devryguy81

asked on

Group Policy on Desktops vs. Laptops

I have a Group Policy (GP) question I am trying to figure out.  I have my Active Directory (AD) set up so that users are separated into OUs based on department.  I also have computer accounts broken into "Desktop" and "Laptop".

For Desktop Users:
In GP, I have a Computer policy that disables offline files.
I also have a User policy that redirects the My Documents folder to the user's home folder on the file server.

For Laptop Users:
I can set up just the User policy that redirects the My Documents folder to the user's home folder on the server because that seems to auto-enable Offline Files.  This will allow the My Documents folder to sync to the local computer upon user log off so they have access to their data when they are off-site.  The problem is that if I needed to log in as myself or an administrative user to their laptops then the My Documents folder would redirect as it should, but the Computer policy would then enable Offline Files and cause the My Documents folder to sync when I logged out.

How can I have my cake and eat it too?  Thanks!
ASKER CERTIFIED SOLUTION
Adam Brown
This solution is only available to members.
Below is a WMI filter for laptops. You can actually add this to your GPO and link it higher in your domain. This way, you could merge your laptop and desktop OUs and eliminate that overhead.

Select * from Win32_Battery where BatteryStatus <> 0
devryguy81

ASKER

Jmoody10:

I have followed your steps from your initial reply and created a GPO in my Laptops OU called (creatively enough) "Computer - Laptop Offline Files".  I add a 'computer' or 'user' prefix to help me keep my policies straight...
Anyway, I have enabled loopback policy processing to merge, turned off Offline Files and added Domain Computers and Domain Admins to the GPO security filtering.  That initially did not work so I changed Domain Computers to a single test machine "virtualxp" that I moved into the Laptops OU.  I also changed it to be the last policy applied.

They are applying properly to the test machine and accounts (thanks to a quick check from 'gpresult'), however when I log in with the primary user's account it is NOT synching as it should, unless I have missed something from your instructions.

If you can help me out or if I need to provide more information please let me know.

Thanks!
Explain this a little more:

"They are applying properly to the test machine and accounts (thanks to a quick check from 'gpresult'), however when I log in with the primary user's account it is NOT synching as it should, unless I have missed something from your instructions."

If you can, export the GPO and upload it as a file.
All right, after a little digging around on Google I ran across a site that might be exactly what I want; I just need a little clarification on something.  Please read the excerpt below; my questions are at the bottom.

Excerpt from http://www.minasi.com/forum/topic.asp?TOPIC_ID=24127, 4th post down...
-----------------------------------------------------------------------------------------------------------------
To implement My Documents folder redirection four GPOs will be used. The four GPOs and their settings are listed below, explanation of the approach taken and explanations of why particular GPO settings were used can be found below the listed settings.
Disable Offline Files
  General
    Links
      Root of domain
  Computer Configuration
    Administrative Templates
      Network/Offline Files
        Allow or Disallow use of the Offline Files feature: Disabled

My Documents Redirection
  General
    Links
      (OU with users who will receive My Documents redirection, eventually root of domain)
  User Configuration
    Folder Redirection
      My Documents
        Setting: Advanced (Specify locations for various user groups)
          GROUP1: Location1
        Options
          Grant user exclusive rights to My Documents: Disabled
          Move the contents of My Documents to the new location: Enabled
          Policy Removal Behavior: Restore Contents

Configure Offline Files (1 of 2)
  General
    Links
      (All Laptop-Tablet OUs)
    Delegation
      (Support people group(s) will have Apply Group Policy=Deny)
  Computer Configuration
    Administrative Templates
      Network/Offline Files
        Allow or Disallow use of the Offline Files Feature: Enabled
      System/Group Policy
        User Group Policy loopback processing mode: Enabled
          Mode: Merge
  User Configuration
    Administrative Templates
      Network/Offline Files
        Event Logging Level: Enabled (3)
        Synchronize all offline files before logging off: Enabled
        Synchronize offline files before suspend: Enabled
          Type of sync to perform when suspending: Full

Configure Offline Files (2 of 2)
  General
    Links
      (All Laptop-Tablet OUs)
    Delegation
      (Authenticated Users removed)
    Security Filtering
      (Support people group(s), only those in these group(s) will receive this policy)
  Computer Configuration
    Administrative Templates
      System/Group Policy
        User Group Policy loopback processing mode: Enabled
          Mode: Merge
  User Configuration
    Administrative Templates
      Network/Offline Files
        Do not automatically make redirected folders available offline: Enabled
-----------------------------------------------------------------------------------------------------------------

QUESTIONS - What I am unsure about are the security/delegation settings.  Are they being applied to the OU containing the Laptop computer accounts, or are they being applied to the GPOs themselves?  I have tried various configurations of both without hitting the right one so if someone can clarify a bit for me I would appreciate it.  A "you are here" is always helpful!

GOAL - My goal here is to redirect My Documents for ALL users, and Disable Offline Files for ALL users.  However, if a laptop user logs into their machine I want to Enable Offline Files for them.  Also, if I (or another Admin) log into said laptop for service, we want our My Documents folders to redirect, but by default we do NOT want Offline Files to sync when we log out.  

BTW - I have attempted to contact the original poster without success, which is why I am now turning to EE's wonderful resources.

Thanks again.
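
A local check for the setup discussed above, as an added example that is not part of any post in this thread: it evaluates the WMI laptop filter quoted earlier and reads back the policy values that the "Configure Offline Files" GPOs in the excerpt are meant to leave on the machine for the logged-on user. The registry value names are assumptions taken from the standard Offline Files and Group Policy administrative templates, and the helper functions Get-PolicyValue and Format-State are hypothetical names.

```powershell
# Added diagnostic (not from the thread). Assumes Windows PowerShell 3.0+;
# on older hosts Get-WmiObject accepts the same -Query string.
# Assumption: these registry value names are the ones the Offline Files and
# Group Policy administrative templates write; confirm against your ADMX/ADM.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Format-State {
    param($Value, [hashtable]$Map)
    if ($null -eq $Value) { 'Not configured' }
    elseif ($Map.ContainsKey([int]$Value)) { $Map[[int]$Value] }
    else { "Unexpected ($Value)" }
}

# The WMI filter quoted in the thread: any returned row makes the filter TRUE.
$query = 'Select * from Win32_Battery where BatteryStatus <> 0'
$rows  = @(Get-CimInstance -Query $query -ErrorAction SilentlyContinue)

# Computer side: Offline Files on/off and loopback processing mode.
$offline  = Get-PolicyValue 'HKLM:\Software\Policies\Microsoft\Windows\NetCache' 'Enabled'
$loopback = Get-PolicyValue 'HKLM:\Software\Policies\Microsoft\Windows\System' 'UserPolicyMode'
# User side: "Do not automatically make redirected folders available offline".
$noPin    = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\NetCache' 'DisableFRAdminPin'

$outcome = if ($offline -eq 0) {
    'Offline Files disabled by policy: nothing syncs'
} elseif ($noPin -eq 1) {
    'Redirected folders are not cached automatically (support/admin logon)'
} else {
    'Redirected folders are cached automatically when Offline Files is on'
}

[pscustomobject]@{
    User             = "$env:USERDOMAIN\$env:USERNAME"
    WmiFilterMatches = ($rows.Count -gt 0)
    OfflineFiles     = Format-State $offline  @{ 0 = 'Disabled'; 1 = 'Enabled' }
    LoopbackMode     = Format-State $loopback @{ 1 = 'Merge'; 2 = 'Replace' }
    Outcome          = $outcome
}
```

Run it once as the laptop's primary user and once as a support account: gpresult lists which GPOs applied, while this shows the values those GPOs actually left in the registry for each logon.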
Do you have a number that I can call you at? I will be able to help until 5:30 and this is a whole lot easier to explain by actually talking.
I am going to back up and start at the top with acbrown2010's suggestion and work my way down.  I got so preoccupied with what I COULD do I lost focus on what I SHOULD be doing.  "Scope creep", anyone?  So, I am going to apply the KISS principle and see if that helps me out.  Jmoody10, sorry for the spotty replies.  Being the only IT person here and out sick recently has made it difficult for me to get back with you.  I will update as I go along...
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.