My l3g3nd

Group Policy: Loopback Processing


Group policies are applied to users or computers based on the OU they are in. Just for the record, policies applied to user accounts are processed when a user logs in to the machine, and computer-based policies are applied when a computer starts or reboots. Once a GPO has been applied, there is often a need to create an exception to it. We can use Group Policy loopback settings to apply the user policy based on the computer the user logs in to.

For example, consider a standard group policy that turns on the screen saver after 60 min of no activity on the user's workstation. The user might also have access to a particular server or workstation where the standard policy is not wanted and another policy, say a 120 min screen saver timeout, is required because of user roles or a business requirement. So if a group policy is applied to user accounts, how can it be processed differently when a user logs in to a different workstation or server?

For situations like the one above we can use Group Policy loopback settings, which can be applied in two modes: merge and replace. When it's applied in merge mode, the policies applied to the user accounts are processed first, followed by the policies applied to the computer accounts, so the policy applied to the computer accounts takes precedence. If the screen saver policy is applied with a 60 min timeout for user accounts and a screen saver timeout policy of 120 min is configured for computer accounts with loopback settings, then when a user logs in, 120 min will be the screen saver timeout.

How to configure it? Easy. Navigate to the following path in the Group Policy MMC: Computer Configuration -> Administrative Templates -> System -> Group Policy, select merge or replace mode as required, and define the policy. Make sure you create another OU and add the computer(s) concerned to it.
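
The same configuration scripted with the ActiveDirectory and GroupPolicy PowerShell modules, as an added example that is not part of the original post. The domain `example.com`, the OU name, the GPO name and the computer name `SRV-FIN01` are hypothetical placeholders; the two registry values are the ones behind the loopback mode setting and the screen saver timeout policy.

```powershell
# Added example: example.com, the OU, the GPO and SRV-FIN01 are hypothetical names.
# Requires RSAT (ActiveDirectory + GroupPolicy modules) and rights to create OUs and GPOs.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'
$ouName   = 'LoopbackServers'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Loopback - 120 min screen saver'
$computer = 'SRV-FIN01'

# 1. Create a separate OU and move the computer that needs the exception into it.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
Get-ADComputer -Identity $computer | Move-ADObject -TargetPath $ouDn

# 2. Create one GPO that carries both the loopback switch and the user setting.
New-GPO -Name $gpoName | Out-Null

# Loopback mode is a computer-side policy value: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User-side screen saver timeout, stored in seconds (120 min = 7200 s).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveTimeOut' -Type String -Value '7200' | Out-Null

# 3. Link the GPO to the computer OU. Without loopback, its user-side
#    settings would be ignored here because the OU contains no user accounts.
New-GPLink -Name $gpoName -Target $ouDn | Out-Null

# 4. Read both values back from the GPO to confirm what was written.
Get-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode'
Get-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveTimeOut'
```

After the computer restarts and a user logs in, running `gpresult /r /scope user` in that session should list the GPO among the applied user policies.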