Group Policy Loopback Processing



Subtitled – “Wow, I learned something new today!”

So in the Third Tier support queue today, Jon posed an interesting question:

How do I exclude Folder Redirection from applying to one domain-joined laptop that is out of the office & disconnected from the domain most of the time?

To revisit Group Policy basics for everyone – GPOs can apply to either computer accounts or user accounts. GPOs that apply to computer accounts are processed when computers boot up (we’ve all seen the “Applying Computer Settings” message during startup), and GPOs that apply to user accounts are processed during login. Folder Redirection is a user setting in Group Policy, and GPOs don’t have the same item-level targeting options that Group Policy Preferences do. So how do we have different GP user settings applied when users log in to specific machines? Via User Group Policy loopback processing, of course . . .

So what is User Group Policy loopback processing? It is a Group Policy setting that applies to computer accounts. When enabled, it tells the computer to process the User Configuration settings of the GPOs that apply to the computer account whenever a user logs on to that computer. As a result, we are able to define user GP settings in a GPO applied to computer accounts instead of user accounts.

User Group Policy loopback processing can be enabled in one of two modes: merge or replace. In merge mode, both the GPOs applying to the user account and the GPOs applying to the computer account are processed when a user logs in. The GPOs that apply to the computer account are processed second and therefore take precedence – if a setting is defined both in the GPO(s) applying to the user account and in the GPO(s) applying to the computer account, the setting from the GPO(s) applying to the computer account wins. In replace mode, the GPOs applying to the user account are not processed at all – only the GPOs applying to the computer account are applied.

In Jon’s specific case, he wanted to exclude Folder Redirection for one remote laptop. The Folder Redirection settings in Group Policy do not have a “disable” option – only “Not Configured”, or enabled via the “Basic” or “Advanced” modes. Since there is no way to explicitly disable Folder Redirection, merge mode would not meet Jon’s needs: the user GPOs would still be applied and Folder Redirection would remain enabled on the laptop. By using replace mode and leaving Folder Redirection undefined in the GPO that applies to the computer account, Jon gets the result he wants.

Take-aways on User Group Policy Loopback Processing:

  • This is a COMPUTER setting, which is found under Computer Configuration | Administrative Templates | System | Group Policy | User Group Policy Loopback Processing Mode
  • You want to create a new OU in AD that is dedicated to computer accounts that will have loopback processing enabled.
  • Create a new GPO in your new OU to enable User Group Policy Loopback Processing and set the appropriate mode (merge / replace).
  • You will define the user settings you want to apply to the loopback-enabled PCs via GPOs in this same new OU.  You can define these settings either in the same GPO where you enabled the User Group Policy Loopback Processing setting, or create another new GPO in the same OU for your user settings.
  • Remember that when using the REPLACE mode, none of your other user GPOs will be applied when a user logs in to a machine that has loopback processing enabled.  ONLY the user settings that are defined in the GPOs that apply to that machine will be applied.
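The take-aways above as a script, written for this post as an added example (not the original author’s code): it creates the dedicated OU and GPO, sets loopback to replace mode, moves one laptop into the OU, and provides a check to run on the laptop afterwards. It assumes the RSAT ActiveDirectory and GroupPolicy modules, rights to create OUs and GPOs, and made-up OU, GPO and computer names.

```powershell
# Added example, not part of the original post. Names below are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Loopback-Laptops'                                  # assumed OU name
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Loopback - Replace (no Folder Redirection)'        # assumed GPO name
$laptop   = 'LAPTOP01'                                          # assumed computer name

# 1. A dedicated OU for computer accounts that will use loopback processing.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. A GPO linked to that OU. The loopback setting is a COMPUTER policy stored at
#    HKLM\SOFTWARE\Policies\Microsoft\Windows\System\UserPolicyMode
#    (1 = Merge, 2 = Replace). Replace is what Jon's case needs, because the
#    user-side Folder Redirection GPOs must not be processed at all.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Computer GPO; its user settings win via loopback'
}
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
if (-not ((Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 3. Move the laptop's computer account into the OU. Folder Redirection is left
#    "Not Configured" in this GPO; in Replace mode only the user settings from
#    GPOs linked here apply when someone logs on to this machine.
Move-ADObject -Identity (Get-ADComputer $laptop).DistinguishedName -TargetPath $ouDn

# 4. Run on the laptop after a reboot or 'gpupdate /force' while it can reach a DC:
#    reads back the mode that actually landed so you can confirm Replace (2).
function Get-LoopbackMode {
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                          -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ($v.UserPolicyMode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
}
```

Because the laptop is disconnected most of the time, it must refresh computer policy at least once while it can reach a domain controller before the new mode takes effect; `gpresult /r /scope:computer` on the laptop will then list the new GPO under applied computer policies.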
