Default User Profile. We can see that a number of our Group Policy Settings applied as "User Configuration" are not applying. A log off and back on is required before the policies apply.
    Any thoughts to this behaviour please?
    Regards
    LeeB
    Lee Bowman MCITP MCTS

    Hi,
    How is your problem now? How many systems encounter this problem? Is it that all policies couldn't be applied? Is there any feedback when using gpresult to check policy applied status?
    As Group Policy applies after user identity authentication, generally speaking, logging off and back on isn't helpful with this problem.
    When this problem occurs, have you checked the event log to see if it identifies this problem?
    Roger Lu
    TechNet Community Support

  • Cases in which Domain Group Policy settings would be reverted to default settings on a Win7 client

    Hi - I'm sure this info is out there somewhere, but I'm having a hard time finding it.  Basically, I'm trying to identify the cases in which settings deployed via Domain Group Policy on 2008R2/Win7SP1 would get reverted back to "default settings"
    on a Win7SP1 client that is still a member of the domain, and is in a proper OU, properly targeted, WMI filters should still evaluate true, etc...
    For instance, it appears that if machine-level registry settings contained within a LocalGPO file on a client get corrupted (C:\Windows\System32\GroupPolicy\Machine\registry.pol), all of those settings, plus all machine level administrative template settings
    defined in Domain Group Policy, get reverted to default settings (corresponds with Event ID 1096 in System Event Log where it references "LocalGPO").  I have not confirmed if this is the case for machine level settings defined outside of administrative
    templates in Domain Group Policy, or for any user level settings though.  (But I suspect not.)
    When a workstation is unable to talk to a Domain Controller in order to identify applicable Domain Group Policy settings (for instance, this issue:
    http://support.microsoft.com/kb/2421599/en-us), do administrative templates Domain Group Policy settings revert to defaults up until the next successful processing interval?  I don't believe
    so, but would like confirmation.
    Are there any other cases in which Domain Group Policy settings for a client still joined to the Domain would be reverted to defaults?
    And when a client is unjoined from the Domain, what Domain Group Policy settings would remain on the client?  I understand that some Domain Group Policy settings outside of administrative templates are "tattooed" to the registry.  Does
    anyone know of a full list of these settings?  I believe that most or all of the ones in Windows Settings\Security Settings are tattooed, and the only way to get these settings removed is to explicitly change them via registry edit or LocalGPO/Local Security
    Policy, after unjoining the domain.
    Any info/insight/links to other doc/etc would be much appreciated!

    Hi Shaun,
    >>If a client cannot talk to a domain controller at all, admin template settings still stay in-place on the client, correct?   
    As far as I know, it's not this case. If a client can't communicate with domain controllers, it means that the GPOs applied to the client are out of scope. As suggested by
    the article I provided, for native policy, "when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used."
    >>What if a client loses network connectivity while reading Domain GPO?
    Group policy will get updated when computers start up and users log on. Besides, for workstations, group policy will get refreshed in the background with, by default, an interval
    of 90 minutes. As long as workstations can restore network connectivity, the group policy settings will get updated.
    >>Are there any other failure cases like this where some or all Group Policy settings (admin template or other areas) would get reverted?
    There are many reasons which can cause GP malfunction. However, Windows itself provides necessary tools for troubleshooting various issues. When GP malfunctions, we can check
    Event Viewer, collect group policy result, or generate group policy log to troubleshoot.
    Best regards,
    Frank Shen

  • EMET 5.0 Group Policy Settings Ignored (Probable race condition with Policy application)

    In our deployment, EMET 5 seems to be ignoring group policy settings from immediately after the first group policy refresh post-boot.
    Settings are being applied to the computer correctly, and are appearing in the registry correctly, and on boot, a set of Event ID 50 events are logged containing ConfigAppmitGPO (and similar for the other settings) elements with the correct settings.
    Upon the first group policy refresh, further eventID 50 events are logged, with empty ConfigAppmitGPO elements.
    Investigation with Process Monitor seems to indicate this is a race condition between Group Policy Registry settings being refreshed (which deletes the entries) and the EMET service reading out these settings from the registry (which appears to be triggered
    by Group Policy application or by a notification on the registry keys themselves)
    This is reproducible on Windows 7 and Windows 8.1.
    Is there any way to arrange for settings to be applied correctly at all times, or is this a bug that will need to be fixed in a future update?

    We're experiencing the exact same behavior currently. I was starting to think I was going crazy. Glad to know others are experiencing the same behavior.
    I've found that using the method from previous versions to read and update settings from Group Policy, using "emet_conf.exe --refresh" still works, and upon every execution, the event log shows the GPO settings being read and applied. While I welcome the
    move to have EMET update from GPO settings without requiring running a separate task, as it stands now in its current condition, it is a step back.
    Scott Ladewig http://www.ladewig.com

  • Any applicable\recommended Group Policy settings (Local & Domain) for configuring windows 8.1 "gold master image" for collection

    Happy Friday everybody -
    I'm working on implementing Microsoft RDS 2012\VDI for the folks here at work.  I've read - online - a lot of articles on VDI and RDS 2012 - and have a working model that is working somewhat satisfactorily.  I haven't seen much online about steps
    I could take in Local Group Policy on my Windows 8.1 'gold image' - or for that matter Domain level group policy - that can assist in creating a better, more reliable/robust Windows 2012 VDI environment.
    Anybody out there got any information or opinions or advice on Group Policy settings for VDI environments?
    Thanks again, everyone!
    Adrian
    anr

    Hi Adrian,
    Thank you for posting in Windows Server Forum.
    In regards to your issue you can refer beneath article for detail information.
    1. Group Policy Best Practices for VDI Environments
    2. Some Basic Group Policy Settings for VDI
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Backup & Restore non-administrators Group Policy Settings

    Hi,
    I'm trying to setup a few reference images of Windows 7 which will be deployed to our client computers. The baseline Group Policies are configured through Local Group Policies set in the image. I've setup a Master GPO machine on which to build the policies
    and test them.
    The Local Group Policies have been set for Local Computer Configuration, Local User Configuration and for Local Non-Administrators Configuration. The thinking is that members of the local Administrators group on the computer are unrestricted and still have
    the ability to do most things. Users which log onto the computer abide by the more restrictive Non-Administrators Group Policy settings.
    Using the "LocalGPO.wsf" script I'm able to backup and restore Computer and User Configuration which affects all users of the machine but it does not backup the Non-Administrators Policies. Is this possible?
    After some digging around in the "GPOPack.wsf" files I've found that the Machine & All Users Policies are restored by the "LocalPol.exe" file. This utility has command line switches for '-m' machine and '-u' user. So I'm guessing
    that it's not possible to restore the Non-Administrators Policies?
    For what it was worth I've tried copying the "Registry.pol" file from "%windir%\System32\GroupPolicyUsers\S-1-5-32-545\User" folder on the GPO Master machine and placed the file in the same location on target computer. A test which had
    one value set worked on the reference computer but when the policies were copied from the GPO Master machine, the target computer ignored all the settings.
    Any ideas how to backup/restore Local Machine Non-Administrator Group Policies?
    Thanks!

    Not entirely sure of the specific policies you're dealing with, but you would typically use the Microsoft Security Compliance Manager to create GPO packs that you would then apply using the Apply Local GPO Package task sequence step in MDT.
    I'd encourage you to look over the Applying Group Policy Object Packs section of the
    Using the Microsoft Deployment Toolkit.docx file in the MDT 2013 documentation for more details.
    MDT 2013 documentation can be downloaded here: LINK

  • Auto reboot / Manual reboot : easy way to apply group policy for each group without multiple AD links? Help appreciated

    Good morning,
    I have two policies for WSUS, one that auto-reboots the client and one that allows for manual reboots.  I'm sure this is very obvious, but I'm wanting to make sure I do this correctly.
    What's the easiest way to apply the policy for manual/auto reboots without having to go through my entire active directory tree and link it to each OU containing mixed computers?  
    I hope this makes sense, but I know I can set security groups and then set it for the scope, but if I go that route is there a way to apply it to all Domain Computers, EXCEPT those who are a member of security group "MPS - WSUS Manual" for example?
    Any input here is greatly appreciated
    Thank you

    If all the machines that you want to have the manual option are in a few select OUs then you could apply the auto reboot GPO to the root of the domain, and then link the manual GPO just to those GPOs containing the relevant machines. As explained here
    http://technet.microsoft.com/en-gb/library/cc785665(v=ws.10).aspx a policy applied to an OU overrides a policy applied to the domain as a whole.
    While I'm not sure, from your description I'm guessing that's the case, and they're actually mixed in throughout the domain? In which case, the other option might be to make use of group policies order or precedence. As described here
    http://blogs.msdn.com/b/muaddib/archive/2012/08/22/determine-gpo-precedence-with-gpmc-gpresult.aspx you'll see that the order that the GPOs are listed makes a difference to the order that they are applied, and the last to be applied takes precedence over
    those that come before. Therefore using that, if you applied the reboot policy to everyone, and then applied the manual one with a security filter so it only applied to your "MPS - WSUS Manual" group such that it had a higher precedence, all machines would
    receive the first GPO, but those machines in that group would have that overridden by the second policy.

  • Apply Group Policy to external clients

    Is it possible to apply GPO's to clients on external networks such as their own personal networks. I'm looking at solutions such as authenticating them through a proxy on the perimeter network and are pushed to the Domain Controller to force these policies.
    As it stands, the clients use a VPN client to gain access to the corporate network, and I know that group policy will use the Network Location Service to detect the Domain Controller, but the VPN connection is not mandatory and must be established by the client,
    if this connection is not required for their job, they may never connect and not get updated GPO's.

    Hi,
    I agree with Joseph. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet.
    Regarding DirectAccess, the following articles can be referred to for more information.
    Using DirectAccess
    http://technet.microsoft.com/en-in/windows/dn168168.aspx
    Windows Server 2012 Direct Access – Part 1 What’s New
    http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
    In addition, for this question mainly focuses on network, in order to get more and better help, we can also ask for suggestions in the following forum.
    Network Access Protection
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNAP
    Best regards,
    Frank Shen

  • How can I apply group policy but exception some users like administrator?

    Hello all.
    How can I set a group policy and apply it to users except the administrator?
    Cheers.

    Hello,
    please see
    http://www.grouppolicy.biz/2015/03/how-to-stop-local-administrators-from-bypassing-group-policy/ if you talk about local administrator accounts. In short you CAN'T.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Windows Update Group Policy Settings?

    I browsed through SCCM 2012 documentation for an answer of what to set in a GPO when wanting to use SCCM 2012 SP1 to handle updates.
    At the moment I have:
    WSUS/Reporting pointing to wsus server and its appropriate ports
    Allow Automatic Updates immediate installation: Enabled
    All signed updates from intranet Microsoft Updates: Enabled
    Configure Automatic Updates: Enabled
      Configure automatic Updating - 4 Auto download and schedule the install
      Scheduled install day: Every Friday
      Scheduled install time: 21:00
    Enabling Windows Update Power Management to auto wakeup the system to install Enabled
    No auto-restart with logged on users for scheduled automatic updates installations: Enabled
    Reschedule Automatic Updates scheduled installation: Disabled
    I didn't see any hint, perhaps it is there and I missed it, on what might be the prescribed settings for a GPO.
    What is happening is Windows 8ish is drawing a band across the screen and reporting that your computer needs to reboot, and then reboots. From what I could tell in the WindowsUpdate.log file, around the time it was observed rebooting, smsexec requested a reboot. But oddly, I also saw in the Windows Update log that a reboot was scheduled to expire on the 26th, two days after the observed behavior, and I also saw that other reboot requests either expired or had been scheduled.
    What I have recently done to various Windows Update deployments was to remove the check boxes for Deadline behavior to prevent Software Updates and System restarts outside the Maintenance Window and also checked Device restart behavior
    Suppress system restart on the following devices Servers and Workstations.
    At the moment I would like to figure out what the GPO settings should be and also how to determine what had requested reboot and when and if the reboot actually happened.
    Thanks!

    This blog series by Jason should help you with that (it's still applicable):
    http://blog.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
    http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Specify Office 2013 KMS host through group policy settings

    Hello.
    Can someone please help me get the right registry key for Office 2013? I want to specify the KMS host for my clients in the domain through group policy. I don't want to use DNS or config.xml to specify the host.
    For Windows I use this key; activation works great.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\KeyManagementServiceName (REG_SZ)
    I have found the key for Office 2010 but can't use this for 2013:
    HKLM\Software\Microsoft\OfficeSoftwareProtectionPlatform\KeyManagementServiceName (REG_SZ).
    I have searched the web but can't find the key.
    I really need some help here.
    Best regards
    Nils S.

    > Have found the key for Office 2010 but can't use this for 2013
    > HKLM\Software\Microsoft\OfficeSoftwareProtectionPlatform\KeyManagementServiceName (REG_SZ).
    > I have searched the web but can't find the key.
    Hi,
    According to the documentation, it is the same registry key?
    http://technet.microsoft.com/en-us/library/ee624350(v=office.15).aspx#section1
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • How to install Windows Updates on a 2012 Domain Controller w/Group Policy Settings

    Hello All,
    I'm having an issue installing Windows Updates on my Windows Server 2012 Standard with AD DS role, acting as a backup DC.
    I have Group Policies set up for the Domain Controllers to download updates from my WSUS server but not to install them. When I go to my Windows Server 2003 R2 Domain Controller, I can install updates via the "Install Updates and Shutdown". That option doesn't show up on the 2012 server. I can see from my WSUS server and the event viewer that the updates are being downloaded to the 2012 server... just no option for me to install the updates.
    Am I just missing something or will I need to change the way my Group Policy is set up to allow installs and/or downloads? Any help would be greatly appreciated!
    Tony

    So I've totally removed the GPO settings for configuring updates on the Default Domain Controllers OU and I can get the Windows Server 2003 Server to get updates from Windows Updates, but the 2012 Server still won't show me how to download or install any
    updates. It just states on the log-in screen that there are "Windows Updates Sign in and install important updates".
    Well guess what Microsoft! I've signed in and still don't see where I can install updates!!!
    I guess because you've set AU=3.
    There doesn't seem to be much documented in depth about AU/WUAgent (not in the history of forever), but Lawrence and others in the WSUS forum do cover a lot of related questions about the agent and also GP settings.
    Lawrence has blogged a lot of detail about the registry settings which are available for AU/WU, and how some of those settings are not practically of any use since WinXP.
    So, even though your question isn't about WSUS, the WSUS forum is a great place to visit for help for WUAgent etc.
    Anyway, "where can I install updates?" :
    on the Start screen, Search for "Windows Update"
    or
    Settings charm
    Change PC Settings
    Update and Recovery
    Windows Update
    or
    Control Panel\System and Security\Windows Update
    Some further (light) discussion on the "new" behaviour:
    http://blogs.msdn.com/b/b8/archive/2011/11/14/minimizing-restarts-after-automatic-updating-in-windows-update.aspx
    Don

  • Why does it take a long time to apply certain apps, music, etc. to download onto my iPod?

    I do have the iOS 4.2.1 version for my iPod.  Please give me a few solutions of how to fix this problem, thanks.

    How are you "downloading" them?
    USB?
    wifi?
    How long is a long time?

  • Using WMI Filter to apply group policy to users on computers in a security group

    Hello all,
    I've got a bunch of computers that I want to apply some user-side policies to, affecting all users that log on to these specific computers (they are used for exams).
    Unfortunately it is company policy to have a flat OU structure and as such moving these computers into their own OU is out of the question. Which brings me to wanting to create a WMI filter to limit the policy to running on computers only within the security
    group and then set the security filtering to "Authenticated Users". The policy will be linked to the all student computers OU where a few thousand machines sit, but will only apply to 20 or so machines (I know it's messy).
    Anyway that brings me to my question, can someone point me in the right direction for how I would go about creating this WMI query?
    Cheers

    > I've got a bunch of computers that I want to apply some user side
    > policies that affect all users that log on to these specific computers
    > (they are used for exams).
    That's what "Loopback" initially was designed for. Nowadays, we can use
    some other tricks :)
    http://evilgpo.blogspot.de/2012/02/loopback-demystified.html
    http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
    Martin
    Want to read a GOOD book about GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
