Solved

Loopback for GPO folder preferences?

Posted on 2011-03-03
11
522 Views
Last Modified: 2012-05-11
Is there a way to assign loopback settings to GPO folder preferences?  We have 2 folders created at login, and it seems they need to be part of the Users section to allow the "Run in user's security context" option.  However, some users don't always login to the machines that need these folders, so the event log generates 2 warnings whenever they login to machines outside the scope of this setting.

I assume a loopback which disables this folder creation would be appropriate, but I can't figure out how to do that?
0
Comment
Question by:sbumpas
  • 5
  • 5
11 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35030995
I think you are refering to loopback processing, this can be applied as per this article: http://support.microsoft.com/kb/231287
0
 

Author Comment

by:sbumpas
ID: 35031069
Correct - but how do I create a loopback GPO for folder creation?  because the folders are typed in, not enabled/disabled/not configured like your average GPO setting.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35031104
I am not sure I understand your question?

The loopback processing ensures that settings that are applied to the computer section of the GPO are applied to the users instead. (or that's the simple terms).
0
 

Author Comment

by:sbumpas
ID: 35031128
Maybe I don't understand loopbacks, then.  My impression was that loopback settings could be used to overwrite portions of a GPO, for an object in an OU, that would otherwise receive it's settings from a higher OU or AD group.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35031142
No, you can block inheritence or no override.

This is very different from loopback processing.

You can also add a group of users to the security tab of the Group Policy and specify Deny on the "Apply Policy" setting.
0
 

Author Comment

by:sbumpas
ID: 35031243
I'm even confusing myself now - let me rephrase:

In a user-based GPO, I have 2 folder preferences (Prefs -> Windows Setting -> Folders).  Each of these preferences creates a folder for all users in the GPO.  How can I deny this preference when the user logs in to Computer Y or Z, but continue to allow it on Computers A-X?  Y-Z are in a different OU than A-X.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35031256
where are you applying the policies?
0
 

Author Comment

by:sbumpas
ID: 35031267
They are user policies on an OU containing only users.
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
ID: 35031309
You need to apply the policies at the computer OU's rather than the user OU's and enable loopback processing as per my first link.
0
 
LVL 11

Expert Comment

by:yelbaglf
ID: 35031433
Loopback policy processing can get tricky...

If your PC's that need the folders and the PC's that do NOT are in different OU's, then you might can do this by basically combining/duplicating the GPO's you need for users.  Then apply this duplicated GPO to the OU that contains the PC's that do NOT need the folders.  Of course in this duplicated GPO, you'll want to use the 'Replace' loopback policy option, along with NOT using the group policy that creates the folders.

I'm thinking out loud here, but if thinking correctly, then this would work IF your login script is NOT set in the user's AD properties.  In other words, if it is set with group policy, then 'Replace' will do just that.

Something to note is that network drive and printer mappings ignore this setting as they always use the user context.  As, for literally just creating a folder, you could script something, which might be easier?
0
 

Author Closing Comment

by:sbumpas
ID: 35037607
It appears my understanding of loopback policies was actually the problem here.  Thanks!
0

Join & Write a Comment

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now