How do I prevent folder redirection with a loopback policy

Posted on 2009-04-09
Medium Priority
Last Modified: 2012-05-06
On our LAN we have a GPO that redirects the My Docs folders to the users home folder.

I have a couple of PCs that will always be offsite and I want to prevent the LAN users My Docs folders from redirecting when they logon on those PCs only.

I thought all I had to do was create an OU for these PCs and put a loopback policy with a setting to redirect the My Docs to the local profile (as per the MS KB 328008). However this does not seem to work. I have tried putting the redirect in the same policy as the loopback and in a seperate policy in the same OU.

When I look at the results in using Group Policy Modeling the normal policy is being applied to the user account and not the loopback one. Actually logging on confirms the GPM results are correct.

The loopback is set to replace, but I have also tried merge with no success.

I know I must be missing something but I am not sure what.

Thanks in advance for any advice given.
Question by:Fester7572
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 19

Expert Comment

ID: 24106363
So are your redirection policy settings in they're own GPO? Or are they part of a GPO that you want the other settings to still apply from?

As I understand it, you've created a separate OU for the few PCs that you DON'T want to have folder redirection for. You've linked the loopback policy directly to that specific OU, and the other GPO (that contains the original redirection settings) is being applied through inheritance.

Is that correct?

Author Comment

ID: 24106482
Hi Pete,

I have 2 Parent GPOs, one called  PCs and one called Staff. Personal preference I just like to keep my PCs and Users in seperate OUs.

The one called PCs has a sub OU that is called RemotePCs.

The LAN GPO called Standard Logon has folder redirection configured and is linked both to the PCs and Staff OUs as it contains settings that need to apply to both users and computers.

The Remote PCs has the Loopback policy linked to it.

I have tried blocking inheritance as well as enforcing the loopback but nothing seems to make a difference.

Let me know if you need further info.

Thanks for the prompt response
LVL 19

Expert Comment

ID: 24106607
Can you show me the expanded list of Settings in your loopback policy? I mean from the 'Settings' tab, that only shows settings within a policy that have been explicity configured. :)


What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.


Author Comment

ID: 24106658
I have exported the report from GPO Management.
LVL 19

Expert Comment

ID: 24106736
Ok, a little more - When you said viewing the RSOP info shows that the original policy is applying and the loopback policy is not, what is the reason given for the loopback policy not applying? Filtered out? Access Denied etc?

Author Comment

ID: 24106835
Here is the report from the RSOP. The zip file has the htm version of the report. Just rename it with a htm extension instead of the txt used to bypass the site file filters.

Under the user configuration section it says the reason it is denied is the policy is empty. It does apply on the computer configuration section.
LVL 19

Accepted Solution

PeteJThomas earned 2000 total points
ID: 24107519
Ok, so my initial impressions are that the loopback setting itself is being filtered out - Hence why the policy settings under user config are showing: denied (empty). The empty reason is given only when a policy is either completely empty, or has only user settings being applied to computer objects, or vice versa.

Now if loopback itself isn't applying, then essentially the policy just contains a bunch of user settings trying to apply to computer objects, and thus, will be seen as empty.

So the only confusing part for me is why the loopback policy setting itself is being filtered out. I can see that the setting is enabled and in replace mode, yet under the comp config section of the RSOP, it also shows as being empty.

So I guess we need to go back to basics. For testing purposes, I'd start by initially try creating a Loopback Test OU outside of your normal OUs, and block policy inheritance to this test OU. Move your test computer object(s) and test user object(s) into this OU, and at this stage, log on to a test PC and run a gpresult from command prompt. Provided you have no domain level policies enforced, you should basically see that no policies are applying whatsoever, which is the result we want at this stage.

Once that result has been achieved, create a loopback test policy and link it directly to your loopback test OU. No other settings should be configured, just loopback itself.

Again, log on to a PC and check that the loopback test policy is being applied successfully (i.e. no errors in gpresult under comp config for that GPO).

Now configure some user settings, may as well start with folder redirection on it's own, WITHIN the same loopback test policy you already created. Configure some very basic redirection settings here, as obviously you want to spend as little time as possible doing all this, as it's purely for testing purposes.

Now log on again, and test to see if the user settings are taking affect.

This is only advice based on what I would do by the way, take it or leave it of course. :) I'll continue from here should you decide to go down this route, once you've gotten to this point. Of course, always bare in mind that policies don't always take affect immediately after changes are made...



Author Closing Comment

ID: 31569824
Hi Pete,

I've created the test OU as you suggested along with the policies. Everything applies as expected.

I then moved the user out of the same OU as the PC and into the Users container as there are no policies there. Again all is well. The loopback is being applied and the correct folder redirection is working.

I then moved my test user into my Staff OU where all the normal user policies exist.  Again success.

So I guess we had a priority issue due to the location of the location of the PC OU. As it is more a personal preference rather than a technical reason for the OU structure I guess we can call this issue resolved.

Thanks very much for your help.
LVL 19

Expert Comment

ID: 24136507
You're welcome, I'm glad you found the problem! Whenever a problem makes no sense, it's usually best to go back to as basic as possible, remove as many 'outside' factors as possible (such as other policies etc) and work your way up from scratch. Often the problem will return after a certain change is made in this process, and then you know exactly what change it was that caused it, and have a good base to troubleshoot from.

Take care,



Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Let's recap what we learned from yesterday's Skyport Systems webinar.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month15 days, 16 hours left to enroll

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question