none
question on using loopback processing

    Question

  • When you click on the "user group policy loop back processing mode"  it says the following:   It is intended for special-use computers, such as those in public places, laboratories and classrooms.  

    Question 1 is why?  Does it drastically slow down machines at login?  

    Question 2:  We have 10 machines in our environment that we can't reboot.  Not without fair warning.   We also have 6 user accounts that are generic.    When anyone of these users is logged into a system we also can't reboot.   Sometimes these special users may even be logged into one of our 10 machines that can't reboot.

    So I created a new GPO.    

    Computer Settings:    Turn on Loopback processing

    User Settings:  Create a new Scheduled Task.   Then invoke Item-Level-Targeting and Exclude the 10 computers and 6 users from above.

    It all seems to work in a small test environment.   So Question 1 becomes a big deal.    Or, if this forum has a better solution I'd love to learn it.

    Thank you.  


    mqh7

    Wednesday, January 11, 2017 9:13 PM

All replies

  • Hi,
    In my experience, loopback may not cause the slow login problem, but the Item Level Targeting might do, costly ILT evaluations include all of the ILT types that must work over the network against AD to be evaluated: OU, LDAP Query, Domain, Site and Computer Security Group filters. Please see:
    Group Policy and Logon Impact
    https://blogs.technet.microsoft.com/grouppolicy/2013/05/23/group-policy-and-logon-impact/
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, January 12, 2017 7:01 AM
    Moderator
  • When you click on the "user group policy loop back processing mode"  it says the following:   It is intended for special-use computers, such as those in public places, laboratories and classrooms.  

    Question 1 is why?  Does it drastically slow down machines at login?  

    The note/warning/information, is trying to warn against the use of loopback-processing, unless you properly understand the purpose and function of loopback-processing.

    Loopback-processing causes significant logic-change in GP processing, and can easily lead to incorrect settings (or wrong settings, or insufficient/zero settings) being the applied outcome. This can lead to complex troubleshooting, if it's incorrectly used.

    Incidentally, there is an additional burden, because loopback-processing, if enabled in merge-mode, causes GPO to be processed twice, which can extend the GP processing time significantly if your GP ecosystem is overloaded or you have slow-links and poor-placement of DC's or site-links.

    We use loopback-replace quite a lot in our environment, which is very well connected via fast WANs and also our GP ecosystem is not overloaded (we only have about 8 GPOs on workstations) so our GP processing is not a big problem for us.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, January 12, 2017 7:40 AM
  • > Question 1 is why?  Does it drastically slow down machines at login?
     
    I fully agree with Don's answer - Loopback changes logic in a way you need to fully understand, and merge mode can double user gpo processing time.
     
    If you are familiar with both, it is perfectly ok to use loopback.
     
    On the other hand - with GPP there's no need for loopback anymore, because GPP executes in system context anyway. So you could use only ILT without loopback to exclude these users/machines.
     
    Some reading :-) The second post is about leveraging the possibilities of GPP and ILT in favor of loopback.
     
     
     
    Friday, January 13, 2017 9:59 AM