How to handle loopback Group Policy

Group Policy is applied to a user or computer in some way, depending on where the user and computer object is located in Active Directory. However, in some cases, the user may need to apply the policy only based on the location of the computer object. To apply a Group Policy object (GPO) only based on which computer the user is logged on to, you can use the Group Policy loopback feature.

More information

To set the user configuration for each computer:

In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.

Locate the Administrative template, click System, click Group Policy, and then enable the Loopback policy option.

This policy will instruct the system to apply the GPO collection for this computer to all users who are logged on to the computer affected by the policy. This strategy is especially useful for special-purpose computers where user policies must be modified based on the computers used, such as computers in public, laboratories, and classrooms.

Note: Loopback functionality is supported only in Windows 2000-based environments. Both the computer account and the user account must be in Active Directory. If one of the accounts is managed by a Microsoft Windows NT 4.0 domain controller, loopback will not work. The client computer must be a Windows 2000 computer.

When a user works on his or her workstation, you may want to apply Group Policy settings based on the location of the user object. Therefore, it is recommended that you configure policy settings in the organizational unit (OU) where the user account resides. However, it is possible that computer objects reside in the specified OU and that user settings in the policy are applied based on the computer object rather than the user object.

Depending on the normal Group Policy processing, the computers in the OU are applied sequentially to the GPO during the computer startup process. Users in the OU are applying GPOs sequentially during logon, regardless of which computer they are logged on to.

URL Address: http://www.bianceng.cn/Servers/zs/201602/49612.htm

In some cases, this order of processing may not be appropriate, for example, some applications have been assigned or published to users in certain OUs, but you do not want to have those applications installed on the computer when they log on to a computer in a particular OU. Using the Group Policy loopback support feature, you can specify other ways to retrieve a list of GPOs for users of computers in this particular OU, including:

Merge mode

In this mode, when a user logs on, the user's GPO list is collected normally by using the GetGPOList function. Then, call the GetGPOList function again, using the location of the computer in Active Directory in this call. The list of GPOs for the computer is then added to the end of the user GPO. This will cause the computer's GPO to have a higher priority than the user's GPO. In this example, the list of GPOs for the computer is added to the user's list.

Alternative mode

In this mode, the user's GPO list is not collected. Use only a list of GPOs based on computer objects.

Loop back Group Policy instance

The experimental environment has a domain ess.com, set up two OUs, respectively, for the branch force far and marketing, each OU have set up a corresponding Group Policy, the Branch force far below there are users User1 User2 and computer EDUPC, in the market under the computer server08-2.

GPO: The user policy below the Branch force specifies that the user's home page is www.baidu.com and the user is prohibited from running Calc.exe

The user policy below the marketing department specifies that the user's home page is www.corun.com and prevents the user from running Notepad.exe

By default, using User1 to log on to Server08-2, you apply the GPO that User1 is located in, that is, the home page is www.baidu.com and cannot be run calc.exe

However, if you specify loopback Group Policy for the GPO in the Marketing department, and replace it, the user settings defined in the Marketing computer Group Policy object are applied to replace the settings of the logged-on user, regardless of which OU's users log on to the marketing computer.

Results: Using User2 to log into the marketing department server08-2, the user policy in the GPO of the marketing department will be applied, and the user policy under the Branch force is not applied, that is, the homepage is www.corun.com and cannot be run notepad.exe