1

This one doesn’t make sense to me so I’m turning to the forums for some guidance. got an Active Directory and Group Policy environment that I inherited and can’t figure this one out. I have one OU that is broken down by departments for computer objects. within each department, I have a Desktops Sub-OU and a Laptop Sub-OU. I have another OU broken down by departments for user objects. I have a simple GPO that maps a network drive. Its built as a User Config and linked to the OU where the user objects are located. I was building a new Windows 10 laptop and noticed my network drives were not mapped. After a lot of trial and error, I moved my laptop computer object from the Laptop sub-OU to the Desktop sub-OU only because the drive mappings works fine on the desktop. When I moved the laptop over, it works. I verified by doing the gpresult /r. This makes no sense that a User Config GPO applies or doesn’t apply based on where my Computer object is located. I made sure the OU’s in question were not blocking inheritance. I don’t know if this is too vague to help anyone reading this post. Any guidance on what I can check? Thank you.

6 Spice ups
2

I’d guess Loopback.off the top of my head it’s one of the only computer settings I can think of that would affect user policy.
Run a GPResult /h whilst the computer object is in the non working OU.
You should get a warning about Loopback processing.
If not post that GPResult /h for analysis.
For more on Loopback processing:

2 Spice ups
3

Echoing this. Sounds like loopback processing.

4

Justin1250 is on point, Loopback Processing with MERGE mode has been used for that GPO. Merge Mode supplements the policy that is assigned to the user instead of completely replacing it like in Replace Mode.

@jhart

5

Thank you everyone. I’ll check that out tomorrow. I have my laptop with me at home so I’ll do more testing in the office. I’ll respond back to the post on what I find.

6

Here is my gpresult /h results. I see that there are errors at the top but its not quite making sense to me. I read up on the Loopback and I’m not sure where that setting is applied IF it is the cause. I did check the settings on the GPO that maps the drive and the loopback settings is not on. Let me know if the gpresult file helps in understanding where my problem is. Thank you.

BTW I wasn’t able to attach the GPResult HTML file. I tried to rename it to .TXT and tried a .ZIP. Not sure if I can upload images? If there is a way to upload that file, let me know. Thank you.

GPresult.jpg

7

So after further digging within the gpresult.html file, I found the GPO that has the Loopback setting Enabled. Its a GPO that just sets certain Outlook defaults. But I’m still not understanding this loopback feature enough so I’m not comfortable in just Disabling loopback. I might fix my current issue of this GPO but will I break something else? Below is where this GPO is applied in my structure. within each department OU, the same results happen if the computer is in the Laptops OU vs the Desktops OU. Looking for guidance, cautions, etc on what my next steps should be. Thank you.

Loopback.jpg

8

So loopback in replace mode ignores all your user side settings for whoever logs into the machine.

I would definitely do some testing. It really depends on how long it has been on.

So if you remove that setting from that GPO all your GPOs applied to your User objects will start applying. That may be a good thing but could cause issues if there is something in there that applies that you are not expecting. However, if everything is working in the desktop OU I would guess it would be alright to disable it.

If you have a different setting applied to the desktops OU, such as loopback set to disabled or merge mode it would override the Loopback setting linked higher. Which might be why the desktop one works and the laptop one does not.

9

I’ll check the other OU’s to see if there are more settings like this. It is strange how its different in those two OU’s (Desktops vs Laptops). thanks.

10

Ok, so i think I found exactly what you were referring to. In the Desktop OU’s there’s a GPO where Loopback is Enabled and in Merge mode. I checked the other GPO in there and loopback is not enabled and the one common GPO in the Laptops OU is not enabled either. It looks like I would need to set both of these GPO’s loopback to the “Not Configured” setting. I’ll look at each setting within the GPO to make sure there’s nothing in there I don’t want applied. Again, thank you for your guidance.

Loopback-Merge.jpg
Loopback-Merge.jpg505×668 62.2 KB
1 Spice up
11

You should be able to turn that off just fine.

Also, check for User settings linked to your computer OUs. If there are such settings turning off loopback will make those no longer apply.

12

Looked at every GPO I had and found 8 GPO’s with the loopback feature enabled. Only one of them was in Replace mode and the rest were in Merge mode. 5 of them have User Configs but is currently in OU’s for Computers so I’ll have to move those GPOs to my OU where the users objects are. If I remove the Loopback on all of these and move the 5 GPO’s that have User configs over to the appropriate user OU’s, I think that should be safe. Thoughts anyone?

13

Sounds like a good plan to me!

14

I removed all the Loopback settings on the 8 GPO’s and moved the GPO’s that had Computer configs over to User OU’s. All looks good so far. GPO’s that was not running on laptop are now being applied. Thank you again to all that helped. I had not heard of this loopback feature until now.

1 Spice up
15

Glad everything is working!!