Just the other day I was talking to a customer about Group Policy loopback. If you’ll recall, loopback is that feature in Group Policy processing that allows you to override a user’s *normal* user policy settings when they log into specific machines–such as kiosks or Remote Desktop Services/Citix XenApp servers or VDI systems, where it’s mostly commonly used. When a Windows computer has been enabled for loopback–using the following policy found under Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy Loopback processing mode, you have the option to use either “Replace” or “Merge” loopback.
Just to review, the way loopback works is different, depending upon whether you choose Replace or Merge, as follows:
- Replace: When the user logs into a computer enabled for loopback, instead of getting the user policy settings they would normally by virtue of their user account’s location in AD, they get user settings in GPOs that apply to the computer object.
- Merge: When the user logs into a computer enabled for loopback, they first process their “normal” user settings for their user account, then they process any user settings in GPOs that apply to the computer object. If there are conflicts, then the computer-object-linked GPO user settings override the user’s normal settings, while logged into that computer.
Loopback is great for those scenarios I described above, when you have regular users occasionally logging into these specialized machines with their regular user accounts. However, occasionally in the past and in this recent customer discussion, I have encountered environments that have loopback enabled on ALL of their workstations. Now, when I first saw this, my initial reaction was, “Uh-oh”. Loopback processing can add complexity to a Group Policy if it’s not designed well, and making all of your workstations loopback-enabled can cause no end of issues if it’s not planned out.
The Downside of Loopback Everywhere
For example, imagine a GPO, linked at the domain level, that contains a logon script that all users in the domain run. Then imagine a user in the Marketing OU, logging into a loopback merge enabled VDI instance. When they log in, they will first process the user settings for their “normal” user location, which means they’ll run that domain-linked logon script. Then they will process the user settings that apply to the computer object, which also includes that domain-linked GPO with the same logon script. The result? The same logon script runs twice for the user! Now if all workstations in the domain are set to loopback merge mode, this happens every time the user logs on. If you multiply this time all the other settings that apply at the domain level, or any higher level in your AD hierarchy, then suddenly Group Policy processing times increase for no good reason.
Add to that the complexity of having to know which GPOs user settings are applying to a given computer, in addition to regular user settings, and you can quickly envision the mess that “Loopback Everywhere” can cause.
So what are the reasons why you might consider doing Loopback Everywhere?
When It Makes Sense
Well, one scenario where Loopback Everywhere makes sense, might be the following. What if you have an AD structure where all of your users are in a single, flat OU, and you can’t or won’t re-organize them? The normal way we distinguish per-user settings is by linking those GPOs to OUs that are specific to the user type (e.g. Marketing, Sales, Dev, etc.). If you don’t have the luxury of such granularity, then you are forced to rely on something like security group filtering on those GPOs linked to the single user OU. Not a great solution in many cases because accidental targeting becomes a real challenge. So, in those cases, if your workstations ARE segregated by business function, you could rely on Loopback to provide the user settings targeting by virtue of computer location in AD. Totally legitimate!
That said, for this kind of scenario, it still requires planning. Just deciding to turn on loopback everywhere, without thinking about where your existing user setting GPOs are linked is a recipe for disaster. So what I would say is that, while I no longer think its just a bad idea to do this, I think it does require proper planning, and care should be taken to ensure that you know what you’re getting into. Loopback DOES increase the complexity of delivering user settings, so as you go in eyes-wide-open to that, it’s all good!
Darren
Hello Darren,
Your words are ringing true to me about using loopback for a complex flat environments and we admins need strategies to assist us for targeting and keeping things simple.
I have just gone through implementing such a structure using the REPLACE option in a workstation refresh from WinXP to Win7. Because ALL the users for the entire company are in a flat OU and previous administrations have put GPOs in that users OU setup for multiple reasons. To design, test, and implement a clean Win7 solution with GPOs was very difficult to plan without changing the entire company structure.
Using the loopback replace scenario I was able to make a clean container for the Win7 environment whilst not having to audit, measure all the old GPOs that were against the users OU for the older workstations and other server environments.
This has given me a very successful outcome. Now I am now in the process for finalising the documentation for the continue support of this structure for it moving forward.
The only downside I have found is that the current AD support administrators initially are afraid of loopback and just don’t have a full understanding due to their lack experience or exposure. In my case I am needing to ensure my support documentation I am writing and possibly a pizza with the guys will cover this off.
Thanks for the great topic.
Barry.
Thanks for that story Barry. Good to hear that this approach is working for you!
Darren
Hi there,
thx for making this perspective more popular.
Loopback-replace is the simplest way to divide your IT into several GPO Worlds without coexistence probs. Therefore I’m using that at every outsourcing project.
Wolfgang