The user settings from the computer’s GPOs win any conflicts since they apply last. The result- the user receives all user settings from GPOs applied to the user and all user settings from GPOs applied to the computer. Following normal user policy processing the Group Policy engine applies user settings from GPOs linked to the computer's OU. We'll start off with an explanation of Merge mode since it builds on our existing knowledge of user policy processing.ĭuring loopback processing in merge mode, user GPOs process first (exactly as they do during normal policy processing), but with an additional step. Prior to the start of user policy processing, the Group Policy engine checks to see if loopback is enabled and, if so, in which mode. There are two modes for loopback processing: Merge or Replace. When you enable loopback processing, you also have to select the desired mode.
The screenshot below is from the Windows 8 version of the GPME. User Group Policy loopback processing mode. To configure loopback in Windows 8 and Windows Server 2012Įarlier versions of Windows have the same policy setting under the name In the Group Policy Management Editor (GPME).Ĭonfigure user Group Policy loopback processing mode You will save yourself countless nights/weekends/holidays in the office because will you be able to identify configuration issues more quickly and easily.Ĭomputer Configuration/Administrative Templates/System/Group Policy As I've mentioned in other posts, whenever possible, keep your designs as simple as possible. All of these configuration options modify the default processing of policy and thus make your environment more complex to troubleshoot and maintain. Our recommendation for loopback is similar to our recommendations for WMI filters, Block Inheritance and policy Enforcement use them sparingly. Loopback processing changes the list of applicable GPOs and the order in which they apply to a user.Īdministrators use loopback processing in kiosk, lab, and Terminal Server environments to provide a consistent user experience across all computers regardless of the GPOs linked to user's OU. For this example, the user is the "E" OU and the computer is in the "G" OU of the domain.įollowing normal group policy processing rules (assuming all policies apply to Authenticated Users with no WMI filters or "Block Inheritance" or "Enforced" policies), user settings of Group Policy objects apply in the following order: Normal user group policy processing applies user settings from GPOs linked to the Site, Domain, and OU containing the user object regardless of the location of the computer object in Active Directory. (previously called No Override for you old school admins) can modify processing as well, but we will keep things simple for the purposes of this example.
As a result of LSDOU, settings from GPOs linked closest (lower in OU structure) to the user take precedence over those linked farther from the user (higher in OU structure). GPO configuration options such as You may have heard Active Directory “old timers” refer to this as