1
00:00:03,070 --> 00:00:08,950
So as we start this module, I'm going to be looking at an interesting scenario, which is the deployment

2
00:00:08,950 --> 00:00:12,970
of kiosks and remote desktop services or VDI installations.

3
00:00:13,880 --> 00:00:17,330
And how group policy can play in that kind of an environment.

4
00:00:18,350 --> 00:00:23,900
So what I want to talk about is the challenges around these particular sorts of configurations.

5
00:00:24,930 --> 00:00:29,190
For example, kiosks are usually highly locked down.

6
00:00:30,150 --> 00:00:34,380
They are, you know, running a specific application or serving a specific use.

7
00:00:34,380 --> 00:00:39,960
Like, for example, you might have a computer running Windows in a public area, like a library or

8
00:00:39,960 --> 00:00:41,940
an airport or someplace like that.

9
00:00:42,880 --> 00:00:46,060
And you want to give access to a particular application.

10
00:00:46,270 --> 00:00:50,410
Maybe it's to print your boarding pass or to do some specific activity.

11
00:00:51,390 --> 00:00:55,830
So you want to give the user as little access to the system as possible.

12
00:00:56,790 --> 00:01:00,360
You want to give them access to maybe a single application.

13
00:01:01,260 --> 00:01:06,750
And, you know, having that kind of highly locked down configuration is something that, of course,

14
00:01:06,780 --> 00:01:08,700
group policy specializes in.

15
00:01:09,580 --> 00:01:15,820
And kiosk mode in particular, or kiosks in particular, are a place where group policy can really help

16
00:01:15,820 --> 00:01:16,150
out.
17
00:01:17,160 --> 00:01:23,040
The other scenario where we see a lot of this kind of activity is in remote desktop server implementations

18
00:01:23,040 --> 00:01:29,460
or Citrix XenApp or even VDI systems, where they're often systems, especially remote desktop servers,

19
00:01:29,640 --> 00:01:35,850
that are being logged into by multiple users, often at the same time, running particular applications.

20
00:01:36,840 --> 00:01:38,100
It could be Office.

21
00:01:38,100 --> 00:01:39,510
It could be the browser.

22
00:01:40,520 --> 00:01:46,430
It could be any number of applications, and they're really all sharing a single OS in the case of remote

23
00:01:46,430 --> 00:01:48,830
desktop servers or Citrix XenApp.

24
00:01:49,800 --> 00:01:55,380
In the case of VDI, it's really more about sharing a single infrastructure, whether it be computer,

25
00:01:55,410 --> 00:02:00,690
hard disk and memory, and you want those users to behave across all those VDI systems.

26
00:02:01,640 --> 00:02:07,400
And what behave means is to perform activities in Windows that don't impact other people on that same

27
00:02:07,400 --> 00:02:08,600
shared infrastructure.

28
00:02:09,590 --> 00:02:15,680
And you know, the other aspect of this is that they may only log into these XenApp servers or these

29
00:02:15,680 --> 00:02:20,480
VDI servers periodically, so they may not actually be their primary machines.

30
00:02:21,450 --> 00:02:26,850
They may be logging in when they're remote from the office or, you know, over a VPN or just for a

31
00:02:26,850 --> 00:02:28,380
particular application

32
00:02:28,380 --> 00:02:29,970
that they need to get access to.

33
00:02:30,870 --> 00:02:36,690
So these kinds of sort of special use scenarios are another area where a particular aspect of group

34
00:02:36,690 --> 00:02:40,680
policy can be really helpful, and that's called loopback processing.
35
00:02:41,580 --> 00:02:47,100
And all of these scenarios really have one thing in common, which is that the user's normal experience

36
00:02:47,100 --> 00:02:51,690
when they're logging into their Windows system is different depending upon the computer that they're

37
00:02:51,690 --> 00:02:52,620
logging into.

38
00:02:53,550 --> 00:02:59,910
So if I'm on my regular desktop and I go log into a kiosk machine, my experience has to be different

39
00:02:59,910 --> 00:03:01,380
on that kiosk machine.

40
00:03:02,310 --> 00:03:08,850
And similarly, if I'm logged into my regular desktop and I log into a remote desktop server or a XenApp

41
00:03:08,850 --> 00:03:14,550
server or a VDI system, again, my user experience is likely to need to be different.

42
00:03:15,520 --> 00:03:19,390
And this is where the so-called loopback processing comes into play.

43
00:03:19,570 --> 00:03:22,360
And it's a special mode of group policy processing.

44
00:03:23,320 --> 00:03:25,090
So what is loopback?

45
00:03:26,080 --> 00:03:28,420
Well, it can be really confusing.

46
00:03:29,330 --> 00:03:35,270
Whenever I try to explain it to folks, it's always a challenge to get the idea across the first time.

47
00:03:36,230 --> 00:03:41,210
So I encourage you to look at this section again and again, and I'll have some demos that'll show you

48
00:03:41,210 --> 00:03:42,380
sort of how it works.

49
00:03:43,390 --> 00:03:49,090
But the idea is it's meant to solve this problem that you need to deliver different group policy settings

50
00:03:49,090 --> 00:03:52,360
to the user depending on which machine they log into.

51
00:03:53,250 --> 00:03:56,940
And really it's about categorising these special role machines,

52
00:03:57,920 --> 00:04:03,830
these special types of machines like kiosks or remote desktop terminal services, as loopback enabled

53
00:04:03,830 --> 00:04:04,520
machines.
54
00:04:05,470 --> 00:04:10,360
And when they're loopback enabled, the user, when they log into that machine, is going to get

55
00:04:10,360 --> 00:04:15,460
a different set of user-based group policy settings than they would get from a normal system that they're

56
00:04:15,460 --> 00:04:16,330
logged into.

57
00:04:17,250 --> 00:04:21,120
So let's just kind of look at this graphically, how this works.

58
00:04:22,130 --> 00:04:26,870
So on the left-hand side, we've got the user in blue on their regular PC.

59
00:04:27,820 --> 00:04:33,220
That little cog indicates their normal user settings that they get from the GPOs that are linked to

60
00:04:33,220 --> 00:04:34,690
their user account in AD.

61
00:04:35,980 --> 00:04:40,540
And their computer gets those GPOs that are linked to the computer account in AD.

62
00:04:41,880 --> 00:04:47,250
Now let's say this user goes and logs into this computer on the right, this green computer.

63
00:04:48,210 --> 00:04:50,700
And this is a PC with loopback enabled.

64
00:04:50,850 --> 00:04:52,200
Maybe it's a kiosk.

65
00:04:53,110 --> 00:04:56,870
And it's getting its own set of computer and user GPOs.

66
00:04:57,840 --> 00:05:03,000
And what happens in loopback mode is that the user then gets the settings that are specific for this

67
00:05:03,000 --> 00:05:06,900
computer and user in that loopback state, or on that kiosk machine.

68
00:05:07,870 --> 00:05:10,960
So the user's no longer getting their blue settings.

69
00:05:11,930 --> 00:05:17,210
They're getting the green settings that have been delivered by the GPOs that are linked to the computer.

70
00:05:18,220 --> 00:05:23,500
So this kind of goes against all the previous discussions we've had about, you know, GPOs with

71
00:05:23,500 --> 00:05:28,630
settings that are the computer settings linked to the computer object and user settings linked to the

72
00:05:28,630 --> 00:05:29,560
user object.
73
00:05:30,540 --> 00:05:34,080
In the case of loopback, that's sort of turned on its head.

74
00:05:35,010 --> 00:05:39,090
And you can have user settings that apply to a computer that's in loopback mode.

75
00:05:39,090 --> 00:05:44,040
And anyone that logs into that computer that's in loopback mode will get those user settings.

76
00:05:45,070 --> 00:05:47,050
So how do you enable this?

77
00:05:48,030 --> 00:05:53,700
Well, it's enabled on a per-computer basis, and you just basically need to flip a switch on an admin

78
00:05:53,700 --> 00:05:57,360
template setting on a computer that you want to enable loopback for.

79
00:05:58,330 --> 00:06:01,630
And it's this policy area here under group policy.

80
00:06:01,720 --> 00:06:04,360
Configure user loopback processing mode.

81
00:06:05,310 --> 00:06:07,830
There are really two modes that loopback supports.

82
00:06:08,010 --> 00:06:11,280
One is called merge mode and the other is called replace mode.

83
00:06:12,270 --> 00:06:18,510
Merge mode is where the user's regular policy settings, the ones their regular user account gets,

84
00:06:18,510 --> 00:06:22,890
are processed first when the user logs on to a kiosk or a loopback system.

85
00:06:23,780 --> 00:06:27,920
And then the user settings that apply to the loopback computer are processed

86
00:06:27,920 --> 00:06:28,460
second.

87
00:06:29,450 --> 00:06:34,580
So you end up getting two sets of user policy on this kiosk or loopback system.

88
00:06:35,510 --> 00:06:41,720
Now replace mode is where user settings that apply to the loopback computer are processed first and

89
00:06:41,720 --> 00:06:44,510
the user's regular settings are completely ignored.

90
00:06:45,500 --> 00:06:52,340
So basically these kiosk or loopback user settings absolutely override, or apply in place of, the

91
00:06:52,340 --> 00:06:54,170
user's regular user settings.
92
00:06:55,190 --> 00:07:00,650
So let's get in and kind of dig into this a little bit and show you how this loopback processing is

93
00:07:00,650 --> 00:07:01,310
configured.

94
00:07:01,550 --> 00:07:03,650
And then we'll dive into some examples.