Group Policy Loopback Processing is one of the hidden gems that can make your life as a systems administrator much easier. This article explains what you can use this feature for; in the next post you will learn how to configure Group Policy Loopback Processing.
Group Policy Loopback Processing
How user and computer Group Policy Objects are applied
Before I can explain Loopback Processing, let’s start with a quick refresher on how a Windows computer processes Group Policy. There are two types of policies: computer policies and user policies.
When the computer starts, it processes all of the computer policies that are assigned to the computer object from AD in this order: local (you can see these on a client by running gpedit.msc), site, domain, OU, and child OU. Last, the computer runs all of the startup scripts that were assigned to it in Group Policy.
When a user logs in to the computer, the computer pulls all of the policies assigned to that user object. The user policies are processed in this order: local, site, domain, OU, and child OU. Last, the user logon scripts are run.
There are some exceptions to the order in which GPOs are processed, but this should give you a basic overview of how a computer processes the policies assigned to it and to any user that logs in to the computer.
When you need Group Policy Loopback Processing
Group Policy Loopback Processing comes into play if you want to assign user policies to computer objects. This feature is especially useful in large organizations.
If you have a single Site and a small Domain, you probably have full control over all Group Policy settings in the Domain, including the ability to create and make changes to computer and user policies. However, if you have a large Active Directory with multiple Domains and multiple Sites, you may only have the ability to manage the GPOs for a single Domain or even individual Organizational Units (OUs).
Group Policy Loopback Processing is helpful if you don’t have control over the Group Policy that is assigned to user accounts, but do have control over the policy that is assigned to the computers in your facility.
You can also use it to make sure that all employees in a specific physical location have access to a specific printer that is only available in that location. Another typical usage scenario is kiosks. Group Policy Loopback Processing allows you to work with different user policies depending on whether users log on to the kiosk computer or a common workstation.
These are all everyday situations where Loopback Processing can help you, regardless of whether you have a few hundred objects or tens of thousands in your Active Directory. In my next post, I will explain
In Active Directory, Group Policy Object (GPO) loopback processing enables you to use a different set of user-type group policies based on the computer that the user is logging in to. This policy is useful when you need to have user-type policies applied to users of specific computers, even if the user object is not in the same container as the computer.
To configure loopback processing, follow these steps:
- If it is not already installed, install the Group Policy Management Console with Service Pack 1 from this page:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
- Click , then or , then , and then .
- Navigate to the organizational unit (OU) to which you wish to apply the group policy.
- Right-click the OU and select to create a new GPO, or navigate to an already existing GPO.
- Right-click the GPO and select .
- In the Group Policy snap-in, under "Computer Configuration", click , click , and then click .
- In the "Details" pane, double-click the policy.
- In the "Configure user Group Policy loopback processing mode" dialog box, click .
- In the drop-down box next to "Mode", select , and click to exit the property page.
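Once the policy is set, it helps to know which GPOs in the domain turn loopback on, because those GPOs change which user policies a machine applies. The following audit script is an added example, not part of the original post. It assumes the GroupPolicy PowerShell module that ships with GPMC/RSAT; the function name `Get-LoopbackGpo` is hypothetical, and the registry value `UserPolicyMode` (1 = Merge, 2 = Replace) is where this policy setting is stored.

```powershell
# Added example: list every GPO that configures loopback processing,
# the mode it sets, and the containers it is linked to.
# Requires the GroupPolicy module (GPMC / RSAT) and read access to the GPOs.
Import-Module GroupPolicy

# Registry-based policy value behind "Configure user Group Policy loopback
# processing mode": 1 = Merge, 2 = Replace.
$LoopbackKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackValue = 'UserPolicyMode'

function Get-LoopbackGpo {   # hypothetical helper name
    [CmdletBinding()]
    param()

    foreach ($gpo in Get-GPO -All) {
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                -ValueName $LoopbackValue -ErrorAction Stop
        } catch {
            continue   # this GPO does not configure loopback processing
        }

        # A policy set to "Disabled" is stored as a delete instruction with no value.
        if (-not $setting.HasValue) {
            $mode = 'Disabled (value removed)'
        } elseif ($setting.Value -eq 1) {
            $mode = 'Merge'
        } elseif ($setting.Value -eq 2) {
            $mode = 'Replace'
        } else {
            $mode = "Unexpected value $($setting.Value)"
        }

        # Links come from the XML report; an unlinked GPO affects nothing.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_.Enabled -eq 'true' } |
                   ForEach-Object { $_.SOMPath })

        [pscustomobject]@{
            Gpo             = $gpo.DisplayName
            Mode            = $mode
            # Loopback is a computer setting, so it is inert if that half is disabled.
            ComputerEnabled = $gpo.GpoStatus -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled'
            LinkedTo        = $links -join '; '
        }
    }
}

Get-LoopbackGpo | Format-Table -AutoSize
```

A GPO that reports a mode but has `ComputerEnabled` set to `False` or an empty `LinkedTo` column is configured but not in effect.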