Knowledge - Details


Group Policy & Loopback Processing 101
Date Added: 06/17/2016

These are just some tips I've learned about Group Policy. There are many pages online that try to explain these things but none of them did it very well so I had to learn some of this through trial and error:


When you create a GPO, you link that to an OU (or the root of the domain). You also assign it User & Computer permissions (security filtering).

The settings you changed in the Computer section of the GPO only apply to the target computer if that target computer's computer account is included in the security filtering for that GPO.
The settings you changed in the User section of the GPO only apply to the target user if that target user's user account is included in the security filtering for that GPO.

If you create a GPO with both Computer and User settings, and you change the Security Filtering to only include John Doe, then only the User settings will be applied and the Computer settings will be ignored because you forgot to add any Computer Accounts to the Security Filter.

If you want certain GPO settings to be applied to certain/all users, but only for certain computers, then you have to enable Loopback Processing for those computers and link the GPO to the OU that contains the computer (or one of its parent OUs). Note that LP does not have to be enabled on every GPO that you want LP to be enabled on because it behaves like every other Computer Setting; once it's enabled by any GPO for a computer (such as higher in the OU tree), the computer remembers to use the LP behavior. When you enable LP, you can assign a GPO to an OU that only has computer accounts in it (it doesn't have to have any user accounts). Then, the Computer settings will apply to the computers in the OU (if the Computer Accounts are included in the GPO's Security Filtering) and to the users who log into those computers (if the User Accounts are included in the GPO's Security Filtering).

By default, the Security Filter of every GPO is Authenticated Users. This special group includes ALL normal User Accounts and ALL Computer Accounts. If you want to restrict a GPO to only apply to certain users/computers, you can remove Authenticated Users from the Security Filter but be sure to add BOTH the Computer Accounts and the User Accounts that you want the settings to apply to. Don't forget the Computer Accounts!

The Group Policy Results feature does not show what settings are SET to be applied to the Computer & User you selected. Instead, it shows the settings that are CURRENTLY applied to the Computer & User you selected. In other words, it shows the settings that are CURRENTLY stored and applied in the computer's registry for that user. That means if you change a GPO setting in the GPMC, you have to actually reboot the target computer and log in as the target user so that the new Group Policy settings will be downloaded and applied to the computer before you can see the changes in the Group Policy Results report.



Back to List