

Group Policy processing question and Loopback

Posted on 2007-03-27
Medium Priority
Last Modified: 2010-05-18
I am trying to get my head around the order of group policy processing and the difference loopback makes to it.

Now first of all I have read a load of MS articles and web resources and for me none of them are completely clear.

I know the processing order is Local, site, domain, OU

I know that each GPO processes user configuration first and computer configuration second (making computer configuration take precedence)

Now my first question is: are the GPOs linked to BOTH the user account and to the computer account applied (assuming there are GPOs for each)? If so, in what order, and which one takes precedence? And are both parts of the GPO applied (i.e. computer and user configuration settings)?

My next question is how does Loopback change this?

I appreciate the help - it's driving me crazy!
Question by:mistaking
LVL 27

Expert Comment

by:Jason Watkins
ID: 18801553

The computer configuration is processed against the computer account first, so it will cover anyone who may log on.  The user settings are then applied after the user's access token has been granted from the domain controller.  Those settings are specific to the user.  

Loopback settings can either merge or replace the tallied GPO settings for a particular user. Merge combines the user's effective GPO settings with the prescribed settings from loopback. Replace does exactly that, but is geared to giving everyone the same settings on a given machine regardless of who logs on. Replace is good for kiosks and public computers.


Author Comment

ID: 18801691
Ok, so if there is a setting in the computer configuration of a GPO that I change, for example, and I apply that GPO to an OU that contains only users - that setting will never be applied because there are no computers in that OU and so the computer configuration will never be applied?

Expert Comment

ID: 18801748
I hear ya... this stuff drives me crazy too.
I have found the Group Policy Management Console (GPMC.MSC) to help in understanding the Link Order, Precedence, status etc...
If you don't have it, you may want to try it out.
LVL 27

Expert Comment

by:Jason Watkins
ID: 18801863
The configuration will be applied, but it will be transparent without any settings...

LVL 85

Accepted Solution

oBdA earned 2000 total points
ID: 18802380
The basics:
Any policy that you configure in the "Computer Configuration" part will only be applied to computer objects in or below the OU to which the GPO is linked. This might or might not have an impact on users. These are machine specific settings: policies defined here write to the HKLM hive.
Any policy that you configure in the "User Configuration" part will only be applied to user objects in or below the OU to which the GPO is linked. These are user specific settings: policies defined here write to the HKCU hive.
It doesn't matter at all if both settings are present in a single GPO, and both the user and the computer account are in or below the OU to which the GPO is linked. The Computer Configuration is applied at the computer's startup (and refreshed periodically), the User Configuration is applied during the user's logon (and refreshed periodically). They have absolutely nothing in common, since they write to different sections in the registry. There can only be a precedence of some sorts if the *software* (Windows Explorer, Internet Explorer, whatever) that evaluates the policies created is configured to check both machine and user specific settings, but this has nothing to do with the application of the policies themselves.

Now to the Loopback feature.
As I said above, the User Configuration part is applied only to user objects in or below a certain OU. But often there's a need for different policies, depending on the computer the user is logging on to. With the standard possibilities mentioned above, this would not be possible: the user account is always the same, no matter where the user is logging on, so there's *nothing* you can do (no security group filtering, no playing around with inheritance) to have different policies.
That is, unless you're using the Loopback feature. If you enable the loopback processing for computers in an OU, any *User* *Configuration* applied to this OU will be applied to *all* users logging on to those computers, *regardless* where the user objects are in AD.
The two processing modes (Merge and Replace) define what happens with the user's "regular" policies (the policies applied directly to the user's account).
If the loopback is set to "Replace", the user's regular policies will not be evaluated, only the Loopback user configuration will be applied.
If the loopback is set to "Merge", the user's regular policies will be applied first, then the Loopback policies will be applied (so if there are conflicting settings, the Loopback policy will win).
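The rules in the accepted answer, written out as a small model so the three cases (no loopback, Merge, Replace) can be compared side by side. This is an added example, not code from the thread; the GPO names, settings and OU layout are constructed for illustration.

```python
"""Model of the processing order and loopback semantics from the accepted answer.
Added example, not code from the thread; GPO names and settings are invented."""
from dataclasses import dataclass, field

# Processing order: Local, Site, Domain, OU. The last GPO applied wins a conflict.
SCOPES = ("local", "site", "domain", "ou")

@dataclass
class GPO:
    name: str
    scope: str                                    # one of SCOPES
    computer: dict = field(default_factory=dict)  # Computer Configuration -> HKLM
    user: dict = field(default_factory=dict)      # User Configuration -> HKCU

def apply_in_order(gpos, part):
    """Fold one half of each GPO in processing order; later writers override."""
    effective = {}
    for gpo in sorted(gpos, key=lambda g: SCOPES.index(g.scope)):  # stable: link order kept
        effective.update(getattr(gpo, part))
    return effective

def resolve(user_gpos, computer_gpos, loopback=None):
    """Return (HKLM, HKCU); the two halves are processed independently.
    user_gpos     GPOs linked at or above the OU holding the user object
    computer_gpos GPOs linked at or above the OU holding the computer object
    loopback      None, "merge" or "replace" (a Computer Configuration setting)
    """
    hklm = apply_in_order(computer_gpos, "computer")
    if loopback == "replace":
        # Replace: the user's own policies are not evaluated at all.
        hkcu = apply_in_order(computer_gpos, "user")
    else:
        hkcu = apply_in_order(user_gpos, "user")
        if loopback == "merge":
            # Merge: user policies first, then the computer OU's user settings win conflicts.
            hkcu.update(apply_in_order(computer_gpos, "user"))
    return hklm, hkcu

# Constructed sample: user object in a Staff OU, kiosk computer object in a Kiosks OU.
DOMAIN = GPO("Default Domain Policy", "domain", user={"wallpaper": "corporate"})
STAFF = GPO("Staff-GPO", "ou", user={"run_cmd": "allowed", "home_drive": "H:"},
            computer={"autologon": "on"})      # never reaches HKLM: no computers in Staff
KIOSK = GPO("Kiosk-GPO", "ou", user={"run_cmd": "denied", "lock_timeout": 10},
            computer={"autologon": "off"})
USER_GPOS = [DOMAIN, STAFF]
COMPUTER_GPOS = [DOMAIN, KIOSK]

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, resolve(USER_GPOS, COMPUTER_GPOS, mode))
```

Note that with Replace the Staff user's own `home_drive` setting disappears, while Merge keeps it and only overrides the conflicting `run_cmd`.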
