INTRODUCTION
Group policy objects (GPO) are basically a collection of settings that we can use to control the appearance and/or behavior of a computer. It consists of Computer configuration and User Configuration.
LoopBack processing was one of the concepts I had a hard time grasping when I was a beginner. I had learned that Computer configurations are applied to Computers and User configurations are applied to users, which is true. But my (mis)understanding was that when you apply a GPO to a computer, the Computer configurations get applied. And the User configurations in the GPO get applied when users log on to that computer. This misconception was why I couldn’t understand loopback processing. This post is my attempt to explain GPO and loopback processing in a simple manner.
THE EXPERIMENT
I made a test GPO “TEST – LoopBackProcessing” and setup certain Computer config and User config as shown below
Here, I am setting a certain Background image for the logon and lock screen in Comp config and preventing users from accessing Control Panel and changing the desktop background.
I made 2 OU’s in my Lab AD – Workstations (only computers) and People (only users). I linked the test GPO to the workstations OU first and did a gpupdate on the client computer. If my understanding was correct, both the settings should be applied when a user logged in.
The lock screen on the computer changed but no user settings were applied. I could access the control panel and could change the desktop background. Logged out and logged back in, no change.
RSOP confirmed this. N0 Administrative Templates folder (which contains the user settings I set) can be seen under User config as shown below. But it’s present under Computer configuration.
So only the computer configuration was getting applied!. That proved my theory wrong.
What happens if I link the GPO to the Users only OU?. I unlinked the GPO under Workstations and linked it to the People OU.
Did gpupdate and logged in on the client. I was not able to change my desktop background or access the Control panel after that. And also I could see that the lock screen had gone back to the default black cave Windows 10 image.
RSOP showed no computer configs applied (No Administrative Templates under it) as shown below. So the computer configuration is not getting applied, but the user configuration is.
Well, that makes things a lot clearer!.
CONCLUSION
- Only the settings in Computer configurations get applied when the GPO is deployed to computers
- Only the settings in User configurations get applied when the GPO is deployed to users.
But what if we want both the settings to be applied on the computer?. Just like how I thought I knew GPO worked?. This is where Group Policy Loopback processing comes into play. I will get into it in the next post, I have to go sleep now :D. Good night!.