Group Policy loopback processing is a mechanism that allows user policy to take effect only on certain computers. Normally, user policy is linked to the user OU and is applied regardless of which computer the user signs in to. With loopback processing, however, user policy is linked to the computer OU and does not take effect for the user when signed in to computers outside that OU. User policies applied this way can either replace the normal policy or be merged with it. An administrator must know how to enable GPO loopback processing and understand which mode suits the situation.
How to Enable GPO Loopback Processing
In this scenario, we have a domain running on a Windows Server 2012 R2 domain controller, with the OU structure configured as in the picture below. Users are contained in one of the region OUs under Global Users. Computers are contained in either Dev or Prod under the Workstations OU. The requirement is for users to receive “Global User Policy” and their respective per-region “Branding Policy” when they sign in to any computer except those in the Dev OU. When a user signs in to a computer in the Dev OU, they should receive “Dev User Policy” instead.
The steps to enable Group Policy loopback processing and verify it for this requirement are as follows:
1. Link the required user policy to computer OU
Make sure the required user policy has been linked to the computer OU. This way, the user policy is applied to the user only when signed in to a computer that is a member of this OU. In this scenario, “Dev User Policy” has been linked to Dev, which is a computer OU.
2. Decide the computer policy object to use
GPO loopback processing is a computer setting, so it is configured in a computer policy. That computer policy itself should be linked to the computer OU. In this scenario, GPO loopback processing will be enabled in “Dev Computer Policy”, which has been linked to the Dev computer OU.
3. Configure GPO loopback processing
The setting is located on Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure user Group Policy loopback processing mode.
Double-click the setting, set it to Enabled, then select the mode from the dropdown menu.
As mentioned in the opening, there are two modes for loopback processing:
- Replace: When selected, user policies linked to the computer OU override the other user policies linked to the user OU.
- Merge: When selected, user policies linked to the computer OU are applied along with the other user policies linked to the user OU. If there are conflicting settings between policies, they are processed normally based on link order.
Based on the requirement in this scenario, the most suitable mode is Replace, because “Dev User Policy” must be applied instead of the other policies that would normally apply via the user OU.
Before loopback processing was enabled, the user received all the policies applied to their OU. Use the commands gpresult /r and gpresult /r /SCOPE COMPUTER to confirm this; the result is shown in the picture below:
Once loopback processing has been enabled, those user policies should be replaced by “Dev User Policy”, which is linked to the computer OU. Like any GPO, loopback processing is applied once policy refreshes, or it can be forced with the command gpupdate /force. The picture below shows the result after that:
Based on the result, GPO loopback processing has worked successfully. As a final verification, the user should still receive their normal user policies when signed in to a different computer outside the Dev OU.
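The same three steps scripted with the GroupPolicy RSAT module, as an added example that is not part of the original post. It assumes “Dev User Policy” already exists, uses a placeholder OU distinguished name and domain, and follows the purpose-built single-setting GPO approach described in the best-practices section below; the GPO name “Loopback - Replace” and the choice of Domain Admins as the editing group are assumptions.

```powershell
# Added example, not from the original post. Run from a domain-joined admin
# workstation with the GroupPolicy RSAT module installed.
Import-Module GroupPolicy

$devOu       = "OU=Dev,OU=Workstations,DC=example,DC=com"   # placeholder DN
$loopbackGpo = "Loopback - Replace"   # purpose-built GPO holding only this setting
$devUserGpo  = "Dev User Policy"      # existing user-setting GPO from the scenario
$policyKey   = "HKLM\Software\Policies\Microsoft\Windows\System"

# 1. Create the loopback GPO if missing and set the registry-backed policy.
#    UserPolicyMode is what the GUI dropdown writes: 1 = Merge, 2 = Replace.
if (-not (Get-GPO -Name $loopbackGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $loopbackGpo | Out-Null
}
Set-GPRegistryValue -Name $loopbackGpo -Key $policyKey `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# Restrict who can edit the loopback GPO (assumed group: Domain Admins).
Set-GPPermission -Name $loopbackGpo -TargetName "Domain Admins" -TargetType Group `
    -PermissionLevel GpoEditDeleteModifySecurity | Out-Null

# 2. Link and enforce the loopback GPO on the computer OU so a loopback
#    setting in another GPO cannot change the mode; link the user-setting
#    GPO to the same computer OU so it is picked up under Replace mode.
New-GPLink -Name $loopbackGpo -Target $devOu -LinkEnabled Yes -Enforced Yes | Out-Null
New-GPLink -Name $devUserGpo  -Target $devOu -LinkEnabled Yes | Out-Null

# 3. Verify what the GPO carries before clients refresh policy.
$mode = (Get-GPRegistryValue -Name $loopbackGpo -Key $policyKey `
            -ValueName "UserPolicyMode").Value
"Loopback mode in '$loopbackGpo': " + @{1 = "Merge"; 2 = "Replace"}[[int]$mode]

# On a Dev workstation, after 'gpupdate /force', confirm the effective mode and
# that only the computer-OU user GPOs appear under the user scope:
#   Get-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\System" -Name UserPolicyMode
#   gpresult /r /scope user
```

A user signing in to a workstation outside the Dev OU should still show only the Global User Policy and Branding Policy entries in gpresult /r /scope user, which is the final check the steps above call for.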
GPO Loopback Best Practices
The following is what I consider my “best practices” for configuring loopback processing in my experience:
- Create two purpose-built GPOs to enable loopback processing (one for each mode). These GPOs should only contain this one setting. Lock down who can edit these GPOs (I’d go as far as limiting permissions to Domain Admins).
- Link your loopback processing GPOs as necessary, and enforce these links, to ensure any loopback processing setting change in any other GPO does not cause any unexpected issues.
- Create user setting GPOs as needed, and link them to the necessary OUs containing computer objects that you want to control the user experience on.
- Don’t enable loopback processing if you don’t need to. If your computers and users are in distinct OU structures, apply policies to them as needed.
- In the situation of not being able to apply any policy to user objects, enforce replace mode from the top down across all OUs containing computer objects.