Group Policy Loopback Support

Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users might need policy applied to them based on the location of the computer object alone. The Group Policy loopback feature gives you the ability to apply Group Policy objects that depend only on which computer the user logs on to.

Note

Loopback is supported only in a purely Windows 2000–based environment. Both the computer account and the user account must be in Active Directory. If either account is managed by a Windows NT 4.0–based domain controller, loopback does not function. The client computer must be a Windows 2000–based computer.

The following scenario describes the loopback feature. In this scenario, you have full control over the computers and users in this domain because you have been granted domain administrator rights. Figure 22.7 shows the Reskit domain.


Figure 22.7 The Reskit Domain

When users work at their own workstations, they should have Group Policy applied to them according to the policy settings defined for the location of the user object. However, when users log on to a computer whose computer object is in the Servers organizational unit, they should receive user policy settings based on the computer object's location rather than the user object's location.

In Figure 22.8, normal user Group Policy processing specifies that computers located in the Servers organizational unit have the Group Policy objects A3, A1, A2, A4, and A6 applied in that order during computer startup. Users of the Marketing organizational unit have Group Policy objects A3, A1, A2, and A5 applied in that order, regardless of which computer they log on to.

In some cases this processing order might not be appropriate; for example, when you do not want applications that have been assigned or published to the users of the Marketing organizational unit to be installed while those users are logged on to the computers in the Servers organizational unit. With the Group Policy loopback support feature, you can specify two other ways to retrieve the list of Group Policy objects for any user of the computers in the Servers organizational unit: Merge Mode or Replace Mode.

Merge Mode.    In this mode, when the user logs on, the user's list of Group Policy objects is gathered normally by using the GetGPOList function, and then GetGPOList is called again using the computer's location in Active Directory. Next, the list of Group Policy objects for the computer is added to the end of the Group Policy objects for the user. This causes the computer's Group Policy objects to have higher precedence than the user's Group Policy objects. In this example, the list of Group Policy objects for the computer is A3, A1, A2, A4, and A6, which is added to the user's list of A3, A1, A2, and A5, and thus results in A3, A1, A2, A5, A3, A1, A2, A4, and A6 (listed in lowest to highest priority).

Replace Mode.    In this mode, the user's list of Group Policy objects is not gathered. Only the list of Group Policy objects based upon the computer object is used. In Figure 22.7, the list is A3, A1, A2, A4, and A6.

The loopback feature is implemented in the Group Policy engine, not in the GetGPOList function. When the Group Policy engine is about to apply user policy, it searches the registry for a computer policy that specifies which mode user policy should be applied in. Then, based upon that policy, it calls GetGPOList as appropriate.
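The following is an added worked example, not code from the Resource Kit or from the Group Policy engine itself. It simulates the engine flow described above for the Marketing user logging on to a Servers computer: the loopback mode is read from the settings that computer policy produced, then the user GPO list is built for Normal, Merge or Replace mode and the resulting precedence is shown. The GPO names match the text; the settings inside each GPO, the `user_policy_mode` key standing in for the registry-based computer policy, and the function names are constructed assumptions.

```python
from enum import Enum

class LoopbackMode(Enum):
    NONE = 0      # normal processing: the user's own GPO list only
    MERGE = 1     # user GPO list, then the computer's GPO list appended
    REPLACE = 2   # the computer's GPO list only

# Constructed sample data modelled on the Reskit scenario (assumed, not from the page):
# the GPO names are the page's, the settings inside each GPO are invented.
SERVERS_COMPUTER_GPOS = ["A3", "A1", "A2", "A4", "A6"]
MARKETING_USER_GPOS = ["A3", "A1", "A2", "A5"]
GPO_SETTINGS = {
    "A5": {"assigned_apps": ["MarketingSuite"]},      # Marketing OU user policy
    "A4": {"assigned_apps": []},                       # Servers OU: no user apps
    "A6": {"user_policy_mode": LoopbackMode.MERGE},    # Servers OU: loopback mode
}

def effective_settings(gpo_list, gpo_settings=GPO_SETTINGS):
    """Apply GPOs lowest to highest precedence; a later GPO overrides earlier values."""
    result = {}
    for gpo in gpo_list:
        result.update(gpo_settings.get(gpo, {}))
    return result

def loopback_mode(computer_gpos, gpo_settings=GPO_SETTINGS):
    """Engine step before user policy: read the loopback mode from computer policy
    (stands in for the registry lookup; 'user_policy_mode' is an assumed key name)."""
    return effective_settings(computer_gpos, gpo_settings).get(
        "user_policy_mode", LoopbackMode.NONE)

def resolve_user_gpo_list(user_gpos, computer_gpos, mode):
    """Build the user-policy GPO list, listed lowest to highest priority."""
    if mode is LoopbackMode.REPLACE:
        return list(computer_gpos)                      # only the computer-based list
    if mode is LoopbackMode.MERGE:
        return list(user_gpos) + list(computer_gpos)    # computer GPOs win on conflict
    return list(user_gpos)                              # normal processing

def user_policy_on_servers(user_gpos=MARKETING_USER_GPOS,
                           computer_gpos=SERVERS_COMPUTER_GPOS):
    """Full flow: mode from computer policy, then GPO list, then effective settings."""
    mode = loopback_mode(computer_gpos)
    gpo_list = resolve_user_gpo_list(user_gpos, computer_gpos, mode)
    return mode, gpo_list, effective_settings(gpo_list)

if __name__ == "__main__":
    mode, gpo_list, settings = user_policy_on_servers()
    print(mode.name, gpo_list, settings)
```

With A6 selecting Merge Mode, A4's empty assignment list outranks A5, so MarketingSuite is not assigned on Servers computers; with normal processing it would be.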