Group Policy on Desktops vs. Laptops

I have a Group Policy (GP) question I am trying to figure out.  I have my Active Directory (AD) set up so that users are separated into OUs based on department.  I also have computer accounts broken into "Desktop" and "Laptop".

For Desktop Users:
In GP, I have a Computer policy that disables offline files.
I also have a User policy that redirects the My Documents folder to the user's home folder on the file server.

For Laptop Users:
I can set up just the User policy that redirects the My Documents folder to the user's home folder on the server, because that seems to auto-enable Offline Files.  This will allow the My Documents folder to sync to the local computer upon user logoff so they have access to their data when they are off-site.  The problem is that if I needed to log in as myself or an administrative user to their laptops, then the My Documents folder would redirect as it should, but the Computer policy would then enable Offline Files and cause the My Documents folder to sync when I logged out.

How can I have my cake and eat it too?  Thanks!
Asked by devryguy81

Adam Brown (Sr Solutions Architect) commented:
One possible solution is to set up a Security group and add the users that you want to have offline files running on the laptops to it. Build another GPO that *only* configures the offline file transfer and remove that configuration from the GPO that you want to apply to everyone. Once that's done, add the Laptop users group to the security filtering list for the Offline File Transfer GPO in GPMC and remove the Authenticated Users group.
 
kevinhsieh commented:
You can log in to the laptops as an administrative user that doesn't have folder redirection enabled. You can do this by either having the user in an OU that doesn't get the GPO applied, or you can go to the Delegation tab of the GPO, add the user under Advanced, and put a deny on Apply Group Policy in the permissions.
 
Joseph Moody (Blogger and wearer of all hats) commented:
On the laptop OU, create a new GPO.

1. Enable loopback policy processing (merge). (Computer Config\Policies\Admin Templates\System\Group Policy)

2. Turn off offline files

3. In the scope of the GPO, add only Domain Computers and your username (or Domain Admins)

4. Left click on the laptop OU. Make sure that this new policy is the last in the link orders.
 
Joseph Moody (Blogger and wearer of all hats) commented:
Below is a WMI filter for laptops. You can actually add this to your GPO and link it higher in your domain. This way, you could merge your laptop and desktop OUs and eliminate that overhead.

Select * from Win32_Battery where BatteryStatus <> 0
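A check for the WMI filter above, added here as an example and not part of the thread. A WMI filter is evaluated in the computer's context and gates the whole GPO (computer and user settings); it is true only if the query returns at least one instance. Desktops normally have no Win32_Battery instance at all, so the query returns nothing and the filter is false; on a laptop any BatteryStatus code is non-zero, so the filter effectively tests "a battery is present". The function below runs the same query with Get-CimInstance and compares it with Win32_ComputerSystem.PCSystemType (2 = Mobile), which does not depend on a battery being reported. Run it on a representative desktop and laptop before linking the filter.

```powershell
# Added example: evaluate the proposed laptop WMI filter on the local machine
# the way the Group Policy client would, and compare it with the chassis type.
function Test-LaptopWmiFilter {
    $query = "Select * from Win32_Battery where BatteryStatus <> 0"

    # The filter is true only when the query returns at least one instance.
    $batteries = @(Get-CimInstance -Query $query -ErrorAction SilentlyContinue)

    # Independent signal: PCSystemType 2 = Mobile (Vista and later).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        BatteryFilter  = ($batteries.Count -gt 0)          # what the GPO filter would see
        BatteryStatus  = (($batteries | ForEach-Object BatteryStatus) -join ',')
        PCSystemType   = $cs.PCSystemType
        IsMobileByType = ($cs.PCSystemType -eq 2)
    }
}

Test-LaptopWmiFilter | Format-List
```

If BatteryFilter and IsMobileByType disagree on a machine (a docked laptop with the battery removed, or a desktop with a UPS exposing a battery class), that is the machine that will land in the wrong set, and `gpresult /r` on it will show the GPO as filtered out or applied accordingly.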
 
devryguy81 (Author) commented:
Jmoody10:

I have followed your steps from your initial reply and created a GPO in my Laptops OU called (creatively enough) "Computer - Laptop Offline Files".  I add a 'computer' or 'user' prefix to help me keep my policies straight...
Anyway, I have enabled loopback policy processing to merge, turned off Offline Files and added Domain Computers and Domain Admins to the GPO security filtering.  That initially did not work, so I changed Domain Computers to a single test machine "virtualxp" that I moved into the Laptops OU.  I also changed it to be the last policy applied.

They are applying properly to the test machine and accounts (thanks to a quick check from 'gpresult'), however when I log in with the primary user's account it is NOT synching as it should, unless I have missed something from your instructions.

If you can help me out or if I need to provide more information please let me know.

Thanks!
 
Joseph Moody (Blogger and wearer of all hats) commented:
Explain this a little more:

"They are applying properly to the test machine and accounts (thanks to a quick check from 'gpresult'), however when I log in with the primary user's account it is NOT synching as it should, unless I have missed something from your instructions."

If you can, export the GPO and upload it as a file.
 
devryguy81 (Author) commented:
All right, after a little digging around on Google I ran across a site that might be exactly what I want; I just need a little clarification on something.  Please read the excerpt below; my questions are at the bottom.

Excerpt from http://www.minasi.com/forum/topic.asp?TOPIC_ID=24127, 4th post down...
-----------------------------------------------------------------------------------------------------------------
To implement My Documents folder redirection four GPOs will be used. The four GPOs and their settings are listed below, explanation of the approach taken and explanations of why particular GPO settings were used can be found below the listed settings.
Disable Offline Files
General
Links
Root of domain
Computer Configuration
Administrative Templates
Network/Offline Files
Allow or Disallow use of the Offline Files feature--------------Disabled

My Documents Redirection
General
Links
(OU with users who will receive My Documents redirection, eventually root of domain)
User Configuration
Folder Redirection
My Documents
Setting: Advanced (Specify locations for various user groups)
GROUP1----------------------------------------------------------Location1
Options
Grant user exclusive rights to My Documents---------------------Disabled
Move the contents of My Documents to the new location-----------Enabled
Policy Removal Behavior-----------------------------------------Restore Contents

Configure Offline Files (1 of 2)
General
Links
(All Laptop-Tablet OUs)
Delegation
(Support people group(s) will have Apply Group Policy=Deny)
Computer Configuration
Administrative Templates
Network/Offline Files
Allow or Disallow use of the Offline Files Feature--------------Enabled
System/Group Policy
User Group Policy loopback processing mode----------------------Enabled
Mode:----------------------------------------------------------Merge
User Configuration
Administrative Templates
Network/Offline Files
Event Logging Level---------------------------------------------Enabled (3)
Synchronize all offline files before logging off-----------------Enabled
Synchronize offline files before suspend-------------------------Enabled
Type of sync to perform when suspending-------------------------Full

Configure Offline Files (2 of 2)
General
Links
(All Laptop-Tablet OUs)
Delegation
(Authenticated Users removed)
Security Filtering
(Support people group(s), only those in these group(s) will receive this policy)
Computer Configuration
Administrative Templates
System/Group Policy
User Group Policy loopback processing mode----------------------Enabled
Mode:----------------------------------------------------------Merge
User Configuration
Administrative Templates
Network/Offline Files
Do not automatically make redirected folders available offline--Enabled
-----------------------------------------------------------------------------------------------------------------

QUESTIONS - What I am unsure about are the security/delegation settings.  Are they being applied to the OU containing the Laptop computer accounts, or are they being applied to the GPOs themselves?  I have tried various configurations of both without hitting the right one so if someone can clarify a bit for me I would appreciate it.  A "you are here" is always helpful!

GOAL - My goal here is to redirect My Documents for ALL users, and Disable Offline Files for ALL users.  However, if a laptop user logs into their machine I want to Enable Offline Files for them.  Also, if I (or another Admin) log into said laptop for service, we want our My Documents folders to redirect, but by default we do NOT want Offline Files to sync when we log out.  

BTW - I have attempted to contact the original poster without success, which is why I am now turning to EE's wonderful resources.

Thanks again.
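A worked example, added here and not from the thread or the quoted forum, of building the laptop-side GPOs from the excerpt above with the GroupPolicy module; it also covers the loopback-merge GPO from jmoody10's earlier steps, since the cmdlets are the same. On the delegation question: the Delegation tab and the Security Filtering list in GPMC both edit the ACL of the GPO object itself, not the OU the GPO is linked to, and under loopback a GPO's user-side settings are only applied to a user who holds Apply Group Policy on that GPO, which is why the excerpt filters "2 of 2" to the support group. Names, OU paths and the support group below are assumptions; the Folder Redirection setting, the sync-at-logoff/suspend settings and the logging level have no simple registry policy equivalent shown here and stay in the editor.

```powershell
# Added example (not the thread's or the quoted forum's own script): build the
# excerpt's Offline Files GPOs with the GroupPolicy module. Registry paths are the
# policy keys behind the listed Administrative Template settings.
#Requires -Modules GroupPolicy, ActiveDirectory
Import-Module GroupPolicy, ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName
$laptopOu   = "OU=Laptops,OU=Workstations,$domainDn"   # assumption: laptop computer OU
$supportGrp = 'GPO-Laptop-Support'                     # assumption: admins who service laptops

# Create or reuse a GPO, write DWORD policy values, optionally replace the default
# security filtering, and link it. These calls edit the GPO object's own ACL,
# which is what GPMC's Delegation tab and Security Filtering list show.
function New-PolicyGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable[]]$Registry,   # @{Key; ValueName; Value}
        [string[]]$ApplyTo = @(),                       # empty = keep Authenticated Users
        [Parameter(Mandatory)][string]$LinkTo
    )
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    foreach ($r in $Registry) {
        Set-GPRegistryValue -Name $Name -Key $r.Key -ValueName $r.ValueName -Type DWord -Value $r.Value | Out-Null
    }
    if ($ApplyTo.Count -gt 0) {
        # Remove Authenticated Users, but keep Read for computers: since MS16-072 the
        # user-side settings are fetched in the computer's security context.
        Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
        Set-GPPermission -Name $Name -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
        foreach ($p in $ApplyTo) {
            Set-GPPermission -Name $Name -TargetName $p -TargetType Group -PermissionLevel GpoApply | Out-Null
        }
    }
    $links = (Get-GPInheritance -Target $LinkTo).GpoLinks
    if ($links.DisplayName -notcontains $Name) { New-GPLink -Name $Name -Target $LinkTo | Out-Null }
    $gpo
}

# Set-GPPermission cannot write a Deny ACE. Add "Apply Group Policy = Deny" on the
# GPO's AD object directly (what Delegation > Advanced does in GPMC). GPMC will
# offer to sync the SYSVOL folder ACL afterwards; the AD ACE is what the client checks.
function Deny-GpoApply {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Group)
    $applyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply Group Policy extended right
    $sid  = (Get-ADGroup -Identity $Group).SID
    $de   = [adsi]"LDAP://$((Get-GPO -Name $Name).Path)"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny, $applyRight)
    $de.ObjectSecurity.AddAccessRule($rule)
    $de.CommitChanges()
}

$netCacheHklm  = 'HKLM\Software\Policies\Microsoft\Windows\NetCache'
$netCacheHkcu  = 'HKCU\Software\Policies\Microsoft\Windows\NetCache'
$loopbackMerge = @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\System'; ValueName = 'UserPolicyMode'; Value = 1 }  # 1 = Merge, 2 = Replace

# "Disable Offline Files", linked at the domain root: everyone starts with it off.
New-PolicyGpo -Name 'Disable Offline Files' -LinkTo $domainDn -Registry @(
    @{ Key = $netCacheHklm; ValueName = 'Enabled'; Value = 0 }) | Out-Null

# "Configure Offline Files (1 of 2)", laptop OU: re-enable the feature, loopback merge,
# support staff denied so their logons do not pick up the user-side sync settings.
New-PolicyGpo -Name 'Configure Offline Files (1 of 2)' -LinkTo $laptopOu -Registry @(
    @{ Key = $netCacheHklm; ValueName = 'Enabled'; Value = 1 }, $loopbackMerge) | Out-Null
Deny-GpoApply -Name 'Configure Offline Files (1 of 2)' -Group $supportGrp

# "Configure Offline Files (2 of 2)", laptop OU, filtered to support staff only:
# redirected folders are not pinned offline for them.
New-PolicyGpo -Name 'Configure Offline Files (2 of 2)' -LinkTo $laptopOu -ApplyTo $supportGrp -Registry @(
    $loopbackMerge, @{ Key = $netCacheHkcu; ValueName = 'DisableFRAdminPin'; Value = 1 }) | Out-Null

# Review the resulting filtering as GPMC would show it.
foreach ($n in 'Disable Offline Files', 'Configure Offline Files (1 of 2)', 'Configure Offline Files (2 of 2)') {
    "== $n"
    Get-GPPermission -Name $n -All | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission | Format-Table -AutoSize
}
```

After linking, confirm on a laptop with `gpresult /r` (or `Get-GPResultantSetOfPolicy`) logged on first as a laptop user and then as a support account: the user should see "1 of 2" applied and "2 of 2" filtered out, and the support account the reverse.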
 
Joseph Moody (Blogger and wearer of all hats) commented:
Do you have a number that I can call you at? I will be able to help until 5:30 and this is a whole lot easier to explain by actually talking.
 
devryguy81 (Author) commented:
I am going to back up and start at the top with acbrown2010's suggestion and work my way down.  I got so preoccupied with what I COULD do that I lost focus on what I SHOULD be doing.  "Scope creep", anyone?  So, I am going to apply the KISS principle and see if that helps me out.  Jmoody10, sorry for the spotty replies.  Being the only IT person here and out sick recently has made it difficult for me to get back with you.  I will update as I go along...
 
Glen Knight commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.