GPO loopback processing
I am still trying to wrap my head around loopback processing, and Mike mentioned in a GPO lesson that he likes to draw it out on a whiteboard. Could you draw out a diagram and post it?
Scott
Scott,
I'm definitely not the best artist on the show, but I'll take a stab at this one. The key concept to remember is that Loopback Processing is simply a trick to get User Settings in a GPO to apply to a computer as if they were Machine Settings. I couldn't think of a single diagram that would demonstrate the topic, so here is more of a comic strip:
1. Let's say we have a user named Tom. Tom wants the wallpaper on his desktop "Computer 1" to be set to Captain Kirk from Star Trek. However, it is important to him that this wallpaper be set automatically even if he gets a new computer. So, as an admin, we create a GPO that assigns his Star Trek wallpaper. It is part of the User Settings in the GPO. We then assign it to an OU that Tom is in (or a parent OU, Site, Domain, etc.). Everything works great.
2. Applying it this way, the Star Trek wallpaper is applied regardless of which computer Tom logs in on. Tom is happy.
3. Computer #2 is a computer that Tom's customers can see. One day a customer makes fun of Tom for being unprofessional. Tom is not so happy. He asks that his wallpaper be applied to all computers except Computer #2.
4. So, we create a custom GPO just for Computer #2 that assigns a different wallpaper. Maybe it's a Vulcan this time, which is far more professional. We assign this GPO to the OU that Computer #2 is in, and we use a WMI filter to ensure it only applies to Computer #2. However, when Tom tests it out, the GPO doesn't work. He still has James T. Kirk staring at him. The reason it failed is because setting the wallpaper is a User Setting and not a Machine Setting. As a result, applying the GPO to a computer has no effect. Tom is definitely not happy.
5. We can't edit the original GPO, or Tom will lose his favorite wallpaper. So, what do we do? We enable Loopback Processing on GPO #2. That allows User Settings to be applied to a computer as if they were part of the Machine Settings. Now, GPO #2 will override GPO #1 and we end up with our Vulcan wallpaper on Computer #2, while retaining James Kirk on all of the other PCs. Tom is happy.
That's a pretty basic explanation of how Loopback GPOs are used. I did leave some of the details out to make it easier to understand. The main one to be aware of is that the GPO applying to Computer #2 does exactly that: applies to the computer. As a result, any user logging in to Computer #2 would now get the Spock wallpaper just like Tom since it is not applying to the user account. That is usually desirable in the scenario of a Kiosk machine or something similar.
I hope that helps, but if it doesn't, let me know and I'll get Ronnie or Mike to work up an alternate explanation.
Thanks for watching,
Don Pezet
Host, ITProTV
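The comic strip above, modelled as an added example that is not part of the original post: a small Python simulation of which User Settings a logon session ends up with. It goes beyond the post by showing the two loopback modes Group Policy offers, Merge and Replace, which the post does not mention; the screensaver setting, the Guest user and the function names are constructed for illustration.

```python
# Simplified model (added example): each GPO carries only User Settings and is
# in scope of either a user or a computer. All names and values are constructed.
GPO1 = {"name": "GPO #1", "user_settings": {"wallpaper": "Kirk", "screensaver": "Enterprise"}}
GPO2 = {"name": "GPO #2", "user_settings": {"wallpaper": "Vulcan"}}

USER_LINKS = {"Tom": [GPO1], "Guest": []}                   # GPOs in scope of each user
COMPUTER_LINKS = {"Computer 1": [], "Computer 2": [GPO2]}   # GPOs in scope of each computer


def effective_user_settings(user, computer, loopback=None):
    """Return the User Settings a logon session receives.

    loopback: None (normal processing), "merge" or "replace".
    """
    if loopback not in (None, "merge", "replace"):
        raise ValueError(f"unknown loopback mode: {loopback!r}")

    if loopback == "replace":
        # Only the computer's GPOs contribute User Settings.
        ordered = list(COMPUTER_LINKS[computer])
    elif loopback == "merge":
        # User's GPOs first, then the computer's, so the computer wins conflicts.
        ordered = USER_LINKS[user] + COMPUTER_LINKS[computer]
    else:
        # Normal processing: User Settings in the computer's GPOs are ignored.
        ordered = list(USER_LINKS[user])

    result = {}
    for gpo in ordered:  # later GPOs overwrite earlier ones
        result.update(gpo["user_settings"])
    return result


def demo():
    """Walk through the scenarios from the post plus the two loopback modes."""
    cases = [
        ("Tom", "Computer 1", None),         # steps 1-2: Kirk everywhere
        ("Tom", "Computer 2", None),         # step 4: GPO #2 has no effect
        ("Tom", "Computer 2", "merge"),      # step 5: Vulcan wins, other settings kept
        ("Tom", "Computer 2", "replace"),    # only the computer's User Settings remain
        ("Guest", "Computer 2", "replace"),  # any user on Computer #2 gets Vulcan
    ]
    return [(u, c, m, effective_user_settings(u, c, m)) for u, c, m in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The Guest row is the point to watch on shared or kiosk machines: with loopback enabled, the computer's User Settings reach every account that logs on there, administrators included.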
That was extremely helpful. Thank you much.
Scott