Circle Back to Loopback

Circle Back to Loopback

  • Comments 24
  • Likes

Hello again!  Kim Nichols here again.  For this post, I'm taking a break from the AD LDS discussions (hold your applause until the end) and going back to a topic near and dear to my heart - Group Policy loopback processing.

Loopback processing is not a new concept to Group Policy, but it still causes confusion for even the most experienced Group Policy administrators.

This post is the first part of a two part blog series on User Group Policy Loopback processing.

  • Part 1 provides a general Group Policy refresher and introduces Loopback processing
  • Part 2 covers Troubleshooting Group Policy loopback processing

Hopefully these posts will refresh your memory and provide some tips for troubleshooting Group Policy processing when loopback is involved.

Part 1: Group Policy and Loopback processing refresher

Normal Group Policy Processing

Before we dig in too deeply, let's quickly cover normal Group Policy processing.  Thinking back to when we first learned about Group Policy processing, we learned that Group Policy
applies in the following order: 

  1. Local Group Policy
  2. Site
  3. Domain
  4. OU

You may have heard Active Directory “old timers” refer to this as LSDOU.  As a result of LSDOU, settings from GPOs linked closest (lower in OU structure) to the user take precedence over those linked farther from the user (higher in OU structure). GPO configuration options such as Block Inheritance and Enforced (previously called No Override for you old school admins) can modify processing as well, but we will keep things simple for the purposes of this example.  Normal user group policy processing applies user settings from GPOs linked to the Site, Domain, and OU containing the user object regardless of the location of the computer object in Active Directory.

Let's use a picture to clarify this.  For this example, the user is the "E" OU and the computer is in the "G" OU of the contoso.com domain.

Following normal group policy processing rules (assuming all policies apply to Authenticated Users with no WMI filters or "Block Inheritance" or "Enforced" policies), user settings of Group Policy objects apply in the following order:

  1. Local Computer Group Policy
  2. Group Policies linked to the Site
  3. Group Policies linked to the Domain (contoso.com)
  4. Group Policies linked to OU "A"
  5. Group Policies linked to OU "B"
  6. Group Policies linked to OU "E"

That’s pretty straightforward, right?  Now, let’s move on to loopback processing!

What is loopback processing?

Group Policy loopback is a computer configuration setting that enables different Group Policy user settings to apply based upon the computer from which logon occurs. 

Breaking this down a little more:

  1. It is a computer configuration setting. (Remember this for later)
  2. When enabled, user settings from GPOs applied to the computer apply to the logged on user.
  3. Loopback processing changes the list of applicable GPOs and the order in which they apply to a user. 

Why would I use loopback processing?

Administrators use loopback processing in kiosk, lab, and Terminal Server environments to provide a consistent user experience across all computers regardless of the GPOs linked to user's OU. 

Our recommendation for loopback is similar to our recommendations for WMI filters, Block Inheritance and policy Enforcement; use them sparingly.  All of these configuration options modify the default processing of policy and thus make your environment more complex to troubleshoot and maintain. As I've mentioned in other posts, whenever possible, keep your designs as simple as possible. You will save yourself countless nights/weekends/holidays in the office because will you be able to identify configuration issues more quickly and easily.

How to configure loopback processing

The loopback setting is located under Computer Configuration/Administrative Templates/System/Group Policy in the Group Policy Management Editor (GPME). 

Use the policy setting Configure user Group Policy loopback processing mode to configure loopback in Windows 8 and Windows Server 2012Earlier versions of Windows have the same policy setting under the name User Group Policy loopback processing mode.  The screenshot below is from the Windows 8 version of the GPME.

When you enable loopback processing, you also have to select the desired mode.  There are two modes for loopback processing:  Merge or Replace.

Loopback Merge vs. Replace

Prior to the start of user policy processing, the Group Policy engine checks to see if loopback is enabled and, if so, in which mode.

We'll start off with an explanation of Merge mode since it builds on our existing knowledge of user policy processing.

Loopback Merge

During loopback processing in merge mode, user GPOs process first (exactly as they do during normal policy processing), but with an additional step.  Following normal user policy processing the Group Policy engine applies user settings from GPOs linked to the computer's OU.  The result-- the user receives all user settings from GPOs applied to the user and all user settings from GPOs applied to the computer. The user settings from the computer’s GPOs win any conflicts since they apply last.

To illustrate loopback merge processing and conflict resolution, let’s use a simple chart.  The chart shows us the “winning” configuration in each of three scenarios:

  • The same user policy setting is configured in GPOs linked to the user and the computer
  • The user policy setting is only configured in a GPO linked to the user’s OU
  • The user policy setting is only configured in a GPO linked to the computer’s OU

Now, going back to our original example, loopback processing in Merge mode applies user settings from GPOs linked to the user’s OU followed by user settings from GPOs linked to the computer’s OU.

GPOs for the user in OU ”E” apply in the following order (the first part is identical to normal user policy processing from our original example):

  1. Local Group Policy
  2. Group Policy objects linked to the Site
  3. Group Policy objects linked to the Domain
  4. Group Policy objects linked to OU "A"
  5. Group Policy objects linked to OU "B"
  6. Group Policy objects linked to OU "E"
  7. Group Policy objects linked to the Site
  8. Group Policy objects linked to the Domain
  9. Group Policy objects linked to OU "A"
  10. Group Policy objects linked to OU "C"
  11. Group Policy objects linked to OU "G"

Loopback Replace

Loopback replace is much easier. During loopback processing in replace mode, the user settings applied to the computer “replace” those applied to the user.  In actuality, the Group Policy service skips the GPOs linked to the user’s OU. Group Policy effectively processes as if user object was in the OU of the computer rather than its current OU. 

The chart for loopback processing in replace mode shows that settings “1” and “2” do not apply since all user settings linked to the user’s OU are skipped when loopback is configured in replace mode.

Returning to our example of the user in the “E” OU, loopback processing in replace mode skips normal user policy processing and only applies user settings from GPOs linked to the computer.

The resulting processing order is: 

  1. Local Group Policy
  2. Group Policy objects linked to the Site
  3. Group Policy objects linked to the Domain
  4. Group Policy objects linked to OU "A"
  5. Group Policy objects linked to OU "C"
  6. Group Policy objects linked to OU "G"

Recap

  1. User Group Policy loopback processing is a computer configuration setting.
    • Loopback processing is not specific to the GPO in which it is configured. If we think back to what an Administrative Template policy is, we know it is just configuring a registry value.  In the case of the loopback policy processing setting, once this registry setting is configured, the order and scope of user group policy processing for all users logging on to the computer is modified per the mode chosen: Merge or Replace.
  2. Merge mode applies GPOs linked to the user object first, followed by GPOs with user settings linked to the computer object. 
    • The order of processing determines the precedence. GPOs with users settings linked to the computer object apply last and therefore have a higher precedence than those linked to the user object.
    • Use merge mode in scenarios where you need users to receive the settings they normally receive, but you want to customize or make changes to those settings when they logon to specific computers.
  3. Replace mode completely skips Group Policy objects linked in the path of the user and only applies user settings in GPOs linked in the path of the computer.  Use replace mode when you need to disregard all GPOs that are linked in the path of the user object.

Those are the basics of user group policy loopback processing. In my next post, I'll cover the troubleshooting process when loopback is enabled.

Kim “Why does it say paper jam, when there is no paper jam!?” Nichols

 

  • Glad to have this as a post to refer people to as I still see a lot of people not understanding this, especially the part about loopback processing affecting all GPOs and not just the one it is enabled in.

    One thing that I think is worth clarifying (as it tripped me up when I first started working with loopback processing) is that when the computer processes user based GPOs due to loopback processing being enabled it does it in the logged on user's security context and not the computer's security context (i.e. Local System) as would normally be the case with computer policies. So you can still use security filtering and ACLs on the GPO to limit which users get a specific GPO applied even when that GPO is being applied via the computer using loopback processing.

  • @gallwapa - Loopback replace doesn't have any effect on the processing of the client side extensions.  All loopback is doing is changing the list of GPOs that are applied to the user at logon (based on the location in AD of the computer rather than the user).  Once the list is obtained, processing continues normally.  The only exception to this is when you are working with cross-forest group policy processing. When cross-forest policy processing is enabled, by default processing reverts to loopback replace mode.  This means that user policies that are applied will come from the any GPOs in the path of the computer in the computer's domain (not the users).  Things become more complicated at this point because while the GP Engine understands how to query across forests, not all client side extensions do.  One extension that we are aware of that has issues with querying across forests is GPP drive maps.  So in a cross-forest scenario, some CSEs may not process properly or completely.

  • Thanks for the refresher.  One thing I was hoping you can confirm for me is that if you have multiple policies containing user configuration settings linked to the same computer OU, only one policy linked to that OU needs to have the loopback setting configured.  In that case, all user settings from all policies linked to that OU will apply to the logged on user.

    Doug

  • Kim, thanks for the heads-up about Cross-forest GP processing.

    Just in time to avert major disruptions @ work.

    We're currently in a migration process, running a new forest with users still in the old forest. Unfortunately the admins in the old forest have a tendency to implement unannounced untested user GPO's which we then have to work around again or even negate.

  • PLEEEEEEEEEEEEEEEEEEEEEEEESE!

    Can you (and all Microsoft bloggers) never EVER use jpeg format for screenshots. The images are bad and blurry and the files are bigger. Only use PNG for screenshots (and anything other than photos), please.

  • @Fduch

    Thank you for that feedback. I'll use .PNGs for our upcoming blog post this week.

    --Jonathan

  • +1 to gotsch-it question. Can you clarify security filter processing behavior with loopback mode enable? An article (support.microsoft.com/.../EN-US) is pretty confusing.

  • FYI - Part 2 is on the way, but I wanted to let you know that the infamous Vista loopback KB has been updated and is hopefully a little less terrible that it once was :-P

    support.microsoft.com/.../en-us