Group Policy Loopback Not Blocking Site-Based User Policy

Anonymous
2025-02-14T01:52:53+00:00

I've got a loopback policy (Configure user Group Policy loopback processing mode = replace) targeted at an OU containing a terminal server (Windows 2022). This prevents any user policies targeted at the User OU from being applied when the user logs in and is working as expected.

However, there are User policies targeted at the site level that are still being applied to the user when he logs in to the terminal server. And these site-based policies are not enforced.

My understanding is that group policies are applied in the following order:

  • Local
  • Site
  • Domain
  • OU
  • Child OU

Given the terminal server is located at the Child OU, why are the site-based user policies still being applied? One of the site-based user policies is to add a shortcut to the desktop. This shouldn't be applied to a user logging in to the terminal server as the loopback policy should block it.

Any pointers would be much appreciated. Thanks.

  1. Anonymous
    2025-02-25T00:37:13+00:00

    Yes, the expected behavior is that the user who logs in to the server will have ALL user policies blocked except for any user policies applied at the server OU.

    The user account is in a separate "User" OU and all the user policies applied here are blocked as expected. It's just the user policy applied at the site level that is still being applied.

    Our OU structure is something like this:

    Domain
      Server OU
        - loopback policy applied here
      User OU
        - multiple user policies applied here

    Site
      - several user policies applied here

    When the user logs in to the server, all the user policies applied at the User OU are NOT applied (as expected) but the user policies at the Site level are still being applied (which is not what I expect).

    Thanks.

  2. Anonymous
    2025-02-27T02:09:57+00:00

    Which is exactly what the loopback policy is doing ...

    • user policies at the Users OU are NOT being applied
    • user policies at the Server OU are being applied

    ... except user policies at the site level are ALSO being applied. Which should NOT happen when using loopback.

    Loopback says the ONLY user policies that will be applied are those targeted at the Server OU.

    Unless I'm misunderstanding how loopback works, user policies targeted at the site level should not apply when using loopback.

    Thanks.

  3. Anonymous
    2025-02-25T09:39:07+00:00

    Hello

    Greetings!

    It seems it applies to OU.

    For more information, please read here.

    Loopback processing of Group Policy - Windows Server | Microsoft Learn

    Please note:

    Windows Client for IT Pros and Windows Server forums are moving to Microsoft Q&A

    We’re transitioning to Microsoft Q&A for a more streamlined experience. Starting February 26th, new questions can only be posted on Microsoft Q&A. Existing discussions will remain accessible here.

    Beginning March 3rd, customers looking for support on Answers will be automatically redirected to Microsoft Q&A.

    Best Regards,
    Daisy Zhou

  4. Anonymous
    2025-02-27T08:31:26+00:00

    Hello

    Greetings!

    Do you put user account objects in one site and link user policy to this site?

    Best Regards,
    Daisy Zhou

  5. Anonymous
    2025-02-27T23:56:06+00:00

    There are no "objects" at the site level. Active Directory sites are based on subnets ... so anyone logging in to a machine with an ip address will automatically belong to its respective site and the site policy will be applied.

    Cheers.

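An added example, not part of the thread and not Microsoft code: a simplified Python model of how the list of GPOs for user settings is gathered without loopback and in loopback replace and merge modes, using the processing order listed in the question. It assumes no Enforced links, Block Inheritance, security filtering or WMI filters, and all site, OU and GPO names are constructed.

```python
# Simplified model of how the list of GPOs for *user* settings is built.
# All site, OU and GPO names are constructed sample data (assumptions).

# Scope of management -> GPOs linked there that contain user settings.
LINKS = {
    "site:HQ": ["Site-DesktopShortcut"],
    "domain": ["Domain-UserBaseline"],
    "ou:Users": ["Users-DriveMaps", "Users-Printers"],
    "ou:Servers": ["TS-UserLockdown"],
}

def gpo_list(site, ous):
    """GPOs in application order: Site, Domain, then OUs parent to child.
    (Local policy is left out; later entries win on conflict.)"""
    chain = [f"site:{site}", "domain"] + [f"ou:{ou}" for ou in ous]
    return [gpo for som in chain for gpo in LINKS.get(som, [])]

def user_gpos(mode, computer_site, user_ous, computer_ous):
    """User-settings GPO list for a logon on one computer.

    The site always comes from the computer being logged on to; a user
    account has no site of its own.
    """
    from_user = gpo_list(computer_site, user_ous)
    from_computer = gpo_list(computer_site, computer_ous)
    if mode == "none":       # no loopback: the user object's location decides
        return from_user
    if mode == "replace":    # the computer object's location decides
        return from_computer
    if mode == "merge":      # user's list first, computer's list appended
        return from_user + from_computer
    raise ValueError(f"unknown loopback mode: {mode}")

def outside_server_ou(mode, computer_site, user_ous, computer_ous):
    """GPOs that reach the user but are not linked in the computer's OU path."""
    local = {g for ou in computer_ous for g in LINKS.get(f"ou:{ou}", [])}
    applied = user_gpos(mode, computer_site, user_ous, computer_ous)
    return [g for g in dict.fromkeys(applied) if g not in local]

if __name__ == "__main__":
    for mode in ("none", "replace", "merge"):
        print(mode, user_gpos(mode, "HQ", ["Users"], ["Servers"]))
    print("replace, not from Server OU:",
          outside_server_ou("replace", "HQ", ["Users"], ["Servers"]))
```

On the terminal server itself, `gpresult /r /scope user` lists the GPOs that were actually applied to the logged-on user, which can be compared against the model's output.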