Hi guys,
Today I want to write a few words about loopback processing of Group Policy. When you deal with this setting for the first time it can be a bit confusing. You can find explanations of this policy setting on the internet, but here I will try to explain everything in simple words.
As we know, Group Policy has two main configurations: Computer Configuration and User Configuration. The computer configuration is applied to the computer regardless of which user logs on, and the user configuration is applied to the user regardless of which computer he logs on to.
For example, we have a domain with two organizational units (OUs), Green and Red. The Green OU contains a computer account and the Red OU contains a user account. The Green policy, which has the settings “Computer Configuration 2” and “User Configuration 2”, is linked to the OU with the computer account. The Red policy, which has the settings “Computer Configuration 1” and “User Configuration 1”, is linked to the OU with the user account. If you have a look at the picture below it will become clearer.

If loopback processing of Group Policy is not enabled and our user logs on to our computer, the following is true:

As we can see from the picture, the user gets Computer Configuration 2 and User Configuration 1. This is the standard situation, where policies are applied according to the OU each object belongs to: the user belongs to the Red OU, so he gets User Configuration 1 from the Red policy. User Configuration 2 is ignored, because the Green policy is linked to an OU that contains only the computer account, and user settings are normally taken from the policies that apply to the user object.
Now let’s enable loopback processing of Group Policy in the Green policy. The setting lives in the Computer Configuration, so it is a property of the computer, not of the user. In this case, if the user logs on to the computer, the policies are applied in the following way:

As we can see, now the user gets User Configuration 2 despite the fact that he belongs to the Red OU. So, what has happened in this scenario: User Configuration 1 was replaced with User Configuration 2, i.e. with the user configuration of the policy applied to the computer account.
As you have probably noticed, the picture above says “Loopback in replace mode”. I have to mention that loopback processing of Group Policy has two different modes, Replace and Merge. Replace mode discards the user’s own user configuration and applies only the user configuration of the policies that apply to the computer, whereas Merge mode applies both: first the user’s own user configuration (User Configuration 1), then the user configuration of the policies that apply to the computer (User Configuration 2).

In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege, because it is processed last and so its value wins. In our scenario, in case of a conflict User Configuration 2 would be enforced. A setting that is Not configured in the computer’s policy is not a conflict: it leaves the value from User Configuration 1 in effect.
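To make the three cases concrete, here is a small PowerShell model of how the user’s resultant settings are built under no loopback, Merge and Replace. It is an added example, not part of the original post and not code from any Microsoft tool; the GPO names, the setting names and their values are constructed for illustration, and it models only the two GPOs in the picture (the usual local, site, domain, OU precedence inside each list is not modelled). It also shows what happens in Merge mode to a setting that is Not configured on the computer side.

```powershell
# Added example (not from the original post): a model of the loopback modes.
# The two GPOs below are constructed to match the picture. A value of $null
# stands for "Not configured".
$RedGpo = @{
    Name = 'Red (linked to the user OU)'
    User = @{ HideIEIcon = 'Enabled'; FolderRedirection = 'Enabled' }
}
$GreenGpo = @{
    Name = 'Green (linked to the computer OU)'
    User = @{ HideIEIcon = $null; FolderRedirection = 'Disabled'; DriveMapping = 'Enabled' }
}

function Get-EffectiveUserSettings {
    param(
        [Parameter(Mandatory)][hashtable[]]$UserOuGpos,      # GPOs that apply to the user object
        [Parameter(Mandatory)][hashtable[]]$ComputerOuGpos,  # GPOs that apply to the computer object
        [ValidateSet('None', 'Merge', 'Replace')][string]$LoopbackMode = 'None'
    )
    # Loopback decides WHICH GPO lists supply the user configuration and in what
    # order. Later entries win on conflict, so in Merge mode the computer's list is
    # appended after the user's and therefore takes precedence.
    $order = switch ($LoopbackMode) {
        'None'    { $UserOuGpos }
        'Replace' { $ComputerOuGpos }
        'Merge'   { @($UserOuGpos) + @($ComputerOuGpos) }
    }

    $effective = [ordered]@{}
    foreach ($gpo in $order) {
        foreach ($setting in $gpo.User.Keys) {
            # "Not configured" is transparent: it neither sets nor clears a value,
            # so whatever an earlier GPO wrote stays in effect.
            if ($null -ne $gpo.User[$setting]) {
                $effective[$setting] = $gpo.User[$setting]
            }
        }
    }
    return $effective
}

foreach ($mode in 'None', 'Merge', 'Replace') {
    $r = Get-EffectiveUserSettings -UserOuGpos $RedGpo -ComputerOuGpos $GreenGpo -LoopbackMode $mode
    '{0,-8} HideIEIcon={1,-9} FolderRedirection={2,-9} DriveMapping={3}' -f `
        $mode, $r['HideIEIcon'], $r['FolderRedirection'], $r['DriveMapping']
}
```

Two things the rows show: in Merge mode the user keeps HideIEIcon=Enabled from the Red policy because the Green policy leaves it Not configured, while FolderRedirection flips to Disabled because the Green policy does configure it; in Replace mode the Red policy plays no part at all, so HideIEIcon is simply absent.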
In a real working environment, loopback processing of Group Policy is usually used on Terminal Servers. For example, you have users with folder redirection settings enabled, but you do not want folder redirection to work when these users log on to the Terminal Server. In this case we enable loopback processing of Group Policy, in Replace mode, in the policy linked to the OU with the Terminal Server’s computer account, and we do not enable the folder redirection settings in that policy. Once the user logs on to the Terminal Server, his folder redirection policy will not be applied. Keep in mind that in Replace mode none of the user’s own user configuration reaches the Terminal Server, so any restrictions you still need there have to be configured in the Terminal Server’s policy as well.
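The configuration step described above, as an added PowerShell example that is not part of the original post. It assumes the RSAT GroupPolicy module, a session with rights to edit the GPO, and a GPO named “Terminal Server Policy” (an assumed name) that is linked to the OU holding the Terminal Server’s computer account; the function name Set-GpoLoopbackMode is mine, the cmdlets are the standard GroupPolicy module ones.

```powershell
# Added example (not from the original post). Requires the RSAT GroupPolicy module.
Import-Module GroupPolicy

function Set-GpoLoopbackMode {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][ValidateSet('Merge', 'Replace')][string]$Mode
    )
    # Registry location behind the GUI setting "Configure user Group Policy loopback
    # processing mode" (Computer Configuration > Policies > Administrative Templates >
    # System > Group Policy). 1 = Merge, 2 = Replace.
    $key   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
    $value = @{ Merge = 1; Replace = 2 }[$Mode]

    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode' `
        -Type DWord -Value $value | Out-Null

    # Read it back from the GPO instead of trusting that the call succeeded.
    $written = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode'
    if ($written.Value -ne $value) {
        throw "UserPolicyMode in '$GpoName' is $($written.Value), expected $value"
    }

    # Since MS16-072 (June 2016) user policy is retrieved in the computer's security
    # context, so the computer account must be able to read every GPO that supplies
    # user settings. Removing Read from Authenticated Users while security-filtering
    # a GPO to a user group is the usual way to break loopback silently.
    $perm = Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -ErrorAction SilentlyContinue
    if (-not $perm -or $perm.Permission -eq 'None') {
        Write-Warning "'$GpoName': Authenticated Users cannot read this GPO; the computer will not apply it"
    }
    return $written
}

# Assumed GPO name; it must be linked to the OU that holds the Terminal Server's
# computer account, not to the OU that holds the users.
Set-GpoLoopbackMode -GpoName 'Terminal Server Policy' -Mode Replace

# On the Terminal Server itself, after "gpupdate /force", confirm the mode that
# actually arrived and which GPOs supplied the user part of the logon:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name UserPolicyMode
#   gpresult /scope:user /r
```

Replace is the mode for the folder redirection case: in Merge mode the user’s own GPOs are still applied first, and only the settings the Terminal Server GPO explicitly configures can override them, so simply leaving folder redirection unconfigured there would not be enough. The flip side of Replace is that nothing from the user’s own GPOs reaches the Terminal Server, so any lockdown you rely on has to be configured again in the Terminal Server GPO.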
If you have any questions, feel free to ask me.
Thank you!
Kudrat
First time I am understanding this! You're a great teacher!... Thanks a lot.
I am glad it has helped you :-)
Perfect -- I now fully understand.. thank you very much
You are very welcome :-)
I have an issue where I have users on a domain but also have a terminal server icon on the desktop. I want lockdown policies on the terminal server session but not on the local machines. Is loopback the answer here?
Hi,
Mostly loopback processing is used for Terminal Services servers, in order to set User Configuration policies different from the normal environment. In your situation it really depends on what exactly you want to achieve. If by "lockdown policies" you mean setting different folder redirections or anything else related to the user configuration, then the answer is YES, loopback processing is what you need. But if you want to do something else, then, as I said, it really depends on the task.
If you have more questions about Terminal Services, please feel free to post them here:
http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads
Other IT professionals and I will be happy to help.
Thanks very much, really appreciate your help
Not at all :-)
Excellent example.. at last I get it.. many thanks
Thank you for your feedback!
Amazing explanation.......
Thank you :-)
Hi Kudrat
Once again thank you for the simple way you have explained this.
I am puzzled by 'if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege.'
I have a loopback 'merge' policy on the terminal server OU, where 'Hide Internet Explorer icon on desktop' is Not configured. I also have a policy on the users OU with 'Hide Internet Explorer icon on desktop' set to Enabled.
BUT when I log on as a user from that OU, the Internet Explorer icon is not hidden!
Any ideas?
Simon
Hi Simon,
Thanks for your comment.
Could you please try setting the "Hide Internet Explorer icon on desktop" setting in the Terminal Services GPO to Disabled and see if it resolves the problem.
If you have questions, could you please post them to this forum:
http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads
Thanks,
Kudrat
thanks
Is there any way to get 'Computer Configuration 1' to apply to the Green OU?
I have a Computer Policy that I do not want to apply to a specific group of users.
Hi,
Computer configuration is applied to the computers. Any user logged on to that computer will be subject to that policy. Maybe in your case there is a different possible solution. Can you post your configuration and task to this forum?
http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads
There we can try to help you with the solution.
Thanks,
This is by far the best example I've read so far. Right now I'm preparing for my 70-294 and this topic has been haunting me. I keep getting it wrong in my practice exams!
But hopefully not anymore!
Thank you!
And good luck with your 70-294
From Brazil.
Excellent tutorial! Thanks!
Thank you! :-)
That is very helpful, thank you
I am glad it has helped.
Thank you.
At last. I have an AD exam coming up and GP loopback processing was really making my head hurt - I couldn't get the concept sorted out. Your explanation clicked after one read.
Thanks a lot - top work.
Thanks very much, and good luck with your exam!
Hi, I have a question. In the above example you explained how loopback processing works, but I want to know the name of the GPO where we should enable the loopback setting. Or can we create a separate GPO on the computer OU and enable the loopback setting? And if yes, then will this GPO filter out all the user settings inherited from the parent GPOs?
Hi Neeraj,
About the place to enable the policy, take a look at this article: http://support.microsoft.com/kb/231287
I would not recommend setting Loopback Processing on the default Computers OU. If you need to enable this policy for some computers, it would be a good idea to separate them into a different OU; it does not have to be under the Computers OU.
Also keep in mind that the Computers OU contains computer objects, and if the GPO linked to the Computers OU has any User settings, they will not take effect on the logged-in user unless you have Loopback Processing enabled.
If you have more questions about Group Policy, please feel free to ask them in this forum: http://social.technet.microsoft.com/Forums/en/winserverGP/threads
Hey man... perfect! Can I translate this post and put it on my blog, giving the credits to you?
perg@tech4it.com.br
http://blog.tech4it.com.br
JMB
Hi,
Yes, sure, if it helps other people I am always happy to help.
Thanks,
I read many articles and never understood it clearly until I read this article. Thanks a lot!
Bastiaan
Thanks Bastiaan
Brilliantly explained
Thanks
Great and very helpful explanation!
Thanks!
From Italy... Thank you very much! A very clear example! Thanks! Michele CMV
Thanks :-)
Hi Kudrat,
I am facing a situation where I need to disable the shutdown option for a group of people. Unfortunately I am dealing with 70-plus servers and some of these users have local admin access on the servers.
How would I tackle this issue?? Any help is much appreciated.
Hi,
Thanks for your question. It is a bit inconvenient to discuss it here, so it would be good if you could publish your question on this forum:
http://social.technet.microsoft.com/Forums/hu-HU/winserverTS/threads
Thanks,
How nicely explained. Even a layman can understand this. Thank you
Thanks
Hi, that's a clear explanation. Thanks a lot.
Thanks Kudrat for taking the time to explain this without taking anything in return.
TaD
Not at all, glad it has helped.
THANKS !!
Hi Kudrat
This is a very good explanation and easy to understand. Thanks....
Very simple. Thanks
Cheers!!
If only knowledge base articles were this clear and to the point. Excellent job Kudrat!
The only thing you should add is where to find the loopback processing option, and the fact that it is enabled individually per GPO.
It's found in EACH GPO under: Computer Configuration, Policies, Administrative Templates, System, Group Policy, "User Group Policy loopback processing mode"
Bravo!
Very good explanation! Made everything clear for me! Thanks!
This is the first time I have ever understood this!! Thank you!! You have saved my brain :)
Thanks a lot!!!! First time I understood........
Thanks guys, glad it helped you.