Solved

Loopback for GPO folder preferences?

Posted on 2011-03-03
11
524 Views
Last Modified: 2012-05-11
Is there a way to assign loopback settings to GPO folder preferences?  We have 2 folders created at login, and it seems they need to be part of the Users section to allow the "Run in user's security context" option.  However, some users don't always login to the machines that need these folders, so the event log generates 2 warnings whenever they login to machines outside the scope of this setting.

I assume a loopback which disables this folder creation would be appropriate, but I can't figure out how to do that?
0
Comment
Question by:sbumpas
  • 5
  • 5
11 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35030995
I think you are refering to loopback processing, this can be applied as per this article: http://support.microsoft.com/kb/231287
0
 

Author Comment

by:sbumpas
ID: 35031069
Correct - but how do I create a loopback GPO for folder creation?  because the folders are typed in, not enabled/disabled/not configured like your average GPO setting.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35031104
I am not sure I understand your question?

The loopback processing ensures that settings that are applied to the computer section of the GPO are applied to the users instead. (or that's the simple terms).
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 

Author Comment

by:sbumpas
ID: 35031128
Maybe I don't understand loopbacks, then.  My impression was that loopback settings could be used to overwrite portions of a GPO, for an object in an OU, that would otherwise receive it's settings from a higher OU or AD group.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35031142
No, you can block inheritence or no override.

This is very different from loopback processing.

You can also add a group of users to the security tab of the Group Policy and specify Deny on the "Apply Policy" setting.
0
 

Author Comment

by:sbumpas
ID: 35031243
I'm even confusing myself now - let me rephrase:

In a user-based GPO, I have 2 folder preferences (Prefs -> Windows Setting -> Folders).  Each of these preferences creates a folder for all users in the GPO.  How can I deny this preference when the user logs in to Computer Y or Z, but continue to allow it on Computers A-X?  Y-Z are in a different OU than A-X.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35031256
where are you applying the policies?
0
 

Author Comment

by:sbumpas
ID: 35031267
They are user policies on an OU containing only users.
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
ID: 35031309
You need to apply the policies at the computer OU's rather than the user OU's and enable loopback processing as per my first link.
0
 
LVL 11

Expert Comment

by:yelbaglf
ID: 35031433
Loopback policy processing can get tricky...

If your PC's that need the folders and the PC's that do NOT are in different OU's, then you might can do this by basically combining/duplicating the GPO's you need for users.  Then apply this duplicated GPO to the OU that contains the PC's that do NOT need the folders.  Of course in this duplicated GPO, you'll want to use the 'Replace' loopback policy option, along with NOT using the group policy that creates the folders.

I'm thinking out loud here, but if thinking correctly, then this would work IF your login script is NOT set in the user's AD properties.  In other words, if it is set with group policy, then 'Replace' will do just that.

Something to note is that network drive and printer mappings ignore this setting as they always use the user context.  As, for literally just creating a folder, you could script something, which might be easier?
0
 

Author Closing Comment

by:sbumpas
ID: 35037607
It appears my understanding of loopback policies was actually the problem here.  Thanks!
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question