• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1160
  • Last Modified:

How can I block domain level folder redirection Group Policy

HI Experts.

I have a a domain level Folder redirection policy that applies Folder Redirection.

The Folder Redirection GP setting is in User Configuration/windows settings/folder redirection and just redirects the "My Documents" folder.

I can block users but how can I block a site or GP group holding serveral PCs inside the Domain from from this group policy?  i.e. I want to stop a range of computers urnning the policy

I've got 10 other Group policies at domain level so just blocking Inheritance isn't going to work..

Thanks

0
jmsjms
Asked:
jmsjms
  • 7
  • 4
  • 3
1 Solution
 
MarkieSCommented:
You can use Security Group filtering to only apply the policy if the <Computer> or <User>  IS or ISNOT a member of that Group.

Or you can do similar with WMI filters
0
 
jmsjmsAuthor Commented:
Thanks for your comment.

Can I add a group of computers or can it only be one by one?

I have a look at WMI and it just seems to filter by OS.

0
 
MarkieSCommented:
I just spotted the flaw in this plan...

Folder redirection is done under the "User Settings" part of the policy.

But you are trying to apply the policy to computers in which case only the "Computer Settings" will be applied.

To acheive this you will need "Loopback Policy Processing" turned on.  This is handled better in Win2k8 and Win7 - not so good on Win2k3 and XP.

Unfortunately I have to head off so I wont be able to advise further until tomorrow but please feel free to post to other "Experts" about Loopback Policy processing.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
jmsjmsAuthor Commented:
Ah I see. And googling shows up "Loopback Policy Processing" as a little unpredictable.

Any one else got any ideas or am I asking for something that isn't feasible or should be handled differently?

Thanks
0
 
NavdeepCommented:
I see that you are using User Setting, This policy will only be applicable to users not computers. More over you can disable the computer policy of GPO using GPMC tool so that only User part setting will be applied.
0
 
jmsjmsAuthor Commented:
I can block users but how can I block a site or GP group holding serveral PCs inside the Domain from from this group policy?  i.e. I want to stop a range of computers running the policy.  Thanks
0
 
NavdeepCommented:
Hi,

As I mentioned earlier computer configuration changes will be applicable to computer and users configuration to user.

See the attached screenshot how to disable computer configuration part of the GPO


disableComputerSettings.jpg
0
 
jmsjmsAuthor Commented:
Thanks for your comment V-2nas, but I dont understand why disabling the computer configuration would help here?  THis is (as you mention yourself) a User setting but I'm trying to see if there's a way of blocking it on a range of PCs.
0
 
jmsjmsAuthor Commented:
I'm beginning to think that I'm fighting against the wind on this one and should accept it's a policy that is User specific, not PC specific.  

Sort of makes a kind of sense in that if it was PC based and the affect users went on a PC that want affected they would have redirection working again.  which would proably make the users confused.

Therefore, unless anyone has any good ideas I'll note this as not having a solution.

0
 
MarkieSCommented:
In an XP/2003 environment the only way I got this sort of thing (Apply computer settings to users and user settings to computers)  to work reliably was to Kix script the login script and test for
- OU membership of the user - then apply registry HKLM settings
- OU membership of the computer - then apply registry HKCU settings

As I said in my first post - Win7 and Win2k8 handle this alot better...

cheers
0
 
jmsjmsAuthor Commented:
OK.  Thanks MarkieS.  

Your post above suggests a way forward but I hanv't got the time/expertise to muck around with Kix so I'm just going to follow MS's thinking for now, and block it by User rather than by PC.  

As your post could be used as a starting point for someone with a similar problem I'll mark it as the answer.  Many thanks for your comments.

V2-nas, i can't see the relevance of your comments, so I'll give Markies the points.  Apologies if I'm missing a point.

0
 
jmsjmsAuthor Commented:
Marked as B as it's not a complete answer, more of a starting point.  (but a useful one at that!).  Cheers John
0
 
NavdeepCommented:
Its ok :)
0
 
MarkieSCommented:
Thanks jmsjms.

If you decide to go Kix script route drop another line.

all the best...

Markie S
0

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

  • 7
  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now