MCITP 70-640: Group Policy Loopback Processing

Welcome to the ITFreeTraining video on Group Policy Loopback Processing. Loopback processing allows the administrator to apply Group Policy based on the computer rather than the user that logs into that computer. Group Policy loopback processing is invaluable when configuring kiosks, training computers and Remote Desktop Services. Loopback processing allows you to achieve results that would normally not be possible. Group Policy loopback processing is a difficult concept to understand and often a mis-taught topic. By the end of this video I feel confident that you will understand how Group Policy loopback processing works and how to use it in your organization effectively.

Before looking at Group Policy loopback processing, it is important to understand that Group Policy is divided into two halves. If I open a Group Policy Object, you can see the two halves: computer configuration at the top and user configuration at the bottom. Loopback processing changes the way these two parts of Group Policy are applied, so it is important to understand that there are two parts to each Group Policy Object.

First of all, let us look at a typical Group Policy deployment to understand why you would need loopback processing. In this example, the computer account is located under the OU Training Lab, which is found under the Computers OU located under New York. The user account is located under the Users OU, also found under New York. When the computer starts up, the computer side of the Group Policies linked to the New York, Computers and Training Lab OUs is processed. Which computer side Group Policies are processed will depend on where the computer account is located in Active Directory. When a user logs in, the user side Group Policies are processed based on where the user account is located in Active Directory. As shown, the New York and Users OU user side Group Policies are applied.

The problem occurs when you want to deploy a computer with particular settings. For example, you want to deploy a computer as a kiosk or a training computer. In either case, it is unlikely that you want the Group Policy settings for that user applied to the computer. For example, on a training computer it is unlikely that settings configured in Group Policy like mapped drives or desktop customizations would be required. So how would you go about configuring computers like training computers using Group Policy?
To allow Group Policy to be configured in a way that will work for training and kiosk computers, Group Policy loopback processing can be used. There are two different modes that Group Policy loopback processing can be used in. The first one that I will look at is replace mode.

When the computer starts up, the computer side of Group Policy, based on where the computer account is located, is applied. Any one of these Group Policies could contain a setting which changes the processing of Group Policy from the standard way to Group Policy loopback. In this case, Group Policy loopback processing using replace mode will be applied to the Training Lab OU. This way, loopback processing will only be used with the computers in the Training Lab OU.
Once the computer side of Group Policy has been applied, the next step is to apply the user side of Group Policy. Normally this would be done based on where the user account is located in Active Directory. When loopback replace mode is configured, the user side of Group Policy is instead obtained from the location of the computer account. As you can see here, loopback processing in replace mode essentially gives you the same result as having the user and computer account in the same location in Active Directory. The advantage of this is that the user side of Group Policy for that user is ignored and the administrator is free to start again with their own user settings. This is perfect for a training environment where the trainer will often want complete control of the training environment.

Before I look at the other loopback processing mode, I will first change to my Windows 7 computer to have a look at how to configure loopback processing for replace mode. In this domain I have Group Policy configured to set the wallpaper according to the Group Policy that was applied. You can see that this computer currently has Group Policy applied from the New York Users Group Policy.

To configure Group Policy, I will open Group Policy Management and expand down to the Training Lab OU, found under the New York and Computers OUs. In the Training Lab OU is the computer account for this computer. The user account that I will use to log in is called trainer, found under the Users OU.

Configuring Group Policy loopback processing is done in the computer side of Group Policy. To do this I need to configure a Group Policy that is applied to the computer account; in this case the Group Policy I will modify is the one being applied to the Training Lab OU.
Expanding down through User Configuration to the desktop settings, notice that the setting Desktop Wallpaper has been configured. This user setting will configure the desktop wallpaper when it is applied. Since no user account exists in the Training Lab OU, without loopback processing being enabled this setting will never be applied. As soon as loopback processing is enabled, however, this setting will be applied to the computer.

This setting gets the desktop wallpaper from a file share. If I open the file server from the start menu and then open the wallpaper share, notice all the different wallpapers that I created for each Group Policy. If I open the Training Lab wallpaper, you will see that this is the wallpaper that should be configured once loopback processing has been configured.

To configure loopback Group Policy processing, I need to go back to the Group Policy and expand into Computer Configuration, Policies, Administrative Templates, System and then Group Policy. The setting that needs to be configured is User Group Policy loopback processing mode. Once I open this setting, all I need to do is enable it and ensure that the mode is set to Replace.

Now that Group Policy loopback processing is configured, I will reboot the computer so that the changes will take effect. When the computer starts up, the computer side of Group Policy will be applied as normal. The change occurs when the user logs in. Instead of the user Group Policy being applied based on the user that logs in, user Group Policy will be applied based on the computer account. On the desktop, the result can be seen: the wallpaper has been set to the wallpaper configured in the Group Policy for the Training Lab.
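The same configuration can be done from PowerShell rather than the Group Policy Management console. The block below is an added example, not code from the video or from ITFreeTraining. It assumes the GroupPolicy RSAT module is available and that the GPO linked to the Training Lab OU is named "Training Lab" (the video never gives the GPO's name). The "User Group Policy loopback processing mode" Administrative Template setting is stored as the UserPolicyMode DWORD in the computer side of the GPO, where 1 means Merge and 2 means Replace, so the example sets that value, reads it back, and then lists every GPO in the domain that has loopback configured at all.

```powershell
# Added example (not from the ITFreeTraining video): configure and audit the
# "User Group Policy loopback processing mode" setting with the GroupPolicy module.
# Assumptions: the GroupPolicy RSAT module is installed, and the GPO linked to
# the Training Lab OU is named "Training Lab" (the video does not give its name).
Import-Module GroupPolicy

# The Administrative Template setting shown in the video is backed by this
# registry value on the computer side of the GPO.
$LoopbackKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackValue = 'UserPolicyMode'
$LoopbackModes = @{ Merge = 1; Replace = 2 }

function Set-GpoLoopbackMode {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [ValidateSet('Merge', 'Replace')] [string] $Mode
    )
    # Writes UserPolicyMode into the computer side of the named GPO.
    Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName $LoopbackValue `
        -Type DWord -Value $LoopbackModes[$Mode] | Out-Null
}

function Get-GpoLoopbackMode {
    param([Parameter(Mandatory)] [string] $GpoName)
    # Returns 'Merge', 'Replace' or 'Not configured' for the named GPO.
    try {
        $v = Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
            -ValueName $LoopbackValue -ErrorAction Stop
        switch ($v.Value) {
            1       { 'Merge' }
            2       { 'Replace' }
            default { "Unknown ($($v.Value))" }
        }
    } catch {
        # Get-GPRegistryValue throws when the value is absent from the GPO.
        'Not configured'
    }
}

# Replace mode on the Training Lab OU's GPO, as configured in the video,
# then read the value back to confirm what was written.
Set-GpoLoopbackMode -GpoName 'Training Lab' -Mode Replace
Get-GpoLoopbackMode -GpoName 'Training Lab'

# Audit: list every GPO that enables loopback, so a kiosk or training-lab
# setting is not silently inherited by computers it was never meant for.
Get-GPO -All | ForEach-Object {
    $mode = Get-GpoLoopbackMode -GpoName $_.DisplayName
    if ($mode -ne 'Not configured') {
        [pscustomobject]@{ Gpo = $_.DisplayName; LoopbackMode = $mode }
    }
}

# On the client, after the reboot the video performs, gpresult shows which
# GPOs were applied and in what order:
#   gpresult /r
```

The audit loop at the end is the part worth keeping around: because loopback is set on the computer side, it applies to every computer under the OU where the GPO is linked, and a GPO with loopback configured that is accidentally linked higher up changes user policy for far more machines than intended.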
To illustrate this better, I will open Active Directory Users and Computers from the start menu. If I expand down to New York, Computers, and then Training Lab, on the right hand side you can see the computer account for this computer. When the computer starts up, the computer side of Group Policy is applied based on the location of this computer account in Active Directory. Without loopback Group Policy replace mode configured, the user side of Group Policy would be applied from where the user account is located, in this case the trainer account located here. Since Group Policy loopback processing with replace mode is enabled, what has happened is this: the user side of Group Policy is instead applied based on the location of the computer account rather than the user account, in this case the OU Training Lab. You can see that by using replace mode, the administrator is able to apply any Group Policy user setting any way they like without having to worry about what settings may already be applied to the user account.

The other Group Policy loopback processing mode that can be configured is merge mode. This mode is often used with Remote Desktop Services. Merge mode is used when you want the regular user settings to be applied but want the option to override these settings if required. In a Remote Desktop session, you may want the user to have access to settings like their mapped drives and printers that are configured in Group Policy, but you may want to override other settings. In a Remote Desktop session, it is not uncommon for the desktop to be locked down, for example with the Control Panel and other unneeded shortcuts removed. So what you want to do is allow the user to have their regular settings applied, but have the option to overwrite these settings or apply additional settings to ensure the computer is still secure.
To understand how merge mode works, it helps to look at replace mode first. You can see that the computer side is applied and then the user side is applied based on the location of the computer account in Active Directory. What is different with merge mode is that the user side, based on the location of the user account, is applied in between these two steps.

Another way to think about merge mode is to compare it to normal Group Policy processing. For both normal and merge mode, the first two steps are the same: Group Policy computer settings are applied based on the computer account location, then user side settings are applied based on the location of the user account in Active Directory. Merge mode adds another step to the process by applying the user side of Group Policy based on the location of the computer account in Active Directory. Because this step comes last, it allows the administrator to add to or replace any existing user side Group Policy settings.
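To make the three processing orders concrete, here is an added PowerShell simulation, not code from the video or from ITFreeTraining, of the steps just described. The OU paths, GPO names and settings are constructed to mirror the New York example above (a Users GPO that sets a wallpaper, a mapped drive and Control Panel access; a Training Lab GPO that sets a different wallpaper and disables the Control Panel). It shows that in normal mode only the user's own OU chain matters, that in replace mode the user's own settings never apply, and that in merge mode the user's regular settings such as the mapped drive survive while the Training Lab GPO's user settings win on any conflict because they are applied last.

```powershell
# Added example (not from the ITFreeTraining video): a simulation of the order in
# which the user side of Group Policy is applied in normal, merge and replace mode.
# OU paths, GPO names and settings are constructed to match the video's New York
# example; none of this is read from a real domain.

# GPOs linked to each OU. Only the user side is modelled here, because loopback
# changes which OU chain the user side is taken from, not the computer side.
$GpoLinks = @{
    'NewYork'                       = @{ Name = 'New York GPO';     User = @{ Wallpaper = 'newyork.jpg' } }
    'NewYork\Users'                 = @{ Name = 'Users GPO';        User = @{ Wallpaper = 'users.jpg'; MappedDrive = 'H:'; ControlPanel = 'Enabled' } }
    'NewYork\Computers'             = @{ Name = 'Computers GPO';    User = @{} }
    'NewYork\Computers\TrainingLab' = @{ Name = 'Training Lab GPO'; User = @{ Wallpaper = 'traininglab.jpg'; ControlPanel = 'Disabled' } }
}

function Get-OuChain {
    # Returns the OU path and each of its parents, top-most first, so GPOs linked
    # closer to the account are applied later and therefore win on conflict.
    param([string] $OuPath)
    $parts = $OuPath -split '\\'
    for ($i = 1; $i -le $parts.Count; $i++) { ($parts[0..($i - 1)]) -join '\' }
}

function Add-UserSideSettings {
    # Applies the user side of every GPO along one OU chain into $Effective.
    # A later GPO overwrites any setting an earlier one had already set.
    param(
        [hashtable] $Effective,
        [string] $OuPath,
        [System.Collections.Generic.List[string]] $Trace
    )
    foreach ($ou in Get-OuChain $OuPath) {
        $gpo = $GpoLinks[$ou]
        if (-not $gpo) { continue }
        $Trace.Add($gpo.Name)
        foreach ($k in $gpo.User.Keys) { $Effective[$k] = $gpo.User[$k] }
    }
}

function Get-EffectiveUserSettings {
    param(
        [ValidateSet('Normal', 'Merge', 'Replace')] [string] $Mode,
        [string] $UserOu,
        [string] $ComputerOu
    )
    $effective = @{}
    $trace = [System.Collections.Generic.List[string]]::new()
    # Normal and merge: the user's own OU chain first.
    if ($Mode -ne 'Replace') { Add-UserSideSettings $effective $UserOu $trace }
    # Merge and replace: the computer's OU chain, applied last.
    if ($Mode -ne 'Normal')  { Add-UserSideSettings $effective $ComputerOu $trace }
    [pscustomobject]@{ Mode = $Mode; Order = ($trace -join ' -> '); Settings = $effective }
}

# The video's scenario: user 'trainer' in NewYork\Users logging on to a
# computer whose account sits in NewYork\Computers\TrainingLab.
$userOu     = 'NewYork\Users'
$computerOu = 'NewYork\Computers\TrainingLab'
foreach ($mode in 'Normal', 'Merge', 'Replace') {
    $r = Get-EffectiveUserSettings -Mode $mode -UserOu $userOu -ComputerOu $computerOu
    '{0,-8} order: {1}' -f $r.Mode, $r.Order
    $r.Settings.GetEnumerator() | Sort-Object Name |
        ForEach-Object { '          {0,-13} = {1}' -f $_.Name, $_.Value }
}
```

Running it prints, for each mode, the order in which GPOs contributed user settings and the resulting effective values: normal mode ends with the Users GPO's wallpaper, mapped drive and enabled Control Panel; replace mode has only the Training Lab GPO's wallpaper and disabled Control Panel and no mapped drive at all; merge mode keeps the mapped drive from the Users GPO but takes the wallpaper and the disabled Control Panel from the Training Lab GPO, since that GPO is processed last.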
Well, that covers it for Group Policy loopback processing. For more free videos for this course and others please see our YouTube channel or web site. Thanks for watching another video from ITFreeTraining and see you next time.

55 comments on “MCITP 70-640: Group Policy Loopback Processing”

  1. Helps to enforce restrictions on computers instead of users sometimes.

    A computer kiosk at my hospital, for example. You can set strict policies that affect any user on that PC.

    Non security-related, you could use it to customize the desktop/OS for all Payroll computers, regardless of the user, as long as you had the child computer OUs set up.
    (Or a lack of enforcement for IT computers, since you may be using test accounts on an IT computer, where user-specific policies would be applied.)

  2. Granted, if you have role-based permissions set up in your enterprise, and properly use Builtin groups, security filtering can do most of what you need (and of course then you are mostly managing AD directly, instead of the potential of micro-management headaches).

  3. I did chuckle a few times when you stated that no enterprise admin will know the entire AD environment. I was stuck managing NTFS, share and service accounts for 400 servers, 11 000 users with many attached Exchange accounts, distribution lists (some security enabled), and ~1500 permission groups/roles.

    Somehow was supposed to have time for audits and maintenance too :p

    On sabbatical for 10 months doing my Sec+ and MCITP Server/Enterprise Admin.

    Hoping to come back to 3-4 roles hired lol

  4. Could not say why Microsoft did this. The only reason that I can think of is that they did not want conflicting settings between the computer side and computer side. However, with Group Policy Preferences a lot of the settings are doubled up, so in theory it should be possible.

  5. If you're lucky enough to work for such a company you will never forget the feeling when you first walk into one of these massive server rooms. Thanks for sharing your experience. I am sure the people who are just starting out, who have not looked after such big networks, appreciate it.

  6. Thanks for your comments on this video. They are excellent and very accurate. I am sure those that read them will benefit.

  7. Indeed. Most places you will never 'touch' as many technologies as working for an entire Health Region. (2 data centers, 3 primary sites and 25 or so long term care facilities/clinics and rural hospitals, ~5000 computers and a Hyper-V cluster)

    As hard as it is, you are very accurate in saying it's a rare experience. Most large private companies will have you only administer one small piece 🙂

  8. This is an interesting question. I am not sure why Microsoft did it this way. I can assume that they did it this way because they did not want there to be conflicts with user and computer settings.

  9. I'm watching through the playlist and am really enjoying the quality of the teaching. However, this was the first video where I didn't understand it the first time, but had to watch it over and over. It seems the illustration was not so logical to me. I went wrong because I thought you had to view it horizontally. It now makes sense when I see the order processed vertically. Just some feedback – thanks again for the great work!

  10. Thanks for your feedback. We will redo the video for Server 2012. I believe adding some additional animations will make it easier to understand.

  11. Thanks a lot for making this easy to understand, Great job as ever. I've looked through the 70-640 list of videos but there doesn't seem to be any on Certificates, have i missed it or Certificates isn't going to be covered? thanks.

  12. The course is not quite finished as yet; we are working on certificates at the moment and that will be released next. Good to hear that you like the videos.

  13. This is just great. This topic was very hard to comprehend, but now I fully understand how it works. All in just 11 minutes. Thank you very much 🙂

  14. There are too many videos on this topic, about 30 minutes long, but I'm not able to understand them.
    Thanks to you, I finally understand that hard topic in just 10 minutes. Cheers!!!!!!

  15. A standing ovation. I just subscribed .. I like the way you do your teaching.. Better than CBT Nuggets .. 🙂 very appreciated.. you helped me solve an issue at work … 😀

  16. You have the best videos for networking!!!!!!!!!! But plzzzz increase the volume as your voice is not much audible. Otherwise great videos.

  17. Again, I have to extend my thanks to you for relieving me of my frustration and confusion with this, admittedly, perplexing concept. You are doing a terrific job at presenting difficult concepts in an understandable format. Keep up the good work!

  18. So glad I discovered this video and channel. Got my 70-685 exam coming up, and these videos are extremely helpful.

  19. Thanks ITFreeTraining, I was confused a lot about this concept. Glad you were the only one who solved this issue. Thanks once again.

  20. Hi, I would like to thank you for such a great explanation of GP loopback processing. This is the first time I really got it. Thank you very much for such hard work.

  21. If opposite policies are being applied to computer and user, which will win? E.g. at user level the Control Panel is disabled and at computer level the Control Panel is enabled. What will happen in this case if the user logs in?

  22. Hi, thanks for the great share. Are you guys not making videos for 2016 and 2019 server / AD infrastructure?

  23. Thank you so much Sir! Can you please make a video on Server 2016 and 2019 please, thank you so much!

  24. Great video with a clear and easy explanation. Every time it comes to loopback processing I have had to refresh my memory on Replace and Merge modes. THANK YOU!
