Sunday, 26 July 2009

Loopback processing of Group Policy, explained.

Hi guys,

Today I want to write a few words about Loopback processing of Group Policy. When you deal with this setting for the first time it may be a little bit confusing. You can find explanations of this policy setting on the internet, but in my case I will try to explain everything in simple words.

As we know group policy has two main configurations, user and computer. Accordingly, the computer policy is applied to the computer despite of the logged user and the user configuration is applied to the user despite of the computer he is logged on.
For example we have a Domain, this Domain has two different organizational units (OU) Green and Red, Green OU contains a Computer account and Red OU contains User account. The Green policy, which has settings “Computer Configuration 2” and “User Configuration 2” is applied to the OU with the computer account. The Red policy, which has settings “Computer Configuration 1” and “User Configuration 1”, is applied to the OU with the User account. If you have a look at the picture below it will become clearer.




















If Loopback processing of Group Policy is not enabled and our User logs on to our Computer, the following is true:


















As we can see from the picture, the User gets Computer Configuration 2 and User Configuration 1. This is absolutely standard situation, where policies are applied according to the belonging to the OU. User belongs to the Red OU, he gets the Red User configuration 1 accordingly.

Now let’s enable the Loopback processing of Group Policy for the Green OU. In this case if the User logs on to the Computer, the policies applied in the following way:


















As we can see, now the User is getting User Configuration 2 despite of the fact that he belongs to the Red OU. So, what has happened in this scenario, the User Configuration 1 was replaced with the User Configuration 2, i.e. with the configuration applied to the Computer account.

As you have probably noticed, the picture above says “Loopback in replace mode”. I have to mention that the Loopback processing of Group Policy has two different modes, Replace and Merge. It is obvious that Replace mode replaces User Configuration with the one applied to the Computer, whereas Merge mode merges two User Configurations.





















In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege. For example in our scenario, in case of the conflict the User Configuration 2 would be enforced.

In the real work environment Loopback processing of Group Policy is usually used on Terminal Servers. For example you have users with enabled folder redirection settings, but you do not want these folder redirection to work when the users log on to the Terminal Server, in this case we enable Loopback processing of Group Policy in the Policy linked to the Terminal Server’s Computer account and do not enable the folder redirection settings. In this case, once the User logged on to the Terminal Server his folder redirection policy will not be applied.

To enable Loopback Processing navigate to: Computer Configuration/Administrative Templates/System/Group Policy/Configure user Group Policy loopback processing mode

If you liked the post, please feel free to click on a few Ads on this page ;-)

Thank you!

Kudrat

168 comments:

  1. First time i am understanding this! You've a great teacher!...Thanks alot.

    ReplyDelete
  2. Perfect -- i now fully understand.. thank you very much

    ReplyDelete
  3. I have an issue where I have users on a domain but also have a terminal server Icon on the desktop. I want lock down polices on the terminal server session but not on the local machines. Is loopback the answerer here?

    ReplyDelete
  4. Hi,
    Mostly Loopback Processing is used for the Terminal Services Servers, in order to set policies User Configuration policies different from the normal environment. In your situation it really depends on what exactly you want to achieve. If by "lock down polices" you mean set different folder redirections or anything else related to the user configuration, then the answer is YES, loopback processing is what you need. But if you want to do something else, then, as I said, it really depends on the task.

    If you will have more questions about Terminal Services, please feel free to post your question here:

    http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads

    Me and other IT professionals will be happy to help.

    ReplyDelete
  5. Thanks very much, really appreciate your help

    ReplyDelete
  6. Excellent example.. at last I get it.. many thanks

    ReplyDelete
  7. Amazing explanation.......

    ReplyDelete
  8. Hi Kudrat

    Once again thank you for the simple way you have explained this.

    I am puzzled by 'if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege.'

    I have a loopback 'merge' policy on the terminal server OU, where 'Hide Internet Explorer icon on desktop' is Not configured. I also have a policy on the users OU with 'Hide Internet Explorer icon on desktop' set to enabled.

    BUT when I log on as a user from that OU, Internet explorer icon is not hidden!

    Any ideas?

    Simon

    ReplyDelete
  9. Hi Simon,

    Thanks for your comment.
    Could you please try to set "Hide Internet Explorer icon on desktop" setting in the Terminal Services GPO to Disabled and see if it will resolve the problem.

    If you will have questions, could you please post them to this forum:


    http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads
    Thanks,

    Kudrat

    ReplyDelete
  10. Is there any way to get 'Computer Configuration 1' to apply to the Green OU?

    I have a Computer Policy that I do not want to apply to a specific group of users.

    ReplyDelete
  11. Hi,

    Computer configuration is applied to the computers. Any user logged to that computer will be subject to that policy. Maybe in your case there is different possible solution. Can you post your configuration and task to this forum?

    http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads

    There we can try to help you with the solution.

    Thanks,

    ReplyDelete
  12. This is by far the best example I've read so far. Right now I'm preparing for my 70-294 and this topic has been haunting me. I keep getting it wrong my practice exams!

    But hopefully not anymore!

    ReplyDelete
  13. Thank you!
    And good luck with your 70-294

    ReplyDelete
  14. From Brazil.

    Excelent tutorial ! Thanks !

    ReplyDelete
  15. that is very helpful thank you

    ReplyDelete
  16. I am glad it has helped.
    Thank you.

    ReplyDelete
  17. At last. I have a AD exam coming up and GP Loopback processing was really making my head hurt - I couldn't get the concept sorted out. Your explanation clicked after one read.

    Thanks a lot - top work.

    ReplyDelete
  18. Thanks very much, and good luck with your exam!

    ReplyDelete
  19. Hi, I have question, In the above given example you explained that how loop back processing works, But I want to know the name of GPO where we should enable loop back setting. Or we can create a separate GPO on computer OU and enable Loop Back setting. and if yes then will this GPO filter out all the user settings inherited from the parent GPOs?

    ReplyDelete
  20. Hi Neeraj,

    About the place to enable the policy take a look at this article: http://support.microsoft.com/kb/231287

    I would not recommend to set Loopback Processing on the default Computers OU. If you need to enable this policy for some computers, it would be a good idea to separate them in a different OU, it does not have to be under Computers OU.

    Also keep in mind that Computers OU contains computer objects and if the GPO linked to the Computers OU has any User settings they will not take effect on the logged in user unless you have Loopback Processing enabled.

    If you will have more questions about the Group Policy, please feel free to ask them in this forum: http://social.technet.microsoft.com/Forums/en/winserverGP/threads

    ReplyDelete
  21. hey man... perfect! can i translate this post and put in my blog, giving the credits for you?

    perg@tech4it.com.br
    http://blog.tech4it.com.br

    JMB

    ReplyDelete
  22. Hi,

    Yes sure, if it helps other people I am always happy to help.

    Thanks,

    ReplyDelete
  23. I read many articles and never understood it clearly until i read this article. Thnks alot!
    Bastiaan

    ReplyDelete
  24. brilliantly explained

    ReplyDelete
  25. Great and very helpful Explanation!

    ReplyDelete
  26. dall'Italia... Grazie davvero! Esempio chiarissimo! Thanks! Michele CMV

    ReplyDelete
  27. Hi Kudrat,
    I am facing a situation where I need to disable the shutdown option for a group of people. Unfortunately I am dealing with 70 plus servers and some of these users have local admin access on the servers.
    How would I tackle this issue?? Any help is much appreciated.

    ReplyDelete
  28. Hi,

    Thanks for your question. It is a bit inconvenient to discuss it here, so if you could publish your question on this forum would be good:

    http://social.technet.microsoft.com/Forums/hu-
    HU/winserverTS/threads

    Thanks,

    ReplyDelete
  29. How nicely explained. Even a layman can understand this. Thankyou

    ReplyDelete
  30. hi, that's a clear explanation. Thanks a lot.

    ReplyDelete
  31. Thanks Kundrat to take the time to explain this without taking anything in return.

    TaD

    ReplyDelete
  32. Nice.
    Thank you.

    ReplyDelete
  33. Hi Kudrat

    This is very good explanation and easy to understand. Thanks....

    ReplyDelete
  34. If only knowledge base articles were this clear and to the point. Excellent Job Kudrat!

    The only thing you should add is where to find the loopback processing option, and the fact that it is enabled individually per GPO.

    It's found in EACH GPO under: Computer Configuration, Policies, Administrative Templates, System, Group Policy,"User Group Policy loopback processing mode"


    Bravo!

    ReplyDelete
  35. Very good explanation! Made everything clear for me! thanks!

    ReplyDelete
  36. this is the first time i have ever understood this!! thank you!! you have saved my brain :)

    ReplyDelete
  37. Thanks a lot!!!! First time I understood........

    ReplyDelete
  38. A very good explanation...Kudos !!

    ReplyDelete
  39. Even 3 years after your original post... You continue help someone to understand the loopback processing. Thank you for your help.

    ReplyDelete
  40. Wow.. Loved to read these red and green codes. After 3-4 years I got clear concept.

    ReplyDelete
  41. Thank you for making this clear :)

    ReplyDelete
  42. Nicely explained.. Great

    ReplyDelete
  43. nice one dude!! i was totolly confused with this one.!! thanks.. :))

    ReplyDelete
  44. This is like someone has just switched the light on! I knew Loopback Processing existed (and I still think the title of it sucks!) but I couldn't quite grasp what it was all about.

    Now I really think I get it! It's a Eureka moment!! And it will help achieve what I may need it to (depending on a business decision that needs to be made).

    Thank you, Kudrat.

    JJ

    ReplyDelete
  45. Thanks a lot, greate explanation.

    ReplyDelete
  46. one of the best documents I read in a long time. Thank you

    ReplyDelete
  47. I truly thank you for this article!!! You've helped us setup TS policies in our environment as everywhere else on the net, it was very confusing.

    ReplyDelete
  48. Thank you Kudrat, you are GEM!!

    ReplyDelete
  49. Atlast I understood it now. Thanks a lot brother. This page should appear first when we google "Loop Back Policy"

    Thomas C

    ReplyDelete
  50. Great Explanation

    ReplyDelete
  51. Firt time its clear to me...really excellent explanation!

    ReplyDelete
  52. Thanks a lot.
    It helps me a lot in understanding, very good!!

    ReplyDelete
  53. For years I have tried to grasp the complex explanations of this from AD manuals and online forums. They never made sense. This one is simple and perfectly explained. Thanks!

    ReplyDelete
  54. I really appreciate your help. The article helped me to understand what it is for and how it work.
    Thank you very much for that.

    ReplyDelete
  55. Thanks a lot for this explanation. All this loopback business now makes sense :)
    Keep up the good work!

    ReplyDelete
  56. great, very easy to understand

    ReplyDelete
  57. Trank you very much. Best explanation i was googling for.
    You should be a teacher bro!

    ReplyDelete
  58. Well done I like ur style of explanation...

    ReplyDelete
  59. Awsome explanation... Thanks for writing!

    ReplyDelete
  60. First time I am understanding this. Thanks

    ReplyDelete
  61. thanks ....... the first time i fully understand it ...need more for other feature ...waiting you

    ReplyDelete
  62. Great Article, well written and easy to understand what potentially is a very confusing setting.

    ReplyDelete
  63. Great and thanks for such clear explanation...

    ReplyDelete
  64. and there's the light bulb.

    ReplyDelete
  65. simply put and understandable.

    Thanks.

    ReplyDelete
  66. Great job, clear and precise.

    TY

    ReplyDelete
  67. Great explanation.

    ReplyDelete
  68. Thank you buddy, you are gonna help he get through this exam.

    ReplyDelete
  69. Great Example with description...

    ReplyDelete
  70. Good Job. Nice Explanation

    ReplyDelete
  71. I want to add my name to this long list. Thank you very much! I have struggle with this for about a month and a half.

    ReplyDelete
  72. Thanks guys,

    I am glad that four years after publishing this article is still helping people.

    ReplyDelete
  73. Very good way to explain. crystal clear .

    ReplyDelete
  74. I wish Microsoft could explain things so simply !

    ReplyDelete
  75. Superb Teaching keep it up....

    ReplyDelete
  76. I was working for several years with GPOs, but never fully understand Loopback...until reading your Article, thanks a lot!

    ReplyDelete
  77. Perfect article if you add how you turn it on as stated in a previous comment.

    Keep up the good work ;-), you have helped a lot by clarifying this subject.

    ReplyDelete
  78. Thanks again. Microsoft should hire you to write their articles!

    ReplyDelete
  79. I could not fully understand what the loopback processing is , despite of being MCITP certified . After reading your post the loopback processing idea is absolutely clear to me . thanks a lot ! You definitely have talent of explaining things ..............

    ReplyDelete
  80. Very nice. Nicely done. Easily understood.

    ReplyDelete
  81. Excellent Job. Very easy to understand.

    ReplyDelete
  82. You are the one who should be a teacher. Thats the best explanation.

    Thanks you

    ReplyDelete
  83. Pretty! This has been an incredibly wonderful article.
    Many thanks for providing this information.

    Feel free to visit my blog :: web page

    ReplyDelete
  84. Great Article....thanks a lot for explaining in simple terms....

    ReplyDelete
  85. Great explanation... Thank you very much!

    ReplyDelete
  86. Thnx a clear explanation!

    ReplyDelete
  87. Finally understood thanks!

    ReplyDelete
  88. Pretty! This has been an extremely wonderful article.
    Thanks for providing this info.

    My homepage :: pop over to these guys

    ReplyDelete
  89. Many thanks Kudrat. Fantastic explanation.

    ReplyDelete
  90. Thanks Kudrat, this really helped me to understand! I have one more question: I want to apply a user-policy to specific computers, but I don't want to put this computers in a separate OU. I prefer doing it by group membership. I don't get this work... Has anyone a suggestion?

    ReplyDelete
  91. Hi, You could try filtering the GPO: http://kudratsapaev.blogspot.co.uk/2010/02/filterin-group-policy-from-applying.html
    You can filter using Computer Objects as well.

    ReplyDelete
  92. Finally a very clear explanation....

    ReplyDelete
  93. best explanation on loopback processing

    ReplyDelete
  94. That's awesome. Thanks Kudrat

    ReplyDelete
  95. Kudrat, this is very helpful! Thanks for taking the time out to make this easy to understand.

    ReplyDelete
  96. Struggled with this before. This post save me from unnecessary troubleshooting

    ReplyDelete
  97. Really excellent article......understood completely before coming to the last point......Thanks Pro

    ReplyDelete
  98. WOW...what an explanation.....keep up the good work for others.

    ReplyDelete
  99. Fantastic explanation! Thanks a million!

    ReplyDelete
  100. very good explanation. simple and to the point!~

    ReplyDelete
  101. good ...!! I clicked on ads too .......!

    ReplyDelete
  102. Thank You Very Much Dude.................

    Arunabha

    ReplyDelete
  103. Thanks. you really explained that well.

    ReplyDelete
  104. First time i am understanding it.. Thanks Sir!

    ReplyDelete
  105. Excellent.. right in the bullseye...

    ReplyDelete
  106. Excellent. I have never ever read this concept so easily despite having read the same concept from other source so many times at the time of need. I THINK NOW THIS IS THE LAST TIME I GOOGLE FOR LOOPBACK PROCESSING. :-)
    Thanks

    ReplyDelete
  107. very gud buddy, very easy to understand, well explained, laymans' explanation, keep posting such articles , cheers

    ReplyDelete
  108. Six years later, still a gem. Thanks for the refresher.

    ReplyDelete
  109. Awesome! I have been struggling with this very same situation for two weeks now. This is EXACTLY what I was looking for and this article explained it very simply
    Thanks a million!
    by the way, I did click on the ads in this page :)

    ReplyDelete
  110. Oh my Gosh! This has been causing me many a sleepless night! PERFECT............ thanks for bringing this up!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    ReplyDelete
  111. Its really useful for me.... Eagerly waiting for your next Tech articles......... :)
    Thanks man....!!!

    ReplyDelete
  112. Good Article....Very clear with Diagrams to help understand

    ReplyDelete
  113. thank you for the excellent explanation - i didnt understand the explanation in the microsoft course manual but i had no problem understanding your explanation.

    ReplyDelete
  114. Nice one man. Great job !!!

    ReplyDelete
  115. Thank you! that was much easier to understand. compared to other explanations...

    ReplyDelete
  116. This is excellent, Kudrat! And I tried to click on what I believe is every ad :)

    ReplyDelete
  117. Best example ever! Thank you.

    Fil.

    ReplyDelete
  118. Well explained.. Thansk

    ReplyDelete
  119. First time, a common bug clears my mind.Millions of Thanks for this article. you have to put on web from time to time as the time changes. It's a best example forever.

    ReplyDelete
  120. Awesome... Very easy to understand. :)

    ReplyDelete
  121. You are awesome.. that's all i can say.so neatly explained.
    thanks a lot.

    ReplyDelete
  122. This is brilliant. Thanks a lot!
    Ash

    ReplyDelete
  123. You are just awwweeeesome..!!!

    ReplyDelete
  124. Thanks mate, awesome explanation, much appreciated

    ReplyDelete
  125. In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege. For example in our scenario, in case of the conflict the User Configuration 2 would be enforced.

    Can you pls elaborate it, (how user configuration 2 is a computer's policy)

    ReplyDelete
    Replies
    1. Hi, I can see how this could be confusing. So let me elaborate :-) What I meant is, if there is a conflict, the User Settings in the Computer's policy (i.e. the Green policy linked to the OU which contains the Computer account) will take precedence. I hope this makes it clearer.

      Delete
  126. HEllo
    Thank you for your Explanation on Loopback Policy. i am getting ready for a MCSA exam and i was struggling to understand the functioning of LooPbak.
    Thank you Thank you Thank you

    Regards

    ReplyDelete
  127. This is a very simple, concise and very effective explanation of loopback processing. thank you very much. textbooks are so confusing on this topic.
    thanks again. I will click a few ads. :)

    ReplyDelete
  128. I am a newbie....and this explains the Loopback Policy the best of all I've found on Mr. Google.

    ReplyDelete
  129. Thank you for keeping this page up. This is why we all love the internet. For being able to find kind and intelligent people that help explain stuff for others.

    ReplyDelete

3