Solved

Group Policy on Desktops vs. Laptops

Posted on 2010-09-14
876 Views
Last Modified: 2013-11-25
I have a Group Policy (GP) question I am trying to figure out.  I have my Active Directory (AD) set up so that users are separated into OUs based on department.  I also have computer accounts broken into "Desktop" and "Laptop".

For Desktop Users:
In GP, I have a Computer policy that disables offline files.
I also have a User policy that redirects the My Documents folder to the user's home folder on the file server.

For Laptop Users:
I can set up just the User policy that redirects the My Documents folder to the user's home folder on the server because that seems to auto-enable Offline Files.  This will allow the My Documents folder to sync to the local computer upon user log off so they have access to their data when they are off-site.  The problem is that if I needed to log in as myself or an administrative user to their laptops then the My Documents folder would redirect as it should, but the Computer policy would then enable Offline Files and cause the My Documents folder to sync when I logged out.

How can I have my cake and eat it too?  Thanks!
Question by:devryguy81
11 Comments
 
Accepted Solution by: Adam Brown (earned 84 total points)

One possible solution is to set up a Security group and add the users that you want to have offline files running on the laptops to it. Build another GPO that *only* configures the offline file transfer and remove that configuration from the GPO that you want to apply to everyone. Once that's done, add the Laptop users group to the security filtering list for the Offline File Transfer GPO in GPMC and remove the Authenticated Users group.
 
Assisted Solution by: kevinhsieh (earned 83 total points)

You can log in to the laptops as an administrative user that doesn't have folder redirection enabled. You can do this by either having the user in an OU that doesn't get the GPO applied, or you can go to the delegation tab of the GPO and add the user under advanced and put a deny group policy in the permissions.
 
Assisted Solution by: Joseph Moody (earned 83 total points)

On the laptop OU, create a new GPO.

1. Enable loopback policy processing (merge). (Computer Config\Policies\Admin Templates\System\Group Policy)

2. Turn off offline files

3. In the scope of the GPO, add only Domain Computers and your username (or Domain Admins)

4. Left click on the laptop OU. Make sure that this new policy is the last in the link orders.
 
Expert Comment by: Joseph Moody

Below is a WMI filter for laptops. You can actually add this to your GPO and link it higher in your domain. This way, you could merge your laptop and desktop OUs and eliminate that overhead.

Select * from Win32_Battery where BatteryStatus <> 0
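Added here as an example, not code from the thread: a PowerShell check (3.0 or later) that evaluates the WMI filter above the way the Group Policy client does, and then reads back the registry values that the Offline Files and loopback settings discussed in this thread actually write, so a client can be inspected after gpupdate without guessing from behaviour. The registry paths are the standard policy locations for those settings; the chassis-type cross-check is an added caveat, not part of the filter Joseph posted.

```powershell
# Added example (not from the thread): evaluate the laptop WMI filter as the
# Group Policy client would, then read the registry values written by the
# Offline Files and loopback policies used in this thread. PowerShell 3.0+.
# Run on a client after 'gpupdate /force' to see what the machine ended up with.

function Test-LaptopWmiFilter {
    # GPMC treats a WMI filter as "true" when its query returns at least one row.
    $query = 'Select * from Win32_Battery where BatteryStatus <> 0'
    $rows  = @(Get-CimInstance -Namespace 'root\cimv2' -Query $query)

    # Caveat: a desktop with a USB-attached UPS also exposes a Win32_Battery
    # instance. Cross-check the chassis type (8, 9, 10 and 14 are portable,
    # laptop, notebook and sub-notebook in the Win32_SystemEnclosure spec).
    $chassis = @((Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes)
    [pscustomobject]@{
        BatteryFilterMatches = $rows.Count -gt 0   # what the filter alone decides
        PortableChassis      = @($chassis | Where-Object { $_ -in @(8, 9, 10, 14) }).Count -gt 0
    }
}

function Get-OfflineFilesPolicyState {
    # Policy registry locations written by the settings used in this thread.
    $machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
    $user    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
    $system  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $read = { param($path, $name)
        (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    }
    # "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace
    $loopbackMode = switch (& $read $system 'UserPolicyMode') {
        1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' }
    }
    [pscustomobject]@{
        # "Allow or Disallow use of the Offline Files feature": 1 = Enabled, 0 = Disabled, blank = not configured
        OfflineFilesAllowed        = & $read $machine 'Enabled'
        # "Do not automatically make redirected folders available offline": 1 = Enabled
        RedirectedFoldersNotPinned = & $read $user 'DisableFRAdminPin'
        LoopbackMode               = $loopbackMode
    }
}

Test-LaptopWmiFilter
Get-OfflineFilesPolicyState
```

If BatteryFilterMatches is true on a desktop, it is usually a UPS; a filter on Win32_SystemEnclosure.ChassisTypes avoids that false positive.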
 

Author Comment by: devryguy81

Jmoody10:

I have followed your steps from your initial reply and created a GPO in my Laptops OU called (creatively enough) "Computer - Laptop Offline Files".  I add a 'computer' or 'user' prefix to help me keep my policies straight...
Anyway, I have enabled loopback policy processing to merge, turned off Offline Files and added Domain Computers and Domain Admins to the GPO security filtering.  That initially did not work so I changed Domain Computers to a single test machine "virtualxp" that I moved into the Laptops OU.  I also changed it to be the last policy applied.

They are applying properly to the test machine and accounts (thanks to a quick check from 'gpresult'), however when I log in with the primary user's account it is NOT synching as it should, unless I have missed something from your instructions.

If you can help me out or if I need to provide more information please let me know.

Thanks!
 
Expert Comment by: Joseph Moody

Explain this a little more:

"They are applying properly to the test machine and accounts (thanks to a quick check from 'gpresult'), however when I log in with the primary user's account it is NOT synching as it should, unless I have missed something from your instructions."

If you can, export the GPO and upload it as a file.
 

Author Comment by: devryguy81

Alright, after a little digging around on Google I ran across a site that might be exactly what I want, I just need a little clarification on something.  Please read the excerpt below and my questions are at the bottom.

Excerpt from http://www.minasi.com/forum/topic.asp?TOPIC_ID=24127, 4th post down...
-----------------------------------------------------------------------------------------------------------------
To implement My Documents folder redirection four GPOs will be used. The four GPOs and their settings are listed below; an explanation of the approach taken and of why particular GPO settings were used can be found below the listed settings.

Disable Offline Files
    General > Links: Root of domain
    Computer Configuration > Administrative Templates > Network/Offline Files
        Allow or Disallow use of the Offline Files feature: Disabled

My Documents Redirection
    General > Links: (OU with users who will receive My Documents redirection, eventually root of domain)
    User Configuration > Folder Redirection > My Documents
        Setting: Advanced (Specify locations for various user groups)
            GROUP1: Location1
        Options
            Grant user exclusive rights to My Documents: Disabled
            Move the contents of My Documents to the new location: Enabled
            Policy Removal Behavior: Restore Contents

Configure Offline Files (1 of 2)
    General > Links: (All Laptop-Tablet OUs)
    Delegation: (Support people group(s) will have Apply Group Policy=Deny)
    Computer Configuration > Administrative Templates
        Network/Offline Files
            Allow or Disallow use of the Offline Files Feature: Enabled
        System/Group Policy
            User Group Policy loopback processing mode: Enabled
                Mode: Merge
    User Configuration > Administrative Templates > Network/Offline Files
        Event Logging Level: Enabled (3)
        Synchronize all offline files before logging off: Enabled
        Synchronize offline files before suspend: Enabled
        Type of sync to perform when suspending: Full

Configure Offline Files (2 of 2)
    General > Links: (All Laptop-Tablet OUs)
    Delegation: (Authenticated Users removed)
    Security Filtering: (Support people group(s); only those in these group(s) will receive this policy)
    Computer Configuration > Administrative Templates > System/Group Policy
        User Group Policy loopback processing mode: Enabled
            Mode: Merge
    User Configuration > Administrative Templates > Network/Offline Files
        Do not automatically make redirected folders available offline: Enabled
-----------------------------------------------------------------------------------------------------------------

QUESTIONS - What I am unsure about are the security/delegation settings.  Are they being applied to the OU containing the Laptop computer accounts, or are they being applied to the GPOs themselves?  I have tried various configurations of both without hitting the right one so if someone can clarify a bit for me I would appreciate it.  A "you are here" is always helpful!

GOAL - My goal here is to redirect My Documents for ALL users, and Disable Offline Files for ALL users.  However, if a laptop user logs into their machine I want to Enable Offline Files for them.  Also, if I (or another Admin) log into said laptop for service, we want our My Documents folders to redirect, but by default we do NOT want Offline Files to sync when we log out.  

BTW - I have attempted to contact the original poster without success, which is why I am now turning to EE's wonderful resources.

Thanks again.
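Added here as an example, not from the thread or the quoted forum post: the "Disable Offline Files" and "Configure Offline Files (2 of 2)" GPOs from the excerpt, built with the GroupPolicy module (RSAT or a domain controller), which also makes the delegation point concrete, since Set-GPPermission operates on the GPO itself and not on the OU it is linked to. The domain name, OU name and support group name are assumptions; the registry paths are the standard policy locations for the named settings.

```powershell
# Added example (not from the thread): two of the excerpt's GPOs built with the
# GroupPolicy module. Assumed names: domain corp.example, OU 'Laptops',
# support group 'Laptop Support'. Adjust to your environment before running.
Import-Module GroupPolicy

$domainRoot   = 'DC=corp,DC=example'
$laptopOU     = "OU=Laptops,$domainRoot"
$supportGroup = 'Laptop Support'

$netCache = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\NetCache'   # Offline Files (machine side)
$userNC   = 'HKCU\Software\Policies\Microsoft\Windows\NetCache'   # Offline Files (user side)
$sysGP    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'     # loopback processing mode

# "Disable Offline Files", linked at the domain root, so every computer starts disabled.
$disable = New-GPO -Name 'Disable Offline Files'
Set-GPRegistryValue -Name $disable.DisplayName -Key $netCache -ValueName 'Enabled' -Type DWord -Value 0 | Out-Null
New-GPLink -Name $disable.DisplayName -Target $domainRoot -LinkEnabled Yes | Out-Null

# "Configure Offline Files (2 of 2)": loopback Merge lets a user-side setting ride on
# the laptop OU; "Do not automatically make redirected folders available offline"
# keeps support staff's redirected My Documents from being pinned and synced.
$cfg2 = New-GPO -Name 'Configure Offline Files (2 of 2)'
Set-GPRegistryValue -Name $cfg2.DisplayName -Key $sysGP  -ValueName 'UserPolicyMode'    -Type DWord -Value 1 | Out-Null  # 1 = Merge
Set-GPRegistryValue -Name $cfg2.DisplayName -Key $userNC -ValueName 'DisableFRAdminPin' -Type DWord -Value 1 | Out-Null

# Security filtering is a property of the GPO: remove Authenticated Users (-Replace is
# needed to lower an existing permission) and grant Apply to the support group only.
Set-GPPermission -Name $cfg2.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $cfg2.DisplayName -TargetName $supportGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
# Computers lose Read along with Authenticated Users; give it back so the machine
# can process the user half under loopback (mandatory since MS16-072 in 2016).
Set-GPPermission -Name $cfg2.DisplayName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
New-GPLink -Name $cfg2.DisplayName -Target $laptopOU -LinkEnabled Yes | Out-Null

# Left for GPMC: Folder Redirection (not registry-backed, so Set-GPRegistryValue cannot
# write it), the "(1 of 2)" GPO with its sync-before-logoff settings, and the Deny
# "Apply Group Policy" ACE for the support group on "(1 of 2)", which Set-GPPermission
# cannot express (Delegation > Advanced, as kevinhsieh described).
Get-GPPermission -Name $cfg2.DisplayName -All | Select-Object Trustee, Permission
```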
 
Expert Comment by: Joseph Moody

Do you have a number that I can call you at? I will be able to help until 5:30 and this is a whole lot easier to explain by actually talking.
 

Author Comment by: devryguy81

I am going to back up and start at the top with acbrown2010's suggestion and work my way down.  I got so preoccupied with what I COULD do I lost focus on what I SHOULD be doing.  "Scope creep", anyone?  So, I am going to apply the KISS principle and see if that helps me out.  Jmoody10, sorry for the spotty replies.  Being the only IT person here and out sick recently have made it difficult for me to get back with you.  I will update as I go along...
 
Expert Comment by: Glen Knight

This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
