Difference between "Computer" and "User" objects in Active Directory. Application of the GPO rules to these objects.

Eduard Martinenko
2020-07-24T10:41:12.12+00:00

I have close to zero experience with Active Directory, so some/all of my questions may sound stupid and obvious to someone more experienced than me. But I have been "awarded" the right to completely reinstall the Active Directory server in my medium-size organization, so I want to have at least some understanding of how things work in AD.

I couldn't wrap my head around what exactly the "Computer object" in Active Directory is.

1) Does the "computer object" equal the name that you enter when adding a new PC to the domain?
What if there is no "computer object" with such a name? Will it be created in the general Computers "folder" (is it a folder? What is the correct term? It definitely isn't an Organisational Unit)? What if a computer with the same name has already been added to the domain?
2) What does it mean that any user has the right to add 10 new PCs? What if this option is disabled? Will only an admin have the right to add new computers? In this case, will the user be able to add a new computer to the domain if a "computer object" has already been created?

3) About application of GPOs - I have read in the wise articles that there are two distinct scopes to which a GPO rule is applied:
"Computer Configuration" - applied when a computer starts up, i.e. after a reboot. (Does it apply every 90 minutes?)
"User Configuration" - applied when the user logs in. Every 90 minutes.

Are they completely distinct "levels"?
What if a GPO rule which contains a "Computer Configuration" section is applied to a user? Will all the settings from the "Computer Configuration" section be completely ignored? Is that always the case? Will they not be applied after 90 minutes have passed since the user logged in?

Is the reverse true? Will GPO rules which contain a "User Configuration" section and are applied to a computer be completely ignored?

What are the right strategies to resolve these issues?
Do I need to make separate GPO rules for computers and users? What are the other options?

4) Following my previous question:
Could someone please explain in layman terms what "loopback" is? Does it combine "Computer configuration" and "User Configuration"? What are the issues that the "loopback" mechanism resolves? Does it bring more complexity to the system? Does it have some weird and unexpected behavior? Should I use it in a relatively simple network?


Accepted answer
  Daisy Zhou (Microsoft Vendor)
    2020-07-27T10:13:45.41+00:00

    Hello
    Thank you for posting here.

    Here are the answers for your references.

    Q1: Does the "computer object" equal the name that you enter when adding a new PC to the domain?
    What if there is no "computer object" with such a name? Will it be created in the general Computers "folder" (is it a folder? What is the correct term? It definitely isn't an Organizational Unit)? What if a computer with the same name has already been added to the domain?

    A1:
    Does the "computer object" equal the name that you enter when adding a new PC to the domain?
    1.“Computer objects” are logical components in AD.
    2.If you join a computer to a domain successfully, the name that you enter when adding the new PC to the domain is the name of one of the computer objects.

    [screenshot]

    What if there is no "computer object" with such a name? Will it be created in the general computers "folder" (is it folder? What is the correct term? It definitely isn't an Organizational unit)?

    3.It does not matter if there is no "computer object" with such a name, because when you add a computer to a domain, you can give the computer such a name, or name it according to your own rules or your company’s rules.
    Or we can create a computer object with such a name in the “Computers” container in “Active Directory Users and Computers”, and join a computer to the domain using this name when adding the new PC.

    4.By default, if we join a computer to a domain successfully, the computer object will be in the “Computers” container. The “Computers” folder shown below is called a container.

    [screenshot]

    Meanwhile, the domain controllers in the OU “Domain Controllers” are special computer objects, because they are computers and are also domain controller servers.

    [screenshot]

    What if a computer with the same name has already been added to the domain?

    5.Two computer objects with the same name are not allowed in the same domain.
    If a computer with the same name has already been added to the domain and I then try to create a second computer object with the same name in the same domain, I receive the error message below.
    A similar error message appears when we join a computer to the domain using the same name.

    [screenshot]

    Q2: What does it mean that any user has the right to add 10 new PCs? What if this option is disabled? Will only an admin have the right to add new computers? In this case, will the user be able to add a new computer to the domain if a "computer object" has already been created?

    A2:
    What does it mean that any user has the right to add 10 new PCs?
    It means that normal domain users can add computers to the domain; one domain user can only add 10 computers to the domain by default, and if he/she wants to join an eleventh computer to the domain, he/she will not be able to.
    We can see the property “ms-DS-MachineAccountQuota” below; it controls the number 10.

    [screenshot]

    What if this option is disabled? Will only an admin have the right to add new computers?
    Yes, if we change the value of the property “ms-DS-MachineAccountQuota” to 0, only administrators have the right to join computers to the domain.

    In this case, will the user be able to add a new computer to the domain if a "computer object" has already been created?
    No, he/she will not be able to add the computer to the domain.

    Q3: About application of GPOs - I have read in the wise articles that there are two distinct scopes to which a GPO rule is applied:
    "Computer Configuration" - applied when a computer starts up, i.e. after a reboot. (Does it apply every 90 minutes?)
    "User Configuration" - applied when the user logs in. Every 90 minutes.
    Are they completely distinct "levels"?
    What if a GPO rule which contains a "Computer Configuration" section is applied to a user? Will all the settings from the "Computer Configuration" section be completely ignored? Is that always the case? Will they not be applied after 90 minutes have passed since the user logged in?
    Is the reverse true? Will GPO rules which contain a "User Configuration" section and are applied to a computer be completely ignored?
    What are the right strategies to resolve these issues?
    Do I need to make separate GPO rules for computers and users? What are the other options?

    A3: For GPO refresh, we can update GPOs as below:

    1.To refresh GPOs with computer configurations,
    we can restart the computers or run gpupdate /force to refresh the GPO.
    Otherwise, GPOs with computer configurations refresh in the background every 90-120 minutes by default.

    2.To refresh GPOs with user configurations,
    we can sign the user out and in again or run gpupdate /force to refresh the GPO.
    Otherwise, GPOs with user configurations refresh in the background every 90-120 minutes by default.

    3.For some specific GPO settings, we must restart the computers or sign the users out and in again for the GPO to take effect.

    For example:

    Logon and Logoff script
    Startup and shutdown script
    Folder redirection
    Software installation
    Disk quotas
    Drive maps

    4.Computer configurations are applied to computers. User configurations are applied to users.

    5.We should make separate GPO rules for computers and users.

    Modify Group Policy Refresh Interval for Computers
    https://social.technet.microsoft.com/wiki/contents/articles/31623.modify-group-policy-refresh-interval-for-computers.aspx

    Q4: Following my previous question:
    Could someone please explain in layman terms what "loopback" is? Does it combine "Computer configuration" and "User Configuration"? What are the issues that the "loopback" mechanism resolves? Does it bring more complexity to the system? Does it have some weird and unexpected behavior? Should I use it in a relatively simple network?

    A4: Loopback combines only user configurations.

    This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

    By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies.

    We can understand “Loopback” as below (an example):

    GPO1 (with user setting1 and computer setting1) applies to user1
    GPO2 (with user setting2 and computer setting2) applies to PC1

    If we enable loopback in replace mode:
    If user1 logs on to PC1, user1 will use user setting2 and PC1 will use computer setting2.

    If we enable loopback in merge mode:
    If user1 logs on to PC1, user1 will use user setting1 and user setting2 (if there is any conflict between user setting1 and user setting2, user1 will use user setting2) and PC1 will use computer setting2.

    Usually, we suggest that you do not use “Loopback” GPOs.

    Hope the information is helpful.

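Added example (an editorial addition, not part of Daisy Zhou's answer or of Microsoft's documentation): the Group Policy points from A3 and A4 above as PowerShell, run from an elevated session on a domain-joined admin workstation with the GroupPolicy RSAT module. It shows which GPOs actually applied in the computer scope versus the user scope, how to refresh one scope at a time, how to keep computer and user settings in separate GPOs with the unused half switched off, and how loopback is configured and audited. The GPO names 'Workstations - Computer Settings', 'Staff - User Settings' and 'Kiosks - Loopback', the computer WKS-0001 and the user CONTOSO\user1 are placeholders that do not exist in the original thread.

```powershell
# Added example, not from the original thread. Illustrates A3/A4 above.
# Requires the GroupPolicy RSAT module and an elevated session
# (the computer-scope gpresult and GpoStatus changes need admin rights).
# All GPO, computer and user names below are placeholders.
Import-Module GroupPolicy

# 1. Resultant Set of Policy on this machine, one scope at a time.
#    Computer Configuration is evaluated against the computer object's location in AD,
#    User Configuration against the user object's location; they are separate lists.
gpresult /r /scope:computer
gpresult /r /scope:user

# The same for another computer and user, as an HTML report (needs RSoP logging rights there).
Get-GPResultantSetOfPolicy -Computer 'WKS-0001' -User 'CONTOSO\user1' `
    -ReportType Html -Path "$env:TEMP\rsop-WKS-0001.html"

# 2. Refresh only the scope you changed instead of everything.
gpupdate /target:computer /force
gpupdate /target:user /force

# 3. Separate GPOs per scope. A GPO linked where the computers are never delivers its
#    User Configuration to them unless loopback is on, so disable the half that is not used.
#    Valid GpoStatus values: AllSettingsEnabled, UserSettingsDisabled,
#    ComputerSettingsDisabled, AllSettingsDisabled.
$compGpo = Get-GPO -Name 'Workstations - Computer Settings'
$compGpo.GpoStatus = 'UserSettingsDisabled'
$userGpo = Get-GPO -Name 'Staff - User Settings'
$userGpo.GpoStatus = 'ComputerSettingsDisabled'

# 4. Loopback is itself a Computer Configuration setting
#    (Computer Configuration > Policies > Administrative Templates > System > Group Policy >
#     "Configure user Group Policy loopback processing mode"). It is stored as the DWORD
#    UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System: 1 = Merge, 2 = Replace.
$policyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name 'Kiosks - Loopback' -Key $policyKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2      # Replace mode for shared kiosks

# 5. Audit: list every GPO in the domain that turns loopback on, and in which mode.
function Get-LoopbackGpo {
    foreach ($gpo in Get-GPO -All) {
        $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $policyKey `
            -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
        if ($setting) {
            [pscustomobject]@{
                GPO  = $gpo.DisplayName
                Mode = @{ 1 = 'Merge'; 2 = 'Replace' }[[int]$setting.Value]
            }
        }
    }
}
Get-LoopbackGpo | Format-Table -AutoSize
```

The audit function reads the same registry value that the loopback policy setting writes, so it finds loopback wherever it was enabled, including in GPOs nobody remembers linking; that is the usual reason a user receives user settings that none of the GPOs linked to their own OU contain.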

1 additional answer

  Eduard Martinenko
    2020-07-29T13:20:22.917+00:00

    Thanks! One more question - when reinstalling a PC, do I need to delete the "computer object" from the domain? Can I safely reuse the already existing "computer object"? Or should I delete it and then create a new "computer object"?
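Added example (an editorial addition, not part of either post above): the computer-object points from A1 and A2 as PowerShell with the ActiveDirectory RSAT module. It reads and hardens ms-DS-MachineAccountQuota (the "10 computers per user" limit from A2), lists the computer objects that were created by ordinary users under that quota, and shows the name-is-already-taken check from A1 item 5 before pre-staging a computer object in a chosen OU rather than letting it land in the default Computers container. The OU 'OU=Workstations,...' and the name WKS-0001 are placeholders; the Set-ADObject line really changes the domain, so run it only where you mean to.

```powershell
# Added example, not from the original thread. Illustrates A1/A2 above.
# Requires the ActiveDirectory RSAT module and an account allowed to modify the domain object.
# The OU path and computer name are placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. The quota is an attribute of the domain object itself (default 10).
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $domainDN is $quota"

# 2. Setting it to 0 stops ordinary users from creating computer accounts at all. Joins then
#    work only for accounts that have been delegated "Create Computer objects" on the target OU
#    or that were given rights on a pre-staged computer object (step 4).
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 3. Which existing computer accounts were created under the quota? AD stamps mS-DS-CreatorSID
#    only when the creator had no explicit create rights, so a populated value means
#    "joined by an ordinary user" and is worth reviewing before tightening the quota.
function Get-QuotaCreatedComputer {
    Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', 'whenCreated' |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $sid = $_.'mS-DS-CreatorSID'
            if ($sid -isnot [System.Security.Principal.SecurityIdentifier]) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)  # raw byte[] form
            }
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # creator account may have been deleted since
            [pscustomobject]@{
                Computer    = $_.Name
                CreatedBy   = $creator
                WhenCreated = $_.whenCreated
            }
        }
}
Get-QuotaCreatedComputer | Format-Table -AutoSize

# 4. Names must be unique per domain (A1 item 5). Check before joining or pre-staging.
#    A computer's sAMAccountName is its name with a trailing '$'.
function Test-ComputerNameTaken {
    param([Parameter(Mandatory)][string]$Name)
    [bool](Get-ADComputer -LDAPFilter "(sAMAccountName=$Name`$)")
}

$newName  = 'WKS-0001'
$targetOU = "OU=Workstations,$domainDN"
if (Test-ComputerNameTaken -Name $newName) {
    Write-Warning "$newName already exists in the domain; pick another name or deal with the existing object first."
} else {
    # Pre-stage the object in the right OU so the join never drops it into the Computers container.
    New-ADComputer -Name $newName -SamAccountName $newName -Path $targetOU -Enabled $true
}
```

Pre-staging also fixes the GPO problem from Q3: a computer that lands in the default Computers container receives only domain-linked policy, because that container is not an OU and cannot have GPOs linked to it; an object pre-staged in the intended OU gets that OU's computer policy from its first boot.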