Latest posts by Kyle Beckman (see all)
In my last post, I outlined the cases in which Group Policy loopback processing can be helpful. Let's have a look at the configuration.
Loopback processing is configured in the Group Policy Management Console (GPMC) under Computer Configuration / Policies / Administrative Templates / System / Group Policy / User Group Policy loopback processing mode. Set the policy to "Enabled" and set the Mode to either Merge or Replace. Because this is a computer setting, the GPO that carries it must be linked where the computer object lives (site, domain, or OU); the user settings you want applied can sit in the same GPO or in another GPO linked to the same location.
Loopback processing allows you to assign user policies to a computer and then control how those policies are applied to any user when he/she logs in to that computer. It allows you to either completely replace (Replace Mode) the user policies that have been assigned to the user or supplement them (Merge Mode) with additional policies.
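As an added example (not code from the original post), the same configuration done with the GroupPolicy module instead of the GPMC dialog, plus a check you can run on a client to confirm which mode actually arrived. The GPO name "Kiosk - Loopback" and the OU "OU=Kiosks,DC=example,DC=com" are hypothetical; the registry location is the one the GPMC setting writes to.

```powershell
# Added example: configure loopback processing on a GPO and read back the
# effective mode on a client. GPO name and OU below are hypothetical.
Import-Module GroupPolicy

# The GPMC setting "User Group Policy loopback processing mode" is stored as
# HKLM\SOFTWARE\Policies\Microsoft\Windows\System\UserPolicyMode (DWORD):
#   1 = Merge, 2 = Replace; value absent = not configured (no loopback)
$LoopbackKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
$LoopbackModes = @{ Merge = 1; Replace = 2 }

function Set-LoopbackMode {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][ValidateSet('Merge', 'Replace')][string]$Mode
    )
    # Create the GPO if it does not exist yet, then write the policy value
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value $LoopbackModes[$Mode] | Out-Null
    # Loopback is a *computer* setting: the GPO must be linked where the
    # computer object lives. The user settings you want applied go into this
    # GPO or another GPO linked at the same place.
    return $gpo
}

function Get-LoopbackMode {
    # Run on the client after "gpupdate /force" to see what actually applied
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
        -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ($v.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}

# Usage (hypothetical names): create the GPO, set Replace, link it to the
# kiosk OU, then check the mode on a member of that OU.
Set-LoopbackMode -GpoName 'Kiosk - Loopback' -Mode Replace |
    New-GPLink -Target 'OU=Kiosks,DC=example,DC=com' -LinkEnabled Yes
Get-LoopbackMode
```

Reading the mode back from the registry on the client is the quickest way to catch the most common mistake, which is linking the loopback GPO at the user's OU rather than the computer's; if the value is absent on the client, the computer never received the setting and no loopback processing is happening.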
Group Policy Loopback Processing – Replace Mode
As the name implies, Replace Mode replaces the list of GPOs that would normally apply to the user. In Computer Configuration, set the loopback processing mode to Replace. Next, assign user policies to the computer in addition to the computer policies you would normally assign. When the computer starts, it processes the computer policies. When a user logs in, instead of processing the GPOs linked to the user's location in Active Directory, the computer applies the user settings from the GPOs linked to the computer object's location.
GPMC - Group Policy Loopback Processing – Replace Mode
Where can Replace Mode be useful? Personally, I use it on file, print, and other servers that non-admin users don't typically access via the console or Remote Desktop. When someone with admin rights logs in via the console or Remote Desktop, they receive only the default policy or whatever other policy I assign to that server.
This can be very handy if you’re redirecting folders, mapping printers, or assigning software with Group Policy; you don’t want unwanted drivers or software showing up on your production server that now has to be maintained or removed.
Replace Mode can also be useful if you maintain kiosks or training computers so that you have full control over all of the settings a user receives when he/she logs in. Replace mode really shines in larger Active Directory implementations where you may not have the ability to modify Group Policy assigned to users that work in departments you support.
Group Policy Loopback Processing – Merge Mode
Merge Mode supplements the policy that is assigned to the user instead of completely replacing it as Replace Mode does. In Computer Configuration, set the loopback processing mode to Merge. Next, assign user policies to the computer in addition to the computer policies you would normally assign. When the computer starts, it processes the assigned computer policies. When a user logs in, the computer first processes the GPOs linked to the user as it normally would and then processes the user settings in the GPOs linked to the computer object. Because the computer-linked GPOs are processed last, their settings win wherever the two sets conflict.
GPMC - Group Policy Loopback Processing – Merge Mode
Merge Mode can be useful if you need to make additions to a policy or override a policy that a user receives when he/she logs in to a computer. For example, let’s say you have a group of computers that are made available to employees visiting your office. The employees need to receive their normal level of access (mapped drives, redirected folders, etc.), but also need to receive access to a network printer in your office. With Merge Mode, you can add a script or Group Policy Preference that maps the printer for anyone logging into that computer.
Merge Mode can also be useful for overriding things like screensaver settings. Let's say you have a reception desk that needs a very low screensaver timeout, but your company normally assigns a 20-30 minute timeout. With Merge Mode, you can assign a different screensaver timeout to your reception desk computers while employees who intermittently work at the reception desk keep the normal company screensaver timeout at their own computers.
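Both sections above describe which GPO lists contribute user settings in each mode. As an added example (not from the original post), here is a script that predicts those lists for a given user and computer before you log on, using the GroupPolicy and ActiveDirectory modules. The account names "jdoe" and "KIOSK01" are hypothetical. It reads the inherited link list of the container each object sits in, which already reflects Enforced links and Block Inheritance, and drops GPOs whose user side is disabled; it does not evaluate site links, security filtering, or WMI filters, so treat the output as the link-based answer, not a full RSoP.

```powershell
# Added example: predict which GPOs supply *user* settings for a user/computer
# pair under normal processing, Merge mode and Replace mode.
# "jdoe" and "KIOSK01" are hypothetical; substitute your own accounts.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-UserSideGpoList {
    param([Parameter(Mandatory)][string]$ObjectDn)

    # Strip the leading RDN to get the object's container (OU or domain root).
    # The regex tolerates escaped commas such as "CN=Doe\, John,OU=...".
    $container = $ObjectDn -replace '^(?:[^,\\]|\\.)+,', ''

    # InheritedGpoLinks is ordered by precedence (index 0 = highest) and
    # already accounts for Enforced links and Block Inheritance.
    # Not covered: site links, security filtering, WMI filters.
    $links = (Get-GPInheritance -Target $container).InheritedGpoLinks

    foreach ($link in $links) {
        if (-not $link.Enabled) { continue }
        $gpo = Get-GPO -Guid $link.GpoId
        # A GPO with its user half disabled contributes nothing to the user
        if ($gpo.GpoStatus -in 'UserSettingsDisabled', 'AllSettingsDisabled') { continue }
        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            LinkedAt = $link.Target
            Enforced = $link.Enforced
        }
    }
}

function Show-LoopbackPrediction {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $userDn     = (Get-ADUser -Identity $UserName).DistinguishedName
    $computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName

    $fromUser     = @(Get-UserSideGpoList -ObjectDn $userDn)
    $fromComputer = @(Get-UserSideGpoList -ObjectDn $computerDn)

    "== No loopback: user settings come from the user's own link list =="
    $fromUser | Format-Table -AutoSize

    "== Merge: user's own list, then computer-linked GPOs (applied last, so they win on conflict) =="
    # Listed in application order: user list first, computer list afterwards
    ($fromUser + $fromComputer) | Format-Table -AutoSize

    "== Replace: only GPOs linked at the computer's location =="
    $fromComputer | Format-Table -AutoSize
}

Show-LoopbackPrediction -UserName 'jdoe' -ComputerName 'KIOSK01'
```

The Replace list is the one to look at hardest on a kiosk or training machine: any GPO that shows up there is supplying user settings to every account that logs on, so a GPO linked at the domain root for some other purpose will land on the kiosk user too unless its user side is disabled or it is filtered away.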
Gotchas and other things to consider
Group Policy loopback processing doesn't save you from Enforced GPOs. An Enforced link at the site, domain, or a parent OU in the computer's scope still applies its user settings and wins over any loopback GPO linked lower in the hierarchy. Enforced GPOs are a great way for an Enterprise or Domain admin to ensure that enterprise-wide standards are maintained by admins who have been delegated access to manage Domain or OU level policies.
You can look for Site GPOs in the GPMC: go to Sites, right-click and choose Show Sites…, check the name of your site and click OK. This will let you see if there are any Enforced policies at the Site level. Enforced links show a small padlock on the link icon to signify that they are Enforced. You can also see the full list of GPOs that apply to an OU by clicking the OU in the GPMC and opening the Group Policy Inheritance tab; links that are Enforced are marked "(Enforced)".
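Clicking through every site and OU in the GPMC does not scale, so as an added example (not from the original post) here is the same audit done with the GroupPolicy and ActiveDirectory modules: it walks the domain root, every site in the forest, and every OU in the domain, and reports each Enforced link, i.e. the links that a loopback GPO lower in the tree cannot override. No names are hard-coded; the domain and configuration partition are read from the environment.

```powershell
# Added example: find every Enforced GPO link at the site, domain and OU level.
# Nothing is hard-coded; domain and forest data come from the environment.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-EnforcedGpoLink {
    $domain   = Get-ADDomain
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # Scopes of management that can carry GPO links: domain root, sites, OUs
    $targets  = @($domain.DistinguishedName)
    $targets += (Get-ADObject -SearchBase "CN=Sites,$configNC" `
                    -LDAPFilter '(objectClass=site)').DistinguishedName
    $targets += (Get-ADOrganizationalUnit -Filter *).DistinguishedName

    foreach ($target in $targets) {
        # GpoLinks = links set directly on this scope (Enforced is a link property)
        $inheritance = Get-GPInheritance -Target $target -ErrorAction SilentlyContinue
        if (-not $inheritance) { continue }
        foreach ($link in $inheritance.GpoLinks) {
            if (-not $link.Enforced) { continue }
            [pscustomobject]@{
                Scope   = $target
                Gpo     = $link.DisplayName
                GpoId   = $link.GpoId
                Enabled = $link.Enabled
                Order   = $link.Order
            }
        }
    }
}

# Enforced links that are also disabled do nothing today but will bite when
# someone re-enables them, so they are listed rather than filtered out.
Get-EnforcedGpoLink | Sort-Object Scope, Order | Format-Table -AutoSize
```

Run this before you decide between Merge and Replace for a kiosk or server OU: any Enforced link it reports above that OU will contribute user settings no matter which mode you pick, and the only fix is to change the Enforced link itself or filter the GPO.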
If in doubt, Replace Mode is the better option when you need full control over the environment the user is logging in to. I've seen people do some pretty crazy things with Group Policy, including, but not limited to, setting one-minute screensaver timeouts, completely blocking any meaningful access to My Computer (usually when it isn't justified), and even putting hundreds of icons on the Desktop and Start Menu to "help" employees find things on the network. If you're maintaining a training lab, kiosks, or anything else where you need a significant amount of control over the user environment, you're probably better off using Replace Mode.
Permissions on network resources are always a big gotcha with Group Policy. You can have a perfectly written policy, but if the user doesn't have permission to use the network resource you've assigned with your loopback policy, you'll end up with slow logons and errors when the user tries to use the computer. If you're mapping a network drive, mapping a network printer, or redirecting folders for a user with a Merged or Replaced policy, make sure that the user logging in to the computer will have access to the network resource in the policy. Security filtering is a related gotcha: in either mode, the user settings in a computer-linked GPO are still filtered by the logging-on user's group membership, and since MS16-072 the computer account also needs Read permission on the GPO, so a loopback GPO filtered to a narrow user group needs Domain Computers or Authenticated Users granted Read as well.
Loopback Replace Mode can cause problems with Cross-Forest Trusts. Like many problems with Trusts, this can usually be tied to network connectivity issues. Make sure that the domain controllers of the user's originating forest are accessible from the computer they are trying to log in to. Note also that a computer treats a logon by a user from a trusted forest as loopback Replace by default, regardless of how you configured loopback, unless the computer policy "Allow cross-forest user policy and roaming user profiles" (Computer Configuration / Policies / Administrative Templates / System / Group Policy) is enabled; if users from the other forest are missing their own user settings or roaming profile, check that setting before chasing the trust.
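As an added example (not from the original post), a check you can run on the computer being logged on to: it locates a domain controller for the user's home domain the same way Winlogon does, tests the ports Group Policy processing depends on, and reports whether the cross-forest user policy setting is enabled. The domain name "partner.example" is hypothetical; the registry value name is the one the "Allow cross-forest user policy and roaming user profiles" setting writes.

```powershell
# Added example: from the machine the user logs on to, verify that the user's
# home-forest DCs are reachable and whether cross-forest user policy is allowed.
# "partner.example" is hypothetical.
function Test-CrossForestGpoPath {
    param([Parameter(Mandatory)][string]$UserDomain)

    # DC locator for the user's domain (the lookup Winlogon performs at logon)
    $locate = & nltest.exe /dsgetdc:$UserDomain /force 2>&1
    $dc = $null
    foreach ($line in $locate) {
        if ($line -match '^\s*DC:\s*\\\\(\S+)') { $dc = $Matches[1]; break }
    }
    if (-not $dc) {
        return [pscustomobject]@{
            Domain = $UserDomain; DcFound = $false; Detail = ($locate -join ' ')
        }
    }

    # 88 Kerberos, 135 RPC endpoint mapper, 389 LDAP, 445 SMB (SYSVOL/GPT)
    $closed = foreach ($port in 88, 135, 389, 445) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $ok) { $port }
    }

    # "Allow cross-forest user policy and roaming user profiles" is stored as
    # HKLM\SOFTWARE\Policies\Microsoft\Windows\System\AllowX-ForestPolicy-and-RUP.
    # Absent or 0: a trusted-forest user is processed as loopback Replace.
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
            -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Domain                       = $UserDomain
        DcFound                      = $true
        DomainController             = $dc
        ClosedPorts                  = @($closed)
        CrossForestUserPolicyAllowed = ($sys.'AllowX-ForestPolicy-and-RUP' -eq 1)
    }
}

Test-CrossForestGpoPath -UserDomain 'partner.example'
```

An empty ClosedPorts list with CrossForestUserPolicyAllowed set to False is the usual answer when "the trust is broken": the network is fine, the computer is simply doing what the default tells it to and replacing the user's policy.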