Group Policy loopback processing is a mechanism that makes user policy take effect only on certain computers. Normally, user policy is linked to the user's OU and is applied regardless of which computer the user signs in to. With loopback processing, user policy is linked to the computer OU and does not take effect when the user signs in to a computer outside that OU. User policies applied this way can either replace the normal user policy or be merged with it. Administrators must know how to enable GPO loopback processing and understand which of the two modes suits the situation.
In this scenario, the domain has a Windows Server 2012 R2 domain controller, with the OU structure shown in the picture below. Users sit in one of the region OUs under Global Users. Computers sit in either Dev or Prod under the Workstations OU. The requirement is that users receive the “Global User Policy” and their respective regional “Branding Policy” when they sign in to any computer except those in the Dev OU. When a user signs in to a computer in the Dev OU, they should receive the “Dev User Policy” instead.
The steps to enable Group Policy loopback processing, and to verify the result, for this requirement are as follows:
1. Link the required user policy to computer OU
Make sure the required user policy is linked to the computer OU. This way, the user policy applies to the user only when signed in to a computer that is a member of this OU. In this scenario, the “Dev User Policy” is linked to Dev, which is a computer OU.
2. Decide the computer policy object to use
GPO loopback processing is a computer setting, so it is configured in a computer policy. That computer policy must itself be linked to the computer OU. In this scenario, loopback processing will be enabled in “Dev Computer Policy”, which is linked to the Dev computer OU.
3. Configure GPO loopback processing
The setting is located on Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure user Group Policy loopback processing mode.
Double-click the setting, set it to Enabled, then select the mode from the dropdown menu.
As mentioned in the opening, there are two modes for loopback processing. In Merge mode, the user's normal policies (those linked to the user's OU) are applied first, and the user policies linked to the computer OU are applied afterwards, so they win on conflicting settings. In Replace mode, only the user policies linked to the computer OU are applied, and the policies linked to the user's OU are ignored.
Based on the requirement in this scenario, the suitable mode is Replace, because “Dev User Policy” must be applied instead of the policies that would normally apply via the user's OU.
Before loopback processing is enabled, the user receives all the policies linked to the user's OU. Run gpresult /r and gpresult /r /SCOPE COMPUTER to confirm this; the result is shown in the picture below:
Once loopback processing is enabled, those user policies should be replaced by the “Dev User Policy” linked to the computer OU. As with any GPO, the change takes effect at the next policy refresh, or it can be forced with gpupdate /force. The picture below shows the result afterwards:
Based on the result, GPO loopback processing is working. For final verification, the user should still receive the normal user policies when signing in to a computer outside the Dev OU.
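The three steps above, plus the check, can be scripted with the GroupPolicy module instead of clicking through GPMC. The following is an added example and is not from the original article; the domain name, the OU distinguished name and the assumption that the GPOs “Dev User Policy” and “Dev Computer Policy” already exist are mine, chosen to match the scenario described above. It relies on the fact that the “Configure user Group Policy loopback processing mode” setting is stored as the UserPolicyMode DWORD (1 = Merge, 2 = Replace) under the computer-side System policy key.

```powershell
# Added example, not code from the original article. Run on a domain controller
# or an RSAT host with the GroupPolicy module, as a user who can edit the GPOs.
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example'                      # assumed domain
$devOu    = "OU=Dev,OU=Workstations,$domainDn"        # assumed path of the Dev computer OU

# Step 1 (and step 2): link the user policy and the computer policy to the
# *computer* OU. Existing links are skipped so the script can be re-run safely.
$linked = (Get-GPInheritance -Target $devOu).GpoLinks | Select-Object -ExpandProperty DisplayName
foreach ($gpo in 'Dev User Policy', 'Dev Computer Policy') {
    if ($gpo -notin $linked) {
        New-GPLink -Name $gpo -Target $devOu -LinkEnabled Yes | Out-Null
    }
}

# Step 3: enable loopback processing in Replace mode in the computer policy.
# UserPolicyMode lives under the computer-side key, which is why this setting
# belongs in "Dev Computer Policy" and not in the user policy.
$loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name 'Dev Computer Policy' -Key $loopbackKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Check: read the value back and report the mode before waiting for a refresh.
$mode = (Get-GPRegistryValue -Name 'Dev Computer Policy' -Key $loopbackKey -ValueName 'UserPolicyMode').Value
switch ($mode) {
    2       { 'Dev Computer Policy: loopback = Replace' }
    1       { 'Dev Computer Policy: loopback = Merge' }
    default { "Dev Computer Policy: loopback not configured (value: $mode)" }
}

# Verification on a workstation in the Dev OU, after the user signs in:
#   gpupdate /force
#   gpresult /r /SCOPE USER
# Under "Applied Group Policy Objects" the user section should now list only
# "Dev User Policy"; the same command on a Prod workstation should still list
# "Global User Policy" and the regional "Branding Policy".
```

Two practical notes. The computer must process the loopback setting before the user side is evaluated, so if the first gpupdate /force on a Dev workstation still shows the old user policies, sign out and back in (or reboot) and check again. Also, since the MS16-072 security update, the user section of a GPO is read in the computer's security context, so the Dev workstation's computer account needs Read permission on “Dev User Policy”; the default Authenticated Users entry covers this unless it has been removed from the GPO's delegation.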
The following is what I consider my “best practices” for configuring loopback processing in my experience: