Group Policy Loopback Support

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Group Policy is applied to the user or computer, based upon where the user or computer object is located in Active Directory. However, in some cases, users may need policy applied to them, based upon the location of the computer object, not the location of the user object. The Group Policy loopback feature gives the administrator the ability to apply user Group Policy, based upon the computer that the user is logging onto.

To describe the loopback feature, we'll use an example. In this scenario, you have full control over the computers and users in this domain because you have been granted Domain Admin privileges.

The following illustration shows the Reskit domain, which is used to work through this example.

Figure 3. The Reskit domain

Normal user Group Policy processing specifies that computers located in the Servers organizational unit have the GPOs A3, A1, A2, A4, and A6 applied (in that order) during computer startup. Users of the Marketing organizational unit have GPOs A3, A1, A2, and A5 applied (in that order), regardless of which computer they log on to.

In some cases this processing order may not be what you want to do, for example, when you do not want applications that have been assigned or published to the users of the Marketing organizational unit to be installed while they are logged on to the computers in the Servers organizational unit. With the Group Policy loopback feature, you can specify two other ways to retrieve the list of GPOs for any user of the computers in the Servers organizational unit:

• Merge mode. In this mode, the computer's GPOs have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is A3, A1, A2, A4, and A6, which is added to the user's list of A3, A1, A2, A5, resulting in A3, A1, A2, A5, A3, A1, A2, A4, and A6 (listed in lowest to highest priority).

• Replace mode. In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based upon the computer object is used. In this example, the list is A3, A1, A2, A4, and A6.

You can set the loopback feature by using the User Group Policy loopback processing mode policy under Computer Settings\Administrative settings\System\Group Policy.

The processing of the loopback feature is implemented in the Group Policy engine, which is the part of Group Policy that runs in the Winlogon process. When the Group Policy engine is about to apply user policy, it looks in the registry for a computer policy, which specifies which mode user policy should be applied in.

Using Loopback for Terminal Services

You can apply GPOs to Terminal Servers exclusively with the use of a GPO Loopback policy. This policy directs the system to apply the set of GPOs for the computer to any user who logs on to the computer affected by this policy. This policy is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user policy based on the computer that is being used. Without Loopback, the user's GPOs determine which user policies apply. If this policy is enabled, the location of a user's computer object is the main factor in determining which set of GPOs are to be applied.

Loopback Processing and Security Filtering

In security filtering, if you have used the Deny ACL to explicitly prevent a policy setting from applying to a computer, the setting could still apply in loopback replace mode because the user's security principal remains unaffected by the Deny ACL computer settings.