Understanding Group Policy Loopback Processing

By Arenar
Posted on 2009-10-28 at 06:58:48
A Little on Standard Group Policy Processing
Before we look at how loopback processing works it is worth a quick refresher on how standard Group Policy processing works.

A Group Policy Object (GPO) is a collection of configurable policy settings organised as a single object. Each GPO contains Computer Configuration policies, which are applied to computers during start-up, and User Configuration policies, which are applied to users during logon.


All about Scope
The term in scope refers to any GPO that applies to a given object (a computer account or a user account).

Group policies can be linked at four separate points within a domain structure (Local, Site, Domain and Organisational Unit (OU)) and are processed in that order; within each level the linked GPOs are processed according to their link order (precedence).

So the in-scope GPOs for an account consist of the Local policy, all of the Site GPOs, all of the Domain GPOs and all GPOs linked to each OU in the path of the account object, processed in that order. Each GPO processed later overwrites any conflicting settings applied by an earlier one, so the last GPO to apply a given setting wins. The final set of settings that results is known as the Resultant Set of Policy (RSoP) and can be viewed on a client device with the rsop.msc console or the gpresult command.

Any GPO for which the account has been denied the Apply Group Policy right (security filtering), or that has been excluded by a WMI filter, is considered out of scope and is not processed.


Why Loopback
The User Group Policy loopback processing mode setting, found in the Computer Configuration node of a GPO, is a useful tool for ensuring that specific user settings are applied on specific computers.

Essentially loopback processing changes standard Group Policy processing so that user configuration settings are selected from the computer's GPO scope during logon, rather than (or in addition to) the user's. This means that user configuration settings can be enforced for every user who logs on to a particular computer, whoever that user is.


When to use Loopback
Common scenarios where this policy is used include publicly accessible terminals, machines acting as application kiosks, terminal servers and any other environment where the user settings should be determined by the computer account rather than by the user account.


Where to Enable Loopback
The setting is found within the Computer Configuration node of a GPO:

Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode


Replace or Merge
When the setting is Enabled you must also select the mode in which loopback processing will operate: Replace or Merge.


Replace mode completely discards the user settings that would normally apply to a user logging on to a machine running loopback processing and replaces them with the user settings from the GPOs that are in scope for the computer account.


Merge mode applies the user settings that would normally apply to the user as usual, and then applies the user settings from the GPOs that are in scope for the computer account. Where the two conflict, the setting from the computer account's scope wins, because it is processed last.
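The Administrative Template setting above is stored in the registry on the client as a REG_DWORD named UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System, where 1 means Merge and 2 means Replace. The following is an added example, not part of the original article, showing how to create a GPO that enables loopback in the chosen mode with the RSAT GroupPolicy module, link it to the OU that holds the computer accounts, and then confirm the effective mode on a machine in that OU. The GPO name and OU distinguished name are placeholders you will need to change.

```powershell
# Added example (not from the original article). Requires the RSAT GroupPolicy
# module and rights to create and link GPOs. $GpoName and $TargetOU are assumed values.
Import-Module GroupPolicy

$GpoName  = 'TS-Loopback-Replace'
$TargetOU = 'OU=TerminalServers,OU=Servers,DC=corp,DC=example'
$Mode     = 'Replace'   # 'Merge' or 'Replace'

# The "User Group Policy loopback processing mode" template writes this value:
# UserPolicyMode (REG_DWORD)  1 = Merge, 2 = Replace. Not present = Not configured.
$modeValue = @{ Merge = 1; Replace = 2 }[$Mode]

# Reuse the GPO if it already exists, otherwise create it.
try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $GpoName }

# Loopback is a Computer Configuration setting, hence the HKLM key.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $modeValue | Out-Null

# Link the GPO where the COMPUTER accounts live; it is the computer's scope that
# decides whether loopback is on, not the user's. New-GPLink fails if the link
# already exists, which is harmless here.
try   { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction Stop | Out-Null }
catch { Write-Verbose "Link for $GpoName at $TargetOU already exists" }

# Check on a client in that OU after 'gpupdate /force' (or a reboot): the policy
# engine writes the effective value to the same key.
function Get-LoopbackMode {
    $v = (Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
            -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($v) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}
Get-LoopbackMode
```

Because the value is only read at the start of user policy processing, a change to the mode takes effect at the user's next logon (after the computer has refreshed its own policy), not on an existing session.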


How Loopback Works
Loopback processing changes the behaviour of GetGPOList, the Group Policy engine routine that builds the list of GPOs to process. Normally, when a user logs on, GetGPOList collects all GPOs in scope for the user account and arranges them in precedence order for processing.
When loopback processing is enabled in Merge mode, GetGPOList also collects all GPOs in scope for the computer account and appends them to the list collected for the user account. Because they are processed after the user's GPOs they take higher precedence and win any conflict.
When loopback processing is enabled in Replace mode, GetGPOList does not collect the user's in-scope GPOs at all; the user-side settings are taken only from the GPOs in scope for the computer account.


So, without loopback enabled, policy processing looks like this:
1. Computer Node policies from all GPOs in scope for the computer account object are applied during start-up (in the normal Local, Site, Domain, OU order).
2. User Node policies from all GPOs in scope for the user account object are applied during logon (in the normal Local, Site, Domain, OU order).


And, with loopback processing enabled in Merge mode:
1. Computer Node policies from all GPOs in scope for the computer account object are applied during start-up (in the normal Local, Site, Domain, OU order); the computer records that loopback processing (Merge mode) is enabled.
2. User Node policies from all GPOs in scope for the user account object are applied during logon (in the normal Local, Site, Domain, OU order).
3. Because the computer is running loopback in Merge mode, it then applies the User Node policies from all GPOs in scope for the computer account object (Local, Site, Domain, OU). If any of these settings conflict with what was applied in step 2, the setting from the computer account's scope takes precedence.


And, with loopback processing enabled in Replace mode:
1. Computer Node policies from all GPOs in scope for the computer account object are applied during start-up (in the normal Local, Site, Domain, OU order); the computer records that loopback processing (Replace mode) is enabled.
2. User Node policies from all GPOs in scope for the user account object are not applied during logon (because the computer is running loopback in Replace mode, no list of the user's GPOs is collected).
3. Because the computer is running loopback in Replace mode, it applies the User Node policies from all GPOs in scope for the computer account object during logon (Local, Site, Domain, OU) instead.
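The three procedures above differ only in which GPO list GetGPOList hands to the user-side processing and in what order. As an added example that is not part of the original article, the PowerShell below models that list-building step and resolves a few constructed user settings through it, so you can see which GPO wins each setting in each mode. The GPO names and settings are invented for the illustration; the real engine works on GPO objects, not on these hashtables.

```powershell
# Added example (not from the original article): a model of how GetGPOList builds the
# user-side GPO list without loopback, in Merge mode and in Replace mode.
# GPO names and settings below are constructed sample data.

function Get-UserGpoProcessingOrder {
    param(
        [object[]] $UserScope,       # GPOs in scope for the user, in Local,Site,Domain,OU order
        [object[]] $ComputerScope,   # GPOs in scope for the computer, same order
        [ValidateSet('None','Merge','Replace')] [string] $LoopbackMode = 'None'
    )
    switch ($LoopbackMode) {
        'None'    { return @($UserScope) }                       # user's list only
        'Merge'   { return @($UserScope) + @($ComputerScope) }   # computer's list appended, so processed last
        'Replace' { return @($ComputerScope) }                   # user's list never collected
    }
}

# Walk the ordered list; a later GPO overwrites an earlier one's value (last writer wins).
function Resolve-UserSettings {
    param([object[]] $OrderedGpos)
    $rsop = [ordered]@{}
    foreach ($gpo in $OrderedGpos) {
        foreach ($setting in $gpo.UserSettings.Keys) {
            $rsop[$setting] = '{0}  <- {1}' -f $gpo.UserSettings[$setting], $gpo.Name
        }
    }
    return $rsop
}

# Constructed sample scopes. The Default Domain Policy is in scope for both accounts,
# which is why it appears twice in the Merge list, just as gpresult shows it twice.
$userScope = @(
    [pscustomobject]@{ Name = 'Default Domain Policy'; UserSettings = @{ ScreenSaverTimeout = 900 } },
    [pscustomobject]@{ Name = 'Staff-UserPrefs';       UserSettings = @{ ScreenSaverTimeout = 1800; RemoveRunMenu = 'Disabled'; HomePage = 'http://intranet' } }
)
$computerScope = @(
    [pscustomobject]@{ Name = 'Default Domain Policy'; UserSettings = @{ ScreenSaverTimeout = 900 } },
    [pscustomobject]@{ Name = 'TS-Loopback-Replace';   UserSettings = @{} },   # carries only the computer-side loopback setting
    [pscustomobject]@{ Name = 'TS-UserLockdown';       UserSettings = @{ ScreenSaverTimeout = 300; RemoveRunMenu = 'Enabled'; NoControlPanel = 'Enabled' } }
)

foreach ($mode in 'None','Merge','Replace') {
    $order = @(Get-UserGpoProcessingOrder -UserScope $userScope -ComputerScope $computerScope -LoopbackMode $mode)
    Write-Output ("`n[{0}] processing order (last wins): {1}" -f $mode, (($order | ForEach-Object Name) -join ' -> '))
    Resolve-UserSettings -OrderedGpos $order
}
```

The point to notice is the HomePage setting, which exists only in the user's own GPO: it survives in Merge mode (the user's GPOs are still processed, just first) and disappears in Replace mode. On a real machine, `gpresult /r /scope:user` run as the logged-on user lists the GPOs actually applied to the user side and will show the computer-scoped GPOs there when loopback is in effect.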


But I don't want everyone who logs on to get these Settings
If you want to add an exception to this rule, for example you have used loopback processing in Replace mode to lock down a terminal server but want the server administrators not to receive those settings, you can use security filtering: in the Group Policy Management Console (GPMC), on the Delegation tab of the GPO, open Advanced and set Deny on the Apply Group Policy permission for a security group containing the administrator accounts. A Deny entry overrides any Allow the administrators hold through Authenticated Users, so the GPO drops out of scope for them. Deny only Apply Group Policy and leave Read in place, so the GPO can still be evaluated normally for everyone else. This must be done on every GPO in scope for the computer account that contains user settings you wish to withhold; a GPO you miss will still apply to the administrators. Remember also that in Replace mode the administrators' own user GPOs are still not collected, so after the exception they receive only the user settings from whatever computer-scoped GPOs remain in scope for them.
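The weak spot in the exception described above is the phrase "every GPO in scope for the computer account": it is easy to deny the administrators on the obvious lockdown GPO and forget a second one linked higher up the OU tree. As an added example that is not from the original article, the script below walks the GPO links that reach a computer OU (the domain and the OU chain, in precedence order) and reports, for each GPO that still delivers user settings, whether the exception group has a Deny on Apply Group Policy. It uses only the RSAT GroupPolicy module; the OU path and group name are placeholders. Site-linked and Local GPOs are not covered by Get-GPInheritance for an OU and must be checked separately.

```powershell
# Added example (not from the original article). Audits the Deny Apply exception across
# all GPOs linked in the path of a computer OU. $ComputerOU and $ExceptionGroup are
# placeholders; the group is given as its sAMAccountName without the domain prefix.
Import-Module GroupPolicy

function Get-LoopbackDenyAudit {
    param(
        [Parameter(Mandatory)] [string] $ComputerOU,      # DN of the OU holding the loopback computers
        [Parameter(Mandatory)] [string] $ExceptionGroup   # e.g. 'TS-Admins'
    )

    # InheritedGpoLinks lists the links that reach this OU (domain, parent OUs, this OU),
    # already reduced by Block Inheritance/Enforced, with Order 1 = highest precedence.
    $inheritance = Get-GPInheritance -Target $ComputerOU

    foreach ($link in $inheritance.InheritedGpoLinks) {
        if (-not $link.Enabled) { continue }          # disabled link contributes nothing

        $gpo = Get-GPO -Guid $link.GpoId
        # A GPO with its user half disabled delivers no user settings, even under loopback.
        if ($gpo.GpoStatus -in 'UserSettingsDisabled', 'AllSettingsDisabled') { continue }

        # Get-GPPermission reports Deny ACEs with Denied = $true.
        $denyApply = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Trustee.Name -eq $ExceptionGroup -and
                           $_.Permission   -eq 'GpoApply' -and
                           $_.Denied }

        [pscustomobject]@{
            Precedence   = $link.Order
            GPO          = $gpo.DisplayName
            LinkedAt     = $link.Target
            Enforced     = $link.Enforced
            AdminsDenied = [bool]$denyApply
        }
    }
}

# Any row with AdminsDenied = False is a GPO whose user settings the administrators
# will still receive when they log on to the loopback machine.
Get-LoopbackDenyAudit -ComputerOU 'OU=TerminalServers,OU=Servers,DC=corp,DC=example' `
                      -ExceptionGroup 'TS-Admins' |
    Sort-Object Precedence | Format-Table -AutoSize
```

Run it again after every change to the OU's links; a new GPO linked at the domain or a parent OU silently re-enters the computer's scope and is not covered by the Deny entries you set earlier.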


In Conclusion
So, to ensure that a User Node setting is applied under loopback processing, all you need to do is make sure the setting is in a GPO that is in scope for the computer account object, and that this GPO has precedence over any competing GPO that configures the same setting.
Tags: AD, Active Directory, GPO, Group Policy, Loopback
Topic: Active Directory

Comments

Expert Comment

by: mkbean on 2009-12-31 at 12:14:42

Agreed good article.  Voted Yes too

Expert Comment

by: rbijl on 2010-04-26 at 23:44:19

Good explanation

Expert Comment

by: sumeshbnr on 2010-05-04 at 22:04:17

Good keep it up!

Expert Comment

by: mwvisa1 on 2010-08-21 at 19:40:38

Very nice, Article! You have my Yes vote above, also.

Expert Comment

by: cmhorvath on 2010-12-29 at 10:43:58

Excellent Article!!!!!!!! This was very helpful.

