Group Policy Ordering
Joe Dillon
joseph at outurnate.com
Thu Dec 14 00:20:11 UTC 2023
Suppose I link a policy called "Test Policy 1". When samba-gpupdate runs, this policy will be in changed_gpo_list. Suppose it sets the contents of /etc/test.txt to "testpolicy1". The second time samba-gpupdate runs, it will not be in changed_gpo_list, and the CSE won't rewrite the file. So far so good. Now, I toggle "Test Policy 1" to enforced. Rerunning samba-gpupdate does not process the policy. Again, so far so good. Suppose I link "Test Policy 2", unenforced. Let's say the CSE for "Test Policy 2" would set the content of /etc/test.txt to "testpolicy2". I would expect, since "Test Policy 1" has a higher priority, the contents of /etc/test.txt after a samba-gpupdate to be "testpolicy1". When I run samba-gpupdate, only "Test Policy 2" is processed, since it is the only one that changed. "--force" obviously corrects the issue.
Is this intended behaviour or a bug?
Second question: is it valid for GPOs based on .pol files to not write the registry entries to the local registry? The above behaviour could be avoided if every gpupdate wrote all changes from all applicable GPOs to the registry and deferred processing to the end.
Thanks,
Joe D
More information about the samba-technical
mailing list