
Understand “User Group Policy Loopback Processing Mode”

A Group Policy Object (GPO) is a set of rules for users and computers: the policies for computers are applied to computers and the policies for users are applied to users. This article applies to Windows Server scenarios.

Let’s assume that you have two organizational units in your domain:

• OU-TSSERVERS
• OU-SUPPORT

OU-TSSERVERS contains computer accounts, and OU-SUPPORT contains user accounts.

In OU-TSSERVERS, you created and configured a new GPO. So, there are policies for:

• Computer Configuration
• User Configuration

In OU-SUPPORT, you created and configured a new GPO. So, there are policies for:

• Computer Configuration
• User Configuration

When a user belonging to OU-SUPPORT logs on to a server that belongs to OU-TSSERVERS, what happens?

The following applies:

• Computer Configuration -> The configuration created in the GPO linked to OU-TSSERVERS.
• User Configuration -> The configuration created in the GPO linked to OU-SUPPORT.

This is the default setting.

Now we are finally going to learn about User Group Policy Loopback Processing Mode.

When configuring the Loopback Processing Mode policy, you can choose between two options, Replace and Merge.

Replace Mode

When you set "User Group Policy Loopback Processing Mode" to "Replace" on the GPO linked to OU-TSSERVERS, the following applies:

• Computer Configuration -> The configuration created in the GPO linked to OU-TSSERVERS.
• User Configuration -> The configuration created in the GPO linked to OU-TSSERVERS. (This is the difference in Replace Mode.)

Merge Mode

When you set "User Group Policy Loopback Processing Mode" to "Merge" on the GPO linked to OU-TSSERVERS, the following applies:

• Computer Configuration -> The configuration created in the GPO linked to OU-TSSERVERS.
• User Configuration -> The configuration created in the GPO linked to OU-TSSERVERS.

And

• User Configuration -> The configuration created in the GPO linked to OU-SUPPORT. (This is the difference in Merge Mode.)

NOTE: In case of conflict, the user policies from OU-TSSERVERS take precedence. Because the computer's GPOs are processed after the user's GPOs, they win if any of the settings conflict.

Why is this configuration important to me?

Use this configuration if you have users in your domain whose folders are redirected through policy, but you don’t want that redirection to occur when users log on through Terminal Services.

Enable this policy setting in Replace mode on the GPO linked to the OU that holds the Terminal Servers' computer accounts (without folder redirection enabled). When users log on to the Terminal Servers, the folder redirection policy is not applied.

To enable “Loopback Processing Mode”

Using the Group Policy Management Console, edit the GPO you want, expand Computer Configuration\Policies\Administrative Templates\System\Group Policy, and then double-click User Group Policy Loopback Processing Mode.

Then select the appropriate option (Replace or Merge).
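
The same setting can be applied and audited from PowerShell, which is useful for finding every GPO that changes which user policies apply on a server. This is an added example, not part of the original article; it assumes the GroupPolicy module (RSAT) is installed and uses a hypothetical GPO name, `TS-Servers-Policy`. The policy is stored as the registry value `UserPolicyMode` (1 = Merge, 2 = Replace).

```powershell
# Added example. 'TS-Servers-Policy' is a hypothetical GPO name.
Import-Module GroupPolicy

# Registry value written by the loopback processing mode policy.
$Key       = 'HKLM\Software\Policies\Microsoft\Windows\System'
$ValueName = 'UserPolicyMode'
$ModeNames = @{ 1 = 'Merge'; 2 = 'Replace' }

function Set-LoopbackMode {
    # Enable loopback on a GPO that is linked to the OU holding the computer accounts.
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [ValidateSet('Merge', 'Replace')] [string] $Mode
    )
    $value = if ($Mode -eq 'Replace') { 2 } else { 1 }
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type DWord -Value $value
}

function Get-LoopbackGpo {
    # List every GPO in the current domain that turns loopback on, and where it is linked.
    foreach ($gpo in Get-GPO -All) {
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $Key -ValueName $ValueName -ErrorAction Stop
        } catch {
            continue   # this GPO does not configure loopback
        }
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            Mode     = $ModeNames[[int]$setting.Value]
            LinkedTo = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '
        }
    }
}

function Get-EffectiveLoopbackMode {
    # Run on the server itself after a policy refresh: shows what the machine received.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                          -Name $ValueName -ErrorAction SilentlyContinue
    if ($p) { $ModeNames[[int]$p.$ValueName] } else { 'Not configured' }
}

Set-LoopbackMode -GpoName 'TS-Servers-Policy' -Mode Replace
Get-LoopbackGpo | Format-Table -AutoSize
```

After `gpupdate /force` on the server, `Get-EffectiveLoopbackMode` should report the mode that was set, and `gpresult /r` for a logged-on user shows which user GPOs were actually applied.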


Today I want to write a few words about Loopback processing of Group Policy. When you deal with this
setting for the first time it may be a little bit confusing. You can find explanations of this policy setting on
the internet, but in my case I will try to explain everything in simple words.

As we know, Group Policy has two main configurations, user and computer. Accordingly, the computer policy is applied to the computer regardless of the logged-on user, and the user configuration is applied to the user regardless of the computer he is logged on to.

For example, we have a Domain, and this Domain has two different organizational units (OU), Green and Red. The Green OU contains a Computer account and the Red OU contains a User account. The Green policy, which has settings “Computer Configuration 2” and “User Configuration 2”, is applied to the OU with the Computer account. The Red policy, which has settings “Computer Configuration 1” and “User Configuration 1”, is applied to the OU with the User account. If you have a look at the picture below it will become clearer.

If Loopback processing of Group Policy is not enabled and our User logs on to our Computer, the following is true:

As we can see from the picture, the User gets Computer Configuration 2 and User Configuration 1. This is the absolutely standard situation, where policies are applied according to OU membership. The User belongs to the Red OU, so he gets the Red User Configuration 1 accordingly.

Now let’s enable Loopback processing of Group Policy for the Green OU. In this case, if the User logs on to the Computer, the policies are applied in the following way:

As we can see, the User now gets User Configuration 2 despite the fact that he belongs to the Red OU. So what has happened in this scenario is that User Configuration 1 was replaced with User Configuration 2, i.e. with the configuration applied to the Computer account.

As you have probably noticed, the picture above says “Loopback in replace mode”. I have to mention that Loopback processing of Group Policy has two different modes, Replace and Merge. Replace mode replaces the User Configuration with the one applied to the Computer, whereas Merge mode merges the two User Configurations.

In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy takes precedence. For example, in our scenario User Configuration 2 would be enforced in case of a conflict.

In a real work environment, Loopback processing of Group Policy is usually used on Terminal Servers. For example, you have users with folder redirection settings enabled, but you do not want this folder redirection to work when the users log on to the Terminal Server. In this case we enable Loopback processing of Group Policy in the policy linked to the Terminal Server’s Computer account and do not enable the folder redirection settings there. Then, once the User has logged on to the Terminal Server, his folder redirection policy will not be applied.

To enable Loopback Processing navigate to: Computer Configuration/Administrative Templates/System/Group Policy/Configure user Group Policy loopback processing mode
