Logo

Group Policy Loopback Processing

Loopback processing allows the administrator to apply user Group Policy settings based on where the computer accounts are located rather than basing it on the user account. This is an invaluable setting to use when deploying kiosk computers where you do not want the user settings to be applied.

<a class="wp-block-button__link"Download PDF handout
Show lesson content
Loopback Processing
Loopback processing changes the algorithm used to apply Group Policy to a computer. This allows the administrator to effectively ignore or merge the user configuration that would be normally applied to the computer.

Group Policy Normal Processing
Group Policy is divided into two halves, Computer Configuration and User Configuration. Group Policy loopback processing changes the way these two halves are applied and where the settings are obtained from.

Without Loopback Processing enabled, when the computer starts up, Computer Configuration from Group Policy is applied. This is applied based on where the computer account is located in Active Directory. User configuration is applied when a user logs in based on where the user account is located in Active Directory.

Group Policy Loopback Processing (Replace)
When Computer Configuration is applied to the computer, there is a setting in computer configuration that will enable Group Policy Loopback Processing for replace mode. When enabled, this will change how user configuration is applied. Instead of user configuration being applied based on where the user account is in Active Directory, user settings are applied based on where the computer account is located in Active Directory.

Demonstration
Loopback processing is configured via the following setting.

Computer Configuration\Polices\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

This setting can be configured for merge or replace mode. Merge mode is explained below.

Group Policy Loopback Merge
When Merge mode is enabled, Group Policy is first applied like it would be normally. That is, the computer configuration based on where the computer account is located in Active Directory and user configuration based on where the user account is located in Active Directory is applied. The difference is that an extra step is added. The extra step applies user configuration based on where the computer account is located in Active Directory. This is often used for Remote Desktop Services where you want the user to have their user settings applied, but want the option to override or add additional settings as required.

References
“MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition” pg 294 – 295
“Loopback processing of Group Policy” http://support.microsoft.com/kb/231287
“Group Policy Loopback Processing” http://timstechnoblog.blogspot.com.au/2012/01/group-policy-loopback-processing.htm

Credits

Lesson tags: 70-640-active-directory
Back to: 70-640 Introduction to Active Directory > Group Policy

Active Directory is a system which offers centralized control of your computers.

Modules

Active Directory Infrastructure

Lessons

Group Policy

Lessons