Loopback Technology Review
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Understanding Group Policy loopback technology is essential for configuring a consistent desktop for all Terminal Services users. This section introduces the Group Policy loopback feature with application to terminal servers.
Group Policy loopback feature
Group Policy is applied to a user or computer based on where the user or computer object is located in the Active Directory® directory service. However, to give every user who logs on to a terminal server the same logon experience, user policy must be applied based on the location of the terminal server, not the location of the user object. The Group Policy loopback feature gives the administrator the ability to apply user Group Policy based on the Active Directory location of the terminal server.
To illustrate the loopback feature, we will use an example. In this example, you have full control over the computers and users in this domain because you have been granted domain administrator privileges.
The following illustration shows the Contoso.com domain, which is used for the purposes of this example. The gold lines connecting the Active Directory objects (domain and OU containers) are shown as solid lines. The GPO links between Active Directory objects (site, domain, and OU containers) and individual GPOs are shown as arrows.
Figure 1 The Contoso.com domain
The Terminal servers OU in the Contoso domain contains only the terminal servers. Users from the Marketing OU have GPOs A3, A1, A2, and A5 applied (in that order), regardless of the desktop computer to which they log on. The terminal servers located in the Terminal servers OU will have the computer settings from GPOs A3, A1, A2, A4, A6, and A7 applied (in that order) during computer Group Policy processing.
Loopback can be configured in one of two modes: replace and merge. For Terminal Services configuration purposes, the replace mode of the loopback policy setting is the relevant one. In this mode, the user's own list of GPOs is not gathered; only the list of GPOs derived from the computer object's location in Active Directory is used. In the example, the loopback policy setting is configured to replace mode in GPO A6, and GPO A7 is configured with the desired user-based policy settings for the Terminal Services desktop. Both GPO A6 and A7 are linked to the Terminal servers OU. This illustrates the best practice of keeping computer-based policy settings and user-based policy settings in separate GPOs, which makes troubleshooting Group Policy application problems easier.
For the Contoso.com domain example, users from the Marketing OU, when logging on to their normal desktops, will apply user policy settings from GPOs A3, A1, A2, and A5 (in that order). When logging on to any terminal server, the same users will evaluate a different set of user policy settings, from GPOs A3, A1, A2, A4, A6, and A7 (in that order). The following table shows how the set of user policy settings differs according to the computer's location.
|Computer|GPOs evaluated for the user when logging on|
|---|---|
|Normal desktop computer|A3, A1, A2, A5|
|Terminal server|A3, A1, A2, A4, A6, A7|

Note: The list of GPOs evaluated for a user logging on to a terminal server will include A3, A1, A2, A4, A6, and A7 (in that order). However, A6 will be found to include only computer settings and will not apply to a user.
In summary, administrators can use the loopback feature in replace mode to override the normal processing of user Group Policy settings. The user portion of the GPOs linked to the Terminal servers OU will be used for all terminal server logons, instead of evaluating the user GPOs in Group Policy processing normally applied when logging on to their desktop computer.
Loopback processing and security filtering
With security filtering, you can limit a GPO that carries user-based policy settings to a specific domain security group whose members are users. The computer policy settings of that GPO will not apply, but its user policy settings will apply to any user who belongs to the security group used in the filter.
Using the Contoso domain example, you would want to use security filtering to limit application of the user policy settings of GPO A7 to the Remote Desktop Users group. In this case, the Remote Desktop Users group will have the user policy settings of GPOs A3, A1, A2, A4, A6, and A7 applied to them and in that order. All other users will have only the user policy settings of GPOs A3, A1, A2, A4, and A6 applied to them and in that order. This method of limiting application of GPOs through security filtering will come in handy for Scenario 2.
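To make the processing order concrete, here is an added Python model of the evaluation described for the Contoso.com example and of the security filtering of GPO A7 in this section. This is example code written for this page, not code from the original article or from Microsoft, and it only models the ordering rules the text states; it does not read a real directory. The container layout (A3 linked at the site, A1 and A2 at the domain, A4 as the lowest-precedence link on the Terminal servers OU, and a Desktops OU with no links for the user's normal computer), the user, computer and site names, and the group memberships are assumptions chosen to reproduce the orders given in the text. Merge mode is modelled as the user's own list followed by the computer-location list, so the latter takes precedence.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

AUTH_USERS = frozenset({"Authenticated Users"})


@dataclass
class GPO:
    name: str
    computer_side: bool = True            # carries computer settings?
    user_side: bool = True                # carries user settings?
    loopback: Optional[str] = None        # "replace", "merge" or None; a computer-side setting
    apply_to: FrozenSet[str] = AUTH_USERS  # groups allowed to apply the GPO (security filtering)


@dataclass
class Container:
    name: str
    parent: Optional[str]
    links: List[str] = field(default_factory=list)  # linked GPOs in processing order (last wins)


@dataclass
class Principal:
    name: str
    container: str
    groups: FrozenSet[str] = AUTH_USERS


# Constructed GPOs for the example: A6 holds the loopback setting and computer
# settings only; A7 holds the Terminal Services user settings only. The other
# GPOs are assumed to carry both sides.
GPOS: Dict[str, GPO] = {g.name: g for g in [
    GPO("A1"), GPO("A2"), GPO("A3"), GPO("A4"), GPO("A5"),
    GPO("A6", user_side=False, loopback="replace"),
    GPO("A7", computer_side=False),
]}

# Assumed site -> domain -> OU layout that yields the orders stated in the text.
DIRECTORY: Dict[str, Container] = {c.name: c for c in [
    Container("Default-First-Site-Name", None, ["A3"]),
    Container("contoso.com", "Default-First-Site-Name", ["A1", "A2"]),
    Container("Marketing", "contoso.com", ["A5"]),
    Container("Desktops", "contoso.com", []),
    Container("Terminal servers", "contoso.com", ["A4", "A6", "A7"]),
]}


def linked_gpos(container: Optional[str], directory=DIRECTORY) -> List[str]:
    """Gather links in site, domain, OU, child-OU order (later entries win)."""
    levels = []
    while container is not None:
        c = directory[container]
        levels.append(c.links)
        container = c.parent
    return [g for links in reversed(levels) for g in links]


def loopback_mode(computer: Principal, gpos=GPOS, directory=DIRECTORY) -> Optional[str]:
    """Loopback is a computer policy: the last computer-side GPO that sets it wins."""
    mode = None
    for name in linked_gpos(computer.container, directory):
        g = gpos[name]
        if g.computer_side and (computer.groups & g.apply_to) and g.loopback:
            mode = g.loopback
    return mode


def user_policy(user: Principal, computer: Principal,
                gpos=GPOS, directory=DIRECTORY) -> Tuple[List[str], List[str]]:
    """Return (evaluated, applied): the GPO list gathered for the logon and the
    subset whose user settings apply after the user-side and filtering checks."""
    user_list = linked_gpos(user.container, directory)
    computer_list = linked_gpos(computer.container, directory)
    mode = loopback_mode(computer, gpos, directory)
    if mode == "replace":
        evaluated = computer_list                 # user's own list is not gathered
    elif mode == "merge":
        evaluated = user_list + computer_list     # computer list appended, so it wins
    else:
        evaluated = user_list
    applied = [n for n in evaluated
               if gpos[n].user_side and (user.groups & gpos[n].apply_to)]
    return evaluated, applied


def with_gpo(gpos: Dict[str, GPO], name: str, **changes) -> Dict[str, GPO]:
    """Copy of the GPO table with one GPO's attributes changed (e.g. filtering)."""
    out = dict(gpos)
    out[name] = replace(gpos[name], **changes)
    return out


if __name__ == "__main__":
    alice = Principal("alice", "Marketing")                         # constructed user
    bob = Principal("bob", "Marketing", AUTH_USERS | {"Remote Desktop Users"})
    desktop = Principal("DESKTOP1$", "Desktops")                    # constructed computers
    ts = Principal("TS1$", "Terminal servers")
    print("desktop logon    ", user_policy(alice, desktop))
    print("terminal server  ", user_policy(alice, ts))
    filtered = with_gpo(GPOS, "A7", apply_to=frozenset({"Remote Desktop Users"}))
    print("TS, RDU member   ", user_policy(bob, ts, filtered))
    print("TS, other user   ", user_policy(alice, ts, filtered))
```

Running the block prints the evaluated and applied lists for the four cases the text describes; the applied list drops A6 on the terminal server because A6 carries no user settings, and drops A7 for a user outside Remote Desktop Users once the filter is in place.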
Loopback processing best practices
When using loopback processing in replace mode to control user policy processing, it is best to create separate GPOs for the user and computer configuration settings. Doing so reduces the confusion involved in applying security filtering to a GPO (whether the filter is meant for the user side or the computer side). Creating separate GPOs also helps in troubleshooting any issues with the processing of Group Policy settings when loopback processing is enabled.