• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 538
  • Last Modified:

Loopback for GPO folder preferences?

Is there a way to assign loopback settings to GPO folder preferences?  We have 2 folders created at login, and it seems they need to be part of the Users section to allow the "Run in user's security context" option.  However, some users don't always login to the machines that need these folders, so the event log generates 2 warnings whenever they login to machines outside the scope of this setting.

I assume a loopback which disables this folder creation would be appropriate, but I can't figure out how to do that?
0
sbumpas
Asked:
sbumpas
  • 5
  • 5
1 Solution
 
Glen KnightCommented:
I think you are refering to loopback processing, this can be applied as per this article: http://support.microsoft.com/kb/231287
0
 
sbumpasAuthor Commented:
Correct - but how do I create a loopback GPO for folder creation?  because the folders are typed in, not enabled/disabled/not configured like your average GPO setting.
0
 
Glen KnightCommented:
I am not sure I understand your question?

The loopback processing ensures that settings that are applied to the computer section of the GPO are applied to the users instead. (or that's the simple terms).
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
sbumpasAuthor Commented:
Maybe I don't understand loopbacks, then.  My impression was that loopback settings could be used to overwrite portions of a GPO, for an object in an OU, that would otherwise receive it's settings from a higher OU or AD group.
0
 
Glen KnightCommented:
No, you can block inheritence or no override.

This is very different from loopback processing.

You can also add a group of users to the security tab of the Group Policy and specify Deny on the "Apply Policy" setting.
0
 
sbumpasAuthor Commented:
I'm even confusing myself now - let me rephrase:

In a user-based GPO, I have 2 folder preferences (Prefs -> Windows Setting -> Folders).  Each of these preferences creates a folder for all users in the GPO.  How can I deny this preference when the user logs in to Computer Y or Z, but continue to allow it on Computers A-X?  Y-Z are in a different OU than A-X.
0
 
Glen KnightCommented:
where are you applying the policies?
0
 
sbumpasAuthor Commented:
They are user policies on an OU containing only users.
0
 
Glen KnightCommented:
You need to apply the policies at the computer OU's rather than the user OU's and enable loopback processing as per my first link.
0
 
yelbaglfCommented:
Loopback policy processing can get tricky...

If your PC's that need the folders and the PC's that do NOT are in different OU's, then you might can do this by basically combining/duplicating the GPO's you need for users.  Then apply this duplicated GPO to the OU that contains the PC's that do NOT need the folders.  Of course in this duplicated GPO, you'll want to use the 'Replace' loopback policy option, along with NOT using the group policy that creates the folders.

I'm thinking out loud here, but if thinking correctly, then this would work IF your login script is NOT set in the user's AD properties.  In other words, if it is set with group policy, then 'Replace' will do just that.

Something to note is that network drive and printer mappings ignore this setting as they always use the user context.  As, for literally just creating a folder, you could script something, which might be easier?
0
 
sbumpasAuthor Commented:
It appears my understanding of loopback policies was actually the problem here.  Thanks!
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now