Problem getting my head around using Loopback processing in Group Policy

Posted on 2006-10-20
Last Modified: 2010-03-18
We have a Group Policy that applies a screensaver Some PCs need to be excluded from having the policy applied (PCs used for presentations etc)
As the screensaver settings are in the User part of the policy I understand the Loopback Processing is the way to go but I'm not sure what steps I have to do to get it working. All of the information I have found about Loopback Processing seems to say how to turn it on but not the other steps!

The screensaver policy is currently applied at Domain level. All our computers are currently in the default Computers container (i.e. not in an OU) I am willing to move the affected PCs to a seperate OU if necessary but would prefer not to if possibly as we are in the process of planning our OU structure and these PCs may need to be in other OUs (arranged by department for example)

So, step by step, what do I need to do?

Question by:SYPTE-IT
  • 3
  • 2
LVL 70

Accepted Solution

Chris Dent earned 500 total points
ID: 17772864

Hi Tim,

Is it a Windows 2003 Domain? If so, download the Group Policy Management Console, it'll make the next steps easier.

First of all create a Security Group, you can call it what you like, but for the sake of this we'll make it "Screensaver Override". You need to add any PCs account to this group that you want to stop the Screensaver applying.

Next, create a new Group Policy, again you can call it what you like, but for the sake or argument we'll call that "Screensaver Override" as well. In here set the Screensaver policy you prefer, then it's time to enable Loopback processing:

Computer Configuration \ Administrative Templates \ System \ Group Policy
Enable: User Group Policy Loopback Processing Mode

In your case this needs to be set to Replace (as you want to override the original settings).

Almost there, in GPMC select the Policy and you should see a "Security Filtering" box. Add the "Screensaver Override" group into here, now the User policy you've set in there will only be applied to the PCs within that group.

Do you have any other policies applied to the Computer OU? If not, then that's where we need to attach this policy. You can do this when you create it from within GPMC. Don't worry if you set it in the wrong place, you can right click to unlink it and relink it in a different place.

Does that all make sense?


Author Comment

ID: 17773398
Yes, thanks
One last clarification

Authenticated Users appears by default in the Security Filtering section of the policy (I'm assuming it is a general default) I have enabled loopback on the policy and added the security group I created that contains the computers that I want the policy to apply to.
However I'm not certain whether I need to leave Authenticated Users in or take it out. From my testing I'm assuming that I leave it in but I want to be certain of this before rolling it out.

LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 17774216

You need to remove Authenticated Users; that's everyone in the domain.


Author Comment

ID: 17774344
I wasn't sure whether leaving Authenticated Users in would apply the policy to everyone in Authenticated Users AND to computers in the computer security group (which is what it does) or whether it would only apply to Authenticated Users when they are using the computers in the computer security group. Glad I asked.

Thansk for the help
LVL 70

Expert Comment

by:Chris Dent
ID: 17774514

Pleasure :)


Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brief overview to explain gateways, default gateways and static routes OR NO - you CANNOT have two default gateways on the same server, PC or other Windows-based network device. In simple terms a gateway is formed when a computer such as a serv…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now