I am part of an IT team that was recently assigned GPO-related tasks. I am pretty new to GPO and still getting a grasp of it.

I recently received a request related to a certain GPO user configuration that needs to be enabled; however, the catch is that it is related to an existing GPO loopback policy, which I am still unfamiliar with. Can someone help me understand what needs to be done in order to fulfill this task? I badly need some insights.

Here is the situation:

The customer wants this particular configuration to be enabled on his end alone. I found out that there is currently an existing GPO linked to the OU the user’s workstation is in. This GPO is currently set up with loopback policy, that specific user configuration is disabled in it, and it is linked to the Laptop OU where the user’s workstation is located (basically, from what I understand, this GPO is currently being applied to all Laptop OUs and this specific user configuration is disabled).

Domain > Windows 10 > Laptop (this is the OU where the GPO is currently applied into)

The customer now wants a specific security group created, with all users who want that user configuration enabled placed in it; the problem is that it is located in a different OU.

Domain > Users > Location User (this is the OU where the customer wants that specific group to be created)

My question is: how will I configure the GPO (user configuration set to enabled) and link it to the “Users OU” when there is an existing GPO in the Workstation OU (user configuration set to disabled, with loopback policy - merge enabled) without having any conflicting issue?

5 Spice ups

Would it be easier to create a new GPO with security targeting? Make those users part of the group and they will get the GPO settings.

1 Spice up

There is an existing GPO (configured as loopback enabled - merge) that is applied in the Laptop OU. From what I can understand, the organization originally wanted that specific user config to be disabled on all laptops, but this time the request is to have an exemption for specific users and have that user configuration enabled; however, they want us to create a specific security group in the Users OU instead.

The problem I am struggling with right now is: when I create a new GPO that enables that user config and link it to the USERS OU, what will take effect?

  1. Is it the new GPO that ENABLES the user config and is currently linked to the Users OU?

OR

  2. Is it the old GPO (configured as loopback - merge) that DISABLES the user config and is linked to the Laptops OU?

Sorry, I am getting confused as well about what will take effect…

1 Spice up

User Configuration settings only affect users, and Computer Configuration settings only affect computers. If you make a GPO that only has user settings in it, and link it to an OU that only has computers in it, nothing will happen.

Also, you cannot apply GPOs to the “Users” container.

If the Workstation GPO has loopback - merge, then whenever a user logs in to a computer that is in that OU, it will merge whatever user settings you may have applied in that OU with the settings of the OU the user is in as well.

Create the new GPO, edit it to your liking, and in the security filtering section remove Authenticated Users and add your created group. Link it to all OUs that contain the users you want the policy applied to, and that should do it.

1 Spice up

“If the Workstation GPO has loopback - merge, then whenever a user logs in to a computer that is in that OU it will merge whatever user settings you may have applied in that OU with the settings of the OU the user is in as well.”

This is the problem I am thinking of: there is an existing GPO (configured as loopback enabled - merge) that is applied in the Laptop OU which disables that user config (the requestor confirmed that the feature is disabled).

If I created a GPO that links to the OU of the user and enables that user config, what will take effect: the GPO linked to the workstation OU or the GPO linked to the user OU?

Have you tried creating a security group and filtering based on that security group?

GPOs run based on being attached to OUs. But you can filter which accounts in that OU are included using security groups.

I might add a few security groups to include or deny.

To deny a security group you’d want to go to the final tab, click on the button on the bottom right, add the security group you want to deny and assign it that property. Then it will be as if that policy doesn’t exist for those groups.

GPOs apply best when you focus on either users or devices when setting them up.

It might be the explanation of what is required, but loopback does not sound like the correct method.

In this scenario just create a GPO and link it to the Location User OU.

Note that it does not matter where in AD the security group is if it is used for filtering. GPOs are linked only to User or Computer locations; the security filtering is just a setting.

Loopback 101 - loopback is used to apply a user setting based on the Computer, or a computer setting based on the User.
Example: I want the user setting of mapped drive X: to only apply when a user logs on to computers at CRAZY TOWN. To do this I put all computers at CRAZY TOWN in an OU - computers-CRAZY-TOWN-PCs. I enable loopback processing. I link the user mapped drive GPO for X: to computers-CRAZY-TOWN-PCs.

If I want a GPO that only applies to a group of users, I just create the GPO, link it to the main Users OU and security filter it to an AD group - or better, use Item-level targeting if the setting supports it.

This is what I am planning initially: I will create a GPO to “enable” that user configuration and assign it to the User OU. I am just unsure what will take effect, since there is an existing GPO that “disables” that user config linked in the workstation OU (loopback - merge is enabled).

If you create a user settings GPO (userGPO) and link it to an OU (userOU) that contains users, that will have effect on users.

When might your user settings not apply as expected to a user that is in the userOU?
The answer is: if that user (user1 in UserOU) logs on to a computer that has a loopback policy applied.

  • In that case, normally the user settings in the UserGPO would apply and, additionally, the computer settings in the CompOU the computer is in would apply to the computer. If loopback is enabled in the computer settings (CompGPO), then loopback processing changes the way the GPO is applied.

  • If the ‘Merge’ mode of loopback policy is set, then the user will get the user settings in userGPO + computer settings. You could say that even if a loopback policy were not set, the resultant policy would be like this. Yes, this is similar to normal Group Policy processing, but compGPO settings will always have higher precedence than the userGPO settings when loopback merge mode is set.

  • If the ‘Replace’ mode of loopback policy is set, then the user will get only the settings in the computer policy applied to the computer, and not any setting from the user portion of userGPO. For example, it may be required that students in the library should only see a library application when they log on to the PCs in the library with their domain user credentials, not any class notes, other school applications, etc. In this case you may apply a loopback policy in replace mode in a computer GPO that is applied to the library OU, and in that computer GPO you should specify the library application that will run in the computer portion of the computer GPO. When the students come back to their classes and log on with their domain users, they will continue as usual.
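The procedure suggested earlier in the thread (new user GPO, security filtering on a group, link to the user OU) together with a check of the loopback mode described in the last reply, as an added PowerShell example that is not from the thread or any poster. It assumes the GroupPolicy RSAT module on a domain-joined admin workstation; every GPO name, group name, OU DN, hostname and user below is a placeholder.

```powershell
# Added example: create the "enable" user GPO with security filtering, link it to the
# Location User OU, then read the loopback mode on the existing laptop GPO to see
# which settings win. All names and DNs are assumptions, not from the thread.
Import-Module GroupPolicy

$domainDn   = 'DC=example,DC=com'                         # placeholder domain
$userOu     = "OU=Location User,OU=Users,$domainDn"       # assumed DN for Domain > Users > Location User
$laptopGpo  = 'Laptop - Loopback Policy'                  # assumed name of the existing laptop GPO
$newGpoName = 'Users - Enable Feature X'                  # assumed name for the new user GPO
$group      = 'GPO-FeatureX-Enabled'                      # assumed security group (its OU does not matter)

# 1. Create the GPO and link it to the OU that holds the users, not the computers.
$gpo = New-GPO -Name $newGpoName -Comment 'Enables feature X for members of the exemption group'
New-GPLink -Name $newGpoName -Target $userOu -LinkEnabled Yes | Out-Null

# 2. Security filtering: only the group gets "Apply". Authenticated Users is downgraded
#    to Read rather than removed, because since MS16-072 the computer account must still
#    be able to read a user GPO for it to apply at all.
Set-GPPermission -Name $newGpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $newGpoName -TargetName $group -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 3. Read the loopback mode stored in the laptop GPO. The loopback policy writes
#    UserPolicyMode: 1 = Merge (laptop GPO's user settings win on conflicts),
#    2 = Replace (only the laptop GPO's user settings apply on those machines).
$mode = Get-GPRegistryValue -Name $laptopGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                            -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
switch ($mode.Value) {
    1       { 'Merge: the laptop GPO still overrides the same setting for these users.' }
    2       { 'Replace: the new user GPO is ignored entirely on those laptops.' }
    default { 'No loopback mode configured in this GPO.' }
}
# In Merge mode the exemption group also needs a Deny on "Apply group policy" for the
# laptop GPO (GPMC > Delegation > Advanced), so its "disable" setting no longer reaches them.

# 4. Verify the resulting precedence for one user on one laptop (hostname and user assumed).
Get-GPResultantSetOfPolicy -Computer 'LAPTOP01' -User 'example\user1' `
                           -ReportType Html -Path "$env:TEMP\rsop.html"
```

The HTML report lists the winning GPO for each setting, which is the quickest way to confirm whether the laptop-linked GPO or the user-linked GPO took effect for a given user and machine.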