MCITP 70-640: Group Policy Loopback Processing
Welcome to the ITFreeTraining video on Group Policy Loopback Processing. Loopback processing allows the administrator to apply Group Policy based on the computer rather than the user that logs into that computer. Group Policy loopback processing is invaluable when configuring kiosks, training computers and Remote Desktop Services. Loopback processing allows you to achieve results that would normally not be possible.

Group Policy loopback processing is a difficult concept to understand and often a mistaught topic. By the end of this video I feel confident that you will understand how Group Policy loopback processing works and how to use it in your organization effectively.

Before looking at Group Policy loopback processing, it is important to understand that Group Policy is divided into two halves. If I open a Group Policy Object, you can see the two halves: Computer Configuration at the top and User Configuration at the bottom. Loopback processing changes the way these two parts of Group Policy are applied, so it is important to understand that there are two parts to each Group Policy Object.

First of all, let us look at a typical Group Policy deployment to understand why you would need loopback processing. In this example, the computer account is located under the OU Training Lab, which is found under the Computers OU located under New York. The user account is located under the Users OU, also found under New York.

When the computer starts up, the computer side of the Group Policy linked to the New York, Computers and Training Lab OUs is processed. Which computer side Group Policies are processed will depend on where the computer account is located in Active Directory. When a user logs in, the user side Group Policies are processed based on where the user account is located in Active Directory. As shown, the user side of the New York and Users OU Group Policy is applied.
The problem occurs when you want to deploy a computer with particular settings. For example, you want to deploy a computer as a kiosk or a training computer. In either case, it is unlikely that you want the Group Policy settings for that user applied to the computer. For example, on a training computer it is unlikely that settings configured in Group Policy like mapped drives or desktop customizations would be required. So how would you go about configuring computers like training computers using Group Policy?
To allow Group Policy to be configured in a way that will work for training and kiosk computers, Group Policy loopback processing can be used. There are two different modes that Group Policy loopback processing can be used in. The first one that I will look at is replace mode.

When the computer starts up, the computer side of Group Policy, based on where the computer account is located, is applied. Any one of these Group Policies could contain the setting which changes the processing of Group Policy from the standard way to Group Policy loopback. In this case, Group Policy loopback processing using replace mode will be applied to the Training Lab OU. This way, loopback processing will only be used with the computers in the Training Lab OU.
Once the computer side of Group Policy has been applied, the next step is to apply the user side of Group Policy. Normally this would be done based on where the user account is located in Active Directory. When loopback replace mode is configured, the user side of Group Policy is instead obtained from the location of the computer account. As you can see here, loopback processing in replace mode essentially gives you the same result as having the user and computer account in the same location in Active Directory. The advantage of this is that the user side of Group Policy for that user is ignored and the administrator is free to start again with their own user settings. This is perfect for a training environment, where the trainer will often want complete control of the training environment.

Before I look at the other loopback processing mode, I will first change to my Windows 7 computer to have a look at how to configure loopback processing for replace mode. In this domain I have Group Policy configured to set the wallpaper according to the Group Policy that was applied. You can see that this computer currently has Group Policy applied from the New York Users Group Policy.
To configure Group Policy, I will open Group Policy Management and expand down to the Training Lab OU, found under the New York and Computers OUs. In the Training Lab OU is the computer account for this computer. The user account that I will use to log in is called trainer, found under the Users OU.

Configuring Group Policy loopback processing is done in the computer side of Group Policy. To do this I need to configure a Group Policy that is applied to the computer account; in this case, the Group Policy I will modify is the one being applied to the Training Lab OU.
Expanding down through User Configuration to the desktop settings, notice that the setting Desktop Wallpaper has been configured. This user setting will configure the desktop wallpaper when it is applied. Since no user account exists in the Training Lab OU, without loopback processing enabled this setting will never be applied. As soon as loopback processing is enabled, however, this setting will be applied to the computer.
This setting gets the desktop wallpaper from a file share. If I open the file server from the start menu and then open the wallpaper share, notice all the different wallpapers that I created for each Group Policy. If I open the Training Lab wallpaper, you will see that this is the wallpaper that should be configured once loopback processing has been configured.

To configure loopback Group Policy processing, I need to go back to the Group Policy and expand into Computer Configuration, Policies, Administrative Templates, System and then Group Policy.
The setting that needs to be configured is User Group Policy loopback processing mode. Once I open this setting, all I need to do is enable it and ensure that the mode is set to Replace.

Now that Group Policy loopback processing is configured, I will reboot the computer so that the changes take effect. When the computer starts up, the computer side of Group Policy will be applied as normal. The change occurs when the user logs in. Instead of the user Group Policy being applied based on the user that logs in, user Group Policy will be applied based on the computer account. On the desktop, the result can be seen: the wallpaper has been set to the wallpaper configured in the Group Policy for the Training Lab.
To illustrate this better, I will open Active Directory Users and Computers from the start menu. If I expand down to New York, Computers, and then Training Lab, on the right hand side you can see the computer account for this computer.
When the computer starts up, the computer side of Group Policy is applied based on the location of this computer account in Active Directory. Without loopback replace mode configured, the user side of Group Policy would be applied from where the user account is located; in this case, the trainer account located here.
Since Group Policy loopback processing with replace mode is enabled, what has happened is this: the user side of Group Policy is instead applied based on the location of the computer account rather than the user account, in this case the Training Lab OU. You can see that by using replace mode, the administrator is able to apply any Group Policy user setting any way they like without having to worry about what settings may already be applied to the user account.

The other Group Policy loopback processing mode that can be configured is merge mode. This mode is often used with Remote Desktop Services. Merge mode is used when you want the regular user settings to be applied but want the option to override these settings if required. In a Remote Desktop session, you may want the user to have access to settings like their mapped drives and printers that are configured in Group Policy, but you may want to override other settings. In a Remote Desktop session, it is not uncommon for the desktop to be locked down, for example with the Control Panel and other unneeded shortcuts removed. So what you want to do is allow the user to have their regular settings applied, but have the option to overwrite these settings or apply additional settings to ensure the computer is still secure.
To understand how merge mode works, it helps to look at replace mode first. You can see that the computer side is applied and then the user side is applied based on the location of the computer account in Active Directory. What is different with merge mode is that the user side of Group Policy from the user account's own location is applied in between these two steps.
Another way to think about merge mode is to compare it to normal Group Policy processing. For both normal and merge mode, the first two steps are the same: Group Policy computer settings are applied based on the computer account location, and user side settings are applied based on the location of the user account in Active Directory.
Merge mode adds another step to the process by applying the user side of Group Policy based on the location of the computer account in Active Directory. Since these settings are applied last, they take precedence where they conflict with the user's own settings, which allows the administrator to add to or replace any existing user side Group Policy settings.
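Both replace and merge mode can also be set and audited from PowerShell instead of the Group Policy Management dialog shown above. The following is an added example, not code from the ITFreeTraining video or from Microsoft; it assumes the GroupPolicy module (RSAT) is installed and that a GPO named 'Training Lab' is the one linked to the Training Lab OU.

```powershell
# Added example (not from the ITFreeTraining video): set, read back and audit the
# "User Group Policy loopback processing mode" setting with the GroupPolicy module.
# The GPO name 'Training Lab' is an assumption for this example. The setting lives
# in the GPO's computer side as the UserPolicyMode value under
# HKLM\Software\Policies\Microsoft\Windows\System: 1 = Merge, 2 = Replace,
# and an absent value means Not Configured.
Import-Module GroupPolicy

$LoopbackKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackValue = 'UserPolicyMode'

function Set-GpoLoopbackMode {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [ValidateSet('Merge', 'Replace', 'NotConfigured')] [string] $Mode
    )
    if ($Mode -eq 'NotConfigured') {
        # Removing the value returns the setting to Not Configured, so the
        # user side goes back to being applied from the user account's OU.
        Remove-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName $LoopbackValue | Out-Null
        return
    }
    $code = if ($Mode -eq 'Merge') { 1 } else { 2 }
    Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName $LoopbackValue `
        -Type DWord -Value $code | Out-Null
}

function Get-GpoLoopbackMode {
    param([Parameter(Mandatory)] [string] $GpoName)
    $setting = Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
        -ValueName $LoopbackValue -ErrorAction SilentlyContinue
    switch ($setting.Value) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'NotConfigured' }
    }
}

# Replace mode for the GPO linked to the Training Lab OU, as configured in the video.
Set-GpoLoopbackMode -GpoName 'Training Lab' -Mode Replace
Get-GpoLoopbackMode -GpoName 'Training Lab'

# Audit: every GPO in the domain with loopback enabled, and which mode it uses.
Get-GPO -All | ForEach-Object {
    $mode = Get-GpoLoopbackMode -GpoName $_.DisplayName
    if ($mode -ne 'NotConfigured') {
        [pscustomobject]@{ Gpo = $_.DisplayName; LoopbackMode = $mode }
    }
}
```

Apply the change on a Training Lab computer with `gpupdate /force` or a reboot; `gpresult /r` then lists the applied GPOs for both the computer and the user, so the Training Lab GPO should appear under the user settings.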
Well, that covers it for Group Policy loopback processing. For more free videos for this course and others, please see our YouTube channel or website. Thanks for watching another video from ITFreeTraining and see you next time.