http://technet.microsoft.com/en-us/library/cc978513.aspx
http://technet.microsoft.com/en-us/library/cc779327.aspx
http://technet.microsoft.com/en-us/library/cc785074.aspx
Here’s my
explanation about Loopback processing. Comments and feedback are welcome!http://technet.microsoft.com/en-us/library/cc779327.aspx
http://technet.microsoft.com/en-us/library/cc785074.aspx
What is Loopback intended for?
Imagine one of the following scenarios:
· You
have workstations and Terminal Servers. On both, there’s a “Shutdown” item in
the start menu. That’s ok for workstations, but not for Terminal Servers. So,
on the Terminal server, the “Shutdown” item shall be disabled via Group Policy.
Unfortunately, all start menu related GPO settings are user settings that we
now require to be different on two computers, but for the SAME user… We need
“additional” user settings – that’s Loopback “Merge” Mode. Merging appends GPOs to the common GPO set for a user.
· You
have computers accessible for public users (i.e. “Kiosk Terminals”). On these,
all users should get the same locked down settings (commonly: IE as shell, no context menu, no caching and so
on). So on these computers, we need a common set of user GPOs than enforces the
lockdown, regardless of who is logging on. We need “different” user settings –
that’s Loopback “Replace” Mode. “Replace” in fact replaces the common GPO set for a user with a completely different
GPO set.
How does Loopback change
how GPOs are applied?
You may
already know that GPOs are processed according to their linkage to Active
Directory Sites, Domains and OUs – down to where our account (user or computer)
resides. This “tree” is called the “Scope of Management” (SOM). See http://msdn.microsoft.com/en-us/library/cc232530.aspx
for a complete description of GPO application.
This is our
“corp.contoso.com” domain. It has a “corp root” OU where we put servers,
workstations and users in appropriate Sub-OUs where several policies are
linked. All GPOs (even those linked to
“Workstations”) contain one or more user settings.
We have an “user” account residing in corp.contoso.com/Corp Root/Users/Backoffice. His “common” GPO set looks like this:
Policy Name
|
Policy Link (SOM)
|
|
Headquarters Site
Policy
|
corp.contoso.com/Configuration/Sites/Headquarters-Site
|
|
Corporate Domain
Policy
|
corp.contoso.com
|
|
Corp Root Policy
|
corp.contoso.com/Corp
Root
|
|
Users Policy
|
corp.contoso.com/Corp
Root/Users
|
|
Backoffice Policy
|
corp.contoso.com/Corp
Root/Users/Backoffice
|
|
Users Policy –
enforced
|
corp.contoso.com/Corp
Root/Users
|
|
Corp Root Policy –
enforced
|
corp.contoso.com/Corp
Root
|
|
Corporate Domain
Policy – enforced
|
corp.contoso.com
|
|
Headquarters Site
Policy – enforced
|
corp.contoso.com/Configuration/Sites/Headquarters-Site
|
As the table shows, GPO processing starts at Site level, then walks down from the Domain level to the “Backoffice” OU, applying all non-enforced GPOs. Then it walks the same way back, processing enforced GPOs. And with “last writer wins”, this ensures that enforced GPOs in fact DO win.Now let’s have a look how processing works when Loopback “Merge” mode is enabled:
Policy Name
|
Policy Link (SOM)
|
Headquarters Site
Policy
|
corp.contoso.com/Configuration/Sites/Headquarters-Site
|
Corporate Domain
Policy
|
corp.contoso.com
|
Corp Root Policy
|
corp.contoso.com/Corp
Root
|
Users Policy
|
corp.contoso.com/Corp
Root/Users
|
Backoffice Policy
|
corp.contoso.com/Corp
Root/Users/Backoffice
|
Users Policy –
enforced
|
corp.contoso.com/Corp
Root/Users
|
Corp Root Policy –
enforced
|
corp.contoso.com/Corp
Root
|
Corporate Domain
Policy – enforced
|
corp.contoso.com
|
Headquarters Site
Policy – enforced
|
corp.contoso.com/Configuration/Sites/Headquarters-Site
|
Headquarters Site
Policy
|
corp.contoso.com/Configuration/Sites/Headquarters-Site
|
Corporate Domain
Policy
|
corp.contoso.com
|
Corp Root Policy
|
corp.contoso.com/Corp
Root
|
Workstations Policy
|
corp.contoso.com/Corp
Root/Workstations
|
Desktops Policy
|
corp.contoso.com/Corp
Root/Workstations/Desktops
|
Workstations policy
– enforced
|
corp.contoso.com/Corp
Root/Workstations
|
Corp Root Policy –
enforced
|
corp.contoso.com/Corp
Root
|
Corporate Domain
Policy – enforced
|
corp.contoso.com
|
Headquarters Site
Policy – enforced
|
corp.contoso.com/Configuration/Sites/Headquarters-Site
|
We now have two cycles of GPO processing. The first is exactly the same as it was without Loopback. The second cycle also starts at Site level and walks down from the Domain. But this time, although we are processing user GPOs, it walks down to “Desktops” and applies User GPOs linked at “Workstations” and “Desktops”.
Remark:
User GPOs processed in the second cycle only get applied as long as the
workstation account (!) has at least read access to the GPO. See http://support.microsoft.com/kb/953768.This
feature enables us to link a GPO to „Desktops“ that has „Remove and prevent
access to the Shut Down, Restart, Sleep and Hibernate commands” enabled and has
Security filtering for “Domain Users” (so all users will apply the GPO) and for
the workstations only where we need this setting enabled (i.e. Terminal
Servers).
Remark:
Enabling “Merge” mode almost doubles GPO processing time. And if you define
Logon Scripts at Domain Level, they will execute twice…
Last, let’s
enable Loopback “Replace” mode:
Policy Name
|
Policy Link (SOM)
|
Headquarters Site
Policy
|
corp.contoso.com/Configuration/Sites/Headquarters-Site
|
Corporate Domain
Policy
|
corp.contoso.com
|
Corp Root Policy
|
corp.contoso.com/Corp
Root
|
Workstations Policy
|
corp.contoso.com/Corp
Root/Workstations
|
Desktops Policy
|
corp.contoso.com/Corp
Root/Workstations/Desktops
|
Workstations policy
– enforced
|
corp.contoso.com/Corp
Root/Workstations
|
Corp Root Policy –
enforced
|
corp.contoso.com/Corp
Root
|
Corporate Domain
Policy – enforced
|
corp.contoso.com
|
Headquarters Site
Policy – enforced
|
corp.contoso.com/Configuration/Sites/Headquarters-Site
|
Again, this is very similar to the previous Loopback “Merge” mode, but the user SOM is omitted completely. Only the second cycle from “Merge” mode takes place, applying only user GPOs linked to the computer’s SOM.
As common user GPOs are no longer applied, we now may deploy a specialized GPO set for given computers that applies to all users logging on.
That's all for now, stay tuned!
You have done a great job of laying this out with plenty of visual aids, anybody should be able to understand now!
ReplyDeleteFound your blog via Technet Group Policy forum
-Garrett R
Thanks very much Garret! Has been quiet here for some time, but hopefully more posts are up to come ;-)
ReplyDeleteThank you for explaining how enforcement relates to loopback! I would love to see some more posts as well! :)
ReplyDeleteI'm full of thoughts about what might be worth posting - but at the moment,I'm quite busy... Sorry, and stay tuned anyway ;-)
DeleteYou are GREAT !!!! well done, keep sharing.
ReplyDeleteVery informative and well written post! Quite interesting and nice topic chosen for the post.
ReplyDeleteToshiba - 13.3" Portege Notebook - 4 GB Memory - 320 GB Hard Drive - Black
Toshiba - 15.6" Satellite Laptop - 6GB Memory - 640GB Hard Drive - Slate
This comment has been removed by a blog administrator.
ReplyDeleteWhen you have a Computer OU with 4 different OU's on it...(GPO1-GPO2-GPO3-GPO4) and you enable LoopBack on GPO1...dose the Loopback hit GPO2-GPO3-GPO4 as well ? or dose i need to apply Loopback on GPO2-3-4 as well ?
ReplyDeleteLoopback isn't enabled "per GPO", but "per computer". So it doesn't matter which GPO enables loopback - if it's enabled, it hits all GPOs.
Deletesorry, maybe i had a very long day. But how do you create a loopback?
ReplyDeleteYou don't "create" it, you simply "enable" it: Computer config - Policies - ADM Templates - System - Group Policy.
DeleteVery nice!
ReplyDeleteI'm sorry.. I must have a mental block. Let me ask, I have a user GPO that I created to enforce screen saver passwords on all users' workstations EXCEPT for 3 workstations. My GPO is linked to the users OU and the Dispatch Computers OU that has the 3 workstations that I don't want the screen saver enabled. My Loopback is set to Replace. I thought that it would not enable the screen saver on the 3 workstations in the Dispatch Computers OU? It is applying the screen saver to all users even if they are logged into the 3 dispatch workstations. What am I missing?
ReplyDeleteYou need a second GPO that disables the screen saver. Link this GPO to the OU with your 3 computers and move it to the top of linked GPOs. Or have a look at my post about "How to save my screen" :-)
DeleteHello Martin, It is very nice article.
ReplyDeleteI have a question. What if you have to apply multiple GPOs to the Terminal Server OU for the users, the GPOs are mixed with user and computer policies. Are all of the GPOs linked to the OU supposed to have "lookback processing" setup ? or just one of them in the higher precedence will win over?
for example:
order 1: user configuration - loopback processing "merge" enabled
order 2: user configuration - no loopback processing enabled
order 3: computer configuration - no loopback processing enabled
if the case above example since the order 1 GPO has loopback processing enabled win over, are the order 2 and order 3 GPOs applied as "loopback processing - merge" enabled? or we still have to each GPO to set loopback processing enabled ?
Loopback is not a "per GPO setting", but a "per computer setting". It is either enabled or disabled for _all_ user GPOs applied on this computer. So, the usual precedence of GPO settings applies and the last applied GPO containing loopback settings wins.
DeleteAnd it is a computer setting only. This makes your sample somewhat senseless :-)