Thursday, July 28, 2011

Group Policy Loopback Processing: Replace vs Merge

Recommended reading:

http://feeds.4sysops.com/~r/4sysops/~3/1zE6FrBmHj0/

This is a great "part 2" article on Group Policy Loopback processing by Kyle Beckman at 4SysOps.  The entire article set is a great resource for anyone who works with Active Directory Group Policy, even if you don't bother with loopback processing.

The best way to summarize loopback processing to someone that has no idea what Group Policy is, would be to say it's like an election ballot where the question reads: "Vote NO to not allow the disallowance of none of the nothings nobody never not wanted"  It can be pretty twisted if you don't pace yourself on the way in.  The best advice I can give anyone (if I'm permitted to give any advice of any kind) is that you shouldn't touch any Group Policy feature without first [A] reading up on it from as many sources as you can find, and [B] testing the behavior in a lab that mimicks your actual production environment.

I cannot stress [B] enough.  Having a lab that is "sort of" like the production environment is fine for testing applications, Windows deployments, SCCM, SCOM, SQL, LDAP and so on, but for Group Policy testing it is not going to work.  There is way too much involved with layering, merging, blocking, inheritance, WMI filtering, user vs computer, loopback processing, and so on.  One small difference can change the course of the entire test.  And with "tattooing" you can end up with a mistake that is very difficult to undo or reconfigure.  A minimalist approach is the absolute best approach to implementing Group Policy.

With all this in mind, this article is a fantastic resource for wrapping your mind around one of the more terse aspects of Group Policy: loopback processing.  Enjoy!

No comments: