Windows AD: Is loopback processing absolutely necessary in order to apply a user policy to users logging into computers in the OU

It sounds to me like your clients aren't using your DCs as their DNS servers. You should make sure that your DCs are indeed running DNS for your AD zone and that your clients are configured to use them.

If there was a change in your config, the old policies will still apply since they're cached on the clients, but they won't be able to update or check for new policy. If you're using DHCP, make sure that it's set to configure clients to use the proper DNS servers.

I took a different approach to this, figuring the only way to do it with this approach is to utilise the OU's in one way or another.

This is what I did instead:

• Security Filter the GPO based on the target USERS rather than the single target COMPUTER. In this case my only security filter was Domain Users
• I created a WMI filter to match the computer name of the server I am targeting: Select * from Win32_ComputerSystem where Name like "SERVERX%"

The result is that the policy is mapped to all computers that the Domain Users log in to, however it will get denied due to the WMI filter unless the name of the computer is ServerX

Basically it seems the loopback processing mode must have the users logging onto the specified computer having the 'apply this policy' delegation privilege to that policy, otherwise we get the denied error based on security filtering.

It all comes down to using this form of structure:

• Filter computers using OU structure, then users using Security Filtering

However if the GPO is linked higher up in the hierarchy (rather than to the most specific OU which contains ONLY the affected computers) then extra filtering is needed to filter out all the exclusion computers. And I do this above via WMI filters.