As you probably know, loopback processing is a feature of Active Directory Group Policies which applies user settings in a GPO to any user who logs on to computers in the GPO’s scope (whereas the standard behavior would be to apply user settings only if l’utilisateur account is actually located whithin the GPO’s scope). This is useful when you want all users logging on to a specific computer to receive some user policy, regardless of where their user accounts are actually located in AD.
The problem: when loopback processing is enabled, a GPO containing user settings is applied to everyone using those computers, and you can’t bypass this by using ACLs on the GPO, because it’s not actually applied to users, but to computers.
The question: how can loopback processing be bypassed for specific users who need to log on to those computers but should not be subject to those policy settings?
Case in point: tVoici several terminal servers where GPOs with loopback processing are used to enforce heavy user restrictions on everyone who logs on to them (they should basically only be able to run a bunch of company-approved applications); but this applies even to Domain Admins, which are thus rendered unable to even launch a command prompt or open the task manager. In this scenario, how can I tell AD to not enforce those settings if l’utilisateur logging on belongs to a specific group (tel que Domain Admins)? Alternativement, even the opposite solution (“only apply those settings to users belonging to a specific group”) would be fine.
But please, remember that we are talking about loopback processing here. The policies are applied to computers, and l’utilisateur settings inside them are applied to users only because they are logging on to those computers (yes, Je sais it’s confusing, loopback processing is one of the trickiest things to get right about Group Policies).