Loopback processing does not work

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic explains how loopback processing alters the way GPOs are normally applied and provides tips for troubleshooting.

Loopback Processing

Loopback is an advanced Group Policy setting that is useful in scenarios where you are managing computers in closely managed environments, such as servers, kiosks, laboratories, classrooms, and reception areas. Loopback only works when both the user account and the computer account are in a Windows 2000 or later domain. Loopback does not work for computers joined to a workgroup. Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the User Configuration settings of the user. This allows you to ensure that a consistent set of policies is applied to any user logging on to a particular computer, regardless of their location in Active Directory. Loopback is controlled by the User Group Policy loopback processing mode setting, which is located under Computer Configuration\Administrative Templates\System\Group Policy in Group Policy Object Editor (GPMC).

By default, a user's policy settings come from the set of GPOs that are applied to the user object in Active Directory. During Group Policy processing on the client, the Group Policy engine assembles an ordered list of GPOs from the site, domain, and all organizational units for that user object.

Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In either case the user only receives user-related policy settings.

  • Loopback with Replace—In the case of Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup. The User Configuration settings from this list are applied to the user.

  • Loopback with Merge—In the case of Loopback with Merge, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict.
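The list assembly described above can be modeled in a few lines. This is an added example, not code from the original topic. It is a simplified model that assumes no Enforced links, Block Inheritance, security filtering, or WMI filters, and all GPO names, setting names, and values in it are constructed sample data.

```python
# Simplified model of how loopback changes the GPO list used for
# User Configuration. Constructed example; not Microsoft code.

def build_user_gpo_list(user_gpos, computer_gpos, mode=None):
    """Return the ordered GPO list processed for User Configuration.

    user_gpos / computer_gpos are in processing order (site, domain, OUs).
    mode is None (loopback not enabled), "merge" or "replace".
    """
    if mode is None:
        return list(user_gpos)
    if mode == "replace":
        # The user's own list is discarded entirely.
        return list(computer_gpos)
    if mode == "merge":
        # Computer GPOs are appended, so they are processed last.
        return list(user_gpos) + list(computer_gpos)
    raise ValueError(f"unknown loopback mode: {mode!r}")

def effective_user_settings(gpo_list, user_config):
    """Apply each GPO's User Configuration in order; later GPOs win conflicts.

    Returns {setting: (value, winning_gpo)}.
    """
    result = {}
    for gpo in gpo_list:
        for setting, value in user_config.get(gpo, {}).items():
            result[setting] = (value, gpo)
    return result

# Constructed sample data: GPOs linked above the user and above the computer.
USER_GPOS = ["Default Domain Policy", "Staff Desktop"]
COMPUTER_GPOS = ["Default Domain Policy", "Kiosk Lockdown"]
USER_CONFIG = {  # User Configuration portion of each GPO
    "Default Domain Policy": {"ScreenSaverTimeout": 900},
    "Staff Desktop": {"NoControlPanel": 0, "MapHomeDrive": 1},
    "Kiosk Lockdown": {"NoControlPanel": 1, "NoRun": 1},
}

def resolve(mode):
    gpo_list = build_user_gpo_list(USER_GPOS, COMPUTER_GPOS, mode)
    return effective_user_settings(gpo_list, USER_CONFIG)

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode or "no loopback")
        for name, (value, gpo) in sorted(resolve(mode).items()):
            print(f"  {name} = {value}  (from {gpo})")
```

In this sample, merge mode keeps the user's MapHomeDrive setting while the kiosk GPO wins the NoControlPanel conflict; replace mode drops every setting that comes only from the user's own GPOs.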

To find out whether loopback processing was applied when Group Policy was evaluated on the client, look in the Group Policy Results report under Computer Configuration\Administrative Templates\System\Group Policy on the Settings tab.

Troubleshooting Loopback Processing

  • If loopback processing is appropriate for this client, you might need to educate the users so they know what to expect.

  • If loopback is desired and it appears that it is not being applied, first verify that the loopback policy setting (which is a computer configuration policy) has been applied to the computer through an appropriate GPO.

  • For specific information about troubleshooting loopback replace in a cross-forest environment, see Loopback Replace does not work in cross forest environment.