Group Policy Loopback Processing

ClaymooreClaymoore Member Posts: 1,637
I like to think I know a lot about Group Policy, but every now and then I come across something cool that I never knew existed. If you haven't heard about it, I'll introduce you to Group Policy Loopback processing.

First, some history. We set our screen saver timeout in a GPO applied to an OU above all our user accounts and, for the most part, everyone is happy with the setting. The trouble is, we have PCs in our conference rooms that are used for demonstrations and it would be nice to have a longer timeout value on those PCs. A request was made to increase the timeout value, and another admin changed the value - a USER setting - on the GPO linked to the conference room PC OU. Unfortunately that didn't change anything and the users complained again. The other admin came to me for an explanation and I said that since the user accounts are not in the Conference Room OU, they won't get that setting (which is mostly true). I implemented a workaround - using Server 2008 Group Policy Preferences - where I edited the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and added the value ScreenSaverGracePeriod which I set to 15 (which I picked up from the Windows Registry Guide). This gives the users 15 seconds to move the mouse before the screen saver locks and they have to put in a password. The users accepted this compromise and we moved on.

This weekend I was reading a few chapters out of the Server 2008 Terminal Services Resource Kit while reviewing for my upcoming 70-649 exam and there is an in-depth explanation on Group Policy Loopback processing mode. It turns out that you can apply User settings even if the user is not in the linked OU by enabling User Group Policy loopback processing mode in Computer\admin templates\system\Group Policy. I just finished reading the Server 2008 Group Policy Resource Kit and I didn't remember loopback processing being mentioned at all. I checked, and it's only mentioned in the troubleshooting section as an event log entry, but there is never a mention as to what it actually does.

I came in this morning, changed a test GPO to enable loopback processing in merge mode (so that it will only change the screensaver entry and not delete all the other user settings) and adjusted the screensaver timeout. I logged in with a regular account to a test PC and the screensaver timeout reflected the computer OU GPO setting instead of the user's normal setting, and there was much rejoicing.

Why haven't I heard about this setting before? The GP Management Editor says it requires at least Windows 2000, so it has been around since the dawn of GPOs. Why isn't it mentioned in the Group Policy Resource Kit? I can understand why it is in the Terminal Services Resource Kit becasue this setting can be really handy in a TS environment. Is anyone else using different loopback processing modes?

Comments

  • aordalaordal Member Posts: 372
    Claymoore wrote:
    Why haven't I heard about this setting before? The GP Management Editor says it requires at least Windows 2000, so it has been around since the dawn of GPOs. Why isn't it mentioned in the Group Policy Resource Kit? I can understand why it is in the Terminal Services Resource Kit becasue this setting can be really handy in a TS environment. Is anyone else using different loopback processing modes?

    Are you sure you read the material required for passing 70-294? I got my face smashed in about it reading the Sybex book. It was also on the Transcender practice test.
  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    I've never needed to use it but I think I had like one question about it on an exam. I'm sure I'd have to review how to use it if I needed to deploy it.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    It was covered thoroughly in my study materials and 294 exam as well. Claymore, did you take this exam, or did you take an upgrade route? I know you know your stuff, so it's surprising you haven't come across this before.
  • ClaymooreClaymoore Member Posts: 1,637
    aordal wrote:
    Are you sure you read the material required for passing 70-294? I got my face smashed in about it reading the Sybex book. It was also on the Transcender practice test.

    I read all the material that I required to pass the exam, but I spent maybe 2 evenings studying for 294. I don't recall any questions about group policy loopback processing on the actual exam, but I probably missed them if there were any...

    http://www.techexams.net/forums/viewtopic.php?t=29503

    I am just disappointed that loopback processing isn't mentioned in the Group Policy Resource Kit. If you weren't studying for the exam and were just trying to learn about group policy would you even pick up a Sybex study guide? I certainly wouldn't buy Trancenders. I guess this shows the value of getting your real-world information and your certification material from multiple sources. You never know where you might pick up some useful information.
  • aordalaordal Member Posts: 372
    The 2 most common situations you'll see this used is for Terminal Servers and for Public computers that are part of the domain. Fun stuff.
  • ClaymooreClaymoore Member Posts: 1,637
    dynamik wrote:
    It was covered thoroughly in my study materials and 294 exam as well. Claymore, did you take this exam, or did you take an upgrade route? I know you know your stuff, so it's surprising you haven't come across this before.

    I was surprised too. But now everyone knows about loopback processing so there is no excuse for missing those questions on the exam! icon_lol.gif

    Now I'm wondering what else I missed out on by blowing off the 294 exam...
  • undomielundomiel Member Posts: 2,818
    Back when I was doing my MCSE I had read about loopback processing and had a vague idea that it had something to do with reapplying group policy or some such but didn't understand it at all. When I took the exam I would pick loopback whenever everything else didn't make sense. Still didn't click about how it really works though. Then I had this one phone interview where I was doing great until the guy asked about something related to loopback processing. My mind completely blanked and it showed and he pretty much grilled me over and over until he was sure that I didn't know what it was. My was that embarrassing! But immediately after that interview I jumped into technet, read through the documentation, and it clicked that time. Then at the last job I got to use it for pretty much almost the exact situation as claymoore described. Interestingly enough no one else at that job understood how it worked either and as far as I know they still don't understand. Probably because it isn't commonly used.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • MishraMishra Member Posts: 2,468 ■■■■□□□□□□
    I still think my thread makes sense.

    http://www.techexams.net/forums/viewtopic.php?t=27743
    My blog http://www.calegp.com

    You may learn something!
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    We have had several discussions on Loopback Processing here on TE in the past. icon_cool.gif

    http://www.techexams.net/forums/viewtopic.php?t=22116

    http://www.techexams.net/forums/viewtopic.php?t=21873

    There's more but most basically have the same questions/answers.
    All things are possible, only believe.
Sign In or Register to comment.