Advise please: Folder redirect best way to disable for Laptops and on Servers.

    Question

  • We have a folder redirection policy in place for all of our users. We are trying to restructure our policies. I don't want to screw up our current structure, but would not like to enable folder redirect on servers and laptops. How should I go about doing so? What steps should I take to do so? Create a new OU for the Servers and Mobile devices? Sorry, new to GP and trying to make a good impression at work :). Any feedback would be appreciated! Thanks!

    Tuesday, March 31, 2015 4:55 AM

All replies

  • Hi,

    The best way to do this depends upon your current Active Directory OU structure. 

    Group Policies contain both user and computer settings. Folder redirection settings are user settings.

    I would suggest that you need to create a separate OU structure for your Desktops, Laptops and Servers.

    I would also suggest a separate OU to store your administrative user accounts in and don't apply folder redirection policies to those users.

    Only allow the administrative users the ability to log on to servers.

    You can use the block inheritance feature in GPMC to stop policies being applied at lower level nested OUs.

    But you need to be a little cautious and do a little more planning if you are using loopback GPOs.


    Steven Hodson | http://www.stevenhodson.com | @_hodders Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by ITNERDMIAMI11 Tuesday, March 31, 2015 2:48 PM
    Tuesday, March 31, 2015 5:11 AM
  • Thank you for the feedback Steven! What is the advantage or disadvantage of using loopback GPOs? How does it work?

    Tuesday, March 31, 2015 1:43 PM
  • You can use WMI filtering and set the filter by OS version to exclude servers, and by memory form factor for laptops.

    e.g.

    Only clients

    SELECT * FROM Win32_OperatingSystem WHERE ProductType="1" 

    Exclude laptops

    Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)

    REF: http://www.discoposse.com/index.php/2012/04/05/group-policy-wmi-filter-laptop-or-desktop-hardware/



    You wouldn't demand your Doctor a therapy just because you told him "I don't feel very well"
    You wouldn't expect your accountant to know how much your taxes are just because you told him "I have earned some money"
    Do not expect any IT Pro to suggest you a solution just because you said "It doesn't work"


    • Edited by aperelli Tuesday, March 31, 2015 1:52 PM
    Tuesday, March 31, 2015 1:51 PM
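
Added example (not part of the original post): a PowerShell check that runs the two WQL queries from the reply above on the local machine and reports whether a WMI filter containing both would let the GPO apply. A GPO WMI filter passes a query when it returns at least one instance, and every query in the filter must pass; the variable names here are illustrative.

```powershell
# Evaluate the thread's two WQL queries locally, the way a GPO WMI filter does.
# Run on a desktop, a laptop and a server before linking the filter to a GPO.
$queries = [ordered]@{
    'Only clients'    = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType="1"'
    'Exclude laptops' = 'SELECT * FROM Win32_PhysicalMemory WHERE (FormFactor != 12)'
}

$results = foreach ($name in $queries.Keys) {
    try {
        # A query is "true" for the filter when it returns one or more instances.
        $instances = @(Get-CimInstance -Namespace 'root\CIMV2' -Query $queries[$name] -ErrorAction Stop)
        [pscustomobject]@{
            Filter  = $name
            Matches = $instances.Count
            Passes  = $instances.Count -gt 0
            Error   = $null
        }
    }
    catch {
        # A query that errors out is treated as a failed filter.
        [pscustomobject]@{ Filter = $name; Matches = 0; Passes = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# Raw values behind the verdict, so an unexpected result can be explained.
Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption, ProductType
Get-CimInstance -ClassName Win32_PhysicalMemory  | Select-Object BankLabel, FormFactor

# All queries must pass for the GPO to apply on this machine.
if ($results.Passes -notcontains $false) {
    'Filter passes: the GPO would apply on this machine.'
}
else {
    'Filter fails: the GPO would be skipped on this machine.'
}
```

The second query passes as soon as any one memory module reports a form factor other than 12, so review the raw FormFactor values on each hardware model before relying on it.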
  • This is a good overview of loopback processing https://technet.microsoft.com/en-us/library/cc782810(v=ws.10).aspx

    "Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the User Configuration settings of the user."


    Steven Hodson | http://www.stevenhodson.com | @_hodders

    Tuesday, March 31, 2015 2:01 PM
  • Thank you! Do you recommend using it?
    Tuesday, March 31, 2015 2:48 PM
  • No problem

    It really depends on whether you have any requirements to use loopback - it tends only to be used on locked down computers - such as kiosk computers, so it doesn't matter who logs on, they all get a consistent (locked down) experience.


    Steven Hodson | http://www.stevenhodson.com | @_hodders

    Tuesday, March 31, 2015 2:51 PM
  • > It really depends
     
    I second that :)
     
    For workstations, it is generally not necessary (unless we are talking
    about kiosk computers, of course). For terminal servers, we use Loopback
    "Merge mode" to do things like remove "shutdown" and "restart". For all
    other servers, we use Loopback "Replace", because servers have a quite
    different user environment.
     
    Some more reading:
     
     
    I also agree with askds that in general, it is best to NOT use loopback.
    At least as long as you are unsure how it works and what issues it might
    impose.
     

    Greetings/Grüße, Martin

    How about reading a good book on GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by ITNERDMIAMI11 Tuesday, March 31, 2015 4:48 PM
    Tuesday, March 31, 2015 3:32 PM