User Loopback Processing of Group Policy
Typically, printer installation in the enterprise is done via login scripts that map printers based on usernames. This works fine in most cases; however, I recently began looking into a better way to do this.
The problem with installing printers based on usernames is that on a given day a teacher or student can log into as many as three or four different computers in various locations throughout a school. With this being the situation, we could for instance map the printer “GCHS-MATHLAB” to a student Active Directory account, but then when the student walks into the business lab, he will still be printing to the math lab. The obvious reaction to this would be to set up a script that installs all available printers in the building for the student; however, this creates an unnecessary security risk and would allow students to print to rooms they are not located in, which could cause trouble.
My first instinct for a solution was to install printers based on the Active Directory organizational unit by pushing a machine startup script. This would work perfectly, as our Active Directory is for the most part organized by a computer's physical location in a school. A machine startup script, which can be found in the Group Policy editor under Computer Configuration\Windows Settings\Scripts\Startup, is different from a login script in that it runs on the target machine before a user even logs into the computer. After creating a GPO with my printer installation script set as a startup script, I linked the GPO to a test OU where I began my testing. Unfortunately, this setup didn't seem to want to work. When the computers in the OU would boot up I would receive a message stating that access was denied to add the printer. I knew that the problem was not with permissions accessing the script, because the error it gave me was actually on the 5th line of the script, so I knew it was getting appropriate access to the file. The line it gave me the error on was the actual line that connected to and installed the printer. Sure enough, the “Domain Computers” group was already on the specific printer's ACL, so that wasn't the issue either. I eventually determined that the issue with installing the printer this way was by design in Windows, as printers are typically managed in a user-based context rather than a machine-based one.
After a week or so of more research, I was about to give up when I stumbled upon some Microsoft documentation regarding something called Loopback Processing. In using loopback processing, you define settings in the User Configuration context of the Group Policy editor. After you finish setting these policies, browse to Computer Configuration\Administrative Templates\System\Group Policy and select the policy called “User Group Policy Loopback Processing Mode”. Once you enable this policy you have two modes to choose from. In “Merge” mode, the user configuration policies in the computer-linked GPO are processed as if they were machine policies, AFTER whatever policies already apply have been processed, so they layer on top of them. In “Replace” mode, the policies that would normally apply are not processed, and only the user configuration policies from the computer-linked GPO are executed. With this knowledge in hand I configured my printer installation script as a login script under the Group Policy User Configuration, enabled user loopback processing in Merge mode, and sure enough, it worked like a charm.
A week or so removed from the discovery of loopback processing mode, I have found several other uses for it. I am actually considering changing site-based drive mappings from being mapped via user-defined scripts to being mapped via a Group Policy-invoked script, in order to avoid issues with teachers and faculty who roam among various schools in the district. I am also currently experimenting with extending mandatory user profiles via user loopback processing, so be sure to check back for my findings on that.
For more information regarding loopback processing, see the related Microsoft KB article 231287.
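The provisioning side of the procedure above, as an added example that is not code from the original post: it creates the GPO, stores the loopback mode, links it to the computer OU and applies least-privilege security filtering with the GroupPolicy module (RSAT). The GPO name, OU path and group names are assumed placeholders.

```powershell
# Added example, not code from the original post: provision the loopback GPO the
# article describes with the GroupPolicy module (RSAT). GPO name, OU path and
# group names are assumed placeholders for this demonstration.
Import-Module GroupPolicy

$GpoName  = 'GCHS-MathLab-Printers'                              # assumed
$TargetOu = 'OU=MathLab,OU=Workstations,DC=example,DC=local'     # assumed

# Loopback mode is the UserPolicyMode DWORD under the System policy key:
#   1 = Merge   (the user's own policies apply first, this GPO's user settings on top)
#   2 = Replace (only this GPO's user settings are applied)
$LoopbackKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Per-room printer mapping via loopback (merge)' | Out-Null
}
Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 1 | Out-Null

# Link to the computer OU only. The logon script lives in this GPO's User
# Configuration, so it now follows the machine rather than the user's own OU.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Least-privilege security filtering: the GPO must still apply to the computer
# accounts (that is where the loopback setting itself is read) as well as to the
# user group; dropping Apply from Authenticated Users without re-adding the
# computers is a common reason the loopback user settings silently never apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'GCHS-MathLab-Computers' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null                                 # assumed group
Set-GPPermission -Name $GpoName -TargetName 'GCHS-Students' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null                                 # assumed group

# Read the value back to confirm which mode was stored.
$mode = (Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode').Value
switch ($mode) { 1 { 'Loopback: Merge' } 2 { 'Loopback: Replace' } default { 'Loopback: not set' } }
```

On a client in the OU, `gpresult /r /scope user` after a fresh logon should list the GPO among the applied user policies; if it is missing, check the Apply permission on the computer side first.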
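The user-side logon script the loopback GPO would run, as an added example that is not code from the original post: it looks up the OU of the computer the user logged on to and maps only that room's print queue, removing connections to the other rooms' queues. Printer paths and OU names are constructed placeholders, and the PrintManagement module (Windows 8 / Server 2012 and later) is assumed.

```powershell
# Added example, not code from the original post: logon script run through the
# loopback GPO that maps the print queue for the room the computer sits in, by
# looking up the computer object's parent OU. Paths and OUs are constructed.
Import-Module PrintManagement

# Constructed table: parent OU of the computer object -> that room's print queue.
$RoomPrinters = @{
    'OU=MathLab,OU=Workstations,DC=example,DC=local'     = '\\printsrv\GCHS-MATHLAB'
    'OU=BusinessLab,OU=Workstations,DC=example,DC=local' = '\\printsrv\GCHS-BUSLAB'
}

function Get-ComputerOu {
    param([string]$Name = $env:COMPUTERNAME)
    # Plain LDAP lookup through .NET DirectoryServices, so no RSAT module is needed.
    $searcher = [adsisearcher]"(&(objectClass=computer)(name=$Name))"
    $dn = $searcher.FindOne().Properties['distinguishedname'][0]
    return $dn.Substring($dn.IndexOf(',') + 1)   # drop the leading "CN=<name>,"
}

function Set-RoomPrinter {
    param([string]$Ou, [hashtable]$Table = $RoomPrinters)
    $queue = $Table[$Ou]
    if (-not $queue) { Write-Warning "No printer mapped for OU '$Ou'"; return $null }

    # Remove connections to the other rooms' queues, so a student who logged on
    # in the math lab yesterday does not keep printing there from the business lab.
    Get-Printer |
        Where-Object { $_.Type -eq 'Connection' -and $_.Name -ne $queue -and ($Table.Values -contains $_.Name) } |
        ForEach-Object { Remove-Printer -Name $_.Name }

    if (-not (Get-Printer -Name $queue -ErrorAction SilentlyContinue)) {
        Add-Printer -ConnectionName $queue
    }
    # Default printer is a per-user setting, which is why this runs at logon.
    (New-Object -ComObject WScript.Network).SetDefaultPrinter($queue)
    return $queue
}

Set-RoomPrinter -Ou (Get-ComputerOu)
```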
Hello,
I read your article with interest and YES this describes what I am trying to achieve.
I.e. set printer(s) in room 1 for all users who log on in room 1, room 1 being an OU containing printers, with users existing within an OU called Students.
I would greatly appreciate a blow-by-blow simple example of adding the GPOs, scripts etc. and where to put them.
GPO Newb
Regards, Phil
Phil,
If you will provide me your e-mail address I will type up some directions for you on how to do this step by step.
Hi Chris,
Good article. I've been reading and working on this for a short while and I have an issue regarding the filtering of a looped policy that you may have seen or have an answer for, so I thought I'd run it by you.
I have an OU for Citrix servers, let’s call it “Staff Servers”. On it I have a GPO with a few Computer settings including Loopback Processing. Also in the same GPO I have a small handful of User settings, mostly that control desktop and start menu.
I have an OU for users, let’s call it “Staff Accounts”. On it I have a GPO with a bunch of User settings, less restrictive on the desktop and start menu.
So if I leave the GPO delegation as default, my user hitting his own client gets a fairly free desktop, and hitting a Citrix server gets a much more controlled desktop. All is well. Of course, when an admin such as myself logs into a Citrix server we are also locked down. So I am trying to set up filtering so that staff trigger this looped-back GPO but admins do not. Currently I have “Apply Group Policy” unchecked for Authenticated Users, and I have the Staff group explicitly added with “Apply…”. As near as I can tell, that SHOULD work. And in fact, according to the Group Policy Modeling simulation, it DOES work. But when I actually log in with a staff account the user settings from the server GPO are not applying (which means the server desktop is wide open).
I have read that a better way to do it is to leave Authenticated Users as default (Read and Apply…) but add in an Admin group with Apply Group Policy set to Deny. In fact I tried that first, but it was also unsuccessful. Any ideas?
Ray
Hey Chris,
I work for a K-12 school district and we too have the problem of students printing to other classroom printers when they are not physically there. I would really appreciate it if you could send me some info on how to get students to only print in the classroom they are physically in. All of our students have Active Directory accounts with roaming profiles and home drives. We lock down the desktop really tight and allow them to access the printers and the apps they need. It would be nice if a student would log into a computer in room A12 and get the laser printer for room A12 as the only printer choice, and not all the printers they may have installed, for example the library or C14 printer.
Thanks in advance for your help.
Ozzy
I've been using loopback processing for a few years now and have found it to be flaky – unreliable and sensitive to change. A far better, more stable method is to use scripting to map printers, say. All you need is standardised PC naming to assign printers by room name.
Hi Chris
Thanks for sharing all this useful info. I recently accepted a position as sysadmin at a public school and am being kept on my toes. In the corporate world the problems emanated primarily from outside the organisation. At school it is the exact opposite. I have tried unsuccessfully to solve the printer-per-classroom puzzle you mentioned. I keep getting what appears to be a permissions problem. I am going to try loopback processing, but would you be kind enough to send me the detailed instructions mentioned in a previous message?
Rgds
Tim
I too work at a school and would love to get some detailed instructions about how to apply a policy to a lab of computers, not users. Currently I have created an OU for the lab computers, moved them into that OU, created a group and made the computers members of that group. Then I used GPMC to create a new policy applied to that OU. I have tried the loopback method but can't get the printer to populate the computer's Printers. I can run the script successfully locally but can't get it to run from a GPO startup script.
Clifton
This is one of the best websites for IT information.
Try this, has worked for me for ages.
You just need to name your computers in a consistent manner, e.g. all computers in Lab 1 are named \\lab1-001
Option Explicit
Dim RegEntry, ComputerName

' Read the machine name from the registry (the value is ComputerName under the
' ComputerName\ComputerName key)
RegEntry = "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName"
ComputerName = ReadRegValue(RegEntry)

' Server queues
' Lab room PCs print to the lab room printer
If InStr(1, UCase(ComputerName), "lab1", vbTextCompare) > 0 Then Call SetPrinter("\\server\printer")
' OR a local printer
If InStr(1, UCase(ComputerName), "thisComputerName", vbTextCompare) > 0 Then Call SetPrinter("local_printer_name")
'WScript.Quit

' *** This subroutine installs the printer and sets it as the default
Sub SetPrinter(ByVal PrinterPath)
    On Error Resume Next
    Dim WshNetwork
    Set WshNetwork = CreateObject("WScript.Network")
    WshNetwork.AddWindowsPrinterConnection PrinterPath
    WshNetwork.SetDefaultPrinter PrinterPath
End Sub

' **** This function returns the data in the registry value
Function ReadRegValue(ByVal RegValue)
    Dim WSHShell
    Set WSHShell = WScript.CreateObject("WScript.Shell")
    ReadRegValue = ""
    ' Return an empty string instead of failing if the value does not exist
    On Error Resume Next
    ReadRegValue = WSHShell.RegRead(RegValue)
End Function
Hi chris,
I've been looking at using this method for setting the default printer on a per-machine basis, but when I enable loopback mode it restricts the administrative rights to the Domain Users rights. I can no longer access Control Panel and Display Properties etc. with an admin account.
Hey Chris,
I work for a K-12 school district in WV and we too have the problem of students printing to other classroom printers when they are not physically there. I would really appreciate it if you could send me some info on how to get students to only print in the classroom they are physically in. All of our students have Active Directory accounts and home drives. We lock down the desktop really tight and allow them to access the printers and the apps they need. It would be nice if a student would log into a computer in room 615 and get the laser printer for room 615 as the only printer choice.
Chris,
This is great, and exactly what we WERE doing. We found that teachers and staff in all of our 17 schools were relocating workstations at least once per year (10-20 changes per year) and that even network printers were being relocated. This obviously causes an issue with Group Policy and with the Active Directory inventory having to stay up to date (wrong printers installed through the network).
Any suggestions on this situation? Have you run into this yet?
Please email me and we can discuss this issue in depth if you like.
Great article!!!!
I'm studying for the MCSE certification, and only from this example did I finally understand the point of loopback processing.
Hi Chris:
Hi, I'm not sure if somebody will read this post again, but I'll take my chance to tell my story.
I'm going crazy with the following:
I have different GPOs for computers and one GPO for users.
I have one group of users.
I have different groups of computers.
I can't create another user group.
The users GPO is used only to install printers and some desktop design.
The computers GPOs are used for my different groups of computers (PC1, PC2, PC3...).
On these GPOs (for computers) the User Configuration section is disabled.
But I want to hide the 'C' drive and 'Hide the Favorites menu' on one computer group (one kind of computer), let it be PC1. How could I realise this??? Since we know that those configurations exist only under User Configuration, under Administrative Templates:
(User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus)
I can't enable the User Configuration and allow the Authenticated Users to apply this GPO (to apply the User Configuration section), because all Authenticated Users are going to apply my PC1 computer GPO (the Computer Configuration section) on the PC2 and PC3 and PC4 computers...!! And I don't want that to happen!
To summarize the problem: how could we apply the User Configuration section of the GPO on just one kind of computer?
Thanks for your help.