Solved

Disable folder redirection on certain desktops

Posted on 2014-01-06
26
3,517 Views
Last Modified: 2014-01-07
Folder redirection is enabled for all users in the company. However, I want to setup some computers that's for public and share usage. I was wondering if there is anyway to only load local profile via group policy on those computers and not affecting users existing folder redirection settings/files. Thanks
0
Comment
Question by:Wangstaa
  • 9
  • 8
  • 5
  • +1
26 Comments
 
LVL 12

Expert Comment

by:piattnd
ID: 39759773
You should be able to perform filtering on your GPOs to make sure they only apply to the individuals you want to apply them to.  This does depend on the type of GPO settings you wish to set though.  It's been a while since I've looked at the Folder Redirect settings, but I'm pretty sure they are User settings, not Computer settings, so you can do filtering based on groups of users.

Create your GPO and create a security group named appropriately for this particular purpose (No Folder Redirection Users).  Add your desired users to that group and modify the GPO to only apply to that group of users.  Apply the GPO to the lowest OU container possible while still making sure it blankets all your desired users.

Make sure to test first with at least 1 desired account and 1 non desired account to make sure the settings are applied properly to the desired account, but not the non desired account.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39759791
Yes, it can be done.

If there are specific users you don't want Folder Redirection enabled, create a new OU and place the users in it. Then create a new GPO and link it to that OU and configure the Folder Redirection settings to use the local path.

If it's specific computers, create a new OU and place the computers in it. Then create a new GPO and link it to that OU and configure the Folder Redirection settings to use the local path. Also configure the loopback processing to merge or replace (depending on what you need) so that anyone who logs on to the computer will receive the folder redirection settings.

More info on loopback processing: http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39759794
You do not need to create a separate OU and move users, simply adjust the GPO filtering so it only applies to your users/computers you desire.
0
 

Author Comment

by:Wangstaa
ID: 39759795
you are right, the folder redirection GPO is a user policy and all users are enabled.

I want the users to be able to log onto a public computer with their own credentials but folder redirection disabled.
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39759799
When you say "public computer" is that public computer on your domain or not?
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39759810
@piattnd "You do not need to create a separate OU and move users, simply adjust the GPO filtering so it only applies to your users/computers you desire."

While you could use security filtering, it's best to avoid it if possible. Using OUs to organize object and apply appropriate policies is best practices. Using security filtering can affect performance and increases the administrative burden.
0
 

Author Comment

by:Wangstaa
ID: 39759811
@piattnd

yes, public computers on my domain. For example, conference room.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39759817
@Wangstaa
Have you reviewed my post? Do you have any questions regarding the implementation?
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 39759830
What you need to do is put that computer is an isolated OU and then apply "Group Policy Loopback Processing Mode" using Replace Mode.

This works when the users login to the machine it will use the User Policies that are assigned to the OU itself and not use the policies from the OU where the user account currently exists.

Loopback Processing Setup - http://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx

LoopBack Processing explained - http://support.microsoft.com/kb/231287

Note: make sure that you use Replace Mode and not Merge Mode. Merge mode will merge the settings from both policies, where replace mode simply uses the settings that are applied to users on that particular OU.

This can be done for User and Computer policies.

Will.
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39759877
In regards to the performance implications of GPO filtering, I don't know what technical data Jeremy claims to have, but I've used filtering on many occasions with thousands of users and there's never been an issue.

http://technet.microsoft.com/en-us/library/cc752992.aspx

That link describes the process of filtering via security group, which is exactly what I'd do to make sure it only applies to desired users.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39759907
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39759910
The only time processing is affected from a Group Polocy Processing Stand-point is when you are using the following features in Group Policy. This does not include startup scripts this is simply the processing stages when GP is loading.

- Blocked Inheritance
- WMI Filters

Security Filtering does not apply here.

Will.
0
 

Author Comment

by:Wangstaa
ID: 39760095
@Spec01

what do I do if i have no user configuration policies for Computer OU? Do I just put a blank GPO there and assign it to replace mode?

@Jeremy Weisinger

you are suggesting to simply apply  folder redirection policy to the appropriate computer OU, and place public computers in a separate OU?
0
 
LVL 18

Accepted Solution

by:
Jeremy Weisinger earned 250 total points
ID: 39760108
No, sorry I wasn't clear. My suggestion is:

- Create a new OU and place the public computers in it.
- Create a new GPO and link it to that OU
- In the newly created GPO, configure the Folder Redirection settings to use the local path.
- In the newly created GP configure the loopback processing to merge or replace (depending on what you need)

Will has said to use Replace Mode but it really depends on your situation and if you want other users settings applied or not.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39760110
That is correct. If you do not want any User policies to be applied when a user logs into this machine then just leave it blank. If you still want policies but only specific to this machine then add the policies as you wish. Replace mode is the way you need to approch this based on your original question.

Will.
0
 

Author Comment

by:Wangstaa
ID: 39760132
@Jeremy
There really isn't a local path setting for folder redirection. A blank GPO would default local path.

@Spec01
I need all other user configuration policies to apply, so I presume merge is the way to go? But if I put a blank GPO on merge mode, wouldn't that override all user settings to since the blank GPO will take precedence?
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39760196
There is:

Select Basic for the setting and then select "Redirect to the local userprofile location" for the target. Folder Redirection Settings
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39760284
If you "want" users settings to be applied to the public computers then you would use "Merge Mode" which will merge the Users current policies based on the current OU they are located in and apply them to the computer when the user logs in. If you don't want this then you would use replace mode which will only apply the policies of the OU where the computer is located in.

Will.
0
 

Author Comment

by:Wangstaa
ID: 39760623
Well, replace mode worked. Merge mode did not, any ideas?
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39760701
Did you configure the new policy's folder redirection to point back locally?
0
 

Author Comment

by:Wangstaa
ID: 39760709
Yes.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39760729
Are you applying this to all users or just a select few? Did you do gpudpate /force after the policy was applied? What are you using for security filtering?


Will.
0
 

Author Comment

by:Wangstaa
ID: 39760765
I applied it to the OU where all the public computer is in.

yes to GPUPDATE/FORCE, otherwise replace wouldn't have worked

I checked rsop.msc and it did detect conflict in folder redirection, however the original folder redirection GPO took precedence which was weird.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39761232
Sound like you have Enforcement enabled on the other Group Policy. You should try to avoid using that if possible. Do you need Enforcement enabled?

More info on GPO inheritance. http://technet.microsoft.com/en-us/library/cc739343(WS.10).aspx
0
 

Author Closing Comment

by:Wangstaa
ID: 39762303
Thank you both for the help, the GPO started working correctly this morning.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39762561
Glad to help.
0

Join & Write a Comment

Resolve DNS query failed errors for Exchange
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now