MCITP 70-640: Group Policy Loopback Processing

Captions
Welcome to the ITFreeTraining video on Group Policy Loopback Processing. Loopback processing allows the administrator to apply Group Policy based on the computer rather than the user that logs into that computer. Group Policy Loopback processing is invaluable when configuring kiosks, training computers and Remote Desktop Services. Loopback processing allows you to achieve results that would normally not be possible. Group Policy loopback processing is a difficult concept to understand and often a mistaught topic. By the end of this video I feel confident that you will understand how Group Policy loopback processing works and how to use it in your organization effectively.

Before looking at Group Policy Loopback processing, it is important to understand that Group Policy is divided into two halves. If I open a Group Policy Object, you can see the two halves. The two halves are computer configuration at the top and user configuration at the bottom. Loopback processing changes the way these two parts of Group Policy are applied so it is important to understand there are two parts to each Group Policy Object.

First of all, let us look at a typical Group Policy deployment to understand why you would need loopback processing. In this example, the computer account is located under the OU Training Lab, which is found under the computers OU located under New York. The user account is located under the Users OU also found under New York. When the computer starts up, the New York Group Policy, Computers and Training Lab OU’s computer side group policy is processed. Which computer side Group Policies are processed will depend on where the computer account is located in Active Directory. When a user logs in, the user side group policies are processed based on where the user account is located in Active Directory. As shown, the New York and User OU user side Group Policy are applied.

The problem occurs when you want to deploy a computer with particular settings.
For example, you want to deploy a computer as a kiosk or a training computer. In either case, it is unlikely that you want the Group Policy settings for that user applied to the computer. For example, on a training computer it is unlikely that settings configured in Group Policy like map drives or desktop customizations would be required. So how would you go about configuring computers like training computers using Group Policy?

To allow Group Policy to be configured in a way that will work for training and kiosk computers, Group Policy Loopback Processing can be used. There are two different modes that Group Policy loopback processing can be used in. The first one that I will look at is replace mode.

When the computer starts up, the computer side of Group Policy, based on where the computer account is located, is applied. In any one of these Group Policies could be a setting which changes the processing of Group Policy from the standard way to Group Policy Loopback. In this case, Group Policy loopback processing using replace mode will be applied to the Training Lab OU. This way, loopback processing will only be used with the computers in the Training Lab OU.

Once the computer side of Group Policy has been applied, the next step is to apply the user side of Group Policy. Normally this would be done based on where the user account is located in Active Directory. When loopback replace mode is configured, the user side of Group Policy is obtained from the location of where the computer account is located. As you can see here, essentially loopback processing in replace mode would give you the same result as having the user and computer account in the same location in Active Directory. The advantage of this is that the user side of Group Policy for that user is ignored and the administrator is free to start again with their own user settings. This is perfect for a training environment where the trainer will often want complete control of the training environment.
Before I look at the other loopback processing mode, I will first change to my Windows 7 computer to have a look at how to configure loopback processing for replace mode. In this domain I have Group Policy configured to set the wallpaper according to the Group Policy that was applied. You can see that this computer currently has Group Policy applied from the New York Users Group Policy.

To configure Group Policy, I will open Group Policy Management, and expand down to the Training Lab OU, found under the New York and computers OU. In the Training Lab OU is the computer account for this computer. The user account that I will use to log in is called trainer, found under the users OU. Configuring Group Policy loopback processing is done in the computer side of Group Policy. To do this I need to configure a Group Policy that is applied to the computer account; in this case the Group Policy I will modify is the one being applied to the Training Lab OU.

Expanding down through user configuration to the desktop settings, notice that the setting Desktop Wallpaper has been configured. This user setting will configure the desktop wallpaper when it is applied. Since no user account exists in the Training Lab OU, without loopback processing being enabled this setting will never be applied. As soon as loopback processing is enabled, however, this setting will be applied to the computer.

This setting gets the desktop wallpaper from a file share. If I were to open the file server from the start menu and then open the wallpaper share, notice all the different wallpapers that I created for each Group Policy. If I open the Training Lab wallpaper, you will see that this is the wallpaper that should be configured once loopback processing has been configured.

To configure loopback Group Policy processing, I need to go back to the Group Policy and expand into Computer Configuration, Policies, Administrative Templates, System and then Group Policy.
The setting that needs to be configured is User Group Policy loopback processing mode. Once I open this setting, all I need to do is configure it and ensure that the mode is set as replace. Now that Group Policy loopback processing is configured, I will reboot the computer so that the changes will take effect.

When the computer starts up, the computer side of Group Policy will be applied as normal. The change occurs when the user logs in. Instead of the user Group Policy being applied to the user that logs in, user Group Policy will be applied based on the computer account. On the desktop, the result can be seen as the wallpaper has been set to the wallpaper in Group Policy configured for the Training Lab.

To illustrate this better, I will open Active Directory Users and Computers from the start menu. If I expand down to New York, computers, and then Training Lab, on the right hand side you can see the computer account for this computer. When the computer starts up, the computer side of Group Policy is applied based on the location of this computer account in Active Directory. Without loopback Group Policy replace mode configured, the user side of Group Policy will be applied from where the user account is located. In this case, the trainer account located here.

Since Group Policy loopback processing with replace mode is enabled, what has happened is this. The user side of Group Policy is instead applied based on the location of the computer account rather than the user account. In this case, the OU Training Lab. You can see that by using replace mode, the administrator is able to apply any Group Policy user setting any way they like without having to worry about what settings may be applied to the user account already.

The other Group Policy loopback processing mode that can be configured is merge mode. This mode is often used with Remote Desktop Services.
Merge mode is used when you want the regular user settings to be applied but want the option to override these settings if required. In a Remote Desktop Session, you may want the user to have access to settings like their map drives and printers that are configured in Group Policy, but you may want to override other settings. In a Remote Desktop Session, it is not uncommon for the desktop to be locked down, for example the control panel and other unneeded shortcuts removed. So what you want to do is allow the user to have their regular settings applied, but have the option to overwrite these settings or apply additional settings to ensure the computer is still secure.

To understand how merge mode works, it helps to look at replace mode first. You can see that the computer side is applied and the user side is applied based on the location of the computer account in Active Directory. What is different with merge mode is that the user side is applied in between these two steps.

Another way to think about merge mode is to compare it to normal Group Policy Processing. For both normal and merge mode, the first two steps are the same. Group Policy computer settings are configured based on the computer account location. User side settings are applied based on the location of the user account in Active Directory. Merge mode adds another step to the process by applying the user side of Group Policy based on the location of the computer account in Active Directory. This allows the administrator to add to or replace any existing user side Group Policy settings.

Well, that covers it for Group Policy Loopback processing. For more free videos for this course and others please see our YouTube channel or web site. Thanks for watching another video from ITFreeTraining and see you next time.
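The processing order described in the captions, modelled as an added example that is not part of the video or its transcript. The OU layout follows the video; the GPO contents, setting names and wallpaper file names are constructed, and the model is a simplification that ignores site and domain links, enforced links, blocked inheritance and security filtering.

```python
# Constructed sample data: user-side settings of the GPO linked at each OU.
# OU paths follow the video's layout; the setting values are assumptions.
USER_SIDE = {
    ("New York",): {"Wallpaper": "NewYork.jpg"},
    ("New York", "Users"): {"Wallpaper": "NewYorkUsers.jpg", "MapDrive": "H:"},
    ("New York", "Computers"): {},
    ("New York", "Computers", "Training Lab"): {
        "Wallpaper": "TrainingLab.jpg",
        "HideControlPanel": True,
    },
}

TRAINER_OU = ("New York", "Users")                  # where the user account lives
LAB_OU = ("New York", "Computers", "Training Lab")  # where the computer account lives


def ou_chain(location):
    """OUs from the top of the tree down to `location`, parent first."""
    return [location[:depth] for depth in range(1, len(location) + 1)]


def apply_user_side(location, settings=None):
    """Apply user-side settings down the OU chain; later (closer) OUs win."""
    result = dict(settings or {})
    for ou in ou_chain(location):
        result.update(USER_SIDE.get(ou, {}))
    return result


def resultant_user_settings(user_ou, computer_ou, loopback=None):
    """User-side result for a logon, for loopback None, 'replace' or 'merge'."""
    if loopback is None:
        # Normal processing: user side follows the user account's location.
        return apply_user_side(user_ou)
    if loopback == "replace":
        # Replace: the user account's own GPOs are ignored entirely.
        return apply_user_side(computer_ou)
    if loopback == "merge":
        # Merge: user location first, then computer location on top,
        # so the computer-location settings win any conflict.
        return apply_user_side(computer_ou, apply_user_side(user_ou))
    raise ValueError(f"unknown loopback mode: {loopback!r}")


if __name__ == "__main__":
    for mode in (None, "replace", "merge"):
        print(mode, resultant_user_settings(TRAINER_OU, LAB_OU, mode))
```

In merge mode the trainer keeps the mapped drive from the Users OU while the Training Lab wallpaper and lockdown setting override or add to it; in replace mode the mapped drive is gone.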
Info
Channel: itfreetraining
Views: 99,335
Rating: 4.9130435 out of 5
Keywords: Loopback Processing, Group Policy, Active Directory, 70-640, MCITP, MCTS, ITFreeTraining
Id: 2bZGMtOCXN0
Length: 11min 11sec (671 seconds)
Published: Mon Jan 07 2013