Sunday, February 26, 2012

Loopback demystified

Hello there. Often I see confusion about what Group Policy Loopback processing is, how it works and what to take care of when using it. Microsoft’s documentation on Loopback processing, although technically correct, seems somewhat “hard to understand”:
Here’s my explanation about Loopback processing. Comments and feedback are welcome!

What is Loopback intended for?

Imagine one of the following scenarios:

·       You have workstations and Terminal Servers. On both, there’s a “Shutdown” item in the start menu. That’s ok for workstations, but not for Terminal Servers. So, on the Terminal server, the “Shutdown” item shall be disabled via Group Policy. Unfortunately, all start menu related GPO settings are user settings that we now require to be different on two computers, but for the SAME user… We need “additional” user settings – that’s Loopback “Merge” Mode. Merging appends GPOs to the common  GPO set for a user.
·       You have computers accessible for public users (i.e. “Kiosk Terminals”). On these, all users should get the same locked down settings (commonly: IE as  shell, no context menu, no caching and so on). So on these computers, we need a common set of user GPOs than enforces the lockdown, regardless of who is logging on. We need “different” user settings – that’s Loopback “Replace” Mode. “Replace” in fact replaces the common  GPO set for a user with a completely different GPO set.
How does Loopback change how GPOs are applied?

You may already know that GPOs are processed according to their linkage to Active Directory Sites, Domains and OUs – down to where our account (user or computer) resides. This “tree” is called the “Scope of Management” (SOM). See http://msdn.microsoft.com/en-us/library/cc232530.aspx for a complete description of GPO application.
This is our “corp.contoso.com” domain. It has a “corp root” OU where we put servers, workstations and users in appropriate Sub-OUs where several policies are linked. All GPOs  (even those linked to “Workstations”) contain one or more user settings.


We have an “user” account residing in corp.contoso.com/Corp Root/Users/Backoffice. His “common” GPO set looks like this:


Policy Name


Policy Link (SOM)


Headquarters Site Policy

corp.contoso.com/Configuration/Sites/Headquarters-Site

Corporate Domain Policy

corp.contoso.com

 Corp Root Policy

corp.contoso.com/Corp Root

Users Policy

corp.contoso.com/Corp Root/Users

Backoffice Policy

corp.contoso.com/Corp Root/Users/Backoffice

Users Policy – enforced

corp.contoso.com/Corp Root/Users

Corp Root Policy – enforced

corp.contoso.com/Corp Root

Corporate Domain Policy – enforced

corp.contoso.com

Headquarters Site Policy – enforced

corp.contoso.com/Configuration/Sites/Headquarters-Site

As the table shows, GPO processing starts at Site level, then walks down from the Domain level to the “Backoffice” OU, applying all non-enforced GPOs. Then it walks the same way back, processing enforced GPOs. And with “last writer wins”, this ensures that enforced GPOs in fact DO win.
Now let’s have a look how processing works when Loopback “Merge” mode is enabled:

Policy Name

Policy Link (SOM)

Headquarters Site Policy
corp.contoso.com/Configuration/Sites/Headquarters-Site
Corporate Domain Policy
corp.contoso.com
Corp Root Policy
corp.contoso.com/Corp Root
Users Policy
corp.contoso.com/Corp Root/Users
Backoffice Policy
corp.contoso.com/Corp Root/Users/Backoffice
Users Policy – enforced
corp.contoso.com/Corp Root/Users
Corp Root Policy – enforced
corp.contoso.com/Corp Root
Corporate Domain Policy – enforced
corp.contoso.com
Headquarters Site Policy – enforced
corp.contoso.com/Configuration/Sites/Headquarters-Site
Headquarters Site Policy
corp.contoso.com/Configuration/Sites/Headquarters-Site
Corporate Domain Policy
corp.contoso.com
Corp Root Policy
corp.contoso.com/Corp Root
Workstations Policy
corp.contoso.com/Corp Root/Workstations
Desktops Policy
corp.contoso.com/Corp Root/Workstations/Desktops
Workstations policy – enforced
corp.contoso.com/Corp Root/Workstations
Corp Root Policy – enforced
corp.contoso.com/Corp Root
Corporate Domain Policy – enforced
corp.contoso.com
Headquarters Site Policy – enforced
corp.contoso.com/Configuration/Sites/Headquarters-Site

We now have two cycles of GPO processing. The first is exactly the same as it was without Loopback. The second cycle also starts at Site level and walks down from the Domain. But this time, although we are processing user GPOs, it walks down to “Desktops” and applies User GPOs linked at “Workstations” and “Desktops”.

Remark: User GPOs processed in the second cycle only get applied as long as the workstation account (!) has at least read access to the GPO. See http://support.microsoft.com/kb/953768.This feature enables us to link a GPO to „Desktops“ that has „Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands” enabled and has Security filtering for “Domain Users” (so all users will apply the GPO) and for the workstations only where we need this setting enabled (i.e. Terminal Servers).
Remark: Enabling “Merge” mode almost doubles GPO processing time. And if you define Logon Scripts at Domain Level, they will execute twice…

Last, let’s enable Loopback “Replace” mode:

Policy Name

Policy Link (SOM)

Headquarters Site Policy
corp.contoso.com/Configuration/Sites/Headquarters-Site
Corporate Domain Policy
corp.contoso.com
Corp Root Policy
corp.contoso.com/Corp Root
Workstations Policy
corp.contoso.com/Corp Root/Workstations
Desktops Policy
corp.contoso.com/Corp Root/Workstations/Desktops
Workstations policy – enforced
corp.contoso.com/Corp Root/Workstations
Corp Root Policy – enforced
corp.contoso.com/Corp Root
Corporate Domain Policy – enforced
corp.contoso.com
Headquarters Site Policy – enforced
corp.contoso.com/Configuration/Sites/Headquarters-Site

Again, this is very similar to the previous Loopback “Merge” mode, but the user SOM is omitted completely. Only the second cycle from “Merge” mode takes place, applying only user GPOs linked to the computer’s SOM.

As common user GPOs are no longer applied, we now may deploy a specialized GPO set for given computers that applies to all users logging on.

That's all for now, stay tuned!

14 comments:

  1. You have done a great job of laying this out with plenty of visual aids, anybody should be able to understand now!

    Found your blog via Technet Group Policy forum
    -Garrett R

    ReplyDelete
  2. Thanks very much Garret! Has been quiet here for some time, but hopefully more posts are up to come ;-)

    ReplyDelete
  3. Thank you for explaining how enforcement relates to loopback! I would love to see some more posts as well! :)

    ReplyDelete
    Replies
    1. I'm full of thoughts about what might be worth posting - but at the moment,I'm quite busy... Sorry, and stay tuned anyway ;-)

      Delete
  4. You are GREAT !!!! well done, keep sharing.

    ReplyDelete
  5. This comment has been removed by a blog administrator.

    ReplyDelete
  6. When you have a Computer OU with 4 different OU's on it...(GPO1-GPO2-GPO3-GPO4) and you enable LoopBack on GPO1...dose the Loopback hit GPO2-GPO3-GPO4 as well ? or dose i need to apply Loopback on GPO2-3-4 as well ?

    ReplyDelete
    Replies
    1. Loopback isn't enabled "per GPO", but "per computer". So it doesn't matter which GPO enables loopback - if it's enabled, it hits all GPOs.

      Delete
  7. sorry, maybe i had a very long day. But how do you create a loopback?

    ReplyDelete
    Replies
    1. You don't "create" it, you simply "enable" it: Computer config - Policies - ADM Templates - System - Group Policy.

      Delete
  8. I'm sorry.. I must have a mental block. Let me ask, I have a user GPO that I created to enforce screen saver passwords on all users' workstations EXCEPT for 3 workstations. My GPO is linked to the users OU and the Dispatch Computers OU that has the 3 workstations that I don't want the screen saver enabled. My Loopback is set to Replace. I thought that it would not enable the screen saver on the 3 workstations in the Dispatch Computers OU? It is applying the screen saver to all users even if they are logged into the 3 dispatch workstations. What am I missing?

    ReplyDelete
    Replies
    1. You need a second GPO that disables the screen saver. Link this GPO to the OU with your 3 computers and move it to the top of linked GPOs. Or have a look at my post about "How to save my screen" :-)

      Delete