Loopback Replace applies but not Merge

    Question

  • I have a GPO that has loopback processing mode set to enabled with mode as "Merge".  The user portion of this policy is not applying to users. It even shows up as denied.  When I change the setting to "Replace" it works as expected and gets applied.

    Under the Merge mode, the processing should follow:

    1.  Computer starts and gets the computer node policy settings (via S-D-OU)

    2.  User logs in and gets their appropriate settings based upon the policies applied to the OU where the user is contained.

    3.  The computer then processes the user portion of the loopback GPO.

    Replace simply skips step 2.

    What are some possible causes of this scenario?

    Wednesday, April 19, 2017 4:50 PM

All replies

  • Hi,
    Loopback processing is a computer configuration setting, the computer account must have READ and APPLY permissions to the GPO that contains the loopback configuration setting.
    If you configure user settings and computer settings in the same GPO, then the user and computer accounts will both need READ and APPLY permissions to the GPO.
    If the user settings are in a separate GPO from the loopback configuration setting and any other computer settings, then the GPO containing the user settings requires the following permissions when you configure loopback merge mode:  
    User account: READ and APPLY permission
    Computer account: Minimum of READ permission
    Therefore, please check if the computer account is delegated proper permission in the GPO which is set up with user policy settings.
    You could see more details from: 
    Back to the Loopback: Troubleshooting Group Policy loopback processing, Part 2
    https://blogs.technet.microsoft.com/askds/2013/05/21/back-to-the-loopback-troubleshooting-group-policy-loopback-processing-part-2/
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, April 20, 2017 3:19 AM
    Moderator
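    The permission rules in the reply above can be checked from the GroupPolicy RSAT module. This is an added example written for this thread, not code from any of the posters or from Microsoft; it assumes two GPOs named 'Kiosk GPO' (carries the loopback setting plus user settings) and 'Employees GPO' (the user-OU policy), names taken from the discussion, and it needs read access to both GPOs.

```powershell
# Added example, not from the original thread: report delegation on the loopback GPO and
# on the user-settings GPO, then flag the two conditions the reply above describes.
# GPO names are assumptions taken from the thread; adjust them for your domain.
Import-Module GroupPolicy

$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID for Authenticated Users

function Get-GpoTrusteeRights {
    param([Parameter(Mandatory)][string]$GpoName)
    # One entry per trustee; Permission is the highest level held (GpoRead, GpoApply,
    # GpoEdit, GpoEditDeleteModifySecurity). Anything above None implies Read.
    Get-GPPermission -Name $GpoName -All | ForEach-Object {
        [pscustomobject]@{
            GPO        = $GpoName
            Trustee    = $_.Trustee.Name
            Sid        = $_.Trustee.Sid.Value
            Type       = $_.TrusteeType
            Permission = $_.Permission
            CanApply   = $_.Permission -in 'GpoApply','GpoEdit','GpoEditDeleteModifySecurity'
        }
    }
}

function Test-LoopbackDelegation {
    param([string]$LoopbackGpo, [string]$UserSettingsGpo)
    $lb = Get-GpoTrusteeRights -GpoName $LoopbackGpo
    $us = Get-GpoTrusteeRights -GpoName $UserSettingsGpo
    $findings = @()

    # The loopback GPO also carries user settings, so the user (or a group containing the
    # user) needs Read and Apply on it; Read-only Authenticated Users is the symptom here.
    $authOnLoopback = $lb | Where-Object { $_.Sid -eq $AuthenticatedUsersSid }
    if (-not $authOnLoopback -or -not $authOnLoopback.CanApply) {
        $applyHolders = ($lb | Where-Object { $_.CanApply } | ForEach-Object { $_.Trustee }) -join ', '
        $findings += "$LoopbackGpo: Authenticated Users lack Apply; user settings reach only trustees with Apply: $applyHolders"
    }

    # In merge mode the computer processes the user-OU GPOs, so the computer account needs
    # at least Read on them (Authenticated Users or Domain Computers, RID 515, is typical).
    if (-not ($us | Where-Object { $_.Sid -eq $AuthenticatedUsersSid -or $_.Sid -like '*-515' })) {
        $findings += "$UserSettingsGpo: neither Authenticated Users nor Domain Computers has Read; computers cannot process it in merge mode"
    }

    [pscustomobject]@{ Delegation = @($lb) + @($us); Findings = $findings }
}

$result = Test-LoopbackDelegation -LoopbackGpo 'Kiosk GPO' -UserSettingsGpo 'Employees GPO'
$result.Delegation | Format-Table GPO, Trustee, Permission, CanApply -AutoSize
$result.Findings
```

    An empty Findings list means both conditions from the reply hold; a non-empty list names the GPO and the trustee whose delegation to review.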
  • Let me first make a distinction on GPOs.  The one with the loopback is tied to an OU, for the sake of argument, called Kiosk.  The computer is granted Read and Apply policies based upon a group defined in the Security Filter on the Kiosk GPO.  Authenticated Users have Read permission on this GPO.

    The User's normal GPO is linked to an OU called 'Employees' and the user accounts which come to the Kiosk machine all come from there.  This GPO, call it Employee's GPO, is working without issue while the user logs onto non-Kiosk machines.

    Please let me re-iterate, there is no problem with the Kiosk GPO when the mode is set to replace.  It is only when the mode is set to merge that the user portion from Employee's GPO does not get applied. 

    Thursday, April 20, 2017 11:51 AM
  • > I have a GPO that has loopback processing mode set to enabled with mode as "Merge".  The user portion of this policy is not applying to users..it even shows up as denied.
     
    There was a minor but significant change in Merge mode starting with Vista. The computer needs read access. And since MS16-072, the computer needs read access to _all_ user GPOs. Double check the delegation tab of your GPO :-)
     
    Thursday, April 20, 2017 1:49 PM
  • Authenticated users have read permissions on the KIOSK GPO. I believe that should cover the issues recorded in MS16-072.

    Let me make a correction to an earlier comment.  When the employee logs in, it is the user portion of the KIOSK GPO that is denied when the mode is set to 'merge'.  All is good when the mode is set to 'replace'.  Since it is the computer that processes the user portion of the Kiosk GPO in both instances, why does it execute the user portion under 'replace' but not under 'merge'?

    Thursday, April 20, 2017 2:12 PM
  • Hi,
    Have you checked if the Authenticated users have permission on both 'Employees' GPO and KIOSK GPO?
    Best regards, 
    Wendy


    Friday, April 21, 2017 4:12 AM
    Moderator
  • > Under the Merge mode, the processing should follow:
    > 1.  Computer starts and gets the computer node policy settings (via S-D-OU)
    > 2.  User logs in and gets their appropriate settings based upon the policies applied to the OU where the user is contained.
    > 3.  The computer then processes the user portion of the loopback GPO.
    > Replace simply skips step 2.
     
    Now I get the picture :-)
     
    Double check the GPOs applied in all scenarios and you will know what's going on. Loopback Merge applies all user GPOs that are linked to the user OU _and_ to the computer OU. Loopback replace only applies user GPOs that are linked to the computer OU.
     
    Friday, April 21, 2017 10:04 AM
  • Yes, Authenticated users have read and apply on the Employees GPO and read on the KIOSK GPO.
    Friday, April 21, 2017 12:02 PM
  • Hi,
    Please have a try to add apply permission for authenticated users on the KIOSK GPO, and then see if it works.
    Best regards, 
    Wendy


    Monday, April 24, 2017 1:27 AM
    Moderator