Aug 23 2011

GPO: Loopback processing and Group Policy Preferences

In this post we talk about loopback processing of group policy and the interesting new feature that becomes available when it is combined with Group Policy Preferences.

If you need a detailed explanation of how loopback processing of group policy works, I suggest you read this 4sysops two-part blog post (part 1, part 2).

When using loopback processing of group policy on a TS/Citrix server I generally choose replace mode, in order to discard any user-specific settings and get the same environment for each user. The GPO below is applied to the TS/Citrix computer objects located in the same Organizational Unit:

All the servers of our Citrix/TS farm are located in the same OU. Only two web applications are published in our farm, and each server hosts only one application. Each application needs a different user configuration, which in our case study is the IE title bar:

  • IE title bar set to “Web Application 1” for users who are members of the “Qualif-Xen-Usr-Param1” group and log on to TS/Citrix servers that are located in the “460-XenApp6” Organizational Unit and are members of the “Qualif-Xen-srv-Param1” group.
  • IE title bar set to “Web Application 2” for users who are members of the “Qualif-Xen-Usr-Param2” group and log on to TS/Citrix servers that are located in the “460-XenApp6” Organizational Unit and are members of the “Qualif-Xen-srv-Param2” group.

Without GPP (Group Policy Preferences) you cannot target a specific computer group in order to apply user settings; security filtering will be set up for the “Qualif-Xen-Usr-Param1” and “Qualif-Xen-Usr-Param2” user groups. User configuration GPOs linked to the “460-XenApp6” OU will be as follows:

When a user is a member of the “Qualif-Xen-Usr-Param1” group the IE title bar will be “Web Application 1”; the “Web Application 2” IE title bar will be displayed if the user is a member of the “Qualif-Xen-Usr-Param2” group. But if the same user is a member of both groups, “Qualif-Xen-Usr-Param2” and “Qualif-Xen-Usr-Param1”, the IE title bar “Web Application 1” will be displayed even if the user logs on to a server hosting “Web Application 2”, because of the GPO processing order:

The only way to get the expected behaviour without using GPP is to move the servers hosting “Web Application 1” and the ones hosting “Web Application 2” into separate OUs and link each user configuration GPO to the corresponding OU. This might not be convenient in terms of administration, because you might end up with as many OUs as applications in your TS/Citrix farm.

When using GPP you have the item-level targeting feature, which allows you to leave all your servers in the same OU. The GPO parameter “IE title bar” is just a registry setting: you need to edit the “Window Title” value located under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. We will use a registry GPP item and set that value to “Web Application 1” if the user belongs to the “Qualif-Xen-Usr-Param1” group and logs on to a server that is a member of the “Qualif-Xen-srv-Param1” group, thanks to item-level targeting:

The user configuration GPPs linked to the “460-XenApp6” OU will look like this:

For a user belonging to both groups “Qualif-Xen-Usr-Param1” and “Qualif-Xen-Usr-Param2” the IE title bar will be different depending on whether he logs on to a server hosting “Web application 1” or “Web application 2”; that is the expected behaviour 🙂
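
A check you can run inside a user session on one of the farm servers to confirm that the item-level targeting produced the expected title. This is an added example, not code from the original post: the function name is hypothetical, and the script assumes a domain-joined server whose computer account is a direct member of the server groups.

```powershell
# Added example, not from the original post. Group names, titles and the registry
# value come from the post; the function name is hypothetical.
function Get-ExpectedIETitle {
    param([string[]]$UserGroups, [string[]]$ComputerGroups)
    # One rule per GPP registry item: user group AND computer group must both match.
    $rules = @(
        @{ User = 'Qualif-Xen-Usr-Param1'; Computer = 'Qualif-Xen-srv-Param1'; Title = 'Web Application 1' },
        @{ User = 'Qualif-Xen-Usr-Param2'; Computer = 'Qualif-Xen-srv-Param2'; Title = 'Web Application 2' }
    )
    $hits = @($rules | Where-Object {
        $UserGroups -contains $_.User -and $ComputerGroups -contains $_.Computer })
    if ($hits.Count -gt 1) { Write-Warning 'Both items match: server is in both server groups.' }
    if ($hits.Count -ge 1) { return $hits[-1].Title }   # nothing returned when no item matches
}

# Groups in the logged-on user's token (nested groups included), domain prefix removed.
$nt = [System.Security.Principal.NTAccount]
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userGroups = $identity.Groups.Translate($nt, $false) |
    ForEach-Object { ($_.Value -split '\\')[-1] }

# Direct group memberships of this server's AD computer account (assumption: the
# server groups are not nested; nested membership is not expanded here).
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$account = $searcher.FindOne()
if (-not $account) { throw "Computer account for $env:COMPUTERNAME not found in AD." }
$computerGroups = @($account.Properties['memberof']) | Where-Object { $_ } |
    ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }

# Compare what the targeting should produce with what the session actually has.
$key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$actual = (Get-ItemProperty -Path $key -Name 'Window Title' -ErrorAction SilentlyContinue).'Window Title'
$expected = Get-ExpectedIETitle -UserGroups $userGroups -ComputerGroups $computerGroups
[pscustomobject]@{
    Server = $env:COMPUTERNAME; Expected = $expected; Actual = $actual
    Match  = ($expected -eq $actual)
}
```

A `Match` of `False` for a user in both user groups is the symptom described earlier for the security-filtering approach, where the title follows GPO processing order instead of the server being logged on to.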

By the way, do not forget to use the GPMC to get the resultant set of policy settings when working with GPP (see my previous post).

As long as the user parameter you want to apply is a registry setting or a common GPP object (shortcut, network drive…) you can use this method to keep your TS/Citrix servers in the same OU when using loopback processing of group policy.


2 Comments

  • By Lewis, October 12, 2017 @ 1:25 am

    If I do loopback replace, does that only replace the user settings if there are other ones defined in the policy of the computer with loopback applied, or does it flat out not apply any of the other user settings because they don’t apply to the computer object?

    Thanks,

  • By ldap389, October 22, 2017 @ 6:42 pm

    Hi,

    Sorry for the late reply. Loopback in replace mode does flat out, it only applies the settings defined on the computer object.
