Group Policy Loopback Processing – Part 1: Usage scenarios

• Author
• Recent Posts

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Latest posts by Kyle Beckman (see all)

• Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
• Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
• Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016

Group Policy Loopback Processing is one of the hidden gems that can make your life as a systems administrator much easier. This article explains for what you can use this feature and in the next post you will learn how to configure Group Policy Loopback Processing.

Group Policy Loopback Processing

How user and computer Group Policy Objects are applied

Before I can explain Loopback Processing, let’s start with quick a refresher on how a Windows computer processes Group Policy.  There are two types of policies: computer policies and user policies.

When the computer starts, it processes all of the computer policies that are assigned to the computer object from AD in this order: local (you can see these on a client by running gpedit.msc), site, domain, OU, and child OU. Last, the computer runs all of the startup scripts that were assigned to it in Group Policy.

When a user logs in to the computer, the computer pulls all of the policies assigned to that user object. The user policies are processed in this order: local, site, domain, OU, and child OU. Last, the user logon scripts are run.

There are some exceptions to the order that GPO’s are processed, but this should give you a basic overview of how a computer processes the policies assigned to it and any user that logs in to the computer.

When you need Group Policy Loopback Processing

Group Policy Loopback Processing comes into play if you want to assign user policies to computer objects. This feature is especially useful in large organizations.

If you have a single Site and a small Domain, you probably have full control over all Group Policy settings in the Domain including the ability to create and make changes to computer and user policies. However, if you have a large Active Directory with multiple Domains and multiple Sites, you may have only have the ability to manage the GPO’s for a single Domain or even individual Organizational Units (OU’s).

Group Policy Loopback Processing is helpful if you don’t have control over the Group Policy that is assigned to user accounts, but do have control over the policy that is assigned to the computers in your facility.

You can also use it to make sure that all employees in a specific physical location have access to a specific printer that is only available in that location. Another typical usage scenario are kiosks. Group Policy Processing allows you to work with different user policies depending on if they log on to the kiosk computer or a common workstation.

These are all everyday situations where Loopback Processing can help you regardless if you have a few hundred objects or tens of thousands in your Active Directory. In my next post, I will explain how to configure Group Policy Loopback Processing.