A Group Policy Object (GPO) is a set of rules for users and computers: the policies for computers are applied to computers, and the policies for users are applied to users. This article applies to Windows Server scenarios.
Let’s assume that you have two organizational units in your domain:
The OU-TSSERVERS unit contains computer accounts, and the OU-SUPPORT unit contains user accounts. In OU-TSSERVER, you created and configured a new GPO. So, there are policies for:
In OU-SUPPORT, you created and configured a new GPO. So, there are policies for:
When a user belonging to OU-SUPPORT logs on to a server that belongs to OU-TSSERVER, what happens?
Applies:
This is the default setting. Now we are finally going to learn about User Group Policy Loopback Processing Mode. When configuring the Loopback Processing Mode policy, you can choose between two options, Replace and Merge.
When you set "User Group Policy Loopback Processing Mode" to "Replace" on the GPO linked to the OU-TSSERVER.
When you set "User Group Policy Loopback Processing Mode" to "Merge" on the GPO linked to the OU-TSSERVER.
And
NOTE: In case of conflict, the user policies from OU-TSSERVERS take precedence. Because the computer's GPOs are processed after the user's GPOs, they take precedence if any of the settings conflict.
Use this configuration if you have users in your domain whose folders are redirected through policy, but you don’t want that redirection to occur when users log on through Terminal Services. Enable this policy setting in Replace mode on the GPO linked to the OU that holds the Terminal Servers' computer accounts (without folder redirection enabled). When users log on to the Terminal Servers, the folder redirection policy is not applied.
Using Group Policy Management Console, edit the GPO you desire, expand Computer Configuration\Policies\Administrative Templates\System\Group Policy, and then double-click User Group Policy Loopback Processing Mode. Then select the appropriate option (Replace or Merge).
This article was originally written by: Daniel Donda, Leader UGSS Mcsesolution (GITCA), MCLC Microsoft Certified Learning Consultant, MCITP Enterprise, MCP, MCSA, MCSE, MCT, MCSE Messaging / Security, contributor to www.mcpbrasil.com
Donda's site: http://www.mcsesolution.com
Twitter: http://twitter.com/danieldonda
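A scripted equivalent of the Group Policy Management Console steps above, together with an audit of which GPOs already enable loopback and in which mode. This is an added example, not part of the original article. It relies on the fact that the setting is stored as the registry policy value `UserPolicyMode` (1 = Merge, 2 = Replace), which is not stated on this page; the function names and the GPO name in the usage comment are hypothetical.

```powershell
# Added example, not from the original article. Requires the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

# Registry-backed value written by "User Group Policy Loopback Processing Mode".
$LoopbackKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackValue = 'UserPolicyMode'
$ModeNames     = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LoopbackGpo {
    # List every GPO in the current domain that configures loopback processing.
    foreach ($gpo in Get-GPO -All) {
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                -ValueName $LoopbackValue -ErrorAction Stop
        } catch {
            continue   # the value is not configured in this GPO
        }
        $mode = [int]$setting.Value
        [pscustomobject]@{
            GpoName   = $gpo.DisplayName
            Mode      = if ($ModeNames.ContainsKey($mode)) { $ModeNames[$mode] } else { "Unknown ($mode)" }
            # Loopback lives under Computer Configuration, so it is ignored
            # when the GPO's computer settings are disabled.
            Effective = $gpo.GpoStatus.ToString() -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled'
        }
    }
}

function Set-LoopbackMode {
    # Write the loopback mode into the named GPO (hypothetical helper).
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [ValidateSet('Merge', 'Replace')] [string] $Mode
    )
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }
    Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName $LoopbackValue `
        -Type DWord -Value $value | Out-Null
}

# Usage (the GPO name is a hypothetical placeholder):
# Set-LoopbackMode -GpoName 'TS-Servers-Policy' -Mode Replace
# Get-LoopbackGpo | Format-Table -AutoSize
```

The `Effective` column flags GPOs where loopback is configured but cannot take effect because the computer half of the GPO is disabled.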
Nice and simple article. Thanks, Daniel.
What I have found is that in Windows XP and 2000, the user context is used to read the user's settings from the loopback GPO linked at the computer OU, so it's sufficient to only include user security filtering. However, it seems that things have changed in Windows 7/2008 R2. It appears the machine context is used to read the GPO even for the user settings, so it's necessary to include the computers and users you wish the GPO to apply to in the security filtering.
I understood this setting now. Thanks Daniel.
"In case of conflict, the users policies from OU-TSSERVERS have precedence. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict"
Sorry? Who takes precedence then? In my view, computer configuration is applied first when the computer SID authenticates in AD. The user part is applied only when the user logs into that computer and authenticates with the AD, isn't it?
Same problem here. I don't like "My Documents" on local TS folders, so I have a folder redirection in place on the TS farm thanks to a loopback group policy. Anyway, I would like users who already have a folder redirection in place on their PC (through GP) to be correctly redirected to their folder when they log on to the TS as well. This doesn't work because I'm using different root folders for TS users and PC users, and on the TS the TS policy always applies.
You're absolutely correct shocko