Solved

Loopback for GPO folder preferences?

Posted on 2011-03-03
11
525 Views
Last Modified: 2012-05-11
Is there a way to assign loopback settings to GPO folder preferences?  We have 2 folders created at login, and it seems they need to be part of the Users section to allow the "Run in user's security context" option.  However, some users don't always login to the machines that need these folders, so the event log generates 2 warnings whenever they login to machines outside the scope of this setting.

I assume a loopback which disables this folder creation would be appropriate, but I can't figure out how to do that?
0
Comment
Question by:sbumpas
  • 5
  • 5
11 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35030995
I think you are refering to loopback processing, this can be applied as per this article: http://support.microsoft.com/kb/231287
0
 

Author Comment

by:sbumpas
ID: 35031069
Correct - but how do I create a loopback GPO for folder creation?  because the folders are typed in, not enabled/disabled/not configured like your average GPO setting.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35031104
I am not sure I understand your question?

The loopback processing ensures that settings that are applied to the computer section of the GPO are applied to the users instead. (or that's the simple terms).
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:sbumpas
ID: 35031128
Maybe I don't understand loopbacks, then.  My impression was that loopback settings could be used to overwrite portions of a GPO, for an object in an OU, that would otherwise receive it's settings from a higher OU or AD group.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35031142
No, you can block inheritence or no override.

This is very different from loopback processing.

You can also add a group of users to the security tab of the Group Policy and specify Deny on the "Apply Policy" setting.
0
 

Author Comment

by:sbumpas
ID: 35031243
I'm even confusing myself now - let me rephrase:

In a user-based GPO, I have 2 folder preferences (Prefs -> Windows Setting -> Folders).  Each of these preferences creates a folder for all users in the GPO.  How can I deny this preference when the user logs in to Computer Y or Z, but continue to allow it on Computers A-X?  Y-Z are in a different OU than A-X.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35031256
where are you applying the policies?
0
 

Author Comment

by:sbumpas
ID: 35031267
They are user policies on an OU containing only users.
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
ID: 35031309
You need to apply the policies at the computer OU's rather than the user OU's and enable loopback processing as per my first link.
0
 
LVL 11

Expert Comment

by:yelbaglf
ID: 35031433
Loopback policy processing can get tricky...

If your PC's that need the folders and the PC's that do NOT are in different OU's, then you might can do this by basically combining/duplicating the GPO's you need for users.  Then apply this duplicated GPO to the OU that contains the PC's that do NOT need the folders.  Of course in this duplicated GPO, you'll want to use the 'Replace' loopback policy option, along with NOT using the group policy that creates the folders.

I'm thinking out loud here, but if thinking correctly, then this would work IF your login script is NOT set in the user's AD properties.  In other words, if it is set with group policy, then 'Replace' will do just that.

Something to note is that network drive and printer mappings ignore this setting as they always use the user context.  As, for literally just creating a folder, you could script something, which might be easier?
0
 

Author Closing Comment

by:sbumpas
ID: 35037607
It appears my understanding of loopback policies was actually the problem here.  Thanks!
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question