Loopback Group Policy Processing Order

Loopback processing allows us to take advantage of User Configuration settings from GPOs linked to the OU that contains the computer that is being accessed. As Figure 4.12 shows, there are two modes of loopback processing: Replace and Merge. Merge mode instructs the system to first apply the User Configuration from the Users OU Policy (the standard processing order), then apply the User Configuration from the Computers OU Policy. Replace mode instructs the system to ignore GPOs from the Users OU altogether and only apply User Configuration settings from the Computers OU policy.

Terminal Server Policy
Figure 4.12: Loopback mode selection.

The Computer Configuration is applied as usual, but if we place TS01 into loopback merge mode, Greg's User Configuration processing looks like this:

1. Local—The User Configuration from computer1's Local Policy is applied.

2. Site—The User Configuration from the USA Site Policy is applied.

3. Domain—The User Configuration from the Domain Policy is applied.

4. OU—The User Configuration from the Users OU's Users OU Policy is applied.

5. OU Loopback—The User Configuration from the Terminal Servers OU policy is applied.

In this mode, Greg could receive his Internet Explorer (IE) Proxy Server settings from the Users OU Policy, but have the Shut Down command removed from his Start menu by the Terminal Servers OU Policy. Merge mode has the advantage of being able to place global settings in the Users OU Policy and only apply lockdowns in the Terminal Servers OU Policy. The disadvantage is that in this mode, you need to keep track of user settings in two GPOs.

In loopback replace mode, the User Configuration from the Users OU is ignored:

1. Local—The User Configuration from computerl's Local Policy is applied.

2. Site—The User Configuration from the USA Site Policy is applied.

3. Domain—The User Configuration from the Domain Policy is applied.

4. OU Loopback—The User Configuration from the Terminal Servers OU Policy is applied.

This mode simplifies GPO processing by placing all settings into the Terminal Servers OU Policy, but it will force you to keep some settings in this policy in sync with changes made to the Users OU Policy. For example, if you are using My Documents folder redirection to centrally store user files, you will want the setting to be the same when Greg logs on to either a workstation or a terminal server. If the domain administrator migrates Greg to a new file server, the setting will have to be changed on both policies.

Was this article helpful?

0 0

Post a comment