Group Policy Loopback Processing is one of the hidden gems that can make your life as a systems administrator much easier. This article explains what you can use this feature for; in the next post you will learn how to configure Group Policy Loopback Processing.
Group Policy Loopback Processing
How user and computer Group Policy Objects are applied
Before I can explain Loopback Processing, let’s start with a quick refresher on how a Windows computer processes Group Policy. There are two types of policies: computer policies and user policies.
When the computer starts, it processes all of the computer policies that are assigned to the computer object in AD, in this order: local (you can see these on a client by running gpedit.msc), site, domain, OU, and child OU. Settings applied later in this sequence override earlier ones, so the child OU wins a conflict. Last, the computer runs all of the startup scripts that were assigned to it in Group Policy.
When a user logs on to the computer, the computer pulls all of the policies assigned to that user object. The user policies are processed in the same order: local, site, domain, OU, and child OU. Last, the user logon scripts are run.
There are some exceptions to the order in which GPOs are processed (enforced links and blocked inheritance, for example), but this should give you a basic overview of how a computer processes the policies assigned to it and to any user who logs on to the computer.
When you need Group Policy Loopback Processing
Group Policy Loopback Processing comes into play when you want user policies to depend on the computer object a user logs on to rather than on the user’s own location in AD. This feature is especially useful in large organizations.
If you have a single site and a small domain, you probably have full control over all Group Policy settings in the domain, including the ability to create and change both computer and user policies. However, if you have a large Active Directory with multiple domains and multiple sites, you may only have the ability to manage the GPOs for a single domain or even for individual Organizational Units (OUs).
Group Policy Loopback Processing is helpful if you don’t have control over the Group Policy that is assigned to user accounts but do have control over the policy that is assigned to the computers in your facility.
You can also use it to make sure that all employees in a specific physical location have access to a printer that is only available in that location. Another typical usage scenario is kiosks: Group Policy Loopback Processing lets you apply different user policies depending on whether a user logs on to the kiosk computer or to a common workstation.
These are all everyday situations where Loopback Processing can help you, regardless of whether you have a few hundred objects or tens of thousands in your Active Directory. In my next post, I will explain how to configure Group Policy Loopback Processing.
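Because loopback processing changes which user settings a computer enforces, it is worth knowing which GPOs in your domain switch it on and in which mode before you troubleshoot unexpected user settings on a kiosk or server. The following PowerShell script is an added example (it is not code from the original article or from 4sysops) that lists every GPO configuring loopback and then reports the mode in effect on the local computer. It assumes the GroupPolicy RSAT module is available and that the session can read all GPOs; the function names Get-GpoLoopbackMode and Get-EffectiveLoopbackMode are my own, and the GPO names in the output are whatever exists in your domain.

```powershell
# Added example (not from the original article): audit which GPOs turn on
# Group Policy Loopback Processing, and show the mode in effect locally.
# Assumptions: GroupPolicy RSAT module installed; read access to all GPOs.
Import-Module GroupPolicy

# The loopback policy ("Configure user Group Policy loopback processing mode")
# is stored in the GPO's Computer Configuration under this key/value.
# 1 = Merge, 2 = Replace; any other value means loopback is not turned on.
$loopbackKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$loopbackValue = 'UserPolicyMode'
$modeNames     = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-GpoLoopbackMode {
    # Returns one object per GPO that explicitly configures loopback processing.
    foreach ($gpo in Get-GPO -All) {
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $loopbackKey `
                -ValueName $loopbackValue -ErrorAction Stop
        } catch {
            # Get-GPRegistryValue throws when the value is absent, which means
            # this GPO leaves loopback untouched; skip it.
            continue
        }
        $code = [int]$setting.Value
        [pscustomobject]@{
            GpoName = $gpo.DisplayName
            GpoId   = $gpo.Id
            Mode    = if ($modeNames.ContainsKey($code)) { $modeNames[$code] } else { "Off ($code)" }
            Status  = $gpo.GpoStatus   # flags GPOs whose computer side is disabled
        }
    }
}

function Get-EffectiveLoopbackMode {
    # After Group Policy refresh the winning GPO writes this value to the local
    # registry, so it reflects what the computer is doing right now.
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
        -Name $loopbackValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    $code = [int]$item.$loopbackValue
    if ($modeNames.ContainsKey($code)) { return $modeNames[$code] }
    return "Off ($code)"
}

Get-GpoLoopbackMode | Sort-Object GpoName | Format-Table -AutoSize
"Effective loopback mode on $env:COMPUTERNAME: $(Get-EffectiveLoopbackMode)"
```

Run it from a management workstation with RSAT; the first table tells you which GPO (and whether Merge or Replace) you should look at when a user reports settings that do not match their own OU, and the last line confirms whether the computer you are standing at has actually picked that GPO up.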
Hi, thank you for this valuable information. I have a query, if you can help me by providing that info.
A– We have an OU named “Server” that contains 4 servers (server1, server2, server3 & server4), and we want this policy to apply on server1 and server2.
B– On the other side, we do have, for example, 4 user groups which are QA-Group, DEV-Group, IT-Group & Implementation-Group. We want this policy to apply on 3 user groups (QA-Group, DEV-Group, Implementation-Group), and IT-Group should be excluded.
Using Requirement A,
Solution: we will create a computer-based policy and will link it to the “Server” OU. Under the Security Filter tab, we will add server1 & server2.
In this case, the policy will apply only on server1 and server2, while the other two servers in the OU will remain policy free.
Observation: Till here, it is good and working.
Using Requirement B,
We want this policy to apply on 3 user groups (QA-Group, DEV-Group, Implementation-Group), and IT-Group should be excluded.
Solution we tried: On the policy template, under the Delegation tab, we added IT-Group and denied the “Read” and “Apply Group Policy” settings.
But this failed. For server1 and server2, no user can copy and paste.
Observation: Copy & paste restricted for all 4 user groups.
So, the question is: can we filter user groups on a computer-based policy?
Can we filter computer groups on a user-based policy?