Windows Server: Understand “User Group Policy Loopback Processing Mode”

Windows Server: Understand “User Group Policy Loopback Processing Mode”

Group Policy Objects (GPO) is a set of rules for Users and Computers, thus the policies for computers will be applied to computers and the policies for users will be applied to users. This article applies to Windows Server scenarios.

Let’s assume that you have two organizational units in your domain:

  • OU-TSSERVERS
  • OU-SUPPORT

In OU-TSSERVERS units, there are computer accounts, and in the OU-SUPPORT units there are users accounts.

In OU-TSSERVER, you created and configured a new GPO. So, there are policies for:

  • Computer Configuration
  • User Configuration

In OU-SUPPORT, you created and configured a new GPO. So, there are policies for:

  • Computer Configuration
  • User Configuration

When a user belonging to OU-SUPPORT logs on a server that belongs to the OU-TSSERVER, what happens?

Applies:

  • Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.
  • User Configuration -> The configuration created in GPO linked to OU-SUPPORT.

This is the default setting.

Now we are finally going to learn about User Group Policy Loopback Processing Mode.

When configuring the policy Loopback Processing Mode, you can choose two different options, Replace and Merge.


Replace Mode

When you define the "User Group Loopback processing Mode", to "Replace" on the GPO linked to the OU-TSSERVER.

Applies:

  • Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.
  • User Configuration -> The configuration created in GPO linked to OU-TSSERVER. (This is the difference in Replace Mode.)

 

Merge Mode

When you define the "User Group Loopback processing Mode", to "Merge" on the GPO linked to the OU-TSSERVER.

Applies:

  • Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.
  • User Configuration -> The configuration created in GPO linked to OU-TSSERVER.

And

  • User Configuration -> The configuration created in GPO linked to OU-SUPPORT. (This is the difference in Merge Mode.)

NOTE: In case of conflict, the users policies from OU-TSSERVERS have precedence. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict.


Why is this configuration important to me?

Use this configuration if you have users in your domain whose folders are redirected through policy, but you don’t want that redirect to occur when users log on through Terminal Services.

You need to enable this policy setting using the Replace mode on GPO linked to OU, where the Terminal Server's computer accounts are (without folder redirection enabled). When users log on to Terminal Servers, the policy folder redirection is not applied.


To enable “Loopback processing Mode”

Using Group Policy Management Console, edit the GPO you desire, expand Computer Configuration\Policies\Administrative Templates\System\Group Policy,
and then double-click User Group Policy Loopback Processing Mode.

Then select the appropriate option (Replace or Merge).





This article was originally written by:

Daniel Donda
Leader UGSS Mcsesolution (GITCA)
MCLC Microsoft Certified Learning Consultant
MCITP Enterprise, MCP, MCSA, MCSE, MCT, MCSE Messaging / Security
Colaborador do www.mcpbrasil.com 

--------
Donda's site:
http://www.mcsesolution.com  
Twitter: http://twitter.com/danieldonda


See Also

 

Sort by: Published Date | Most Recent | Most Useful
Comments
  • Nice and simple Artical Thanks Daniel

  • What I have found is that in Windows XP and 2000, the user context is used to read the users settings from the loopback GPO linked at the computer OU so it's sufficient to only include user security filtering. However, it seems that things have chnaged in Windows 7/2008 R2. It appears the machine context is used to read the GPO even for the user settings so it's neccessary to include the computers and users you wish the PO to apply to in the security filtering.

  • I understood this setting now. Thanks Daniel.

  • "In case of conflict, the users policies from OU-TSSERVERS have precedence. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict"

    Sorry? Who takes precendence then? In my view, computer configuration is applied first when computer SID authenticates in AD. The user part is applied only when the user logs into that computer and authenticates with the AD, isn't it?

  • Same problem here. I don't like "My Documents" on local TS folders so I have a folder redirection in place on the TS farm thanks to a loopback group policy. Anyway I would like that user with an already folder redirection in place on their PC (through GP), be correctly redirected to their folder also when they logon to the TS. This doesn't work because I'm using different root folders for TS users and PC users and on the TS always apply the TS policy.

  • You're absolutely correct shocko

  • Here is an alternative explanation which is, in my opinion, is easier to understand:

    kudratsapaev.blogspot.co.uk/.../loopback-processing-of-group-policy.html

  • Great explanation of Loop Back Group Processing Mode, short and easy to understand , thank you!

Page 1 of 1 (8 items)