Someone today on our GPTalk Group Policy Mailing List asked a simple question for which there is a fairly long, complicated answer, "Could you please explain Group Policy Loopback Processing ? I’m finding this very difficult to understand"
One would think that this question should be easy to answer, but in fact, loopback processing confounds a lot of folks. I took some time to try and answer the question using examples, and so I figured it was worth re-posting here. Hopefully this helps others understand this powerful, yet often confusing feature of Group Policy:
Its a complex topic for many (including me!) so I will try to attack it from a solution perspective. Essentially loopback is designed to help answer the following challenge, “How do I control user policy on a particular computer or set of computers such that, no matter who logs onto those computers, they always get the same user policy?”. As you know, GP is processed by computers and users and the policy that a computer or user gets is determined by where the computer and user account resides in AD, where the GPO is linked, and whether its filtered or not. Loopback is a special mode of GP processing that you set on a per-computer basis. When a computer has loopback enabled, any user that logs onto that computer can be given a set of per-user policies that is different than the ones they would normally receive by virtue of where their user account is. The simplest example is a Terminal Server environment. A common configuration is to create an OU called “Terminal Servers”. In that OU, you place computer accounts that are your Terminal Server machines. Now, linked to that OU, you create a GPO called “TS Loopback Policy”. In that GPO, you enable loopback under Computer ConfigurationAdministrative TemplatesSystemGroup PolicyUser Group Policy Loopback Processing Mode. When you enable the policy, you have two options—merge or replace. Merge says, “first apply the user’s normal user policies (as if they were logging into their normal workstation) then apply the loopback user settings”. Replace says, “Just apply the loopback user settings”. I generally tell people to choose “replace” mode unless you have a specific requirement for merging.
So, now that loopback is enabled, on that same TS GPO (assuming the simplest case) under User Configuration, you can set all of the loopback user settings that you want to apply to users logging into these TS boxes. When the user logs on, these user settings are applied instead of their “home” ones.
Hope that helps!