Friday, 6 July 2007

Using Loopback GPOs

This is one subject I never did quite get the hang of when I studied GPOs in MOC 2274/2279. The MS documentation for loopback policy is a little confusing.

The normal way that GPOs are applied is that the computer configuration part of the GPO is applied to computer accounts, and the user configuration part of the GPO is applied to user accounts. Say the computer is called ABC and the user is called xyz. At first startup, the computer configuration GPO is applied to ABC. When user xyz logs on to ABC, the user configuration GPO is applied for that user account.

Loopback is different in that it permits a user GPO to be applied to a specific computer depending on the OU in which that computer account appears. Normally, the only GPO settings you can specify for a computer account are the computer configuration. The user config GPO is determined by the OU that the user account is stored in. When loopback is enabled, the user config GPO is determined by the computer account OU instead. This lets the user settings that would normally apply be overridden for that particular computer or group of computers.

An example in our network is that for pupil users, we have their user GPO set up to redirect their Start Menu to the All Users Desktop. This gives them a great big start menu with all the shortcuts in one long list, no subfolders. The first thing I tried, to make a nicer start menu, was to put the start menu into the mandatory profile. The problem was that on a couple of PCs this didn't work out for some reason. Maybe I missed something. Anyhow, the next idea for this group of PCs was to redirect the user's start menu to the All Users start menu. This worked. However, this is a different configuration from other pupils' machines. So, I created a new OU, linked a new GPO to it, set Loopback Policy to Enabled (Merge) and set just one setting: redirect the Start menu to C:\Documents and Settings\All Users\Start Menu. After configuring the Start Menu, it was all go. Only the PCs that are in this OU will have this configuration applied, because only they have the reconfigured All Users start menu.

The drawback of loopback policy like this is that every user who logs onto a PC gets the same user settings. In this case everyone gets the limited Start menu, even if they are an administrator. Only the local administrator account can get full access to the PC. In this case, I'll only use loopback until such time as every pupil PC in the school is configured with the new start menu settings, and then apply them to pupil users globally.
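To make the processing order concrete, here is a small model of how the user half of a set of GPOs is resolved with and without loopback, covering both the override described above and the drawback that every account logging on to a loopback PC gets the same user settings. This is an added illustration, not code from the original post or from Microsoft; the GPO names, OUs and setting names (StartMenuPath, RunMenu, LoopbackMode) are constructed, and GPO lists are assumed to already be in application order, ignoring Enforced links and Block Inheritance. Replace mode is the other loopback option Windows offers alongside Merge; it is shown for comparison.

```python
"""Model of how Group Policy resolves the user half of GPOs with and
without loopback processing.  Added illustration: GPO names, OUs and
setting values below are constructed, not taken from any real domain."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class GPO:
    name: str
    # Each half is a flat mapping of policy setting -> value (constructed names).
    computer_settings: Dict[str, str] = field(default_factory=dict)
    user_settings: Dict[str, str] = field(default_factory=dict)


def apply_in_order(gpos: List[GPO], half: str) -> Dict[str, str]:
    """Apply one half ("user" or "computer") of each GPO in list order.

    Later GPOs win on conflict, mirroring the Local -> Site -> Domain -> OU
    ordering where the last-applied value is the one that sticks."""
    result: Dict[str, str] = {}
    for gpo in gpos:
        result.update(getattr(gpo, f"{half}_settings"))
    return result


def effective_user_settings(user_gpos: List[GPO], computer_gpos: List[GPO],
                            loopback: Optional[str] = None) -> Dict[str, str]:
    """Resolve the user settings a logon session ends up with.

    loopback=None      -> normal processing: user half of the user's own GPOs.
    loopback="merge"   -> user's list first, then the user half of the
                          computer's GPOs, so the computer side wins on conflict
                          while non-conflicting user settings survive.
    loopback="replace" -> only the user half of the computer's GPOs;
                          the user's own GPOs are ignored entirely."""
    if loopback is None:
        return apply_in_order(user_gpos, "user")
    if loopback == "merge":
        return apply_in_order(user_gpos + computer_gpos, "user")
    if loopback == "replace":
        return apply_in_order(computer_gpos, "user")
    raise ValueError(f"unknown loopback mode {loopback!r}")


def logon(user_gpos: List[GPO], computer_gpos: List[GPO]) -> Dict[str, str]:
    """Simulate a logon: loopback is a computer-side setting, so it is read
    from the computer half of the computer's GPOs before the user half is
    resolved."""
    computer_side = apply_in_order(computer_gpos, "computer")
    mode = computer_side.get("LoopbackMode")  # None, "merge" or "replace"
    return effective_user_settings(user_gpos, computer_gpos, mode)


# Constructed sample GPOs, modelled on the scenario in the post.
PUPIL_GPO = GPO("Pupil Users", user_settings={
    "StartMenuPath": r"C:\Documents and Settings\All Users\Desktop",
    "RunMenu": "hidden",
})
STAFF_GPO = GPO("Staff Users", user_settings={"RunMenu": "visible"})
ORDINARY_PC_GPO = GPO("Ordinary PCs")  # no loopback, no user settings
LAB_PC_GPO = GPO("Lab PCs (loopback merge)",
                 computer_settings={"LoopbackMode": "merge"},
                 user_settings={
                     "StartMenuPath": r"C:\Documents and Settings\All Users\Start Menu",
                 })
LAB_REPLACE_GPO = GPO("Lab PCs (loopback replace)",
                      computer_settings={"LoopbackMode": "replace"},
                      user_settings={
                          "StartMenuPath": r"C:\Documents and Settings\All Users\Start Menu",
                      })


if __name__ == "__main__":
    print("pupil on ordinary PC:", logon([PUPIL_GPO], [ORDINARY_PC_GPO]))
    print("pupil on lab PC (merge):", logon([PUPIL_GPO], [LAB_PC_GPO]))
    # The drawback: staff get the lab Start menu too, because the computer OU decides.
    print("staff on lab PC (merge):", logon([STAFF_GPO], [LAB_PC_GPO]))
    print("staff on lab PC (replace):", logon([STAFF_GPO], [LAB_REPLACE_GPO]))
```

Running it shows the three cases side by side: in Merge mode the pupil keeps the hidden Run menu from their own OU while the Start menu path is overridden by the lab GPO, a staff member logging on to the same PC receives the same Start menu redirection regardless of their user OU, and in Replace mode the staff member's own user settings disappear altogether.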

Why, incidentally, would it be necessary to redirect the start menu? We need to restrict what appears on the Start menu for pupils. Partly this is for security, limiting the ability to tamper with settings, and partly to meet the AUP. Windows XP has changed from previous versions of Windows in terms of the policy settings that control access to the start menu. The options were reduced somewhat. MS seems to want to discourage limiting the Start menu, but I doubt that many sysadmins would agree with them.