Premkumar Yogeswaran's Blog

Active Directory | PowerShell | DNS | DHCP | Exchange Server | VM Ware

Archive for September, 2013

Loopback processing of Group Policy, explained

Posted by Premkumar Yogeswaran on September 19, 2013

Hi guys,

Today I want to write a few words about Loopback processing of Group Policy. When you deal with this setting for the first time it can be a little confusing. There are plenty of explanations of this policy setting on the internet, but here I will try to explain everything in simple words.

As we know, Group Policy has two main sections, Computer Configuration and User Configuration. The Computer Configuration of a GPO is applied to the computer regardless of which user logs on, and the User Configuration is applied to the user regardless of which computer he logs on to.
For example, we have a domain with two organizational units (OUs), Green and Red. Green contains a computer account and Red contains a user account. The Green policy, which has the settings “Computer Configuration 2” and “User Configuration 2”, is linked to the OU with the computer account. The Red policy, which has the settings “Computer Configuration 1” and “User Configuration 1”, is linked to the OU with the user account. If you have a look at the picture below it will become clearer.

If Loopback processing of Group Policy is not enabled and our user logs on to our computer, the following is true:

As we can see from the picture, the user gets Computer Configuration 2 and User Configuration 1. This is the standard situation, where policies are applied according to OU membership: the user belongs to the Red OU, so he gets User Configuration 1 from the Red policy. User Configuration 2 from the Green policy is ignored, because no user object sits under the Green OU.

Now let’s enable Loopback processing of Group Policy in the Green policy (it is a computer setting, so it is configured in the GPO that the computer applies). If the user now logs on to the computer, the policies are applied in the following way:

As we can see, the user now gets User Configuration 2 even though he belongs to the Red OU. What has happened is that User Configuration 1 was replaced with User Configuration 2, i.e. with the user settings of the policy applied to the computer account.

As you have probably noticed, the picture above says “Loopback in replace mode”. I have to mention that Loopback processing of Group Policy has two different modes, Replace and Merge. Replace mode discards the user’s own list of GPOs and applies only the user settings of the GPOs that apply to the computer, whereas Merge mode applies both: the user’s own GPOs first, then the user settings of the computer’s GPOs on top.

In Merge mode, if there is a conflict, for example two policies set different values for the same setting, the computer’s policy wins, because its user settings are processed last. In our scenario, for the conflicting setting User Configuration 2 would be enforced, while settings defined only in User Configuration 1 are kept.

In a real working environment Loopback processing of Group Policy is most often used on Terminal Servers (Remote Desktop Session Hosts). For example, your users have Folder Redirection enabled, but you do not want Folder Redirection to apply when they log on to the Terminal Server. In this case you enable Loopback processing in Replace mode in the policy linked to the OU with the Terminal Server’s computer account and do not configure Folder Redirection there. Once a user logs on to the Terminal Server, his Folder Redirection policy is not applied. Two things to check when it does not work as expected: the setting lives under Computer Configuration > Policies > Administrative Templates > System > Group Policy and is called “User Group Policy loopback processing mode” (in newer templates “Configure user Group Policy loopback processing mode”), so it has to be in a GPO that the computer actually applies; and the users must still have Read and Apply Group Policy permission on the GPO whose user settings you want them to receive, so do not security-filter that GPO to computer accounts only.
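As an added example (this is not code from the original post), the Terminal Server scenario above done from the GroupPolicy module on a domain controller: create a GPO, link it to the Terminal Servers OU, switch on Loopback in Replace mode, make sure the users can apply it, and then check what was written and what a test user actually receives. The domain contoso.com, the OU, the GPO name, the group “TS Users”, the server ts01 and the user testuser are all hypothetical.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy RSAT module,
# a domain contoso.com, an OU "Terminal Servers", and that the GPO name is unused.
# The OU, GPO, group, server and user names below are hypothetical.
Import-Module GroupPolicy

$GpoName = 'TS Loopback'
$OuDn    = 'OU=Terminal Servers,DC=contoso,DC=com'

# 1. Create the GPO and link it to the OU that holds the Terminal Server computer accounts.
#    Loopback is a Computer Configuration setting, so it must be in a GPO the computer applies.
New-GPO -Name $GpoName -Comment 'Loopback processing (Replace) for Terminal Servers' | Out-Null
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null

# 2. Enable loopback. The administrative template writes this DWORD:
#    1 = Merge, 2 = Replace. Disabling the policy removes the value.
$key = 'HKLM\Software\Policies\Microsoft\Windows\System'
$ReplaceMode = 2
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode' `
    -Type DWord -Value $ReplaceMode | Out-Null

# 3. The users whose user settings get replaced must be able to read AND apply this GPO.
#    If you security-filter it to the Terminal Server computers, add the users' group too.
Set-GPPermission -Name $GpoName -TargetName 'TS Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Check what the GPO now contains.
Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode' |
    Select-Object ValueName, Type, Value

# 5. After "gpupdate /force" on the Terminal Server and one test logon, pull an RSoP
#    report to see which GPO won for the user settings (logging mode needs WMI access
#    to ts01, and testuser must have logged on there at least once).
$report = Join-Path $env:TEMP 'ts01-rsop.html'
Get-GPResultantSetOfPolicy -Computer 'ts01' -User 'contoso\testuser' `
    -ReportType Html -Path $report
Write-Host "RSoP report written to $report"
```

For Merge mode set $ReplaceMode to 1. The report in step 5 lists, under User Settings, the GPOs that were applied and the ones denied and why; a user whose GPO shows “Access denied (security filtering)” is exactly the permission problem from step 3.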

Thank you!

Posted in Active Directory

Bulk Adding Entries in DNS

Posted by Premkumar Yogeswaran on September 4, 2013

The format of the dnscmd.exe tool to add a record in DNS is:

dnscmd <server> /RecordAdd <zone> <node> <RR type> <RR data>

To create a host (A) record named host1 in the zone contoso.com pointing at 10.0.0.10 (an illustrative zone and address), the actual command looks like this:

dnscmd . /RecordAdd contoso.com host1 A 10.0.0.10

The “.” here refers to the local server; it can easily be substituted with the IP address or hostname of a remote DNS server. The zone name is required: dnscmd does not infer it from the host name.

Using some of the same techniques as before, combining dnscmd.exe with the “for” batch command allows us to do something like this (typed at the command prompt; inside a .bat or .cmd file, double the percent signs, i.e. %%i and %%j):

for /f "tokens=1,2" %i in (newhosts.txt) do @dnscmd . /RecordAdd contoso.com %i A %j

This assumes that the “newhosts.txt” file contains one host per line, hostname first and then its IP address, separated by a space, something like this:


Here’s a small twist, though: what if your list isn’t space delimited, but comma delimited? No problem, just adjust your command accordingly:

for /f "tokens=1,2 delims=," %i in (newhosts.txt) do @dnscmd . /RecordAdd contoso.com %i A %j

The “delims=,” parameter tells the “for” command to use a comma as the delimiter, allowing us to use comma-separated input.

With this command, we can now pretty easily add large numbers of hosts to a DNS zone. To verify the result, list the zone afterwards with dnscmd . /ZonePrint contoso.com, or query a single name with dnscmd . /EnumRecords contoso.com host1. Note that dnscmd happily adds a second A record for a name that already exists, so run the list against a clean input file or check for duplicates first.
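The same bulk load, as an added example that is not part of the original post, using the DnsServer PowerShell module (Windows Server 2012 and later) instead of dnscmd. It goes a little beyond the batch loop above: it validates each name and address before touching the server, skips records that already exist, and creates the matching PTR record when a reverse zone exists. The zone contoso.com, the local server, the CSV column names and the sample hosts are all assumptions; the input file is constructed inline so the script runs on its own.

```powershell
# Added example, not from the original post. Assumes the DnsServer module, that the
# script runs on (or can reach) the DNS server, and a CSV with Name,IPAddress columns.
# Zone, server and host values are hypothetical.
Import-Module DnsServer

$Zone      = 'contoso.com'
$DnsServer = 'localhost'

# Constructed sample input (two good rows, one bad label, one bad address).
# Replace with your real newhosts.csv.
$csvPath = Join-Path $env:TEMP 'newhosts.csv'
@'
Name,IPAddress
host1,10.0.0.11
host2,10.0.0.12
bad host,10.0.0.13
host4,10.0.0.999
'@ | Set-Content -Path $csvPath

# A single DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
$labelRegex = '^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$'

foreach ($row in Import-Csv -Path $csvPath) {
    $name = $row.Name.Trim()
    $ip   = $row.IPAddress.Trim()

    # Reject bad input before it reaches the server; the cmdlet would fail too,
    # but late and with a less useful message.
    if ($name -notmatch $labelRegex) {
        Write-Warning "Skipping '$name': not a valid DNS label"
        continue
    }
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
        $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        Write-Warning "Skipping '$name': '$ip' is not an IPv4 address"
        continue
    }

    # Idempotency: unlike dnscmd, do not add a duplicate A record for name+IP.
    $existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
        -Name $name -RRType A -ErrorAction SilentlyContinue
    if ($existing | Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $ip }) {
        Write-Host "$name -> $ip already exists, skipping"
        continue
    }

    # -CreatePtr also writes the reverse record if a matching reverse zone exists.
    Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone `
        -Name $name -IPv4Address $ip -CreatePtr -TimeToLive (New-TimeSpan -Hours 1)
    Write-Host "Added $name.$Zone -> $ip"
}

# Check: show the A records the zone now holds for the names in the input file.
$wanted = (Import-Csv -Path $csvPath).Name
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -in $wanted } |
    Format-Table HostName, RecordType, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
```

Running it twice is safe: the second pass reports every good row as already existing and adds nothing, which is the behaviour you want when a half-finished import has to be re-run.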

Posted in Active Directory