Loopback GPOs tattooed to roaming profile

  • Question

  • Dear all

    There was once a Microsoft KB about an issue with loopback mode in combination with roaming profiles. The KB said it's possible that loopback GPOs are wrongfully applied to computers where loopback is disabled.

    The problem was: If a user with a roaming profile logs off from a terminal server where loopback mode = merge, the loopback GPOs are not removed from the roaming profile and are therefore applied to his personal computer. This happens especially when the user does not use "Logoff" but "Disconnect".

    Normally I was able to solve this by deleting the profile cache on his personal computer, logging the user in to the terminal server and logging off correctly.

    Now this does not work: As long as the loopback processing is activated on the terminal server, I have the loopback GPOs on every computer using the same roaming profile. I cannot find the mentioned KB and therefore I am wondering if something changed in that department.

    Anyone know anything about this?

    Wednesday, July 8, 2020 9:56 AM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    1. How do we configure user roaming profile?
    Set user roaming profile on AD user Properties or through domain GPO (Computer Configuration\Policies\Administrative Templates\System\User Profiles\Set roaming profile path for all users logging onto this computer)?

    2. How do we configure loopback mode (merge) for terminal server (domain group policy in AD or local group policy on terminal server)?

    Computer Configuration > Policies > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode

    3. How do we see "the loopback-GPOs are not removed from the roaming profile"?


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 9, 2020 3:27 AM
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!
    Best Regards,
    Daisy Zhou


    Monday, July 13, 2020 1:31 AM
  • Dear Daisy

    Thank you for your reply and please excuse my late answer.

    1. Roaming profile is configured directly in AD in user properties.

    2. Loopback is configured in merge mode. There is a special OU where I placed all terminal servers, and the loopback GPO as well as the TS-specific user GPOs are linked to this OU.

    3. I have several user GPOs that are only applied using loopback to this terminal server - example: Hide drive C:. These user GPOs are wrongfully applied to the local workstation of the user.

    I did create a picture to better understand this problem but I cannot post the picture here because I am not verified.

    EDIT: I can insert the picture with my secondary account - see the picture in the next post.

    Wednesday, July 15, 2020 1:08 PM
  • Wednesday, July 15, 2020 1:09 PM
  • Hello,
    I am sorry for the late reply.

    1. How do you see "The GPO "GPO_TS2016_User_T" gets applied when a user logs in to a computer in OU "Win10\Clients""?

    2. Would you please tell us if we also link "GPO_TS2016_User_T" to other OUs or domain except OU "Servers-TS 2016" under OU "Site1"?

    3. We can check all the user group policy settings that a user applied.
    Log on to one computer in "Win10\Clients" with a domain user account with roaming profile configured in OU "Users".
    Open CMD (do not need to run as Administrator) and type gpresult /h C:\temp\report.html and click Enter.
    Open report.html to check the group policy settings under "User Details".



    Best Regards,
    Daisy Zhou


    Wednesday, July 22, 2020 6:42 AM
  • Dear Daisy

    Thank you for your reply. Please find my answers below:

    1. "GPO_TS2016_User_T" has some very restrictive and specific GPOs, like "Hide Drive C". These are wrongfully applied to the computers in "Win10\Clients" whereas drive C: is hidden for example.

    2. No. "GPO_TS2016_User_T" is only applied to this OU.

    3. I am aware of this and it correctly states that "GPO_TS2016_User_T" is not applied but the settings are still there.

    If I recall correctly, loopback GPOs work as follows:
    When a user logs on to the terminal server, his roaming profile gets loaded from the server and the loopback GPOs take place and get merged with the user GPOs. After he logs off from the server, the loopback settings get stripped from his roaming profile before the profile gets uploaded to the server again. I think the problem is that the settings don't get stripped correctly from the profile and that's why I see the settings on normal computers as well.

    Wednesday, July 22, 2020 8:50 AM
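
The comparison described in the two posts above (the gpresult report says the GPO is not applied, yet its settings are present) can be checked on the workstation with a script like the following. This is an added example, not part of the original thread; it assumes that "Hide drive C:" is the Explorer policy stored as the NoDrives value, and that the gpresult XML report lists GPO names as Name elements under UserResults/GPO.

```powershell
# Added example (not from the thread). Run as the affected user on the workstation.
# 1) Export the user-scope RSoP and list the GPOs it mentions.
$report = Join-Path $env:TEMP 'rsop-user.xml'
gpresult /scope user /x $report /f | Out-Null
# Assumption: GPO names are <Name> children of <GPO> under <UserResults>.
$xpath = "//*[local-name()='UserResults']/*[local-name()='GPO']/*[local-name()='Name']"
$gpos = Select-Xml -Path $report -XPath $xpath |
    ForEach-Object { $_.Node.InnerText } | Sort-Object -Unique

# 2) Dump every value under the per-user policy keys of the loaded profile.
$roots = 'HKCU:\Software\Policies',
         'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$values = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $key.GetValue($name) }
        }
    }
}

# 3) Decode the NoDrives bitmask (bit 0 = A:, bit 2 = C:, ...).
function Convert-NoDrivesMask([int]$Mask) {
    0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { [char]([int][char]'A' + $_) }
}
$hidden = $values | Where-Object { $_.Value -eq 'NoDrives' } | Select-Object -First 1

Write-Output 'GPOs listed in the user RSoP:'
Write-Output $gpos
Write-Output 'Values present under the HKCU policy keys:'
$values | Format-Table -AutoSize
if ($hidden) {
    Write-Output "NoDrives=$($hidden.Data) hides: $((Convert-NoDrivesMask $hidden.Data) -join ', ')"
}
```

A value that shows up in step 2 while no GPO listed in step 1 configures it is stored in the profile's user registry hive itself, which is the part of a roaming profile that travels between machines.
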
  • Hi,

    So it is not GPO applied incorrectly, is that right?

    We can try to disconnect this mapped drive after on all the computers that the user logged on.

    Then check if it helps.

    This "Group Policy" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details. 


    Best Regards,
    Daisy Zhou

    Friday, July 24, 2020 6:02 AM
  • Hi
    How are things going on your end? Please keep me posted on this issue. 
    If you have any further questions or concerns about this question, please let us know.
    I appreciate your time and efforts.

    Best Regards,
    Daisy Zhou

    Monday, July 27, 2020 7:29 AM
  • Dear Daisy

    I don't think you understand my problem:
    There are a couple (~100) settings in this terminal server specific GPO that is wrongfully applied to the user if he logs on his local workstation.

    It is not feasible to change all these settings every time the user logs in - furthermore, a lot of these settings would need registry tweaking to be removed.

    The issue is in the server operating system and how it handles roaming profiles with loopback GPOs. It's not a user error.

    Best regards,
    Steve

    Monday, July 27, 2020 7:41 AM