This article discusses loopback processing changes in Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
When you configure a computer that is running a version of Windows that was released before Windows Vista and Windows Server 2008 for User Group Policy Loopback processing, the permissions for the computer account on the user-related Group Policy Object do not matter. In this situation, Read and Apply permissions are sufficient to successfully apply the Group Policy Object.
Starting in Windows Vista and Windows Server 2008, this behavior changed.
Consider the following scenarios:
- A computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2 is configured for User Group Policy Loopback processing in Merge mode.
The GP service reads the GPO information in the context of the machine. In this scenario, the computer account must have at least Read permission to the Group Policy Object that contains the user settings, and a user should have at least Read and Apply permission in order to successfully apply the policy.
- A computer that is running a version of Windows that was released before Windows Vista and Windows Server 2008 is configured for User Group Policy Loopback processing in Replace mode.
In this case, the GP service impersonates the user. Therefore, only the user needs access to the GPO. In order to successfully apply a policy, a user should have at least the Read and Apply permission.
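
One way to check the Merge mode requirement described above before turning on loopback processing. This is an added example, not part of the original article. It uses `Get-GPPermission` from the GroupPolicy module; the function name `Test-LoopbackGpoAccess`, the default trustee lists and the GPO name in the usage comment are assumptions to adapt to your domain.

```powershell
# Added example: requires the GroupPolicy module (GPMC / RSAT) and a domain-joined host.
Import-Module GroupPolicy

function Test-LoopbackGpoAccess {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        # Trustees through which the computer account can obtain Read (assumed defaults).
        # Add the computer itself (for example 'PC01$') or a group it belongs to.
        [string[]] $ComputerTrustees = @('Authenticated Users', 'Domain Computers'),
        # Trustees through which the user obtains Read and Apply (assumed defaults).
        [string[]] $UserTrustees = @('Authenticated Users')
    )

    # Permission levels that include Read on the GPO.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    # All non-deny entries on the GPO that holds the user settings.
    $entries = @(Get-GPPermission -Name $GpoName -All | Where-Object { -not $_.Denied })

    $computerEntries = @($entries | Where-Object { $ComputerTrustees -contains $_.Trustee.Name })
    $userEntries     = @($entries | Where-Object { $UserTrustees -contains $_.Trustee.Name })

    [pscustomobject]@{
        Gpo             = $GpoName
        # Merge mode: the GP service reads the GPO in the machine context.
        ComputerCanRead = [bool]($computerEntries |
            Where-Object { $readLevels -contains "$($_.Permission)" })
        # The user still needs Read and Apply.
        UserCanApply    = [bool]($userEntries |
            Where-Object { "$($_.Permission)" -eq 'GpoApply' })
        # Custom ACEs cannot be classified from the permission level alone.
        ReviewManually  = @($entries |
            Where-Object { "$($_.Permission)" -eq 'GpoCustom' } |
            ForEach-Object { $_.Trustee.Name })
    }
}

# Usage (hypothetical GPO name):
# Test-LoopbackGpoAccess -GpoName 'Kiosk User Settings' -ComputerTrustees 'Domain Computers', 'PC01$'
```

The check matches trustees by name only and does not resolve nested group membership, so a `ComputerCanRead` value of `False` means none of the listed trustees grants Read, not that the computer is necessarily blocked.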