Microsoft's official enterprise support blog for AD DS and more
Hello again! Kim Nichols here again. For this post, I'm taking a break from the AD LDS discussions (hold your applause until the end) and going back to a topic near and dear to my heart - Group Policy loopback processing.
Loopback processing is not a new concept to Group Policy, but it still causes confusion for even the most experienced Group Policy administrators.
This post is the first part of a two part blog series on User Group Policy Loopback processing.
Hopefully these posts will refresh your memory and provide some tips for troubleshooting Group Policy processing when loopback is involved.
Before we dig in too deeply, let's quickly cover normal Group Policy processing. Thinking back to when we first learned about Group Policy processing, we learned that Group Policyapplies in the following order:
You may have heard Active Directory “old timers” refer to this as LSDOU. As a result of LSDOU, settings from GPOs linked closest (lower in OU structure) to the user take precedence over those linked farther from the user (higher in OU structure). GPO configuration options such as Block Inheritance and Enforced (previously called No Override for you old school admins) can modify processing as well, but we will keep things simple for the purposes of this example. Normal user group policy processing applies user settings from GPOs linked to the Site, Domain, and OU containing the user object regardless of the location of the computer object in Active Directory.
Let's use a picture to clarify this. For this example, the user is the "E" OU and the computer is in the "G" OU of the contoso.com domain.
Following normal group policy processing rules (assuming all policies apply to Authenticated Users with no WMI filters or "Block Inheritance" or "Enforced" policies), user settings of Group Policy objects apply in the following order:
That’s pretty straightforward, right? Now, let’s move on to loopback processing!
Group Policy loopback is a computer configuration setting that enables different Group Policy user settings to apply based upon the computer from which logon occurs.
Breaking this down a little more:
Administrators use loopback processing in kiosk, lab, and Terminal Server environments to provide a consistent user experience across all computers regardless of the GPOs linked to user's OU.
Our recommendation for loopback is similar to our recommendations for WMI filters, Block Inheritance and policy Enforcement; use them sparingly. All of these configuration options modify the default processing of policy and thus make your environment more complex to troubleshoot and maintain. As I've mentioned in other posts, whenever possible, keep your designs as simple as possible. You will save yourself countless nights/weekends/holidays in the office because will you be able to identify configuration issues more quickly and easily.
The loopback setting is located under Computer Configuration/Administrative Templates/System/Group Policy in the Group Policy Management Editor (GPME).
Use the policy setting Configure user Group Policy loopback processing mode to configure loopback in Windows 8 and Windows Server 2012. Earlier versions of Windows have the same policy setting under the name User Group Policy loopback processing mode. The screenshot below is from the Windows 8 version of the GPME.
When you enable loopback processing, you also have to select the desired mode. There are two modes for loopback processing: Merge or Replace.
Prior to the start of user policy processing, the Group Policy engine checks to see if loopback is enabled and, if so, in which mode.
We'll start off with an explanation of Merge mode since it builds on our existing knowledge of user policy processing.
During loopback processing in merge mode, user GPOs process first (exactly as they do during normal policy processing), but with an additional step. Following normal user policy processing the Group Policy engine applies user settings from GPOs linked to the computer's OU. The result-- the user receives all user settings from GPOs applied to the user and all user settings from GPOs applied to the computer. The user settings from the computer’s GPOs win any conflicts since they apply last.
To illustrate loopback merge processing and conflict resolution, let’s use a simple chart. The chart shows us the “winning” configuration in each of three scenarios:
Now, going back to our original example, loopback processing in Merge mode applies user settings from GPOs linked to the user’s OU followed by user settings from GPOs linked to the computer’s OU.
GPOs for the user in OU ”E” apply in the following order (the first part is identical to normal user policy processing from our original example):
Loopback replace is much easier. During loopback processing in replace mode, the user settings applied to the computer “replace” those applied to the user. In actuality, the Group Policy service skips the GPOs linked to the user’s OU. Group Policy effectively processes as if user object was in the OU of the computer rather than its current OU.
The chart for loopback processing in replace mode shows that settings “1” and “2” do not apply since all user settings linked to the user’s OU are skipped when loopback is configured in replace mode.
Returning to our example of the user in the “E” OU, loopback processing in replace mode skips normal user policy processing and only applies user settings from GPOs linked to the computer.
The resulting processing order is:
Those are the basics of user group policy loopback processing. In my next post, I'll cover the troubleshooting process when loopback is enabled.
Kim “Why does it say paper jam, when there is no paper jam!?” Nichols
Glad to have this as a post to refer people to as I still see a lot of people not understanding this, especially the part about loopback processing affecting all GPOs and not just the one it is enabled in.
One thing that I think is worth clarifying (as it tripped me up when I first started working with loopback processing) is that when the computer processes user based GPOs due to loopback processing being enabled it does it in the logged on user's security context and not the computer's security context (i.e. Local System) as would normally be the case with computer policies. So you can still use security filtering and ACLs on the GPO to limit which users get a specific GPO applied even when that GPO is being applied via the computer using loopback processing.
@gallwapa - Loopback replace doesn't have any effect on the processing of the client side extensions. All loopback is doing is changing the list of GPOs that are applied to the user at logon (based on the location in AD of the computer rather than the user). Once the list is obtained, processing continues normally. The only exception to this is when you are working with cross-forest group policy processing. When cross-forest policy processing is enabled, by default processing reverts to loopback replace mode. This means that user policies that are applied will come from the any GPOs in the path of the computer in the computer's domain (not the users). Things become more complicated at this point because while the GP Engine understands how to query across forests, not all client side extensions do. One extension that we are aware of that has issues with querying across forests is GPP drive maps. So in a cross-forest scenario, some CSEs may not process properly or completely.
Thanks for the refresher. One thing I was hoping you can confirm for me is that if you have multiple policies containing user configuration settings linked to the same computer OU, only one policy linked to that OU needs to have the loopback setting configured. In that case, all user settings from all policies linked to that OU will apply to the logged on user.
Kim, thanks for the heads-up about Cross-forest GP processing.
Just in time to avert major disruptions @ work.
We're currently in a migration process, running a new forest with users still in the old forest. Unfortunately the admins in the old forest have a tendency to implement unannounced untested user GPO's which we then have to work around again or even negate.
Can you (and all Microsoft bloggers) never EVER use jpeg format for screenshots. The images are bad and blurry and the files are bigger. Only use PNG for screenshots (and anything other than photos), please.
Thank you for that feedback. I'll use .PNGs for our upcoming blog post this week.
+1 to gotsch-it question. Can you clarify security filter processing behavior with loopback mode enable? An article (support.microsoft.com/.../EN-US) is pretty confusing.
FYI - Part 2 is on the way, but I wanted to let you know that the infamous Vista loopback KB has been updated and is hopefully a little less terrible that it once was :-P