Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5183
  • Last Modified:

Disable folder redirection on certain desktops

Folder redirection is enabled for all users in the company. However, I want to setup some computers that's for public and share usage. I was wondering if there is anyway to only load local profile via group policy on those computers and not affecting users existing folder redirection settings/files. Thanks
0
Wangstaa
Asked:
Wangstaa
  • 9
  • 8
  • 5
  • +1
2 Solutions
 
piattndCommented:
You should be able to perform filtering on your GPOs to make sure they only apply to the individuals you want to apply them to.  This does depend on the type of GPO settings you wish to set though.  It's been a while since I've looked at the Folder Redirect settings, but I'm pretty sure they are User settings, not Computer settings, so you can do filtering based on groups of users.

Create your GPO and create a security group named appropriately for this particular purpose (No Folder Redirection Users).  Add your desired users to that group and modify the GPO to only apply to that group of users.  Apply the GPO to the lowest OU container possible while still making sure it blankets all your desired users.

Make sure to test first with at least 1 desired account and 1 non desired account to make sure the settings are applied properly to the desired account, but not the non desired account.
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Yes, it can be done.

If there are specific users you don't want Folder Redirection enabled, create a new OU and place the users in it. Then create a new GPO and link it to that OU and configure the Folder Redirection settings to use the local path.

If it's specific computers, create a new OU and place the computers in it. Then create a new GPO and link it to that OU and configure the Folder Redirection settings to use the local path. Also configure the loopback processing to merge or replace (depending on what you need) so that anyone who logs on to the computer will receive the folder redirection settings.

More info on loopback processing: http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
0
 
piattndCommented:
You do not need to create a separate OU and move users, simply adjust the GPO filtering so it only applies to your users/computers you desire.
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
WangstaaAuthor Commented:
you are right, the folder redirection GPO is a user policy and all users are enabled.

I want the users to be able to log onto a public computer with their own credentials but folder redirection disabled.
0
 
piattndCommented:
When you say "public computer" is that public computer on your domain or not?
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
@piattnd "You do not need to create a separate OU and move users, simply adjust the GPO filtering so it only applies to your users/computers you desire."

While you could use security filtering, it's best to avoid it if possible. Using OUs to organize object and apply appropriate policies is best practices. Using security filtering can affect performance and increases the administrative burden.
0
 
WangstaaAuthor Commented:
@piattnd

yes, public computers on my domain. For example, conference room.
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
@Wangstaa
Have you reviewed my post? Do you have any questions regarding the implementation?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
What you need to do is put that computer is an isolated OU and then apply "Group Policy Loopback Processing Mode" using Replace Mode.

This works when the users login to the machine it will use the User Policies that are assigned to the OU itself and not use the policies from the OU where the user account currently exists.

Loopback Processing Setup - http://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx

LoopBack Processing explained - http://support.microsoft.com/kb/231287

Note: make sure that you use Replace Mode and not Merge Mode. Merge mode will merge the settings from both policies, where replace mode simply uses the settings that are applied to users on that particular OU.

This can be done for User and Computer policies.

Will.
0
 
piattndCommented:
In regards to the performance implications of GPO filtering, I don't know what technical data Jeremy claims to have, but I've used filtering on many occasions with thousands of users and there's never been an issue.

http://technet.microsoft.com/en-us/library/cc752992.aspx

That link describes the process of filtering via security group, which is exactly what I'd do to make sure it only applies to desired users.
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
The only time processing is affected from a Group Polocy Processing Stand-point is when you are using the following features in Group Policy. This does not include startup scripts this is simply the processing stages when GP is loading.

- Blocked Inheritance
- WMI Filters

Security Filtering does not apply here.

Will.
0
 
WangstaaAuthor Commented:
@Spec01

what do I do if i have no user configuration policies for Computer OU? Do I just put a blank GPO there and assign it to replace mode?

@Jeremy Weisinger

you are suggesting to simply apply  folder redirection policy to the appropriate computer OU, and place public computers in a separate OU?
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
No, sorry I wasn't clear. My suggestion is:

- Create a new OU and place the public computers in it.
- Create a new GPO and link it to that OU
- In the newly created GPO, configure the Folder Redirection settings to use the local path.
- In the newly created GP configure the loopback processing to merge or replace (depending on what you need)

Will has said to use Replace Mode but it really depends on your situation and if you want other users settings applied or not.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
That is correct. If you do not want any User policies to be applied when a user logs into this machine then just leave it blank. If you still want policies but only specific to this machine then add the policies as you wish. Replace mode is the way you need to approch this based on your original question.

Will.
0
 
WangstaaAuthor Commented:
@Jeremy
There really isn't a local path setting for folder redirection. A blank GPO would default local path.

@Spec01
I need all other user configuration policies to apply, so I presume merge is the way to go? But if I put a blank GPO on merge mode, wouldn't that override all user settings to since the blank GPO will take precedence?
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
There is:

Select Basic for the setting and then select "Redirect to the local userprofile location" for the target. Folder Redirection Settings
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
If you "want" users settings to be applied to the public computers then you would use "Merge Mode" which will merge the Users current policies based on the current OU they are located in and apply them to the computer when the user logs in. If you don't want this then you would use replace mode which will only apply the policies of the OU where the computer is located in.

Will.
0
 
WangstaaAuthor Commented:
Well, replace mode worked. Merge mode did not, any ideas?
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Did you configure the new policy's folder redirection to point back locally?
0
 
WangstaaAuthor Commented:
Yes.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Are you applying this to all users or just a select few? Did you do gpudpate /force after the policy was applied? What are you using for security filtering?


Will.
0
 
WangstaaAuthor Commented:
I applied it to the OU where all the public computer is in.

yes to GPUPDATE/FORCE, otherwise replace wouldn't have worked

I checked rsop.msc and it did detect conflict in folder redirection, however the original folder redirection GPO took precedence which was weird.
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Sound like you have Enforcement enabled on the other Group Policy. You should try to avoid using that if possible. Do you need Enforcement enabled?

More info on GPO inheritance. http://technet.microsoft.com/en-us/library/cc739343(WS.10).aspx
0
 
WangstaaAuthor Commented:
Thank you both for the help, the GPO started working correctly this morning.
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Glad to help.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 9
  • 8
  • 5
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now