Sunday, 26 July 2009

Loopback processing of Group Policy, explained.

Hi guys,

Today I want to write a few words about Loopback processing of Group Policy. When you deal with this setting for the first time it may be a little bit confusing. You can find explanations of this policy setting on the internet, but in my case I will try to explain everything in simple words.

As we know group policy has two main configurations, user and computer. Accordingly, the computer policy is applied to the computer despite of the logged user and the user configuration is applied to the user despite of the computer he is logged on.
For example we have a Domain, this Domain has two different organizational units (OU) Green and Red, Green OU contains a Computer account and Red OU contains User account. The Green policy, which has settings “Computer Configuration 2” and “User Configuration 2” is applied to the OU with the computer account. The Red policy, which has settings “Computer Configuration 1” and “User Configuration 1”, is applied to the OU with the User account. If you have a look at the picture below it will become clearer.




















If Loopback processing of Group Policy is not enabled and our User logs on to our Computer, the following is true:


















As we can see from the picture, the User gets Computer Configuration 2 and User Configuration 1. This is absolutely standard situation, where policies are applied according to the belonging to the OU. User belongs to the Red OU, he gets the Red User configuration 1 accordingly.

Now let’s enable the Loopback processing of Group Policy for the Green OU. In this case if the User logs on to the Computer, the policies applied in the following way:


















As we can see, now the User is getting User Configuration 2 despite of the fact that he belongs to the Red OU. So, what has happened in this scenario, the User Configuration 1 was replaced with the User Configuration 2, i.e. with the configuration applied to the Computer account.

As you have probably noticed, the picture above says “Loopback in replace mode”. I have to mention that the Loopback processing of Group Policy has two different modes, Replace and Merge. It is obvious that Replace mode replaces User Configuration with the one applied to the Computer, whereas Merge mode merges two User Configurations.





















In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege. For example in our scenario, in case of the conflict the User Configuration 2 would be enforced.

In the real work environment Loopback processing of Group Policy is usually used on Terminal Servers. For example you have users with enabled folder redirection settings, but you do not want these folder redirection to work when the users log on to the Terminal Server, in this case we enable Loopback processing of Group Policy in the Policy linked to the Terminal Server’s Computer account and do not enable the folder redirection settings. In this case, once the User logged on to the Terminal Server his folder redirection policy will not be applied.

To enable Loopback Processing navigate to: Computer Configuration/Administrative Templates/System/Group Policy/Configure user Group Policy loopback processing mode

If you liked the post, please feel free to click on a few Ads on this page ;-)

Thank you!

Kudrat

171 comments:

  1. First time i am understanding this! You've a great teacher!...Thanks alot.

    ReplyDelete
  2. Perfect -- i now fully understand.. thank you very much

    ReplyDelete
  3. I have an issue where I have users on a domain but also have a terminal server Icon on the desktop. I want lock down polices on the terminal server session but not on the local machines. Is loopback the answerer here?

    ReplyDelete
  4. Hi,
    Mostly Loopback Processing is used for the Terminal Services Servers, in order to set policies User Configuration policies different from the normal environment. In your situation it really depends on what exactly you want to achieve. If by "lock down polices" you mean set different folder redirections or anything else related to the user configuration, then the answer is YES, loopback processing is what you need. But if you want to do something else, then, as I said, it really depends on the task.

    If you will have more questions about Terminal Services, please feel free to post your question here:

    http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads

    Me and other IT professionals will be happy to help.

    ReplyDelete
  5. Thanks very much, really appreciate your help

    ReplyDelete
  6. Excellent example.. at last I get it.. many thanks

    ReplyDelete
  7. Amazing explanation.......

    ReplyDelete
  8. Hi Kudrat

    Once again thank you for the simple way you have explained this.

    I am puzzled by 'if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege.'

    I have a loopback 'merge' policy on the terminal server OU, where 'Hide Internet Explorer icon on desktop' is Not configured. I also have a policy on the users OU with 'Hide Internet Explorer icon on desktop' set to enabled.

    BUT when I log on as a user from that OU, Internet explorer icon is not hidden!

    Any ideas?

    Simon

    ReplyDelete
  9. Hi Simon,

    Thanks for your comment.
    Could you please try to set "Hide Internet Explorer icon on desktop" setting in the Terminal Services GPO to Disabled and see if it will resolve the problem.

    If you will have questions, could you please post them to this forum:


    http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads
    Thanks,

    Kudrat

    ReplyDelete
  10. Is there any way to get 'Computer Configuration 1' to apply to the Green OU?

    I have a Computer Policy that I do not want to apply to a specific group of users.

    ReplyDelete
  11. Hi,

    Computer configuration is applied to the computers. Any user logged to that computer will be subject to that policy. Maybe in your case there is different possible solution. Can you post your configuration and task to this forum?

    http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads

    There we can try to help you with the solution.

    Thanks,

    ReplyDelete
  12. This is by far the best example I've read so far. Right now I'm preparing for my 70-294 and this topic has been haunting me. I keep getting it wrong my practice exams!

    But hopefully not anymore!

    ReplyDelete
  13. Thank you!
    And good luck with your 70-294

    ReplyDelete
  14. From Brazil.

    Excelent tutorial ! Thanks !

    ReplyDelete
  15. that is very helpful thank you

    ReplyDelete
  16. I am glad it has helped.
    Thank you.

    ReplyDelete
  17. At last. I have a AD exam coming up and GP Loopback processing was really making my head hurt - I couldn't get the concept sorted out. Your explanation clicked after one read.

    Thanks a lot - top work.

    ReplyDelete
  18. Thanks very much, and good luck with your exam!

    ReplyDelete
  19. Hi, I have question, In the above given example you explained that how loop back processing works, But I want to know the name of GPO where we should enable loop back setting. Or we can create a separate GPO on computer OU and enable Loop Back setting. and if yes then will this GPO filter out all the user settings inherited from the parent GPOs?

    ReplyDelete
  20. Hi Neeraj,

    About the place to enable the policy take a look at this article: http://support.microsoft.com/kb/231287

    I would not recommend to set Loopback Processing on the default Computers OU. If you need to enable this policy for some computers, it would be a good idea to separate them in a different OU, it does not have to be under Computers OU.

    Also keep in mind that Computers OU contains computer objects and if the GPO linked to the Computers OU has any User settings they will not take effect on the logged in user unless you have Loopback Processing enabled.

    If you will have more questions about the Group Policy, please feel free to ask them in this forum: http://social.technet.microsoft.com/Forums/en/winserverGP/threads

    ReplyDelete
  21. hey man... perfect! can i translate this post and put in my blog, giving the credits for you?

    perg@tech4it.com.br
    http://blog.tech4it.com.br

    JMB

    ReplyDelete
  22. Hi,

    Yes sure, if it helps other people I am always happy to help.

    Thanks,

    ReplyDelete
  23. I read many articles and never understood it clearly until i read this article. Thnks alot!
    Bastiaan

    ReplyDelete
  24. brilliantly explained

    ReplyDelete
  25. Great and very helpful Explanation!

    ReplyDelete
  26. dall'Italia... Grazie davvero! Esempio chiarissimo! Thanks! Michele CMV

    ReplyDelete
  27. Hi Kudrat,
    I am facing a situation where I need to disable the shutdown option for a group of people. Unfortunately I am dealing with 70 plus servers and some of these users have local admin access on the servers.
    How would I tackle this issue?? Any help is much appreciated.

    ReplyDelete
  28. Hi,

    Thanks for your question. It is a bit inconvenient to discuss it here, so if you could publish your question on this forum would be good:

    http://social.technet.microsoft.com/Forums/hu-
    HU/winserverTS/threads

    Thanks,

    ReplyDelete
  29. How nicely explained. Even a layman can understand this. Thankyou

    ReplyDelete
  30. hi, that's a clear explanation. Thanks a lot.

    ReplyDelete
  31. Thanks Kundrat to take the time to explain this without taking anything in return.

    TaD

    ReplyDelete
  32. Nice.
    Thank you.

    ReplyDelete
  33. Hi Kudrat

    This is very good explanation and easy to understand. Thanks....

    ReplyDelete
  34. Very Simple Thanks

    ReplyDelete
  35. If only knowledge base articles were this clear and to the point. Excellent Job Kudrat!

    The only thing you should add is where to find the loopback processing option, and the fact that it is enabled individually per GPO.

    It's found in EACH GPO under: Computer Configuration, Policies, Administrative Templates, System, Group Policy,"User Group Policy loopback processing mode"


    Bravo!

    ReplyDelete
  36. Very good explanation! Made everything clear for me! thanks!

    ReplyDelete
  37. this is the first time i have ever understood this!! thank you!! you have saved my brain :)

    ReplyDelete
  38. Thanks a lot!!!! First time I understood........

    ReplyDelete
  39. A very good explanation...Kudos !!

    ReplyDelete
  40. Even 3 years after your original post... You continue help someone to understand the loopback processing. Thank you for your help.

    ReplyDelete
  41. Wow.. Loved to read these red and green codes. After 3-4 years I got clear concept.

    ReplyDelete
  42. Thank you for making this clear :)

    ReplyDelete
  43. Nicely explained.. Great

    ReplyDelete
  44. nice one dude!! i was totolly confused with this one.!! thanks.. :))

    ReplyDelete
  45. This is like someone has just switched the light on! I knew Loopback Processing existed (and I still think the title of it sucks!) but I couldn't quite grasp what it was all about.

    Now I really think I get it! It's a Eureka moment!! And it will help achieve what I may need it to (depending on a business decision that needs to be made).

    Thank you, Kudrat.

    JJ

    ReplyDelete
  46. Thanks a lot, greate explanation.

    ReplyDelete
  47. one of the best documents I read in a long time. Thank you

    ReplyDelete
  48. I truly thank you for this article!!! You've helped us setup TS policies in our environment as everywhere else on the net, it was very confusing.

    ReplyDelete
  49. Thank you Kudrat, you are GEM!!

    ReplyDelete
  50. Atlast I understood it now. Thanks a lot brother. This page should appear first when we google "Loop Back Policy"

    Thomas C

    ReplyDelete
  51. Great Explanation

    ReplyDelete
  52. Firt time its clear to me...really excellent explanation!

    ReplyDelete
  53. Thanks a lot.
    It helps me a lot in understanding, very good!!

    ReplyDelete
  54. For years I have tried to grasp the complex explanations of this from AD manuals and online forums. They never made sense. This one is simple and perfectly explained. Thanks!

    ReplyDelete
  55. I really appreciate your help. The article helped me to understand what it is for and how it work.
    Thank you very much for that.

    ReplyDelete
  56. Thanks a lot for this explanation. All this loopback business now makes sense :)
    Keep up the good work!

    ReplyDelete
  57. great, very easy to understand

    ReplyDelete
  58. Trank you very much. Best explanation i was googling for.
    You should be a teacher bro!

    ReplyDelete
  59. Well done I like ur style of explanation...

    ReplyDelete
  60. Awsome explanation... Thanks for writing!

    ReplyDelete
  61. First time I am understanding this. Thanks

    ReplyDelete
  62. thanks ....... the first time i fully understand it ...need more for other feature ...waiting you

    ReplyDelete
  63. Great Article, well written and easy to understand what potentially is a very confusing setting.

    ReplyDelete
  64. Great and thanks for such clear explanation...

    ReplyDelete
  65. and there's the light bulb.

    ReplyDelete
  66. simply put and understandable.

    Thanks.

    ReplyDelete
  67. Great job, clear and precise.

    TY

    ReplyDelete
  68. Great explanation.

    ReplyDelete
  69. Thank you buddy, you are gonna help he get through this exam.

    ReplyDelete
  70. Great Example with description...

    ReplyDelete
  71. Good Job. Nice Explanation

    ReplyDelete
  72. I want to add my name to this long list. Thank you very much! I have struggle with this for about a month and a half.

    ReplyDelete
  73. Thanks guys,

    I am glad that four years after publishing this article is still helping people.

    ReplyDelete
  74. Very good way to explain. crystal clear .

    ReplyDelete
  75. I wish Microsoft could explain things so simply !

    ReplyDelete
  76. Superb Teaching keep it up....

    ReplyDelete
  77. I was working for several years with GPOs, but never fully understand Loopback...until reading your Article, thanks a lot!

    ReplyDelete
  78. Perfect article if you add how you turn it on as stated in a previous comment.

    Keep up the good work ;-), you have helped a lot by clarifying this subject.

    ReplyDelete
  79. Thanks again. Microsoft should hire you to write their articles!

    ReplyDelete
  80. I could not fully understand what the loopback processing is , despite of being MCITP certified . After reading your post the loopback processing idea is absolutely clear to me . thanks a lot ! You definitely have talent of explaining things ..............

    ReplyDelete
  81. Very nice. Nicely done. Easily understood.

    ReplyDelete
  82. Excellent Job. Very easy to understand.

    ReplyDelete
  83. You are the one who should be a teacher. Thats the best explanation.

    Thanks you

    ReplyDelete
  84. Pretty! This has been an incredibly wonderful article.
    Many thanks for providing this information.

    Feel free to visit my blog :: web page

    ReplyDelete
  85. Great Article....thanks a lot for explaining in simple terms....

    ReplyDelete
  86. Great explanation... Thank you very much!

    ReplyDelete
  87. Thnx a clear explanation!

    ReplyDelete
  88. Finally understood thanks!

    ReplyDelete
  89. Pretty! This has been an extremely wonderful article.
    Thanks for providing this info.

    My homepage :: pop over to these guys

    ReplyDelete
  90. Many thanks Kudrat. Fantastic explanation.

    ReplyDelete
  91. Thanks Kudrat, this really helped me to understand! I have one more question: I want to apply a user-policy to specific computers, but I don't want to put this computers in a separate OU. I prefer doing it by group membership. I don't get this work... Has anyone a suggestion?

    ReplyDelete
  92. Hi, You could try filtering the GPO: http://kudratsapaev.blogspot.co.uk/2010/02/filterin-group-policy-from-applying.html
    You can filter using Computer Objects as well.

    ReplyDelete
  93. Finally a very clear explanation....

    ReplyDelete
  94. best explanation on loopback processing

    ReplyDelete
  95. That's awesome. Thanks Kudrat

    ReplyDelete
  96. Kudrat, this is very helpful! Thanks for taking the time out to make this easy to understand.

    ReplyDelete
  97. Struggled with this before. This post save me from unnecessary troubleshooting

    ReplyDelete
  98. Really excellent article......understood completely before coming to the last point......Thanks Pro

    ReplyDelete
  99. WOW...what an explanation.....keep up the good work for others.

    ReplyDelete
  100. Fantastic explanation! Thanks a million!

    ReplyDelete
  101. very good explanation. simple and to the point!~

    ReplyDelete
  102. good ...!! I clicked on ads too .......!

    ReplyDelete
  103. Thank You Very Much Dude.................

    Arunabha

    ReplyDelete
  104. Thanks. you really explained that well.

    ReplyDelete
  105. First time i am understanding it.. Thanks Sir!

    ReplyDelete
  106. Excellent.. right in the bullseye...

    ReplyDelete
  107. Excellent. I have never ever read this concept so easily despite having read the same concept from other source so many times at the time of need. I THINK NOW THIS IS THE LAST TIME I GOOGLE FOR LOOPBACK PROCESSING. :-)
    Thanks

    ReplyDelete
  108. very gud buddy, very easy to understand, well explained, laymans' explanation, keep posting such articles , cheers

    ReplyDelete
  109. Six years later, still a gem. Thanks for the refresher.

    ReplyDelete
  110. Awesome! I have been struggling with this very same situation for two weeks now. This is EXACTLY what I was looking for and this article explained it very simply
    Thanks a million!
    by the way, I did click on the ads in this page :)

    ReplyDelete
  111. Oh my Gosh! This has been causing me many a sleepless night! PERFECT............ thanks for bringing this up!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    ReplyDelete
  112. Its really useful for me.... Eagerly waiting for your next Tech articles......... :)
    Thanks man....!!!

    ReplyDelete
  113. Good Article....Very clear with Diagrams to help understand

    ReplyDelete
  114. thank you for the excellent explanation - i didnt understand the explanation in the microsoft course manual but i had no problem understanding your explanation.

    ReplyDelete
  115. Nice one man. Great job !!!

    ReplyDelete
  116. Thank you! that was much easier to understand. compared to other explanations...

    ReplyDelete
  117. This is excellent, Kudrat! And I tried to click on what I believe is every ad :)

    ReplyDelete
  118. Best example ever! Thank you.

    Fil.

    ReplyDelete
  119. Well explained.. Thansk

    ReplyDelete
  120. First time, a common bug clears my mind.Millions of Thanks for this article. you have to put on web from time to time as the time changes. It's a best example forever.

    ReplyDelete
  121. Awesome... Very easy to understand. :)

    ReplyDelete
  122. You are awesome.. that's all i can say.so neatly explained.
    thanks a lot.

    ReplyDelete
  123. This is brilliant. Thanks a lot!
    Ash

    ReplyDelete
  124. You are just awwweeeesome..!!!

    ReplyDelete
  125. Thanks mate, awesome explanation, much appreciated

    ReplyDelete
  126. In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege. For example in our scenario, in case of the conflict the User Configuration 2 would be enforced.

    Can you pls elaborate it, (how user configuration 2 is a computer's policy)

    ReplyDelete
    Replies
    1. Hi, I can see how this could be confusing. So let me elaborate :-) What I meant is, if there is a conflict, the User Settings in the Computer's policy (i.e. the Green policy linked to the OU which contains the Computer account) will take precedence. I hope this makes it clearer.

      Delete
  127. HEllo
    Thank you for your Explanation on Loopback Policy. i am getting ready for a MCSA exam and i was struggling to understand the functioning of LooPbak.
    Thank you Thank you Thank you

    Regards

    ReplyDelete
  128. This is a very simple, concise and very effective explanation of loopback processing. thank you very much. textbooks are so confusing on this topic.
    thanks again. I will click a few ads. :)

    ReplyDelete
  129. I am a newbie....and this explains the Loopback Policy the best of all I've found on Mr. Google.

    ReplyDelete
  130. Thank you for keeping this page up. This is why we all love the internet. For being able to find kind and intelligent people that help explain stuff for others.

    ReplyDelete
  131. Greetings from 2018, This was very helpful. Thanks for keeping this up.

    ReplyDelete
  132. Very interesting read. Nicely explained. Thank you.

    ReplyDelete

3