Group Policy Loopback: Merge not working on Windows 7 / Server 2008 R2

I guess I wasn’t paying attention. It’s now November 2012, and I’m just now realizing that Group Policy Loopback, with Merge selected, no longer works as I’d expect on Windows 7 and Server 2008 R2.

It used to work like this:

Replace mode discards the user’s own GPO list and applies ONLY the user settings from the GPOs that apply to the computer, that is, the GPOs linked to the OU holding the loopback policy (and its parents). This still works as expected on 2008 R2 / Win7.

Merge mode keeps the user’s own GPO list and ADDS the user settings from the computer’s GPO list on top of it; because the computer’s GPOs are processed last, their settings override any conflicting settings the user already had, effectively merging the two lists. This is what no longer works as expected.

Here is what I’ve found:

Microsoft published this KB, 953786, which says that the computer accounts now need an entry in the ACL of the GPO allowing them to read the settings of said GPO. (The default GPO ACL already grants Authenticated Users Read and Apply, and computer accounts are Authenticated Users, so this bites mainly on GPOs where security filtering has replaced Authenticated Users with specific user groups.) What I’ve done to make this easier for myself is add the “Domain Computers” Active Directory group to any GPO which contains the user settings that I wish to apply via loopback merge. Grant it Read only, not Apply Group Policy: Apply would push any computer settings in that GPO to every computer in the domain.

In my testing, this added ACL entry has solved the issue, and allowed it to work as I expected, which is the way that 2003/xp behaved.
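The following script is an added example, not code from the original post: it walks the GPOs linked to the OU that carries the loopback policy, checks whether computer accounts can read each one that still has its user settings enabled, and grants Read (never Apply) to Domain Computers where that is missing. It assumes the GroupPolicy RSAT module is installed and that you run it as an account allowed to edit GPO security; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the original post). Make every user-settings GPO linked to an OU
# readable by computer accounts so loopback merge on Windows 7 / Server 2008 R2 can pick
# the user settings up. Assumes the GroupPolicy RSAT module; the OU below is hypothetical.
Import-Module GroupPolicy

$TargetOu    = "OU=Terminal Servers,DC=example,DC=com"   # hypothetical OU with the loopback policy linked
$ReaderGroup = "Domain Computers"                       # group that must be able to read the GPOs

# Permission levels that already include Read on the GPO.
$ReadOrHigher = @("GpoRead", "GpoApply", "GpoEdit", "GpoEditDeleteModifySecurity")

function Test-GpoReadableByGroup {
    param([string]$GpoName, [string]$GroupName)
    # True when the group, or Authenticated Users (which covers computer accounts),
    # holds a non-denied Read-or-better entry on the GPO.
    foreach ($entry in (Get-GPPermission -Name $GpoName -All)) {
        if ($entry.Denied) { continue }
        $trustee = $entry.Trustee.Name
        if (($trustee -eq $GroupName -or $trustee -eq "Authenticated Users") -and
            ($ReadOrHigher -contains $entry.Permission.ToString())) {
            return $true
        }
    }
    return $false
}

foreach ($link in (Get-GPInheritance -Target $TargetOu).GpoLinks) {
    $gpo = Get-GPO -Guid $link.GpoId

    # Loopback only cares about user settings; skip GPOs whose user half is disabled.
    if ($gpo.GpoStatus -in @("UserSettingsDisabled", "AllSettingsDisabled")) {
        Write-Host "SKIP    $($gpo.DisplayName) (user settings disabled)"
        continue
    }

    if (Test-GpoReadableByGroup -GpoName $gpo.DisplayName -GroupName $ReaderGroup) {
        Write-Host "OK      $($gpo.DisplayName)"
    } else {
        Write-Host "FIXING  $($gpo.DisplayName): granting Read (not Apply) to $ReaderGroup"
        # GpoRead only. GpoApply would apply any computer settings in this GPO to every
        # computer in the domain, which is not what loopback merge needs.
        Set-GPPermission -Name $gpo.DisplayName -TargetName $ReaderGroup `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
    }
}
```

Two things to keep in mind when using it. In merge mode the computer’s GPO list also includes GPOs linked at the site, domain and parent OUs, so run it against each link target whose user settings you expect to merge in, not just the loopback OU. And to confirm the fix from a client, log on as a test user and run `gpresult /scope user /r`: the GPO should now appear under the applied GPOs rather than among the ones that were filtered out.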
