All of my life, I have been told that a computer is a computer and a user is a user. Want to apply a default printer to a computer? Want to set the homepage in an entire lab? By using Loopback Policy Processing, we can give our computers some real identity issues – we can make them believe they’re users! How’s that for a Jedi mind trick?
A Note about Nodes
Group Policy has two nodes: Computer Configuration and User Configuration. If you’ve read this post, you know that users are the only objects that can process user configuration settings. You also know that computers are the only objects that can process settings under computer configuration. Let’s look at an example using the picture below.
The horribly named Domain Computers GPO has settings configured under both the Computer and User configuration nodes. As expected, any computer under the Domain Computers OU will ignore the user side “Remove Task Manager” setting. The only setting applied would be the “Do not process the run once list” policy.
Create a GPO similar to this. Be sure that you have at least one setting in each node configured. Ensure that the computer configuration setting is being applied.
Before we introduce Loopback Policy Processing, let’s look at the two processing phases with Group Policy:
- Computer Starts/Contacts DC
- Gets all GPOs linked to it
- Processes Computer Node (ignores user node)
- Presents Login Screen
- User Authenticates
- Gets all GPOs linked to it
- Processes User Node (ignores computer node)
- User is logged in
Things Are About to Get Crazy
Now that we know exactly what our computers and users will do, let’s enable Loopback Policy Processing. Create a new GPO named “Enable: Loopback Policy Processing”. Edit it and navigate to:
- Computer Starts/Contacts DC
- Gets all GPOs linked to it
- Processes Computer Node (ignores user node)
- Presents Login Screen
- User Authenticates
- Gets all GPOs linked to it
- Processes User Node (ignores computer node)
- Computer says “Shoot, I can be a user too.”
- Gets all GPOs linked to it (the computer)
- Processes User Node (ignores computer node)
- User is logged in
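The two logon sequences above can be modeled in a few lines to show which user-side setting wins when the user's GPO and the computer's GPO disagree. This is an added example, not code from the original article. Assumptions: the `loopback` argument stands in for the computer-side loopback setting, the "Staff Users" GPO is hypothetical, and the "replace" mode (the user's own GPOs are skipped) goes beyond the merge sequence listed above.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration node
    user: dict = field(default_factory=dict)      # User Configuration node

def apply_nodes(gpos, node):
    """Apply one node of each GPO in order; a later GPO wins on conflict."""
    result = {}
    for gpo in gpos:
        for setting, value in getattr(gpo, node).items():
            result[setting] = (value, gpo.name)  # remember which GPO set it
    return result

def logon(computer_gpos, user_gpos, loopback=None):
    """Return (computer settings, user settings) in effect after logon.

    loopback: None (disabled), "merge" (the sequence listed above) or
    "replace" (the user's own GPOs are skipped entirely).
    """
    if loopback not in (None, "merge", "replace"):
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    computer_settings = apply_nodes(computer_gpos, "computer")
    # Normal phase: user node of the GPOs linked to the user.
    order = [] if loopback == "replace" else list(user_gpos)
    # Loopback phase: user node of the GPOs linked to the computer, applied last.
    if loopback:
        order += list(computer_gpos)
    return computer_settings, apply_nodes(order, "user")

# Constructed sample data, modeled on the article's example GPO.
DOMAIN_COMPUTERS = GPO(
    "Domain Computers",
    computer={"Do not process the run once list": "Enabled"},
    user={"Remove Task Manager": "Enabled"},
)
STAFF_USERS = GPO(  # hypothetical GPO linked to the user's OU
    "Staff Users",
    user={"Remove Task Manager": "Disabled", "Home page": "intranet"},
)

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        _, user_settings = logon([DOMAIN_COMPUTERS], [STAFF_USERS], mode)
        print(mode, user_settings)
```

Without loopback the computer's "Remove Task Manager" restriction never reaches the user; with it, the computer-linked GPO is applied last and overrides the user's own GPO, which is why loopback suits kiosk and lab lockdowns.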
Your articles are a life saver! I’m in a position of helping jr admins and helpdesk techs who are allowed to work on some GPO projects – specifically for kiosks. I used your article a few years ago and shared it with the Tech who is doing this project – you explain things a whole lot better than I can!
Thank you for the nice comment, Bob!
It isn’t perfectly clear, but this “loopback” mode of GPO appears to be only for systems using Active Directory or a centralized Domain Controller, not standalone systems.
Good note Jake.
You really make it easy. Very good explanation.
I try, Juan. 🙂
How do I get to see your articles – clicking on the link takes me to the comments page.
Hi Vikram!
Are you running an AdBlocker? If so, disable it – for some reason, my articles might flag as an ad (due to the popup at the bottom).