By default, a user’s settings come from GPOs scoped to the user object in Active Directory. Regardless of which computer the user logs on to, the resultant set of policies that determine the user’s environment is the same. There are situations, however, in which you might want to configure a user differently, depending on the computer in use. For example, you might want to lock down and standardize user desktops when users log on to computers in closely managed environments such as conference rooms, reception areas, laboratories, classrooms, and kiosks. Configuring users according to the computer in use is also important for virtual desktop infrastructure (VDI) scenarios, including remote virtual machines and Remote Desktop Services (Terminal Services).
Imagine a scenario in which you want to enforce a standard corporate appearance for the Windows desktop on all computers in conference rooms and other public areas of your office. How could you centrally manage this configuration, using Group Policy? Policy settings that configure desktop appearance are located in the User Configuration node of a GPO.
Therefore, by default, the settings apply to users regardless of which computer they log on to. The default policy processing does not give you a way to scope user settings to apply to computers, regardless of which user logs on. That’s where loopback policy processing comes in.
Loopback policy processing alters the default algorithm used by the Group Policy client to obtain the ordered list of GPOs that should be applied to a user’s configuration. Instead of user configuration being determined by the User Configuration node of GPOs that are scoped to the user object, user configuration can be determined by the User Configuration node policies of GPOs that are scoped to the computer object.
The User Group Policy Loopback Processing Mode policy, located in the Computer Configuration\Policies\Administrative Templates\System\Group Policy folder in GPME, can be, like all policy settings, set to Not Configured, Enabled, or Disabled.
When enabled, the policy can specify Replace or Merge mode:
– Replace: In this case, the GPO list for the user (obtained in step 5 in the “Group Policy Processing” section) is replaced in its entirety by the GPO list already obtained for the computer at computer startup (during step 2). The settings in the User Configuration policies of the computer’s GPOs are applied to the user. Replace mode is useful in a situation such as a classroom, where users should receive a standard configuration rather than the configuration applied to those users in a less managed environment.
– Merge: In this case, the GPO list obtained for the computer at computer startup (step 2 in the “Group Policy Processing” section) is appended to the GPO list obtained for the user when logging on (step 5). Because the GPO list obtained for the computer is applied later, settings in GPOs on the computer’s list have precedence if they conflict with settings in the user’s list. This mode would be useful for applying additional settings to users’ typical configurations. For example, you might allow a user to receive his or her typical configuration when logging on to a computer in a conference room or reception area but replace the wallpaper with a standard bitmap and disable the use of certain applications or devices.
The 70-640 exam is likely to include several questions that test your knowledge of Group Policy scope. Sometimes, questions that seem to be addressing the technical details of a policy setting are, in fact, testing your ability to scope the setting to appropriate systems. When you encounter Group Policy questions, ask yourself, “Is this really about a specific policy setting, or is it about the scope of that setting?”
Note: Loopback and filtering
It is an underdocumented fact that when you combine loopback processing with security group filtering, the application of user settings during policy refresh uses the credentials of the computer to determine which GPOs to apply as part of the loopback processing, but the logged-on user must also have the Apply Group Policy permission for the GPO to be successfully applied.
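
The Replace and Merge list construction described above, combined with the filtering note, as a small Python model (an added example, not code from the original text or from the Group Policy client itself). The GPO names, setting names, and group names are constructed, and the user's own GPO list is assumed to be already filtered as it would be at step 5.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict  # settings in the GPO's User Configuration node
    # Principals holding Apply Group Policy on this GPO (security filtering).
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})

def user_gpo_list(user_gpos, computer_gpos, mode, user_groups):
    """Return the ordered GPO list used for the user's configuration.

    mode is None (loopback not enabled), "Merge" or "Replace".
    user_gpos is the list obtained for the user at logon (step 5);
    computer_gpos is the list obtained for the computer at startup (step 2).
    """
    if mode is None:
        return list(user_gpos)
    # Per the filtering note: a GPO from the computer's list is applied to
    # the user only if the user also holds Apply Group Policy on it.
    looped = [g for g in computer_gpos if g.apply_to & user_groups]
    if mode == "Replace":
        return looped                    # user's own list is discarded
    if mode == "Merge":
        return list(user_gpos) + looped  # computer's list is applied later
    raise ValueError(f"unknown loopback mode: {mode!r}")

def resultant_user_settings(gpo_list):
    """Apply GPOs in order; a later GPO wins any conflicting setting."""
    result = {}
    for gpo in gpo_list:
        result.update(gpo.user_settings)
    return result

# Constructed sample data: names and settings are illustrative labels only.
USER_GPOS = [GPO("Sales Users", {"Wallpaper": "sales.bmp", "MappedDrive": "S:"})]
COMPUTER_GPOS = [
    GPO("Conference Room Lockdown",
        {"Wallpaper": "corporate.bmp", "ControlPanel": "Hidden"}),
    GPO("Helpdesk Exemption", {"ControlPanel": "Visible"}, apply_to={"Helpdesk"}),
]

def effective(mode, user_groups):
    gpos = user_gpo_list(USER_GPOS, COMPUTER_GPOS, mode, set(user_groups))
    return resultant_user_settings(gpos)

if __name__ == "__main__":
    for mode in (None, "Merge", "Replace"):
        print(mode, effective(mode, {"Authenticated Users", "Sales"}))
    print("Replace (helpdesk)", effective("Replace", {"Authenticated Users", "Helpdesk"}))
```

In Merge mode the sales user keeps the mapped drive but loses the wallpaper conflict; in Replace mode nothing from the user's own list survives, and the exemption GPO reaches only users who hold Apply Group Policy on it.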