Solved

How can I block domain level folder redirection Group Policy

Posted on 2011-03-02
14
1,151 Views
Last Modified: 2012-05-11
HI Experts.

I have a a domain level Folder redirection policy that applies Folder Redirection.

The Folder Redirection GP setting is in User Configuration/windows settings/folder redirection and just redirects the "My Documents" folder.

I can block users but how can I block a site or GP group holding serveral PCs inside the Domain from from this group policy?  i.e. I want to stop a range of computers urnning the policy

I've got 10 other Group policies at domain level so just blocking Inheritance isn't going to work..

Thanks

0
Comment
Question by:jmsjms
  • 7
  • 4
  • 3
14 Comments
 
LVL 8

Expert Comment

by:MarkieS
ID: 35017571
You can use Security Group filtering to only apply the policy if the <Computer> or <User>  IS or ISNOT a member of that Group.

Or you can do similar with WMI filters
0
 

Author Comment

by:jmsjms
ID: 35017609
Thanks for your comment.

Can I add a group of computers or can it only be one by one?

I have a look at WMI and it just seems to filter by OS.

0
 
LVL 8

Expert Comment

by:MarkieS
ID: 35017830
I just spotted the flaw in this plan...

Folder redirection is done under the "User Settings" part of the policy.

But you are trying to apply the policy to computers in which case only the "Computer Settings" will be applied.

To acheive this you will need "Loopback Policy Processing" turned on.  This is handled better in Win2k8 and Win7 - not so good on Win2k3 and XP.

Unfortunately I have to head off so I wont be able to advise further until tomorrow but please feel free to post to other "Experts" about Loopback Policy processing.
0
 

Author Comment

by:jmsjms
ID: 35018581
Ah I see. And googling shows up "Loopback Policy Processing" as a little unpredictable.

Any one else got any ideas or am I asking for something that isn't feasible or should be handled differently?

Thanks
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35020056
I see that you are using User Setting, This policy will only be applicable to users not computers. More over you can disable the computer policy of GPO using GPMC tool so that only User part setting will be applied.
0
 

Author Comment

by:jmsjms
ID: 35023191
I can block users but how can I block a site or GP group holding serveral PCs inside the Domain from from this group policy?  i.e. I want to stop a range of computers running the policy.  Thanks
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35024032
Hi,

As I mentioned earlier computer configuration changes will be applicable to computer and users configuration to user.

See the attached screenshot how to disable computer configuration part of the GPO


disableComputerSettings.jpg
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:jmsjms
ID: 35036892
Thanks for your comment V-2nas, but I dont understand why disabling the computer configuration would help here?  THis is (as you mention yourself) a User setting but I'm trying to see if there's a way of blocking it on a range of PCs.
0
 

Author Comment

by:jmsjms
ID: 35036928
I'm beginning to think that I'm fighting against the wind on this one and should accept it's a policy that is User specific, not PC specific.  

Sort of makes a kind of sense in that if it was PC based and the affect users went on a PC that want affected they would have redirection working again.  which would proably make the users confused.

Therefore, unless anyone has any good ideas I'll note this as not having a solution.

0
 
LVL 8

Accepted Solution

by:
MarkieS earned 500 total points
ID: 35037098
In an XP/2003 environment the only way I got this sort of thing (Apply computer settings to users and user settings to computers)  to work reliably was to Kix script the login script and test for
- OU membership of the user - then apply registry HKLM settings
- OU membership of the computer - then apply registry HKCU settings

As I said in my first post - Win7 and Win2k8 handle this alot better...

cheers
0
 

Author Comment

by:jmsjms
ID: 35055261
OK.  Thanks MarkieS.  

Your post above suggests a way forward but I hanv't got the time/expertise to muck around with Kix so I'm just going to follow MS's thinking for now, and block it by User rather than by PC.  

As your post could be used as a starting point for someone with a similar problem I'll mark it as the answer.  Many thanks for your comments.

V2-nas, i can't see the relevance of your comments, so I'll give Markies the points.  Apologies if I'm missing a point.

0
 

Author Closing Comment

by:jmsjms
ID: 35055268
Marked as B as it's not a complete answer, more of a starting point.  (but a useful one at that!).  Cheers John
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35055284
Its ok :)
0
 
LVL 8

Expert Comment

by:MarkieS
ID: 35056907
Thanks jmsjms.

If you decide to go Kix script route drop another line.

all the best...

Markie S
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now