Someone today on our GPTalk Group Policy Mailing List asked a simple question for which there is a fairly long, complicated answer: "Could you please explain Group Policy Loopback Processing? I’m finding this very difficult to understand."
One would think that this question should be easy to answer, but in fact, loopback processing confounds a lot of folks. I took some time to try and answer the question using examples, and so I figured it was worth re-posting here. Hopefully this helps others understand this powerful, yet often confusing feature of Group Policy:
It’s a complex topic for many (including me!) so I will try to attack it from a solution perspective. Essentially, loopback is designed to answer the following challenge: “How do I control user policy on a particular computer or set of computers such that, no matter who logs onto those computers, they always get the same user policy?” As you know, GP is processed by computers and users, and the policy that a computer or user gets is determined by where the computer and user account reside in AD, where the GPO is linked, and whether it’s filtered or not. Loopback is a special mode of GP processing that you set on a per-computer basis. When a computer has loopback enabled, any user that logs onto that computer can be given a set of per-user policies that is different from the ones they would normally receive by virtue of where their user account is.

The simplest example is a Terminal Server environment. A common configuration is to create an OU called “Terminal Servers”. In that OU, you place the computer accounts of your Terminal Server machines. Then, linked to that OU, you create a GPO called “TS Loopback Policy”. In that GPO, you enable loopback under Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy Loopback Processing Mode. When you enable the policy, you have two options: merge or replace. Merge says, “first apply the user’s normal user policies (as if they were logging onto their normal workstation), then apply the loopback user settings”. Replace says, “just apply the loopback user settings”. I generally tell people to choose “replace” mode unless you have a specific requirement for merging.
So, now that loopback is enabled, on that same TS GPO (assuming the simplest case) under User Configuration, you can set all of the loopback user settings that you want to apply to users logging into these TS boxes. When the user logs on, these user settings are applied instead of their “home” ones.
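The Terminal Server scenario above, scripted end to end as an added example (this is not code from the original post; it uses the GroupPolicy and ActiveDirectory PowerShell modules). The domain DN `DC=example,DC=com`, the computer name `TS01`, and the sample user setting (removing the Run command from the Start menu) are assumptions chosen for illustration. The loopback policy is backed by the `UserPolicyMode` registry value under `HKLM\Software\Policies\Microsoft\Windows\System`, where 1 is Merge and 2 is Replace.

```powershell
# Added example: build the "Terminal Servers" OU, the "TS Loopback Policy" GPO,
# enable loopback in Replace mode, and add one per-user setting to the same GPO.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=com'                         # assumption: your domain DN
$ouDn     = "OU=Terminal Servers,$domainDn"
$gpoName  = 'TS Loopback Policy'

# 1. The OU that holds only Terminal Server computer accounts.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDn
}

# 2. Move a Terminal Server computer account into it (TS01 is an assumed name).
$ts = Get-ADComputer -Identity 'TS01'
Move-ADObject -Identity $ts.DistinguishedName -TargetPath $ouDn

# 3. Create the GPO and link it to the OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes

# 4. Computer Configuration: "User Group Policy Loopback Processing Mode".
#    Value 2 = Replace (only the loopback user settings apply); 1 = Merge.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# 5. User Configuration in the same GPO: the settings every user on the TS box gets.
#    Example policy: remove the Run command from the Start menu (NoRun = 1).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1

# 6. Verification, run on TS01 after "gpupdate /force":
#    the computer-side loopback value should read 2, and "gpresult /r /scope:user"
#    should list "TS Loopback Policy" among the applied user GPOs for any account.
# Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -Name UserPolicyMode
```

Because loopback is a computer-side setting, step 4 is what changes user processing on `TS01`; step 5 could just as well live in a second GPO linked to the same OU, since the user settings of every GPO in the computer's scope are applied once loopback is on.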
Hope that helps!
Darren
Am I correct in thinking that once you set loopback in any GPO applied to a machine, all GPOs are processed in loopback mode, not just the GPO with the loopback option set?
Hi Darren, Aaron,
I have the exact same question: once it’s set on a computer, does that apply to each and every policy processed on that computer, or does it need to be set in every policy you want to be loopback processed?
Thanks!
It does not need to be set in every GPO that applies to the computer. It only needs to be set once, for a given group of machines.
Darren
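Since the loopback mode is set once per group of machines, it is worth being able to find which GPO in the domain carries it. The audit below is an added example and not code from the original post or its comments; it walks every GPO with the GroupPolicy module and reports the ones that define the `UserPolicyMode` value (the registry value behind the loopback policy). The function name is hypothetical.

```powershell
# Added example: list every GPO in the domain that configures loopback processing,
# with the mode it selects, so you can see which single GPO is switching it on.
Import-Module GroupPolicy

function Get-LoopbackGpo {
    $key = 'HKLM\Software\Policies\Microsoft\Windows\System'
    foreach ($gpo in Get-GPO -All) {
        # Get-GPRegistryValue errors when the value is absent; treat that as "not configured".
        $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $key `
                       -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
        if (-not $setting) { continue }

        $mode = switch ($setting.Value) {
            1       { 'Merge' }
            2       { 'Replace' }
            default { "Disabled ($($setting.Value))" }
        }

        [pscustomobject]@{
            GpoName      = $gpo.DisplayName
            Id           = $gpo.Id
            LoopbackMode = $mode
            # A GPO that sets loopback but is linked nowhere does nothing; show link status.
            Status       = $gpo.GpoStatus
        }
    }
}

Get-LoopbackGpo | Format-Table -AutoSize
```

If more than one GPO in a computer's scope sets `UserPolicyMode`, the usual precedence rules decide which value wins (it is a computer setting like any other), but only one value is needed for loopback to affect every user GPO applied to that machine.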
I also had a hard time with this concept when I started looking at Group Policy. I found that the biggest reason for initial confusion lies deeper, in the fact that there are no separate “User”-only and “Computer”-only type GPOs. (i.e. that would only show either one in the GPEditor GUI)
Of course this approach enables advanced functionality like loopback processing, as you later come to understand, but at the most basic level of GPO understanding it just looks initially that there isn’t any need to combine “Computer” and “User” settings in one and the same configuration item, since normally Users will not be combined with Computers in the same OUs.
Seeing the “computer” settings appear in the GUI in each and every GPO linked to User OUs, and likewise “User” settings in the GUI of each and every GPO linked to Computer OUs, while trying to understand that you should in principle consider them “non-existing” (in the basic scenarios), is just a perfect recipe for terminal confusion.
What also doesn’t help is the often-encountered sentence that “in case user and computer settings conflict, computer settings win”, which when you read it seems to indicate that even in “normal”, “non-loopback” processing, the “user” part of GPOs linked to computers will be processed alongside the “user” part of GPOs linked to users. Until you understand that the potential conflict refers to one between settings that appear in both the “computer” and “user” parts, which is far from obvious or visible…
It really requires some getting familiar with. 🙂
Thanks for the great explanation! I got confused by this as well. http://www.omnisecu.com/windows-2003/group-policy/group-policy-loop-back-processing.php basically this explanation is correct; other sources like reddit have made it worse for me.
Well explained!!