none
Loopback Processing

    Question

  • Hello,

    I am currently trying to implement loopback processing on two of our computers. When I apply loopback processing through the replace method, I can see the appropriate user configurations being applied. However, when I apply loopback processing with a merge, the computer specific user configurations do not get applied at all. I need to do the loopback as a merge because there are other settings that these two machines need to get. I only need a couple policies to be different than the ones for the rest of the domain. 

    Any idea why the computer specific policy only pulls down under the replace setting?

    Thanks!

    Sean

    Friday, April 25, 2014 7:31 PM

Answers

  • > Any idea why the computer specific policy only pulls down under the
    > replace setting?
     
    If you "merge", the computer account (!) needs read access to  all user
    GPOs. That was implemented in Vista (in XP, it worked without...)
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Saturday, April 26, 2014 11:37 AM
  • Hi Sean,

    Accirding to your description, the replace mode of loopback policy worked fine, however, the merge mode didn't work. Right?

    Firstly, I would like to briefly introduce the two modes of loopback policy:

    Replace Mode  In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

    Merge Mode  In this mode, when the user logs on, the user's list of GPOs is typically gathered  by using the GetGPOList function. The GetGPOList function is then called again by using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is added to the user's list.

    Before going further, it would be helpful if you could help to collect the following information:

    1. How did you configure the settings?
    2. Where did you link the GPO to?
    3. Did this GPO has security filter configuration?

    Regards,

    Lany Zhang

    Monday, April 28, 2014 7:37 AM
    Moderator

All replies

  • > Any idea why the computer specific policy only pulls down under the
    > replace setting?
     
    If you "merge", the computer account (!) needs read access to  all user
    GPOs. That was implemented in Vista (in XP, it worked without...)
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Saturday, April 26, 2014 11:37 AM
  • Hi Sean,

    Accirding to your description, the replace mode of loopback policy worked fine, however, the merge mode didn't work. Right?

    Firstly, I would like to briefly introduce the two modes of loopback policy:

    Replace Mode  In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

    Merge Mode  In this mode, when the user logs on, the user's list of GPOs is typically gathered  by using the GetGPOList function. The GetGPOList function is then called again by using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is added to the user's list.

    Before going further, it would be helpful if you could help to collect the following information:

    1. How did you configure the settings?
    2. Where did you link the GPO to?
    3. Did this GPO has security filter configuration?

    Regards,

    Lany Zhang

    Monday, April 28, 2014 7:37 AM
    Moderator