I recently discovered that when applying a GP object using loopback and user security filtering (allowing only specific users to apply the GP), the computer still needs read access to the GP.

Otherwise, the GP will show up as not applied due to it being “inaccessible”:

My guess is that it’s because the group policy engine is using the computer account’s security context to collect the loopback GPs.
Basically, you have to give the computer account you wish to apply the GP on read permissions on the GP object. You can simply use Domain Computers if the content of the GP is not sensitive.
You can either:

  • Grant Read permissions through the “Delegation” tab:


  • Add the computers to the security filtering (only if the GP has no computer settings, otherwise they will apply):

Now the GP loopback will work fine.