The “Run in Logged on User’s Security Context” option is one of the least understood (and used) features of Group Policy Preferences. Understanding how to use it (and when) can save you hours of frustrating and fruitless troubleshooting! In this post, we will cover a practical example showing when to use “Run in Logged on User’s Security Context”. First, a little introduction on this cool little Group Policy setting:
All of my life, I have been told that a computer is a computer and a user is a user. Want to apply a default printer to a computer? Want to set the homepage in an entire lab? By using Loopback Policy Processing, we can give our computers some real identity issues – we can make them believe they’re users! How’s that for a Jedi mind trick?
A Note about Nodes
Group Policy has two nodes: Computer Configuration and User Configuration. If you’ve read this post, you know that users are the only objects that can process user configuration settings. You also know that computers are the only objects that can process settings under computer configuration. Let’s look at an example using the picture below.
The horribly named Domain Computers GPO has settings configured under both the Computer Configuration and User Configuration nodes. As expected, any computer under the Domain Computers OU will ignore the user-side “Remove Task Manager” setting. The only setting applied would be the “Do not process the run once list” policy.
Create a GPO similar to this. Be sure that you have at least one setting in each node configured. Ensure that the computer configuration setting is being applied.
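As an added example (not from the original post), here is the same GPO built with the GroupPolicy PowerShell module and then checked on a client; the OU distinguished name is a placeholder, and the two registry values are the ones the “Do not process the run once list” and “Remove Task Manager” Administrative Template policies write.

```powershell
# Added example: create the "Domain Computers" GPO with one setting in each
# node, link it to a computer OU, then confirm on a client that only the
# Computer Configuration setting landed.
# Assumptions: the GroupPolicy RSAT module is installed on the management
# host, and $TargetOU is a placeholder for your own OU's distinguished name.
Import-Module GroupPolicy

$GpoName  = 'Domain Computers'
$TargetOU = 'OU=Domain Computers,DC=example,DC=local'   # placeholder DN

# --- On the management host: create and populate the GPO ---
New-GPO -Name $GpoName | Out-Null

# Computer Configuration > Administrative Templates > System > Logon >
# "Do not process the run once list" writes this HKLM value.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'DisableLocalMachineRunOnce' -Type DWord -Value 1 | Out-Null

# User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options >
# "Remove Task Manager" writes this HKCU value.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

New-GPLink -Name $GpoName -Target $TargetOU | Out-Null

# --- On a computer in that OU, logged on as a user whose own OU does not
# --- set "Remove Task Manager": refresh and check what actually applied.
gpupdate /target:computer /force | Out-Null

$machine = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name DisableLocalMachineRunOnce -ErrorAction SilentlyContinue
$user    = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name DisableTaskMgr -ErrorAction SilentlyContinue

# Expected: the HKLM value is 1 (the computer processed its node) and the HKCU
# value is absent (a GPO linked to a computer OU has its user node ignored
# unless loopback processing is turned on).
"Computer setting applied: $($machine.DisableLocalMachineRunOnce -eq 1)"
"User setting applied:     $($null -ne $user)"

# gpresult shows the same picture from the client: the GPO is listed under
# Computer Settings but not under User Settings.
gpresult /r /scope:computer
```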
Before we introduce Loopback Policy Processing, let’s look at the two processing phases with Group Policy: