Group Policy Objects (GPO) is a set of rules for Users and Computers, thus the policies for computers will be applied to computers and the policies for users will be applied to users. This article applies to Windows Server scenarios.

Let’s assume that you have two organizational units in your domain:

  • OU-TSSERVERS
  • OU-SUPPORT

In OU-TSSERVERS units, there are computer accounts, and in the OU-SUPPORT units there are users accounts.

In OU-TSSERVER, you created and configured a new GPO. So, there are policies for:

  • Computer Configuration
  • User Configuration

In OU-SUPPORT, you created and configured a new GPO. So, there are policies for:

  • Computer Configuration
  • User Configuration

When a user belonging to OU-SUPPORT logs on a server that belongs to the OU-TSSERVER, what happens?

Applies:

  • Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.
  • User Configuration -> The configuration created in GPO linked to OU-SUPPORT.

This is the default setting.

Now we are finally going to learn about User Group Policy Loopback Processing Mode.

When configuring the policy Loopback Processing Mode, you can choose two different options, Replace and Merge.


Replace Mode

When you define the "User Group Loopback processing Mode", to "Replace" on the GPO linked to the OU-TSSERVER.

Applies:

  • Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.
  • User Configuration -> The configuration created in GPO linked to OU-TSSERVER. (This is the difference in Replace Mode.)

 

Merge Mode

When you define the "User Group Loopback processing Mode", to "Merge" on the GPO linked to the OU-TSSERVER.

Applies:

  • Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.
  • User Configuration -> The configuration created in GPO linked to OU-TSSERVER.

And

  • User Configuration -> The configuration created in GPO linked to OU-SUPPORT. (This is the difference in Merge Mode.)

NOTE: In case of conflict, the users policies from OU-TSSERVERS have precedence. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict.


Why is this configuration important to me?

Use this configuration if you have users in your domain whose folders are redirected through policy, but you don’t want that redirect to occur when users log on through Terminal Services.

You need to enable this policy setting using the Replace mode on GPO linked to OU, where the Terminal Server's computer accounts are (without folder redirection enabled). When users log on to Terminal Servers, the policy folder redirection is not applied.


To enable “Loopback processing Mode”

Using Group Policy Management Console, edit the GPO you desire, expand Computer Configuration\Policies\Administrative Templates\System\Group Policy,
and then double-click User Group Policy Loopback Processing Mode.

Then select the appropriate option (Replace or Merge).





This article was originally written by:

Daniel Donda
Leader UGSS Mcsesolution (GITCA)
MCLC Microsoft Certified Learning Consultant
MCITP Enterprise, MCP, MCSA, MCSE, MCT, MCSE Messaging / Security
Colaborador do www.mcpbrasil.com 

--------
Donda's site:
http://www.mcsesolution.com  
Twitter: http://twitter.com/danieldonda


See Also