Hi guys,
Today I want to write a few words about Loopback processing of Group Policy. When you deal with this setting for the first time, it may be a little confusing. You can find explanations of this policy setting on the internet, but here I will try to explain everything in simple words.
As we know, Group Policy has two main configurations: user and computer. Accordingly, the computer configuration is applied to the computer regardless of which user is logged on, and the user configuration is applied to the user regardless of which computer he is logged on to.
For example, we have a Domain with two different organizational units (OUs), Green and Red. The Green OU contains a Computer account and the Red OU contains a User account. The Green policy, which has the settings “Computer Configuration 2” and “User Configuration 2”, is applied to the OU with the Computer account. The Red policy, which has the settings “Computer Configuration 1” and “User Configuration 1”, is applied to the OU with the User account. If you have a look at the picture below it will become clearer.
If Loopback processing of Group Policy is not enabled and our User logs on to our Computer, the following is true:
As we can see from the picture, the User gets Computer Configuration 2 and User Configuration 1. This is the absolutely standard situation, where policies are applied according to OU membership. The User belongs to the Red OU, so he gets the Red User Configuration 1 accordingly.
Now let’s enable Loopback processing of Group Policy for the Green OU. In this case, if the User logs on to the Computer, the policies are applied in the following way:
As we can see, the User now gets User Configuration 2 despite the fact that he belongs to the Red OU. What has happened in this scenario is that User Configuration 1 was replaced with User Configuration 2, i.e. with the configuration applied to the Computer account.
As you have probably noticed, the picture above says “Loopback in replace mode”. I have to mention that Loopback processing of Group Policy has two different modes, Replace and Merge. It is obvious that Replace mode replaces the User Configuration with the one applied to the Computer, whereas Merge mode merges the two User Configurations.
In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege, i.e. it takes precedence. For example, in our scenario, in case of a conflict User Configuration 2 would be enforced.
In a real work environment, Loopback processing of Group Policy is usually used on Terminal Servers. For example, you have users with folder redirection settings enabled, but you do not want this folder redirection to work when the users log on to the Terminal Server. In this case we enable Loopback processing of Group Policy in the policy linked to the Terminal Server’s Computer account and do not enable the folder redirection settings there. Then, once the User logs on to the Terminal Server, his folder redirection policy will not be applied.
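The three cases described above (no loopback, Replace, Merge) can be modelled in a few lines. This is an added example, not part of the original post and not Microsoft's implementation; it is a simplified model of the processing order, and the setting keys `config` and `folder_redirection` are constructed for illustration.

```python
# Added illustration: simplified model of how user settings are resolved
# with and without loopback. GPO contents are constructed from the
# article's Red/Green scenario; the setting keys are hypothetical.
from enum import Enum


class Loopback(Enum):
    OFF = "off"
    MERGE = "merge"
    REPLACE = "replace"


# Each GPO has a computer half and a user half. A setting that is
# "Not configured" is simply absent from the dict and overrides nothing.
RED_GPO = {  # linked to the Red OU (holds the User account)
    "computer": {"config": "Computer Configuration 1"},
    "user": {"config": "User Configuration 1",
             "folder_redirection": "Enabled"},
}
GREEN_GPO = {  # linked to the Green OU (holds the Computer account)
    "computer": {"config": "Computer Configuration 2"},
    "user": {"config": "User Configuration 2"},  # redirection not configured
}


def apply_in_order(gpos, half):
    """Apply one half of each GPO in order; later GPOs win conflicts."""
    result = {}
    for gpo in gpos:
        result.update(gpo.get(half, {}))
    return result


def resolve(user_gpos, computer_gpos, mode=Loopback.OFF):
    """Return (computer_settings, user_settings) for one logon.

    user_gpos:     GPOs in scope for the user's OU, in processing order.
    computer_gpos: GPOs in scope for the computer's OU, in processing order.
    mode:          loopback mode set in the computer's policy.
    """
    computer_settings = apply_in_order(computer_gpos, "computer")
    if mode is Loopback.OFF:
        user_list = list(user_gpos)          # user's own GPOs only
    elif mode is Loopback.REPLACE:
        user_list = list(computer_gpos)      # user's GPOs are ignored
    else:
        # MERGE: user's GPOs first, computer's GPOs last, so the
        # computer's user settings win when both configure a value.
        user_list = list(user_gpos) + list(computer_gpos)
    return computer_settings, apply_in_order(user_list, "user")


def scenario():
    """Effective user settings for the article's User on the Computer."""
    return {mode: resolve([RED_GPO], [GREEN_GPO], mode)[1]
            for mode in Loopback}


if __name__ == "__main__":
    for mode, user_settings in scenario().items():
        print(f"{mode.value:8} -> {user_settings}")
```

In this model the Terminal Server scenario depends on Replace mode: in Merge mode the user's folder redirection setting still applies, because the Green policy leaves it not configured and so has nothing to override it with.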
To enable Loopback Processing, navigate to: Computer Configuration/Administrative Templates/System/Group Policy/Configure user Group Policy loopback processing mode
If you liked the post, please feel free to click on a few Ads on this page ;-)
Thank you!
Kudrat
First time I am understanding this! You're a great teacher!... Thanks a lot.
I am glad it has helped you :-)
Perfect -- I now fully understand.. thank you very much
You are very welcome :-)
I have an issue where I have users on a domain but also have a terminal server icon on the desktop. I want lock down policies on the terminal server session but not on the local machines. Is loopback the answer here?
Hi,
Mostly Loopback Processing is used for the Terminal Services servers, in order to set User Configuration policies different from the normal environment. In your situation it really depends on what exactly you want to achieve. If by "lock down policies" you mean set different folder redirections or anything else related to the user configuration, then the answer is YES, loopback processing is what you need. But if you want to do something else, then, as I said, it really depends on the task.
If you have more questions about Terminal Services, please feel free to post your question here:
http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads
Other IT professionals and I will be happy to help.
Thanks very much, really appreciate your help
Not at all :-)
Excellent example.. at last I get it.. many thanks
Thank you for your feedback!
Amazing explanation.......
Thank you :-)
Hi Kudrat
Once again thank you for the simple way you have explained this.
I am puzzled by 'if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege.'
I have a loopback 'merge' policy on the terminal server OU, where 'Hide Internet Explorer icon on desktop' is Not configured. I also have a policy on the users OU with 'Hide Internet Explorer icon on desktop' set to enabled.
BUT when I log on as a user from that OU, the Internet Explorer icon is not hidden!
Any ideas?
Simon
Hi Simon,
Thanks for your comment.
Could you please try to set the "Hide Internet Explorer icon on desktop" setting in the Terminal Services GPO to Disabled and see if it resolves the problem.
If you have questions, could you please post them to this forum:
http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads
Thanks,
Kudrat
Is there any way to get 'Computer Configuration 1' to apply to the Green OU?
I have a Computer Policy that I do not want to apply to a specific group of users.
Hi,
Computer configuration is applied to the computers. Any user logged on to that computer will be subject to that policy. Maybe in your case there is a different possible solution. Can you post your configuration and task to this forum?
http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads
There we can try to help you with the solution.
Thanks,
This is by far the best example I've read so far. Right now I'm preparing for my 70-294 and this topic has been haunting me. I keep getting it wrong in my practice exams!
But hopefully not anymore!
Thank you!
And good luck with your 70-294
From Brazil.
Excellent tutorial! Thanks!
Thank you! :-)
That is very helpful, thank you
I am glad it has helped.
Thank you.
At last. I have an AD exam coming up and GP Loopback processing was really making my head hurt - I couldn't get the concept sorted out. Your explanation clicked after one read.
Thanks a lot - top work.
Thanks very much, and good luck with your exam!
Hi, I have a question. In the above example you explained how loopback processing works, but I want to know the name of the GPO where we should enable the loopback setting. Or can we create a separate GPO on the computer OU and enable the loopback setting? And if yes, will this GPO filter out all the user settings inherited from the parent GPOs?
Hi Neeraj,
About the place to enable the policy, take a look at this article: http://support.microsoft.com/kb/231287
I would not recommend setting Loopback Processing on the default Computers OU. If you need to enable this policy for some computers, it would be a good idea to separate them into a different OU; it does not have to be under the Computers OU.
Also keep in mind that the Computers OU contains computer objects, and if the GPO linked to the Computers OU has any User settings, they will not take effect on the logged-in user unless you have Loopback Processing enabled.
If you have more questions about Group Policy, please feel free to ask them in this forum: http://social.technet.microsoft.com/Forums/en/winserverGP/threads
Hey man... perfect! Can I translate this post and put it in my blog, giving the credits to you?
perg@tech4it.com.br
http://blog.tech4it.com.br
JMB
Hi,
Yes sure, if it helps other people I am always happy to help.
Thanks,
I read many articles and never understood it clearly until I read this article. Thanks a lot!
Bastiaan
Thanks Bastiaan
Brilliantly explained
Great and very helpful explanation!
Thanks!
From Italy... Thank you so much! Very clear example! Thanks! Michele CMV
Thank you :-)
Hi Kudrat,
I am facing a situation where I need to disable the shutdown option for a group of people. Unfortunately I am dealing with 70 plus servers and some of these users have local admin access on the servers.
How would I tackle this issue? Any help is much appreciated.
Hi,
Thanks for your question. It is a bit inconvenient to discuss it here, so it would be good if you could publish your question on this forum:
http://social.technet.microsoft.com/Forums/hu-HU/winserverTS/threads
Thanks,
How nicely explained. Even a layman can understand this. Thank you
Thanks
Hi, that's a clear explanation. Thanks a lot.
Thanks Kudrat for taking the time to explain this without taking anything in return.
TaD
Not at all, glad it has helped.
THANKS !!
Nice.
Thank you.
Hi Kudrat
This is a very good explanation and easy to understand. Thanks....
Very simple. Thanks
Cheers!!
If only knowledge base articles were this clear and to the point. Excellent job Kudrat!
The only thing you should add is where to find the loopback processing option, and the fact that it is enabled individually per GPO.
It's found in EACH GPO under: Computer Configuration, Policies, Administrative Templates, System, Group Policy, "User Group Policy loopback processing mode"
Bravo!
Very good explanation! Made everything clear for me! Thanks!
This is the first time I have ever understood this!! Thank you!! You have saved my brain :)
Thanks a lot!!!! First time I understood........
Thanks guys, glad it helped you.
A very good explanation... Kudos!!
Even 3 years after your original post... You continue to help someone understand loopback processing. Thank you for your help.
Wow.. Loved reading these red and green codes. After 3-4 years I got a clear concept.
Thank you for making this clear :)
Thanks guys,
Glad to help.
Nicely explained.. Great
Nice one dude!! I was totally confused with this one!! Thanks.. :))
This is like someone has just switched the light on! I knew Loopback Processing existed (and I still think the title of it sucks!) but I couldn't quite grasp what it was all about.
Now I really think I get it! It's a Eureka moment!! And it will help achieve what I may need it to (depending on a business decision that needs to be made).
Thank you, Kudrat.
JJ
Thanks guys
Thanks a lot, great explanation.
One of the best documents I have read in a long time. Thank you
Thanks guys, happy to help.
I truly thank you for this article!!! You've helped us set up TS policies in our environment, as everywhere else on the net it was very confusing.
Glad it helped.
Thanks,
Thank you Kudrat, you are a GEM!!
At last I understand it now. Thanks a lot brother. This page should appear first when we google "Loop Back Policy"
Thomas C
Thanks..!! Great Work..
Thanks Mate!
Great Explanation
First time it's clear to me... really excellent explanation!
Thanks a lot.
It helps me a lot in understanding, very good!!
Thanks guys!
For years I have tried to grasp the complex explanations of this from AD manuals and online forums. They never made sense. This one is simple and perfectly explained. Thanks!
I really appreciate your help. The article helped me to understand what it is for and how it works.
Thank you very much for that.
Thanks a lot for this explanation. All this loopback business now makes sense :)
Keep up the good work!
Good one
Great, very easy to understand
Thank you very much. Best explanation I was googling for.
You should be a teacher bro!
Well done, I like your style of explanation...
Awesome explanation... Thanks for writing!
First time I am understanding this. Thanks
Cheers guys, glad it is helping.
Thank you
Thanks ....... the first time I fully understand it ... need more for other features ... waiting for you
Great article, well written and easy to understand what potentially is a very confusing setting.
Great and thanks for such clear explanation...
And there's the light bulb.
Simply put and understandable.
Thanks.
Great job, clear and precise.
TY
Great explanation.
Thank you buddy, you are gonna help me get through this exam.
Great Example with description...
Good Job. Nice Explanation
I want to add my name to this long list. Thank you very much! I have struggled with this for about a month and a half.
Thanks guys,
I am glad that four years after publishing, this article is still helping people.
Very good way to explain. Crystal clear.
I wish Microsoft could explain things so simply!
Superb teaching, keep it up....
I was working for several years with GPOs, but never fully understood Loopback... until reading your article, thanks a lot!
Perfect article if you add how you turn it on as stated in a previous comment.
Keep up the good work ;-), you have helped a lot by clarifying this subject.
Thanks again. Microsoft should hire you to write their articles!
Thanks
I could not fully understand what loopback processing is, despite being MCITP certified. After reading your post the loopback processing idea is absolutely clear to me. Thanks a lot! You definitely have a talent for explaining things..............
Very nice. Nicely done. Easily understood.
Excellent Job. Very easy to understand.
You are the one who should be a teacher. That's the best explanation.
Thank you
Pretty! This has been an incredibly wonderful article.
Many thanks for providing this information.
Feel free to visit my blog :: web page
Great Article.... thanks a lot for explaining in simple terms....
Great explanation... Thank you very much!
Thanks, a clear explanation!
Nice!
Finally understood, thanks!
Pretty! This has been an extremely wonderful article.
Thanks for providing this info.
My homepage :: pop over to these guys
Many thanks Kudrat. Fantastic explanation.
Thanks Kudrat, this really helped me to understand! I have one more question: I want to apply a user-policy to specific computers, but I don't want to put these computers in a separate OU. I prefer doing it by group membership. I can't get this to work... Does anyone have a suggestion?
Hi, you could try filtering the GPO: http://kudratsapaev.blogspot.co.uk/2010/02/filterin-group-policy-from-applying.html
You can filter using Computer Objects as well.
Finally a very clear explanation....
Best explanation of loopback processing
That's awesome. Thanks Kudrat
Kudrat, this is very helpful! Thanks for taking the time out to make this easy to understand.
Struggled with this before. This post saved me from unnecessary troubleshooting
Really excellent article...... understood completely before coming to the last point...... Thanks Pro
WOW... what an explanation..... keep up the good work for others.
Fantastic explanation! Thanks a million!
Very good explanation. Simple and to the point!~
Good...!! I clicked on ads too.......!
Thank You :-)
Thanks very much. Good explanation
Thank You Very Much Dude.................
Arunabha
Thanks. You really explained that well.
First time I am understanding it.. Thanks Sir!
Excellent.. right in the bullseye...
Excellent. I have never ever read this concept so easily despite having read the same concept from other source so many times at the time of need. I THINK NOW THIS IS THE LAST TIME I GOOGLE FOR LOOPBACK PROCESSING. :-)
Thanks
Very good buddy, very easy to understand, well explained, layman's explanation, keep posting such articles, cheers
Six years later, still a gem. Thanks for the refresher.
Awesome! I have been struggling with this very same situation for two weeks now. This is EXACTLY what I was looking for and this article explained it very simply
Thanks a million!
By the way, I did click on the ads on this page :)
Thanks :-)
Oh my Gosh! This has been causing me many a sleepless night! PERFECT............ thanks for bringing this up!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
It's really useful for me.... Eagerly waiting for your next tech articles......... :)
Thanks man....!!!
Good Article.... Very clear with Diagrams to help understand
Thank you for the excellent explanation - I didn't understand the explanation in the Microsoft course manual but I had no problem understanding your explanation.
Nice one man. Great job !!!
Thank you! That was much easier to understand compared to other explanations...
This is excellent, Kudrat! And I tried to click on what I believe is every ad :)
Thanks :-)
Best example ever! Thank you.
ReplyDeleteFil.
Well explained.. Thanks
First time, a common bug clears my mind. Millions of thanks for this article. You have to put on web from time to time as the time changes. It's a best example forever.
Awesome... Very easy to understand. :)
You are awesome.. that's all I can say. So neatly explained.
Thanks a lot.
This is brilliant. Thanks a lot!
Ash
Thank you guys
You are just awwweeeesome..!!!
Thanks mate, awesome explanation, much appreciated
In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege. For example in our scenario, in case of the conflict the User Configuration 2 would be enforced.
Can you pls elaborate on it (how User Configuration 2 is a computer's policy)?
Hi, I can see how this could be confusing. So let me elaborate :-) What I meant is, if there is a conflict, the User Settings in the Computer's policy (i.e. the Green policy linked to the OU which contains the Computer account) will take precedence. I hope this makes it clearer.
Hello
Thank you for your explanation of Loopback Policy. I am getting ready for an MCSA exam and I was struggling to understand the functioning of Loopback.
Thank you Thank you Thank you
Regards
This is a very simple, concise and very effective explanation of loopback processing. Thank you very much. Textbooks are so confusing on this topic.
Thanks again. I will click a few ads. :)
I am a newbie.... and this explains the Loopback Policy the best of all I've found on Mr. Google.
Thanks :-)
Thank you for keeping this page up. This is why we all love the internet. For being able to find kind and intelligent people that help explain stuff for others.
Nice Blog Post!
Greetings from 2018. This was very helpful. Thanks for keeping this up.
Very interesting read. Nicely explained. Thank you.