How do I prevent folder redirection with a loopback policy

Posted on 2009-04-09
Last Modified: 2012-05-06
On our LAN we have a GPO that redirects the My Docs folders to the user's home folder.

I have a couple of PCs that will always be offsite and I want to prevent the LAN users' My Docs folders from redirecting when they log on to those PCs only.

I thought all I had to do was create an OU for these PCs and put a loopback policy with a setting to redirect the My Docs to the local profile (as per the MS KB 328008). However, this does not seem to work. I have tried putting the redirect in the same policy as the loopback and in a separate policy in the same OU.

When I look at the results using Group Policy Modeling, the normal policy is being applied to the user account and not the loopback one. Actually logging on confirms the GPM results are correct.

The loopback is set to replace, but I have also tried merge with no success.

I know I must be missing something but I am not sure what.

Thanks in advance for any advice given.
Question by:Fester7572

Expert Comment

ID: 24106363
So are your redirection policy settings in their own GPO? Or are they part of a GPO that you want the other settings to still apply from?

As I understand it, you've created a separate OU for the few PCs that you DON'T want to have folder redirection for. You've linked the loopback policy directly to that specific OU, and the other GPO (that contains the original redirection settings) is being applied through inheritance.

Is that correct?

Author Comment

ID: 24106482
Hi Pete,

I have 2 Parent GPOs, one called PCs and one called Staff. Personal preference, I just like to keep my PCs and Users in separate OUs.

The one called PCs has a sub OU that is called RemotePCs.

The LAN GPO called Standard Logon has folder redirection configured and is linked both to the PCs and Staff OUs as it contains settings that need to apply to both users and computers.

The Remote PCs has the Loopback policy linked to it.

I have tried blocking inheritance as well as enforcing the loopback but nothing seems to make a difference.

Let me know if you need further info.

Thanks for the prompt response

Expert Comment

ID: 24106607
Can you show me the expanded list of Settings in your loopback policy? I mean from the 'Settings' tab, that only shows settings within a policy that have been explicitly configured. :)



Author Comment

ID: 24106658
I have exported the report from GPO Management.

Expert Comment

ID: 24106736
Ok, a little more - When you said viewing the RSOP info shows that the original policy is applying and the loopback policy is not, what is the reason given for the loopback policy not applying? Filtered out? Access Denied etc?

Author Comment

ID: 24106835
Here is the report from the RSOP. The zip file has the htm version of the report. Just rename it with a htm extension instead of the txt used to bypass the site file filters.

Under the user configuration section it says the reason it is denied is the policy is empty. It does apply on the computer configuration section.

Accepted Solution

PeteJThomas earned 500 total points
ID: 24107519
Ok, so my initial impressions are that the loopback setting itself is being filtered out - Hence why the policy settings under user config are showing: denied (empty). The empty reason is given only when a policy is either completely empty, or has only user settings being applied to computer objects, or vice versa.

Now if loopback itself isn't applying, then essentially the policy just contains a bunch of user settings trying to apply to computer objects, and thus, will be seen as empty.

So the only confusing part for me is why the loopback policy setting itself is being filtered out. I can see that the setting is enabled and in replace mode, yet under the comp config section of the RSOP, it also shows as being empty.

So I guess we need to go back to basics. For testing purposes, I'd start by initially creating a Loopback Test OU outside of your normal OUs, and block policy inheritance to this test OU. Move your test computer object(s) and test user object(s) into this OU, and at this stage, log on to a test PC and run a gpresult from command prompt. Provided you have no domain level policies enforced, you should basically see that no policies are applying whatsoever, which is the result we want at this stage.

Once that result has been achieved, create a loopback test policy and link it directly to your loopback test OU. No other settings should be configured, just loopback itself.

Again, log on to a PC and check that the loopback test policy is being applied successfully (i.e. no errors in gpresult under comp config for that GPO).

Now configure some user settings, may as well start with folder redirection on its own, WITHIN the same loopback test policy you already created. Configure some very basic redirection settings here, as obviously you want to spend as little time as possible doing all this, as it's purely for testing purposes.

Now log on again, and test to see if the user settings are taking effect.

This is only advice based on what I would do by the way, take it or leave it of course. :) I'll continue from here should you decide to go down this route, once you've gotten to this point. Of course, always bear in mind that policies don't always take effect immediately after changes are made...
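
The isolation test described in the accepted answer above, sketched as PowerShell. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and the domain DN, OU name, GPO name and computer name are placeholders.

```powershell
# Added example: every name below is a placeholder, not taken from the thread.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'        # assumption: replace with your domain DN
$ouName   = 'Loopback Test'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Loopback Test Policy'
$testPc   = 'TESTPC01'                 # hypothetical test computer account

# 1. Test OU outside the normal OU tree, with policy inheritance blocked.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
Set-GPInheritance -Target $ouDn -IsBlocked Yes

# 2. Move the test computer into it (repeat with Get-ADUser for a test user).
Get-ADComputer -Identity $testPc | Move-ADObject -TargetPath $ouDn

# Baseline check: with inheritance blocked, only GPOs enforced from above
# should still be listed as applying to the OU.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Order

# 3. A GPO that contains only the loopback setting, linked directly to the OU.
#    UserPolicyMode: 1 = merge, 2 = replace.
New-GPO -Name $gpoName | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# 4. On the test PC, after a restart and logon, confirm the GPO applies under
#    computer configuration before adding any user settings to it.
gpupdate /force
gpresult /scope computer /r
gpresult /scope user /r
gpresult /h "$env:TEMP\loopback-test.html" /f

# 5. Folder redirection is then added to the same GPO in the Group Policy
#    Management Editor (User Configuration), and step 4 is repeated.
```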



Author Closing Comment

ID: 31569824
Hi Pete,

I've created the test OU as you suggested along with the policies. Everything applies as expected.

I then moved the user out of the same OU as the PC and into the Users container as there are no policies there. Again all is well. The loopback is being applied and the correct folder redirection is working.

I then moved my test user into my Staff OU where all the normal user policies exist.  Again success.

So I guess we had a priority issue due to the location of the PC OU. As it is more a personal preference rather than a technical reason for the OU structure I guess we can call this issue resolved.

Thanks very much for your help.

Expert Comment

ID: 24136507
You're welcome, I'm glad you found the problem! Whenever a problem makes no sense, it's usually best to go back to as basic as possible, remove as many 'outside' factors as possible (such as other policies etc) and work your way up from scratch. Often the problem will return after a certain change is made in this process, and then you know exactly what change it was that caused it, and have a good base to troubleshoot from.

Take care,




Question has a verified solution.
