Group Policy processing question and Loopback

Posted on 2007-03-27
Last Modified: 2010-05-18
I am trying to get my head around the order of group policy processing and the difference loopback makes to it.

Now first of all I have read a load of MS articles and web resources and for me none of them are completely clear.

I know the processing order is Local, site, domain, OU

I know that each GPO processes user configuration first and computer configuration second (making computer configuration take precedence)

Now my first question is: are the GPOs linked to BOTH the user account and to the computer account applied (assuming there are GPOs for each)? If so, in what order, which one takes precedence? And are both parts of the GPO applied (i.e. computer and user configuration settings)?

My next question is how does Loopback change this?

I appreciate the help - it's driving me crazy!
Question by:mistaking
LVL 27

Expert Comment

by:Jason Watkins
ID: 18801553

The computer configuration is processed against the computer account first, so it will cover anyone who may log on.  The user settings are then applied after the user's access token has been granted from the domain controller.  Those settings are specific to the user.  

Loopback settings can either merge or replace the tallied GPO settings for a particular user. Merge combines the user's effective GPO settings with the prescribed settings from loopback. Replace does exactly that, but is geared to giving everyone the same settings on a given machine regardless of who logs on. Replace is good for kiosks and public computers.


Author Comment

ID: 18801691
Ok, so if there is a setting in computer configuration of a GPO that I change, for example, and I apply that GPO to an OU that contains only users - that setting will never be applied because there are no computers in that OU and so computer configuration will never be applied?

Expert Comment

ID: 18801748
I hear ya... this stuff drives me crazy too.
I have found the Group Policy Management Console (GPMC.MSC) to help in understanding the Link Order, Precedence, status etc...
If you don't have it, you may want to try it out.
LVL 27

Expert Comment

by:Jason Watkins
ID: 18801863
The configuration will be applied, but it will be transparent without any settings...

LVL 84

Accepted Solution

oBdA earned 500 total points
ID: 18802380
The basics:
Any policy that you configure in the "Computer Configuration" part will only be applied to computer objects in or below the OU to which the GPO is linked. This might or might not have an impact on users. These are machine specific settings: policies defined here write to the HKLM hive.
Any policy that you configure in the "User Configuration" part will only be applied to user objects in or below the OU to which the GPO is linked. These are user specific settings: policies defined here write to the HKCU hive.
It doesn't matter at all if both settings are present in a single GPO, and both the user and the computer account are in or below the OU to which the GPO is linked. The Computer Configuration is applied at the computer's startup (and refreshed periodically), the User Configuration is applied during the user's logon (and refreshed periodically). They have absolutely nothing in common, since they write to different sections in the registry. There can only be a precedence of sorts if the *software* (Windows Explorer, Internet Explorer, whatever) that evaluates the policies created is configured to check both machine and user specific settings, but this has nothing to do with the application of the policies themselves.

Now to the Loopback feature.
As I said above, the User Configuration part is applied only to user objects in or below a certain OU. But often there's a need for different policies, depending on the computer the user is logging on to. With the standard possibilities mentioned above, this would not be possible: the user account is always the same, no matter where the user is logging on, so there's *nothing* you can do (no security group filtering, no playing around with inheritance) to have different policies.
That is, unless you're using the Loopback feature. If you enable the loopback processing for computers in an OU, any *User* *Configuration* applied to this OU will be applied to *all* users logging on to those computers, *regardless* where the user objects are in AD.
The two processing modes (Merge and Replace) define what happens with the user's "regular" policies (the policies applied directly to the user's account).
If the loopback is set to "Replace", the user's regular policies will not be evaluated, only the Loopback user configuration will be applied.
If the loopback is set to "Merge", the user's regular policies will be applied first, then the Loopback policies will be applied (so if there are conflicting settings, the Loopback policy will win).
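As an added illustration (not from the thread or from Microsoft), a small Python model of the processing described above: later-linked GPOs overwrite earlier ones, Computer Configuration comes only from GPOs in the computer's path, and Loopback Merge/Replace decides what happens to the user's regular policies. The GPO names and setting names are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    """One Group Policy Object with its two halves (constructed sample)."""
    name: str
    computer_settings: dict = field(default_factory=dict)  # HKLM-style policies
    user_settings: dict = field(default_factory=dict)      # HKCU-style policies


def apply_in_order(gpos, part):
    """Apply GPOs in processing order (local, site, domain, OU): a later GPO
    overwrites the same setting from an earlier one, so the last one wins."""
    effective = {}
    for gpo in gpos:
        effective.update(getattr(gpo, part))
    return effective


def resolve_computer_settings(computer_gpos):
    """Only GPOs linked at or above the *computer* object contribute to HKLM."""
    return apply_in_order(computer_gpos, "computer_settings")


def resolve_user_settings(user_gpos, computer_gpos, loopback=None):
    """user_gpos: GPOs linked at/above the user object; computer_gpos: GPOs
    linked at/above the computer. loopback is None, "merge" or "replace"."""
    if loopback is None:                      # normal: user's regular policies only
        return apply_in_order(user_gpos, "user_settings")
    if loopback == "replace":                 # regular policies not evaluated at all
        return apply_in_order(computer_gpos, "user_settings")
    if loopback == "merge":                   # regular first, then loopback wins conflicts
        merged = apply_in_order(user_gpos, "user_settings")
        merged.update(apply_in_order(computer_gpos, "user_settings"))
        return merged
    raise ValueError(f"unknown loopback mode: {loopback!r}")


# Constructed sample: a GPO linked to a users OU and one linked to a kiosk PCs OU.
STAFF_USERS = GPO("Staff-Users",
                  computer_settings={"DisableCAD": 1},   # never reaches any PC
                  user_settings={"Wallpaper": "corp.jpg", "RunLogonScript": 1})
KIOSK_PCS = GPO("Kiosk-Computers",
                computer_settings={"DisableCAD": 0},
                user_settings={"Wallpaper": "kiosk.jpg", "NoRun": 1})


def demo(loopback=None):
    """A Staff-Users user logging on to a Kiosk-Computers machine."""
    return resolve_user_settings([STAFF_USERS], [KIOSK_PCS], loopback)
```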
