On a computer running a version of Windows released before Windows Vista and Windows Server 2008, it was only necessary to ensure that Group Policy permissions allowed the user to read and apply the GPO containing the user settings.
Starting in Windows Vista and Windows Server 2008, this behavior changed.
Consider the following scenarios:
- A computer that is running Windows Vista, Windows Server 2008, or a later version of Windows is configured for User Group Policy Loopback processing in Merge mode.
  The Group Policy service reads the Group Policy Object information from Active Directory in the security context of the machine. In this scenario, the computer account must have at least Read permission to the Group Policy Object that contains the user settings, and a user should have at least the Read and Apply permission in order to successfully apply the policy.
- A computer that is running Windows Vista, Windows Server 2008, or a later version of Windows is configured for User Group Policy Loopback processing in Replace mode.
  In this case, the Group Policy service impersonates the user when reading Group Policy Object information from Active Directory. Therefore, only the user needs access to the GPO. In order to successfully apply a policy, a user should have at least the Read and Apply permission.
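One way to audit a user-settings GPO against the two scenarios above, as an added example that is not part of the original article. The function name, the GPO name and the default trustee lists are assumptions; trustees are matched by name only, so nested group membership is not resolved.

```powershell
# Added example: names below are placeholders, not values from the article.
Import-Module GroupPolicy   # ships with GPMC / RSAT

function Test-LoopbackGpoPermission {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [ValidateSet('Merge', 'Replace')] [string] $Mode,
        # Trustees assumed to cover the computer account and the user account.
        [string[]] $ComputerTrustee = @('Authenticated Users', 'Domain Computers'),
        [string[]] $UserTrustee     = @('Authenticated Users')
    )

    $readLevels  = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $applyLevels = 'GpoApply'          # GPMC's "Read and Apply" level

    # Allow entries only; Deny and custom entries are reported for manual review.
    $all     = Get-GPPermission -Name $GpoName -All
    $allowed = $all | Where-Object { -not $_.Denied }
    $review  = $all | Where-Object { $_.Denied -or $_.Permission -eq 'GpoCustom' }

    $computerCanRead = [bool]($allowed | Where-Object {
        $_.Trustee.Name -in $ComputerTrustee -and "$($_.Permission)" -in $readLevels })
    $userCanApply = [bool]($allowed | Where-Object {
        $_.Trustee.Name -in $UserTrustee -and "$($_.Permission)" -in $applyLevels })

    # Merge: the GPO is read as the machine, so the computer needs Read as well.
    # Replace: the service impersonates the user, so only the user matters.
    $ok = if ($Mode -eq 'Merge') { $computerCanRead -and $userCanApply } else { $userCanApply }

    [pscustomobject]@{
        Gpo             = $GpoName
        Mode            = $Mode
        ComputerCanRead = $computerCanRead
        UserCanApply    = $userCanApply
        NeedsReview     = @($review | ForEach-Object { $_.Trustee.Name })
        Compliant       = $ok
    }
}

Test-LoopbackGpoPermission -GpoName 'Kiosk User Settings' -Mode Merge
```

A Merge-mode result with `ComputerCanRead` false is the case to look for when Authenticated Users has been removed from a GPO's security filtering without granting the computer accounts Read.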