Solved

How do I prevent folder redirection with a loopback policy

Posted on 2009-04-09
Last Modified: 2012-05-06
On our LAN we have a GPO that redirects the My Docs folders to the users' home folder.

I have a couple of PCs that will always be offsite and I want to prevent the LAN users' My Docs folders from redirecting when they log on to those PCs only.

I thought all I had to do was create an OU for these PCs and put a loopback policy with a setting to redirect the My Docs to the local profile (as per the MS KB 328008). However this does not seem to work. I have tried putting the redirect in the same policy as the loopback and in a separate policy in the same OU.

When I look at the results using Group Policy Modeling, the normal policy is being applied to the user account and not the loopback one. Actually logging on confirms the GPM results are correct.

The loopback is set to replace, but I have also tried merge with no success.

I know I must be missing something but I am not sure what.

Thanks in advance for any advice given.
Question by:Fester7572
9 Comments
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24106363
So are your redirection policy settings in their own GPO? Or are they part of a GPO that you want the other settings to still apply from?

As I understand it, you've created a separate OU for the few PCs that you DON'T want to have folder redirection for. You've linked the loopback policy directly to that specific OU, and the other GPO (that contains the original redirection settings) is being applied through inheritance.

Is that correct?
0
 

Author Comment

by:Fester7572
ID: 24106482
Hi Pete,

I have 2 Parent GPOs, one called PCs and one called Staff. Personal preference, I just like to keep my PCs and Users in separate OUs.

The one called PCs has a sub OU that is called RemotePCs.

The LAN GPO called Standard Logon has folder redirection configured and is linked both to the PCs and Staff OUs as it contains settings that need to apply to both users and computers.

The Remote PCs has the Loopback policy linked to it.

I have tried blocking inheritance as well as enforcing the loopback but nothing seems to make a difference.

Let me know if you need further info.

Thanks for the prompt response
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24106607
Can you show me the expanded list of Settings in your loopback policy? I mean from the 'Settings' tab, that only shows settings within a policy that have been explicitly configured. :)

Thanks!

Pete
0

Author Comment

by:Fester7572
ID: 24106658
I have exported the report from GPO Management.
RegionalLoopback.pdf
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24106736
Ok, a little more - When you said viewing the RSOP info shows that the original policy is applying and the loopback policy is not, what is the reason given for the loopback policy not applying? Filtered out? Access Denied etc?
0
 

Author Comment

by:Fester7572
ID: 24106835
Here is the report from the RSOP. The zip file has the htm version of the report. Just rename it with a htm extension instead of the txt used to bypass the site file filters.

Under the user configuration section it says the reason it is denied is the policy is empty. It does apply on the computer configuration section.
RSOP.pdf
ChrisSheppard-on-REGIONPC2.zip
0
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 500 total points
ID: 24107519
Ok, so my initial impressions are that the loopback setting itself is being filtered out - Hence why the policy settings under user config are showing: denied (empty). The empty reason is given only when a policy is either completely empty, or has only user settings being applied to computer objects, or vice versa.

Now if loopback itself isn't applying, then essentially the policy just contains a bunch of user settings trying to apply to computer objects, and thus, will be seen as empty.

So the only confusing part for me is why the loopback policy setting itself is being filtered out. I can see that the setting is enabled and in replace mode, yet under the comp config section of the RSOP, it also shows as being empty.

So I guess we need to go back to basics. For testing purposes, I'd start by initially creating a Loopback Test OU outside of your normal OUs, and block policy inheritance to this test OU. Move your test computer object(s) and test user object(s) into this OU, and at this stage, log on to a test PC and run a gpresult from command prompt. Provided you have no domain level policies enforced, you should basically see that no policies are applying whatsoever, which is the result we want at this stage.

Once that result has been achieved, create a loopback test policy and link it directly to your loopback test OU. No other settings should be configured, just loopback itself.

Again, log on to a PC and check that the loopback test policy is being applied successfully (i.e. no errors in gpresult under comp config for that GPO).

Now configure some user settings, may as well start with folder redirection on its own, WITHIN the same loopback test policy you already created. Configure some very basic redirection settings here, as obviously you want to spend as little time as possible doing all this, as it's purely for testing purposes.

Now log on again, and test to see if the user settings are taking effect.

This is only advice based on what I would do by the way, take it or leave it of course. :) I'll continue from here should you decide to go down this route, once you've gotten to this point. Of course, always bear in mind that policies don't always take effect immediately after changes are made...

Pete



0
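The isolation test described in the accepted answer, scripted as an added example (not code posted by anyone in this thread). It assumes the ActiveDirectory and GroupPolicy RSAT PowerShell modules are available; the domain, OU, GPO, computer and user names are hypothetical placeholders.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'
$ouName   = 'Loopback Test'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Loopback Test Policy'
$loopKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Test OU outside the normal OU tree, with inheritance blocked.
#    Enforced GPOs linked higher up still apply despite the block.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
Set-GPInheritance -Target $ouDn -IsBlocked Yes

# 2. Move one test computer and one test user into the OU.
Get-ADComputer 'TESTPC1'  | Move-ADObject -TargetPath $ouDn
Get-ADUser     'testuser' | Move-ADObject -TargetPath $ouDn

# Baseline on the test PC before any GPO is linked (expect no GPOs applied):
#   gpresult /r        (plain "gpresult" on Windows XP)

# 3. GPO containing only the loopback setting, linked directly to the test OU.
#    UserPolicyMode is the registry value behind the loopback policy setting:
#    1 = Merge, 2 = Replace.
New-GPO -Name $gpoName | New-GPLink -Target $ouDn
Set-GPRegistryValue -Name $gpoName -Key $loopKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# 4. Confirm what the directory now holds before testing on the client.
Get-GPInheritance -Target $ouDn |
    Select-Object Path, GpoInheritanceBlocked, GpoLinks
Get-GPRegistryValue -Name $gpoName -Key $loopKey -ValueName 'UserPolicyMode'

# 5. On the test PC: refresh policy, log on again, and check that the GPO is
#    listed as applied under Computer Configuration with no error.
#   gpupdate /force
#   gpresult /r

# 6. Only after step 5 succeeds, add basic Folder Redirection settings to the
#    SAME GPO in the Group Policy editor (User Configuration), log on again,
#    and check the user section of gpresult for that GPO.
```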
 

Author Closing Comment

by:Fester7572
ID: 31569824
Hi Pete,

I've created the test OU as you suggested along with the policies. Everything applies as expected.

I then moved the user out of the same OU as the PC and into the Users container as there are no policies there. Again all is well. The loopback is being applied and the correct folder redirection is working.

I then moved my test user into my Staff OU where all the normal user policies exist. Again success.

So I guess we had a priority issue due to the location of the PC OU. As it is more a personal preference rather than a technical reason for the OU structure I guess we can call this issue resolved.

Thanks very much for your help.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24136507
You're welcome, I'm glad you found the problem! Whenever a problem makes no sense, it's usually best to go back to as basic as possible, remove as many 'outside' factors as possible (such as other policies etc) and work your way up from scratch. Often the problem will return after a certain change is made in this process, and then you know exactly what change it was that caused it, and have a good base to troubleshoot from.

Take care,

Pete

0
