Question (Keeran Networks):
Disable My Documents Redirection GPO on Windows Vista Laptops

We have a client running Windows 2003 Small Business Server Standard Edition.  Some workstations/laptops are Windows XP Professional and others Windows Vista.  All My Documents folders redirect to the user's home share on the SBS via a GPO.

When the laptops (XP/Vista) leave the network, they run slow and cannot access any of their files.  We tried using Microsoft Offline Sync but it was very touch-and-go.  How can you prevent the laptops (XP/Vista) from redirecting their My Documents folders?  If we can leave their My Documents with the default path, we can use SyncToy or FolderShare to sync it with their home folder.
Tags: Laptops/Notebooks, SBS, Windows Vista

NoEvil:

There are multiple options.
1. You can always limit the scope of the GPO to a security group that contains only desktops.
Create a group called Desktops.
On the GPO under Scope, "Settings in this GPO can apply to the following groups, users, and computers":
Remove Authenticated Users.
Add the group called Desktops that contains all desktops.
2. Create 2 OUs, one for desktops and one for laptops.
Apply the GPO to an OU that contains only desktops (assuming the users are in a different OU, loopback processing will be needed).
If this is the case, loopback is under:
Computer Configuration\Administrative Templates\System\Group Policy
Set "User Group Policy loopback processing mode" to Merge. This will ensure that the GPO that only applies to the computer object in AD, based on the OU link, is added to the list of GPOs applied to the user when logging in to that specific computer.
3. A WMI filter for the GPO that makes it only apply to desktops. I wouldn't use this; it is too difficult to determine if a computer has a battery (laptop) because there are so many different locations in WMI and multiple chassis types, and every vendor has settings in different spaces. It's too hard to manage from model to model. If you did use this you probably won't have 100% coverage when trying to ensure laptops don't use folder redirection. I have had way too many problems with this in the past. I personally create 2 different OUs for desktops and laptops.

Hope this gives you a starting point.
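Whichever of the three options you pick, you still need a reliable list of which machines are laptops, and option 3 depends on exactly the WMI data the answer warns about. The script below is an added example (not from the thread or from Microsoft) that queries the two WMI classes a WMI filter would use, reports a verdict per machine, and prints the WQL strings you would paste into a GPMC WMI filter. It assumes you run it as a domain admin with WMI/RPC reachable on the clients; the computer names are constructed placeholders.

```powershell
# Added example: classify computers as Laptop / Desktop from the same WMI data a GPO
# WMI filter would query, so the result can drive OU or security-group membership.
# Assumptions: run as a domain admin, WMI/RPC reachable; $Computers is a constructed sample.

# Win32_SystemEnclosure.ChassisTypes values that indicate a portable system:
# 8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable
$PortableChassis = @(8, 9, 10, 14, 30, 31, 32)

function Test-IsLaptop {
    param([string]$ComputerName)

    $info = @{ Computer = $ComputerName; Chassis = ''; Battery = $false; Verdict = 'Unknown' }
    try {
        $enc = Get-WmiObject -Class Win32_SystemEnclosure -ComputerName $ComputerName -ErrorAction Stop
        $info.Chassis = ($enc.ChassisTypes | ForEach-Object { $_ }) -join ','

        # Second signal: a Win32_Battery instance exists on nearly every laptop.
        $bat = Get-WmiObject -Class Win32_Battery -ComputerName $ComputerName -ErrorAction Stop
        $info.Battery = [bool]$bat

        $chassisIsPortable = @($enc.ChassisTypes | Where-Object { $PortableChassis -contains $_ }).Count -gt 0
        if ($chassisIsPortable -or $info.Battery) { $info.Verdict = 'Laptop' } else { $info.Verdict = 'Desktop' }
    } catch {
        # Unreachable host or WMI access denied: report it rather than guess.
        $info.Verdict = 'Unknown (' + $_.Exception.Message + ')'
    }
    New-Object PSObject -Property $info | Select-Object Computer, Chassis, Battery, Verdict
}

# WQL for a GPMC WMI filter (namespace root\CIMv2). Each query is a single signal:
#  - Win32_Battery matches nearly every laptop, but a desktop on a USB UPS can expose one too.
#  - PCSystemType = 2 (Mobile) is only populated on Vista and later, so it says nothing
#    about the XP machines in this environment.
$WqlBattery    = 'SELECT * FROM Win32_Battery'
$WqlSystemType = 'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2'

# Constructed sample list; in practice feed it from AD (dsquery computer, or Get-ADComputer).
$Computers = @('DESKTOP01', 'GORD-LG')
$Computers | ForEach-Object { Test-IsLaptop -ComputerName $_ } | Format-Table -AutoSize

'WMI filter candidates:'
$WqlBattery
$WqlSystemType
```

Machines that come back as Unknown are exactly the ones a WMI filter would silently leave on the "desktop" path, which is the coverage gap the answer describes; moving them into the right OU by hand is safer than trusting the filter.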
Keeran Networks (asker):

OK, so:
1. I've moved the laptops out of the SBSComputers OU and into the newly created SBSMobile OU.
2. I've adjusted the Home Folder Redirection GPO to include loopback processing (merge).

How do I prevent the SBSMobile from inheriting Home Folder Redirection?  Take a look at my attached screenshot for more clarification.
Attachment: Group-Policy-Management.JPG
NoEvil:

Right-click on the Home Folder policy at the domain level, then uncheck Enforced and Link Enabled.
Then click on the Computers folder and right-click. Choose "Link an Existing GPO" and select the Home Folder policy.

Before doing this, make sure the folder redirection policy has "Policy Removal" set to
"Redirect the folder back to the local userprofile location when policy is removed."
If this setting isn't set, set it and give it a minimum of 90 + 30 minutes to apply to all computers.
I'd make sure all laptops are on the network, just to ensure that they get the policy.

Keeran Networks (asker):

Done and done.  That makes sense now.

I will let you know how things go tomorrow!
Keeran Networks (asker):

I thought it would be a good idea to test it first... So I logged into a workstation and now the My Documents folder path is editable and points back to the workstation's default local My Documents path. Which is how I would love the laptops to work, but not the desktops!

If I check the Link Enabled option and log back in on the workstation, the path is not editable and mapped back to the user's home folder on the server.  But I assume the whole domain (including SBSMobile) is using this GPO now.

Help...
NoEvil:

If the Home Folder Redirection GPO is only linked to the Computers OU, then only computers in that OU should get the policy. Make sure that the policy isn't enforced at the domain level.
Keeran Networks (asker):

When the Home Folder Redirection GPO is linked to only the Computers OU, it didn't redirect the My Documents folder.  When I check the Link Enabled option, it does, but also for the Laptops (and all) OU(s) too.
NoEvil:

Ahhh..

I think it's because you have 2 OUs called Computers... If the policy is linked to MyBusiness\Computers <- the policy will apply to both desktops and laptops because it is inherited from the parent OU.

The policy needs to be linked at MyBusiness\Computers\Computers <- the next level, at the same level as
MyBusiness\Computers\Mobile, so Mobile won't inherit the policy.
NoEvil:

Now that the policy is linked, go into Active Directory Users and Computers from Administrative Tools and make sure that laptops are in the Computers\Mobile OU and desktops are in Computers\Computers.
If computers aren't separated into these OUs the GPO will apply.
Keeran Networks (asker):

No, I made sure to do that right off the bat. I moved all the computers from Computers into the SBSComputers OU and all the laptops from Computers into the SBSMobile OU. I linked the Home Folder Redirection GPO to only the SBSComputers OU, and unchecked Enforced and Link Enabled.

Then when I tested it, the My Documents path was editable and pointed to the local workstation's My Documents path.

When I check Link Enabled, the My Documents path is not editable and points to the user's home folder on the server.

So for some reason, even though it's linked to the SBSComputers OU, it's not taking effect on those workstations...
NoEvil:

It can take a few hours for the workstations to get the new policy. The default interval is 90 minutes with a deviation of up to 30 minutes so that all computers don't request information at the same time. Depending on your AD, if you have multiple domain controllers it can take even longer with replication.
Also Windows XP and Vista (I think) load the network stack after a user logs in by default, so it can take up to 2 reboots for the new policy to be acquired. To ensure that the policy is applied sooner you can add this setting to your GPO:
Computer Configuration\Administrative Templates\System\Logon
Always wait for the network at computer startup and logon <- Enabled
Computers might take a little bit longer to log in, but this will ensure new policies are applied as soon as possible without the possibility of a double reboot.
In the meantime, to debug this go to the computers that it is not applying to:
Open cmd and run gpresult to see if the computer is getting the policy.
If gpresult does not show the policy on the list, try gpupdate /force.
Then gpresult again.
If the policy is being applied but nothing is happening, look at the event logs on the computer.
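The gpresult/gpupdate loop above is easy to misread by eye, because the same GPO name can appear in the computer half and the user half of the output, and a "filtered out" entry looks much like an applied one. This added example (not part of the thread, and not a Microsoft tool) is a workstation-side script that refreshes policy, parses the English gpresult text in the XP/Vista layout quoted later in this thread, and reports per scope whether the named GPO was applied, filtered (with the reason gpresult gives) or never listed. It also reads the loopback mode the machine actually received and where My Documents currently points. The GPO name and the sample gpresult text are constructed for illustration; PowerShell 2.0 syntax is used so it runs on the XP/Vista clients involved.

```powershell
# Added example: check on the workstation whether a GPO reached this machine/user.
# Assumptions: English gpresult output, PowerShell 2.0 or later, GPO name below.
$GpoName = 'Home Folder Redirection'

function Get-GpoStatusFromGpresult {
    # Parse gpresult text and report, for COMPUTER SETTINGS and USER SETTINGS separately,
    # whether $Name was Applied, Filtered (with reason) or NotListed.
    param([string[]]$Lines, [string]$Name)

    $scope = 'UNKNOWN'; $section = ''
    $result = @{ 'COMPUTER' = 'NotListed'; 'USER' = 'NotListed'; 'UNKNOWN' = 'NotListed' }

    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i].Trim()
        if ($line -match '^(COMPUTER|USER) SETTINGS')                  { $scope = $Matches[1]; $section = ''; continue }
        if ($line -match '^Applied Group Policy Objects')              { $section = 'applied';  continue }
        if ($line -match 'not applied because they were filtered out') { $section = 'filtered'; continue }
        if ($line -match 'part of the following security groups')      { $section = '';         continue }
        if ($section -eq '' -or $line -ne $Name) { continue }

        if ($section -eq 'applied') { $result[$scope] = 'Applied'; continue }

        # Filtered entry: the next line carries "Filtering:  <reason>" (e.g. "Not Applied (Unknown Reason)").
        $reason = ''
        if (($i + 1) -lt $Lines.Count -and $Lines[$i + 1] -match 'Filtering:\s*(.+)$') { $reason = $Matches[1].Trim() }
        $result[$scope] = 'Filtered: ' + $reason
    }
    New-Object PSObject -Property @{ Gpo = $Name; Computer = $result['COMPUTER']; User = $result['USER'] }
}

function Get-LoopbackMode {
    # Loopback arrives as HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode: 1 = Merge, 2 = Replace.
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($v) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not set (no loopback)' } }
}

function Get-MyDocumentsPath {
    # Folder redirection rewrites this per-user value; the local default expands to <profile>\My Documents.
    (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name Personal).Personal
}

# Constructed sample in the shape this thread quotes, so the parser can be exercised offline.
$Sample = @'
USER SETTINGS
------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Home Folder Redirection
            Filtering:  Not Applied (Unknown Reason)

    The user is a part of the following security groups:
'@ -split "`r?`n"
Get-GpoStatusFromGpresult -Lines $Sample -Name $GpoName | Format-List

# Live run on the workstation: refresh first, as the thread does, then parse the real output.
# /v is accepted by both the XP and the Vista gpresult.exe.
gpupdate /force | Out-Null
$Live = gpresult /v
Get-GpoStatusFromGpresult -Lines $Live -Name $GpoName | Format-List
'Loopback mode: ' + (Get-LoopbackMode)
'My Documents:  ' + (Get-MyDocumentsPath)
```

If the GPO shows Applied under Computer but Filtered or NotListed under User, the user half is being dropped even though the machine is in the right OU; that is the situation the loopback setting is meant to cover and the one the rest of this thread chases.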
NoEvil:

If the my documents redirection is only a problem on workstations with Vista, this MS document should help.
http://technet2.microsoft.com/WindowsVista/en/library/fb3681b2-da39-4944-93ad-dd3b6e8ca4dc1033.mspx?mfr=true

Let me know how it goes.
Keeran Networks (asker):

I always run a gpupdate /force on the workstations that I'm testing.  That's how I know when Linked Enabled is checked it works, and when it's not checked it doesn't work.

The workstation I'm testing it on is Windows XP.  I will check the Vista workstations after I can make the Windows XP workstations/laptops function properly.

Any other thoughts?
NoEvil:

Computer Configuration\Administrative Templates\System\Group Policy
Set "User Group Policy loopback processing mode" to Merge. This will ensure that the GPO that only applies to the computer object in AD, based on the OU link, is added to the GPOs processed by any user logging in to that computer.
Keeran Networks (asker):

I already did that.  You set it on the Home Folder Redirection GPO right?
NoEvil:

yes
Keeran Networks (asker):

OK, so what are your thoughts?

When the Home Folder Redirection GPO is linked to only the Computers OU, it didn't redirect the My Documents folder.  When I check the Link Enabled option, it does, but also for the Laptops (and all) OU(s) too.
NoEvil:

Can you provide a screenshot showing this configuration like the previous one you posted? Also, on the GPO's Scope tab, what groups does the GPO apply to? Can you post the GPO report: under the Settings tab on the GPO, right-click and save the report.
In gpresult, is the GPO on the list for the computer object and the user object?
Keeran Networks (asker):

Hold on, I will post a response.
Keeran Networks (asker):

I have posted the requested screenshots and files.  Please review and update me with your thoughts.

You will need to download "Home Folder Redirection.txt" and rename to "Home Folder Redirection.htm".
Attachments: AD-Computer-OUs.JPG, GPO-Home-Folder-Redirection.JPG, Home-Folder-Redirection.txt, gpresult.txt
NoEvil:

I'm pretty tired, so sorry if I ramble.
With the current configuration (Home-Folder-Redirection.txt),
under Links:
Location: Company  Enforced: No  Link Status: Enabled  Path: Company.local
This setting is applying the GPO at the domain level, so all computers/users/servers will have their My Documents redirected. This link will need to be disabled to ensure laptops/servers aren't getting the policy.
Location: SBSComputers  Enforced: No  Link Status: Enabled
Path: Company.local/MyBusiness/Computers/SBSComputers
Looks to be correctly linked to only workstation computers.
I was also wondering, under User Configuration -> My Documents:
Path: \\SERVER\%username%$ <- is this correct? Is the server's name SERVER?
If it's not SERVER, that could cause a problem... Also, if WINS isn't configured the NetBIOS name may not resolve. In a completely DNS environment I would use the FQDN: SERVER.Company.local. This may not be a problem; you can use nslookup from cmd to make sure the name you are using is resolving to the IP of the server.
Also note: by default the creator of the GPO/Domain Admins will not have security permissions set so that the GPO applies to them, so if testing with an account that is a member of Domain Admins the GPO might not seem to be working. So I would test with a different account.
To make the GPO apply to the creator/Domain Admins:
In GPMC click on the GPO. Click on the Delegation tab at the top. This should show you the security permissions for the GPO. Click on Advanced in the bottom right corner. In the Security window that opens, select Domain Admins or the user that created the policy. In the permissions view below that, check Apply Group Policy. This will now apply the GPO to Domain Admins/creator.
If this still fails to work, run gpresult /z from cmd on the workstation, after gpupdate /force. You should see Home Folder Redirection under the list of GPOs being processed by the user logged into the workstation. If this isn't showing up then the policy isn't being applied. In that case we might need to look elsewhere for the root cause.
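The three things this reply checks by hand (where the GPO is linked and whether any link is enabled or enforced, who it is security-filtered to, and whether the redirection target name resolves) can be pulled in one pass from an admin workstation. The script below is an added example, not from the thread and not a Microsoft sample; it assumes the RSAT GroupPolicy and ActiveDirectory modules, which exist on Windows 7 / Server 2008 R2 and later and are not available on the SBS 2003 server in the thread, so it would be run from a newer admin box joined to the same domain. Domain, OU and server names are the thread's placeholders.

```powershell
# Added example: admin-side report on the redirection GPO's links, security filtering and target.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules (Win7 / 2008 R2 or later admin box),
# run as a domain admin; Company.local / SERVER / GPO name are the thread's placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Home Folder Redirection'
$DnsDomain = 'Company.local'
$DomainDN  = 'DC=Company,DC=local'
$TargetUnc = '\\SERVER\%username%$'

function Get-GpoLinkReport {
    # Every container (domain root plus all OUs) where $Name is linked, with the link state.
    # A live link at the domain root is what pushed the policy onto the laptops in this thread.
    param([string]$Name, [string]$SearchBase)
    $containers = @($SearchBase) +
        (Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn
        foreach ($link in $inh.GpoLinks) {
            if ($link.DisplayName -eq $Name) {
                New-Object PSObject -Property @{
                    Target = $dn; LinkEnabled = $link.Enabled; Enforced = $link.Enforced
                    BlockInheritance = $inh.GpoInheritanceBlocked
                }
            }
        }
    }
}

function Get-GpoApplyTo {
    # Trustees holding Apply Group Policy. If Authenticated Users was removed for security
    # filtering, the test account must be a member of one of the groups listed here.
    param([string]$Name)
    Get-GPPermission -Name $Name -All | Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, @{ n = 'Type'; e = { $_.Trustee.SidType } }
}

function Test-RedirectHost {
    # Resolve the server named in the redirection path, both as a short name and as an FQDN,
    # which is the nslookup check suggested above.
    param([string]$Unc, [string]$DnsSuffix)
    $server = ($Unc -split '\\')[2]
    foreach ($n in @($server, ($server + '.' + $DnsSuffix))) {
        try {
            $ip = ([System.Net.Dns]::GetHostAddresses($n) | Select-Object -First 1).IPAddressToString
            New-Object PSObject -Property @{ Name = $n; Resolves = $true;  Address = $ip }
        } catch {
            New-Object PSObject -Property @{ Name = $n; Resolves = $false; Address = $null }
        }
    }
}

Get-GpoLinkReport -Name $GpoName -SearchBase $DomainDN | Format-Table Target, LinkEnabled, Enforced, BlockInheritance -AutoSize
Get-GpoApplyTo   -Name $GpoName | Format-Table -AutoSize
Test-RedirectHost -Unc $TargetUnc -DnsSuffix $DnsDomain | Format-Table Name, Resolves, Address -AutoSize
```

The expected picture for the setup this thread is aiming at is a single enabled, non-enforced link on the SBSComputers OU, no link (or a disabled one) at the domain root, the test user covered by a trustee with Apply Group Policy, and both name forms of the server resolving to the same address.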
Keeran Networks (asker):

Hi NoEvil,

I had to Link Enable the Home Folder Redirection GPO at the Domain level otherwise all the computers in the domain wouldn't redirect their home folders back to the server.  I know it doesn't make sense, but this is the problem I'm facing.

As for the path, I changed the server name in the html file to protect the client's identity.

The account that we are testing with is an actual Domain User.

I think we're stuck at the point where without Link Enabling the GPO to the Domain level, the SBSComputers are not redirecting their home folders back to the server.
Keeran Networks (asker):

So I enabled Block Inheritance on SBSMobile and ran a gpupdate /force on GORD-LG.  I've attached the gpresult output after changing the server name and login name to protect their identity.

From what I see, looks like the GPO is running as the User...  How do I disable this?
Attachment: gpresult---USER-on-GORD-LG.txt
NoEvil:

The following GPOs were not applied because they were filtered out
   -------------------------------------------------------------------
Home Folder Redirection
 Filtering:  Not Applied (Unknown Reason)
Now the problem gets into a gray area.
With the GPO applied at the domain level, the folder redirection policy, which is a user policy, is now applying directly to the user objects. As a result, no matter which computer they log on to, My Documents will be redirected, even on servers (this can be tested). It doesn't even need to be applied to computers if it applies to the user objects directly.
Applying the user policy with loopback on specific computers allows us to control the PCs that enforce a user policy when using them. So the policy indirectly applies to the user based on specific machines.
Now I would take a look at security permissions in AD. Log in to a PC as a domain user, install ADUC (Active Directory Users and Computers) and try to navigate to the computer object's OU. I'm looking to see if the user object can view the computer object in AD. If it cannot view the computer object, it cannot read the GPO applied to that object that has user settings.
This is a shot in the dark. By default all authenticated users can read the directory, but I have run into this problem before in more secure environments.
If this isn't the case then I would turn on USERENV logging to see why the GPO is failing. Normally problems don't come to this, and this log is quite cryptic, so I generally use it as a last resort. Use the info here to turn it on: http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1250007,00.html
Keeran Networks (asker):

I installed ADUC on a Vista workstation (boy that was fun).  I wasn't 100% sure what you were looking for so I attached a screenshot.  It looks like user object can view the computer object in AD.

As for USERENV I looked at that link and was wondering if you could provide more simple step-by-step instructions.

Thanks.
Attachment: ADUC-from-Vista-Laptop.jpg
NoEvil (accepted solution):

[Solution text not available on this page; members-only content.]