Bob Brown

asked on

Group Policy Loopback Processing

How can I use "Loopback processing" in Group Policy Management to apply a user configuration to a computer?

For example, I want to stop users from saving files to their hard drives on their computer.
The problem I have is that the policy I need to do this is located in "User Configuration" instead of being in Computer Configuration, and I want to apply the policy directly to the computer.

Thanks
Madison Perkins

To answer your question: the loopback setting is located under Computer Configuration/Administrative Templates/System/Group Policy. Turn this on and it will enable loopback processing. There are two modes, Replace and Merge. The GPO that you configure for whatever you are trying to do will either override in Replace mode or combine in Merge mode.

Loopback Replace
Loopback Replace is much easier. During loopback processing in Replace mode, the user settings applied to the computer "replace" those applied to the user. In actuality, the Group Policy service skips the GPOs linked to the user's OU. Group Policy effectively processes as if the user object were in the OU of the computer rather than its current OU.

Loopback Merge
During loopback processing in Merge mode, user GPOs process first (exactly as they do during normal policy processing), but with an additional step. Following normal user policy processing, the Group Policy engine applies user settings from GPOs linked to the computer's OU. The result: the user receives all user settings from GPOs applied to the user and all user settings from GPOs applied to the computer. The user settings from the computer's GPOs win any conflicts since they apply last.

Loopback processing with Group Policy is one of the, if not the, most difficult concepts to understand and to implement. Not to mention that stopping them from accessing the C drive is almost impossible. Combining your scenario with loopback processing would take extensive testing. It's very difficult to do. The best thing to do would be just to redirect the common folders where they normally save files (Documents, Desktop, Favorites, etc.).

The path to the policies you may want to look at is: User Configuration\Administrative Templates\Windows Components\Windows Explorer

In that location, two policy-settings are available:

Hide these specified drives in My Computer: When you enable this setting, the effect will only be that the selected drives will not be visible in Windows Explorer, My Computer and the standard Open dialog boxes.

Prevent access to these drives from My Computer: If you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.

Keep in mind that they can still use other methods to access the drives (Command Prompt, etc), so you will want to limit access to, for example, the Command Prompt. Also, if they install an alternate file browser, they will again be able to see those drives. So, to prevent that, you'll want to prevent the installation or use of unauthorized software.

You definitely do not want to do this without doing thorough testing.

Hopefully these articles will help:

https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/
http://support.microsoft.com/kb/231289

I'm afraid there's a simple answer to this: you can't. Loopback processing does the opposite: it applies computer policy settings to users.

You are wrong. Loopback applies user settings in a GPO to a computer which has the GPO linked to it.

Upon further review, you're exactly right. I guess that shows how often I actually deal with loopback processing.
Loopback processing is a pain, and there is very little reason to use loopback unless users log into multiple systems in multiple ways. You can use it for anything that you want, but it rarely makes sense if you are just trying to apply a policy.

For example, suppose you wanted to make sure that a person could not use client redirected drives to a RemoteApp server when they were not in the office, but while in the office they were using Microsoft Word as a RemoteApp and redirecting file extension associations. This requires client drive redirection, and you could use loopback processing.

Create one Group Policy for RemoteApp and Desktop Connection settings, including enforcing client drive redirection, and drop it in the user OU. Create a second Group Policy in the server OU with loopback Replace mode (I think) to disable client drive redirection. Put a WMI filter in the loopback GPO that looks something like the one below, and substitute the network addresses to match the VPN pool that is provided to a computer that connects to the VPN.

It would only kick in when the WMI filter was true and disable the client drive redirection.

Select * FROM Win32_IP4RouteTable
WHERE (Mask='255.255.255.255'
AND (Destination Like '191.168.55.%' OR Destination Like '191.168.56.%'))
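A check to go with the WMI filter above, added here as an example and not posted by anyone in the thread: Group Policy applies a WMI-filtered GPO only when the query returns at least one instance on the client doing the processing, so the query should be run on a VPN-connected test client before the filter is trusted. The 191.168.55.% and 191.168.56.% prefixes are carried over from the post as placeholders for the real VPN pool; the function names are my own.

```powershell
# Added example (not from the thread): evaluate the route-table WQL locally so the
# GPO WMI filter can be verified on a client before relying on it.
# The prefixes below are the placeholders from the post; substitute your VPN pool.
$VpnRoutePrefixes = @('191.168.55.%', '191.168.56.%')

# Build the same WQL the filter uses: a /32 host route whose destination sits in the pool.
function Get-VpnRouteFilterQuery {
    param([string[]]$Prefixes)
    $clauses = ($Prefixes | ForEach-Object { "Destination LIKE '$_'" }) -join ' OR '
    return "SELECT * FROM Win32_IP4RouteTable WHERE (Mask='255.255.255.255' AND ($clauses))"
}

# Group Policy treats a WMI filter as true when the query returns one or more rows.
function Test-GpoWmiFilter {
    param(
        [string]$Query,
        [string]$Namespace = 'root\cimv2'   # the namespace a GPMC WMI filter defaults to
    )
    $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    [pscustomobject]@{
        Matches = ($rows.Count -gt 0)
        Routes  = $rows | Select-Object Destination, Mask, NextHop, InterfaceIndex, Metric1
    }
}

$query  = Get-VpnRouteFilterQuery -Prefixes $VpnRoutePrefixes
$result = Test-GpoWmiFilter -Query $query

"Query: $query"
"Filter would evaluate to: $($result.Matches)"
$result.Routes | Format-Table -AutoSize

# Cross-check on the client after a refresh: gpresult lists GPOs rejected by a filter
# under "The following GPOs were not applied because they were filtered out" with the
# reason "WMI Filter" (run from the user's session):
#   gpresult /r /scope:user
```

Run it once connected to the VPN (expect Matches = True and the pool address listed) and once off the VPN (expect False). If it is False in both cases, the VPN client is not installing a /32 host route for the assigned address and the Mask condition needs adjusting before the GPO will ever apply.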
I would do the following.

Create a child OU in the OU that contains the computer you want to restrict. Call that OU "Restricted". Move the computer in question to the new OU. Create one Group Policy with the restrictions that you want and turn on loopback processing in that policy. Link the new policy to the new OU.

If you intend to do this to all of your computers, follow the steps above for one of them to test.
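The procedure above scripted end to end, as an added example that was not posted by anyone in the thread. It combines the loopback setting and the two Windows Explorer drive policies described in Madison Perkins' answer with the child-OU layout described here. Everything named is an assumption to replace: domain corp.example, parent OU "Workstations", GPO "Restricted-Workstations", test computer PC01, test user CORP\testuser, drives C and D. It needs the RSAT ActiveDirectory and GroupPolicy modules and rights to create OUs and GPOs.

```powershell
# Added example (not from the thread): child OU, move one test computer, one GPO with
# loopback Replace plus the Explorer drive restrictions, link it, refresh and check.
# All names below are placeholders for your own environment.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ParentOu     = 'OU=Workstations,DC=corp,DC=example'
$ChildOuName  = 'Restricted'
$GpoName      = 'Restricted-Workstations'
$TestComputer = 'PC01'
$TestUser     = 'CORP\testuser'
$Drives       = @('C', 'D')

# NoDrives / NoViewOnDrive are bitmasks over drive letters: A = bit 0, B = bit 1, C = bit 2, ...
function Get-DriveMask {
    param([string[]]$Letters)
    $mask = 0
    foreach ($letter in $Letters) {
        $offset = [int][char]$letter.ToUpper() - [int][char]'A'
        $mask = $mask -bor (1 -shl $offset)
    }
    return $mask
}

# 1. Child OU under the OU that holds the computer(s) to restrict.
$childOu  = "OU=$ChildOuName,$ParentOu"
$existing = Get-ADOrganizationalUnit -SearchBase $ParentOu -SearchScope OneLevel -Filter "Name -eq '$ChildOuName'"
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ChildOuName -Path $ParentOu -ProtectedFromAccidentalDeletion $true
}

# 2. Move only the test computer. Users stay put; with loopback on, the computer's OU
#    decides which user settings apply.
$computer = Get-ADComputer -Identity $TestComputer
if ($computer.DistinguishedName -notlike "*,$childOu") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $childOu
}

# 3. One GPO carrying both halves.
$gpo = Get-GPO -All | Where-Object DisplayName -eq $GpoName
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback Replace plus Explorer drive restrictions'
}

# Computer Configuration > Policies > Administrative Templates > System > Group Policy >
# "Configure user Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer:
# "Hide these specified drives in My Computer" (NoDrives) and
# "Prevent access to drives from My Computer" (NoViewOnDrive). Loopback delivers them to
# whoever logs on to a computer in the child OU.
$mask        = Get-DriveMask -Letters $Drives
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName 'NoDrives'      -Type DWord -Value $mask | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName 'NoViewOnDrive' -Type DWord -Value $mask | Out-Null

# 4. Link to the child OU only, so nothing outside the test scope picks it up.
$linked = (Get-GPInheritance -Target $childOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $childOu -LinkEnabled Yes | Out-Null
}

# 5. The computer has to process policy from its new OU before loopback kicks in
#    (a reboot is the reliable way), then the test user logs on and an RSoP report
#    for that user/computer pair shows what actually applied.
Invoke-GPUpdate -Computer $TestComputer -Force
Get-GPResultantSetOfPolicy -Computer $TestComputer -User $TestUser -ReportType Html `
    -Path (Join-Path $env:TEMP "rsop-$TestComputer.html")
```

Get-GPResultantSetOfPolicy reads logged RSoP data, so the test user must have signed in to PC01 after the refresh for the user half of the report to be populated. Check the report for the GPO under "Applied GPOs" in the User section, and remember the caveat from the earlier answer: these two Explorer settings only cover Explorer and the common dialogs, not cmd.exe or an alternate file browser.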
I feel like Madison Perkins deserves at least some credit here.