Loopback Policy Processing
-
Friday, January 08, 2010 11:17 PM
Hello!
I have been reading up on Group Policy loopback processing. I understand what it does, but I have yet to find anything that clearly states whether this setting on one GPO affects all the GPOs with lower precedence below it. Most articles mention GPOs, which leads me to believe it does not affect only the GPO on which it is used.
Here is one such article:
http://support.microsoft.com/kb/231287
All Replies
-
Friday, January 08, 2010 11:43 PM
Just read the first section of that KB article again, in summary:
- In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
- Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.
Ok, so let's explain it with an example. Let's say you have a training lab and you really want all users in the organization that come in for training to have an identical desktop environment. However, your users are coming in from all sorts of departments, such as sales, marketing, HR, etc. More than likely, there are different GPOs linked to the OUs where their user objects reside. Therefore, without loopback processing, these users will log into the training computers and of course all of their user settings will be different from each other. What a nightmare for a teacher/trainer.
If you apply a GPO to an OU that contains the training computers and enable loopback processing, the Computer settings configured in that specific GPO will override whatever settings the users are bringing in from their GPOs (user settings). You have two options with loopback, Merge or Replace.
Visit my blog: anITKB.com, an IT Knowledge Base.
- Marked As Answer by Arkiados Sunday, January 10, 2010 4:46 PM
- Edited by Jorge Mederos, Microsoft Community Contributor, Wednesday, March 03, 2010 4:08 AM
-
Saturday, January 09, 2010 12:10 AM
What's confusing is that it says:
---
"Merge Mode
In this mode, when the user logs on, the user's list of GPOs is typically gathered by using the GetGPOList function. The GetGPOList function is then called again by using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is added to the user's list."
---
The italicized and underlined statement above would lead me to believe that it affects all GPOs with a lower precedence than the one with loopback processing enabled.
http://msdn.microsoft.com/en-us/library/aa373520%28VS.85%29.aspx
-
Saturday, January 09, 2010 8:29 AM
Howdie!
Arkiados wrote:
> The italicized and underlined statement about would lead me to believe
> that it affects all GPOs with a lower precedence than the one with
> Loopback processing enabled.
It is the _whole_ list of GPOs. Not only those that have lower
precedence or are linked lower in the AD tree.
Loopback makes the machine switch its mode and apply all "User
Configuration" settings that are linked to it.
Cheers,
Florian
Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
- Marked As Answer by Arkiados Sunday, January 10, 2010 4:45 PM
-
Saturday, January 09, 2010 3:43 PM
Florian,
Thanks for the response. Could I get a few people to concur with Florian?
-
Sunday, January 10, 2010 10:48 AM
remember that precedence of policies for users and computers is typically evaluated separately (except for loopback processing) as a user and computer may be, and likely are, in separate OU structures. though there may be overlap, there is also a fair chance that the policy set for each object diverges somewhere. that subtle point is likely why the statement above sounds kinda confusing. here's the typical scenario:
1. computer starts up and applies the computer portion of the policies that apply to the computer object through the layers of the OU structure where the computer resides. let's say for the sake of this convo that there are 4 of them in reverse order of precedence:
   4. local_user_pwd_policy
   3. efs
   2. restricted_groups
   1. fdcc
2. user comes and logs on and applies the user portion of policies that apply to the user object through the layers of the OU structure where the user resides. let's say for the sake of this convo that there are 2 of them in reverse order of precedence:
   2. env_variables
   1. desktop
RESULT: Computer portion of policies linked to the computer object's parents (or site) are applied; User portion of policies linked to the user object's parents (or site) are applied.
what the actual resulting policy settings will be depends on the user that logs on. as jorge says, a user from hr may have a different set of policy settings than your marketing or sales team.
here's loopback policy with merge mode enabled on the same user and computer - you'll see that it confirms what florian says about it taking precedence over the whole list of GPOs:
1. computer starts up and applies the computer portion of the policies that apply to the computer object through the layers of the OU structure where the computer resides. let's say for the sake of this convo that there are 4 of them in reverse order of precedence:
   4. local_user_pwd_policy
   3. efs (pretend we added the loopback setting here)
   2. restricted_groups
   1. fdcc
2. user comes and logs on and applies the user portion of policies that apply to the user object through the layers of the OU structure where the user resides. let's say for the sake of this convo that there are 2 in reverse order of precedence:
   6. env_variables
   5. desktop
   AND any settings in the user portion of the same policies as applied to the computer object, in the same order of precedence:
   4. local_user_pwd_policy
   3. efs
   2. restricted_groups
   1. fdcc
RESULT: Computer portion of policies linked to the computer object's parents (or site) are applied; User portion of policies linked to the user object's parents (or site) are applied, and they are overwritten by any conflicting policy settings in the user portion of policies linked to the computer object's parents (or site).
finally, here's loopback policy with replace mode enabled on the same user and computer:
1. computer starts up and applies the computer portion of the policies that apply to the computer object through the layers of the OU structure where the computer resides. let's say for the sake of this convo that there are 4 of them in reverse order of precedence:
   4. local_user_pwd_policy
   3. efs (pretend we added the loopback setting here)
   2. restricted_groups
   1. fdcc
2. user logs on and applies the user portion of policies that apply to the computer object, in the same order of precedence as above:
   4. local_user_pwd_policy
   3. efs
   2. restricted_groups
   1. fdcc
RESULT: Computer portion of policies linked to the computer object's parents (or site) are applied; User portion of policies linked to the computer object's parents (or site) are applied. The user object's policies are discarded altogether.
i know that can be a lot to take in. msft not only cautions against loopback policy processing because it can be a performance hit but also because using it correctly really requires a solid understanding of policy structure, policy evaluation, and policy application. for this reason it tends to cause more problems than it solves.
well, that was a mouthful and it's late so i am sure that i transposed something in there. ;-)
hth
/rich
http://cbfive.com
- Marked As Answer by Arkiados Sunday, January 10, 2010 4:45 PM
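The list-building behaviour that the MSDN quote (GetGPOList appending the computer's list to the user's list) and Rich's three walkthroughs describe can be modelled in a few lines. The following Python is an added illustration for this thread, not code from Microsoft or from any of the posters: the GPO names and every setting value are constructed to mirror Rich's example, the loopback switch is represented as a plain "loopback" key in the Computer Configuration of the efs GPO, and real client details (enforced links, block inheritance, security and WMI filtering) are deliberately left out.

```python
"""Model of which GPOs' User Configuration halves apply at logon, with
and without loopback processing. Constructed illustration only."""
from enum import Enum


class Loopback(Enum):
    NONE = "none"
    MERGE = "merge"
    REPLACE = "replace"


def gpo(name, computer=None, user=None):
    """A GPO with its Computer Configuration and User Configuration halves."""
    return {"name": name, "computer": dict(computer or {}), "user": dict(user or {})}


# Constructed GPOs mirroring Rich's example. Lists are stored lowest precedence
# first, so applying them in order and letting later entries overwrite earlier
# ones reproduces his "reverse order of precedence" numbering.
USER_GPOS = [  # linked above the user object's OU
    gpo("env_variables", user={"temp_dir": r"C:\Temp"}),
    gpo("desktop", user={"wallpaper": "hr.jpg", "screensaver_timeout": 900}),
]


def computer_gpos(loopback):
    """GPOs linked above the computer object's OU. The loopback switch sits in
    the Computer Configuration of 'efs', as in Rich's walkthrough (constructed
    key name; the real setting is the Computer Configuration policy the KB names)."""
    return [
        gpo("local_user_pwd_policy", computer={"min_pwd_len": 14}),
        gpo("efs", computer={"efs_enabled": True, "loopback": loopback.value}),
        gpo("restricted_groups", computer={"local_admins": ["TRAIN\\lab-admins"]}),
        gpo("fdcc", computer={"firewall": "on"},
            user={"wallpaper": "training.jpg", "control_panel": "hidden"}),
    ]


def resolve(gpos, side):
    """Apply one half ('computer' or 'user') of each GPO in list order; the
    last writer wins, i.e. the highest-precedence GPO."""
    effective = {}
    for g in gpos:
        effective.update(g[side])
    return effective


def user_gpo_list(user_gpos, comp_gpos, mode):
    """Order in which User Configuration halves are processed, lowest
    precedence first, following the GetGPOList description quoted above."""
    if mode is Loopback.NONE:
        return list(user_gpos)                 # the user's own list only
    if mode is Loopback.REPLACE:
        return list(comp_gpos)                 # the user's list is discarded altogether
    return list(user_gpos) + list(comp_gpos)   # merge: computer list appended, so it wins


def effective_user_settings(user_gpos, comp_gpos):
    """Resolve the computer side first (that is where the loopback switch is
    read from), then build and resolve the user list.
    Returns (mode, ordered GPO names, effective user settings)."""
    machine = resolve(comp_gpos, "computer")
    mode = Loopback(machine.get("loopback", "none"))
    order = user_gpo_list(user_gpos, comp_gpos, mode)
    return mode, [g["name"] for g in order], resolve(order, "user")


def numbered(names):
    """Rich-style numbering: highest precedence is 1, listed bottom-up."""
    return [(len(names) - i, n) for i, n in enumerate(names)]


if __name__ == "__main__":
    for lb in Loopback:
        mode, order, eff = effective_user_settings(USER_GPOS, computer_gpos(lb))
        print(f"loopback={mode.value}")
        for num, name in numbered(order):
            print(f"  {num}. {name}")
        print(f"  effective user settings: {eff}")
```

Running it shows the three outcomes from the thread side by side: without loopback the HR wallpaper from the user's own "desktop" GPO wins; in merge mode the user's settings survive but the "training.jpg" wallpaper from the user portion of "fdcc" (a GPO linked to the computer's OU) overwrites the conflicting one; in replace mode the user's own GPOs never enter the list, so "temp_dir" from "env_variables" is simply gone. Note also that the switch is read once from the resolved Computer Configuration and flips the mode for the whole list, which is Florian's point.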
-
Sunday, January 10, 2010 4:45 PM
Rich,
That makes sense. I appreciate the time that you spent on answering it.
-
Monday, January 11, 2010 4:38 PM
np. that gets asked every so often by my customers so at some point i should make the effort to blog about it. :-)
http://cbfive.com

