Hello again! Kim Nichols here again. For this post, I'm taking a break from the AD LDS discussions (hold your applause until the end) and going back to a topic near and dear to my heart - Group Policy loopback processing.
Loopback processing is not a new concept to Group Policy, but it still causes confusion for even the most experienced Group Policy administrators.
This post is the first part of a two part blog series on User Group Policy Loopback processing.
Hopefully these posts will refresh your memory and provide some tips for troubleshooting Group Policy processing when loopback is involved.
Before we dig in too deeply, let's quickly cover normal Group Policy processing. Thinking back to when we first learned about Group Policy processing, we learned that Group Policy
applies in the following order:
You may have heard Active Directory “old timers” refer to this as LSDOU . As a result of LSDOU, settings from GPOs linked closest (lower in OU structure) to the user take precedence over those linked farther from the user (higher in OU structure). GPO configuration options such as Block Inheritance and Enforced (previously called No Override for you old school admins) can modify processing as well, but we will keep things simple for the purposes of this example. Normal user group policy processing applies user settings from GPOs linked to the Site, Domain, and OU containing the user object regardless of the location of the computer object in Active Directory.
Let's use a picture to clarify this. For this example, the user is the "E" OU and the computer is in the "G" OU of the contoso.com domain.
Following normal group policy processing rules (assuming all policies apply to Authenticated Users with no WMI filters or "Block Inheritance" or "Enforced" policies), user settings of Group Policy objects apply in the following order:
That’s pretty straightforward, right? Now, let’s move on to loopback processing!
Group Policy loopback is a computer configuration setting that enables different Group Policy user settings to apply based upon the computer from which logon occurs.
Breaking this down a little more:
Administrators use loopback processing in kiosk, lab, and Terminal Server environments to provide a consistent user experience across all computers regardless of the GPOs linked to user's OU.
Our recommendation for loopback is similar to our recommendations for WMI filters, Block Inheritance and policy Enforcement; use them sparingly. All of these configuration options modify the default processing of policy and thus make your environment more complex to troubleshoot and maintain. As I've mentioned in other posts, whenever possible, keep your designs as simple as possible. You will save yourself countless nights/weekends/holidays in the office because will you be able to identify configuration issues more quickly and easily.
The loopback setting is located under Computer Configuration/Administrative Templates/System/Group Policy in the Group Policy Management Editor (GPME).
Use the policy setting Configure user Group Policy loopback processing mode to configure loopback in Windows 8 and Windows Server 2012 . Earlier versions of Windows have the same policy setting under the name User Group Policy loopback processing mode. The screenshot below is from the Windows 8 version of the GPME.
When you enable loopback processing, you also have to select the desired mode. There are two modes for loopback processing: Merge or Replace.
Prior to the start of user policy processing, the Group Policy engine checks to see if loopback is enabled and, if so, in which mode.
We'll start off with an explanation of Merge mode since it builds on our existing knowledge of user policy processing.
During loopback processing in merge mode, user GPOs process first (exactly as they do during normal policy processing), but with an additional step. Following normal user policy processing the Group Policy engine applies user settings from GPOs linked to the computer's OU. The result-- the user receives all user settings from GPOs applied to the user and all user settings from GPOs applied to the computer. The user settings from the computer’s GPOs win any conflicts since they apply last.
To illustrate loopback merge processing and conflict resolution, let’s use a simple chart. The chart shows us the “winning” configuration in each of three scenarios:
Now, going back to our original example, loopback processing in Merge mode applies user settings from GPOs linked to the user’s OU followed by user settings from GPOs linked to the computer’s OU.
GPOs for the user in OU ”E” apply in the following order (the first part is identical to normal user policy processing from our original example):
Loopback replace is much easier. During loopback processing in replace mode, the user settings applied to the computer “replace” those applied to the user. In actuality, the Group Policy service skips the GPOs linked to the user’s OU. Group Policy effectively processes as if user object was in the OU of the computer rather than its current OU.
The chart for loopback processing in replace mode shows that settings “1” and “2” do not apply since all user settings linked to the user’s OU are skipped when loopback is configured in replace mode.
Returning to our example of the user in the “E” OU, loopback processing in replace mode skips normal user policy processing and only applies user settings from GPOs linked to the computer.
The resulting processing order is:
Those are the basics of user group policy loopback processing. In my next post, I'll cover the troubleshooting process when loopback is enabled.
Kim “Why does it say paper jam, when there is no paper jam!?” Nichols
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.