Solved

How can I block domain level folder redirection Group Policy

Posted on 2011-03-02
Last Modified: 2012-05-11
Hi Experts.

I have a domain level Folder redirection policy that applies Folder Redirection.

The Folder Redirection GP setting is in User Configuration/windows settings/folder redirection and just redirects the "My Documents" folder.

I can block users but how can I block a site or GP group holding several PCs inside the Domain from this group policy?  i.e. I want to stop a range of computers running the policy

I've got 10 other Group policies at domain level so just blocking Inheritance isn't going to work..

Thanks

Question by:jmsjms
14 Comments
 
LVL 8

Expert Comment

by:MarkieS
ID: 35017571
You can use Security Group filtering to only apply the policy if the <Computer> or <User>  IS or ISNOT a member of that Group.

Or you can do similar with WMI filters
0
 

Author Comment

by:jmsjms
ID: 35017609
Thanks for your comment.

Can I add a group of computers or can it only be one by one?

I had a look at WMI and it just seems to filter by OS.

0
 
LVL 8

Expert Comment

by:MarkieS
ID: 35017830
I just spotted the flaw in this plan...

Folder redirection is done under the "User Settings" part of the policy.

But you are trying to apply the policy to computers in which case only the "Computer Settings" will be applied.

To achieve this you will need "Loopback Policy Processing" turned on.  This is handled better in Win2k8 and Win7 - not so good on Win2k3 and XP.

Unfortunately I have to head off so I won't be able to advise further until tomorrow but please feel free to post to other "Experts" about Loopback Policy processing.
0
 

Author Comment

by:jmsjms
ID: 35018581
Ah I see. And googling shows up "Loopback Policy Processing" as a little unpredictable.

Anyone else got any ideas or am I asking for something that isn't feasible or should be handled differently?

Thanks
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35020056
I see that you are using User Setting. This policy will only be applicable to users, not computers. Moreover, you can disable the computer policy of GPO using GPMC tool so that only User part setting will be applied.
0
 

Author Comment

by:jmsjms
ID: 35023191
I can block users but how can I block a site or GP group holding several PCs inside the Domain from this group policy?  i.e. I want to stop a range of computers running the policy.  Thanks
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35024032
Hi,

As I mentioned earlier computer configuration changes will be applicable to computer and users configuration to user.

See the attached screenshot how to disable computer configuration part of the GPO


disableComputerSettings.jpg
0
 

Author Comment

by:jmsjms
ID: 35036892
Thanks for your comment V-2nas, but I don't understand why disabling the computer configuration would help here?  This is (as you mention yourself) a User setting but I'm trying to see if there's a way of blocking it on a range of PCs.
0
 

Author Comment

by:jmsjms
ID: 35036928
I'm beginning to think that I'm fighting against the wind on this one and should accept it's a policy that is User specific, not PC specific.  

Sort of makes a kind of sense in that if it was PC based and the affected users went on a PC that wasn't affected they would have redirection working again, which would probably make the users confused.

Therefore, unless anyone has any good ideas I'll note this as not having a solution.

0
 
LVL 8

Accepted Solution

by:
MarkieS earned 500 total points
ID: 35037098
In an XP/2003 environment the only way I got this sort of thing (Apply computer settings to users and user settings to computers)  to work reliably was to Kix script the login script and test for
- OU membership of the user - then apply registry HKLM settings
- OU membership of the computer - then apply registry HKCU settings

As I said in my first post - Win7 and Win2k8 handle this a lot better...

cheers
0
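The logon-script approach from the accepted answer, as an added example that is not part of the original thread: it is written in PowerShell rather than Kix, and it tests the OU of the computer before writing the HKCU "My Documents" location. The OU, the share path and the function names are hypothetical placeholders.

```powershell
# Added example, not code from the thread. Run as the user's logon script.
# Assumed values: replace the OU and share with your own.
$ExemptOu      = 'OU=NoRedirect,DC=example,DC=com'     # hypothetical OU holding the exempt PCs
$RedirectRoot  = '\\fileserver.example.com\home$'      # hypothetical redirection share
$LocalDefault  = '%USERPROFILE%\My Documents'          # local default on XP
$ShellKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Get-ComputerDn {
    # Look up this computer's distinguishedName in the current domain.
    $filter   = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $searcher = [adsisearcher]$filter
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    return [string]$result.Properties['distinguishedname'][0]
}

function Test-InOu {
    param([string]$Dn, [string]$Ou)
    # True when the object is in $Ou or a child OU. The leading comma stops
    # "OU=NoRedirect2,..." from matching "OU=NoRedirect,...".
    if ([string]::IsNullOrEmpty($Dn)) { return $false }
    return $Dn.EndsWith(",$Ou", [System.StringComparison]::OrdinalIgnoreCase)
}

try {
    $dn = Get-ComputerDn
} catch {
    $dn = $null   # no domain controller reachable (cached logon)
}

if ($null -eq $dn) {
    # Fail safe: without a directory answer, leave the existing setting untouched.
    return
}

if (Test-InOu -Dn $dn -Ou $ExemptOu) {
    $target = $LocalDefault                                   # exempt PC: keep documents local
} else {
    $target = "$RedirectRoot\%USERNAME%\My Documents"         # everyone else: redirect
}

# REG_EXPAND_SZ so %USERPROFILE% / %USERNAME% are expanded by the shell.
New-ItemProperty -Path $ShellKey -Name 'Personal' -Value $target `
    -PropertyType ExpandString -Force | Out-Null
```

Writing the registry value only changes where the shell points; unlike Folder Redirection policy it does not move existing files. The domain Folder Redirection GPO must not also apply to the same users, or the two will conflict.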
 

Author Comment

by:jmsjms
ID: 35055261
OK.  Thanks MarkieS.  

Your post above suggests a way forward but I haven't got the time/expertise to muck around with Kix so I'm just going to follow MS's thinking for now, and block it by User rather than by PC.  

As your post could be used as a starting point for someone with a similar problem I'll mark it as the answer.  Many thanks for your comments.

V2-nas, I can't see the relevance of your comments, so I'll give MarkieS the points.  Apologies if I'm missing a point.

0
 

Author Closing Comment

by:jmsjms
ID: 35055268
Marked as B as it's not a complete answer, more of a starting point.  (but a useful one at that!).  Cheers John
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35055284
It's ok :)
0
 
LVL 8

Expert Comment

by:MarkieS
ID: 35056907
Thanks jmsjms.

If you decide to go Kix script route drop another line.

all the best...

Markie S
0

Question has a verified solution.
