Group Policies on OneDrive for Business

    Question

  • Hi,

    I was hoping someone could help me out regarding Group Policies on OneDrive for Business.

    Is it possible to implement AD Group Policies to OneDrive for Business, if so, how?? A step by step guide would be very helpful.

    Thanks!

    Thursday, March 10, 2016 2:05 AM

Answers

  • 1. Ok, so I understood that the GPOs that can be implemented to OneDrive for Business through AD (via GPMC) are very very limited. This is very inconvenient and I wish Microsoft could explain to me why.

    MSFT have continued development and evolution of OneDrive and OneDriveForBusiness over several years.
    Basically there was Windows Live Mesh -> SkyDrive -> OneDrive.
    And then there was Groove -> SharepointWorkspace -> SkyDrivePro -> OneDriveForBusiness.

    OD is the "consumer" (not business) product solution.
    ODfB is the "business" product solution.
    Both of these web/cloud solutions offer a web-browser-based user experience, but also both offer a "synchronisation client application" which performs file upload/download/sync so that your web-storage and local-computer-storage is synchronised/aligned.

    Recently, MSFT have "merged" the OD + ODfB sync client into a single NGSC which can sync both consumer+business contents (although there are some features not-yet-available)

    Because the NGSC is really quite new, Group Policy manageability is still limited. But, Group Policy for this product, over history, has been quite limited, so the GP features you wish for NGSC *might* never be offered.

    2. The 3 templates that I can see on the GPMC say that they are for "SkyDrive". Since SkyDrive is supposed to be the same as OneDrive, I think there is no problem there. However, if I implement these policies (templates), would they work for OneDrive for Business?

    As I read the details and description of these 3 templates, it looks like it is meant for OneDrive and not specifically for OneDrive for Business. Are there any templates that appear on GPMC that are for OneDrive for Business?

    In general, any policy settings you can see for SkyDrive, would apply to OneDrive. And any policy settings you can see for SkyDrivePro would apply to OneDriveForBusiness. This applies to the older sync client software, not necessarily applicable for the NGSC.


    3. Could you explain (in a very easy to understand way) to me what is and how to use OneDrive.exe? I asked the Microsoft forum and they couldn't do anything more than just send me a link to their website. And I still don't get it.

    OneDrive.exe (assuming we are talking about the NGSC) is included within Windows10 but is available to install on Windows7, it is not yet available for Windows8.1.
    If you have files (documents, pictures, etc) on your computer or business fileserver, you can place these files into your OneDrive/OneDriveForBusiness folder on your computer, or place them into your OD/ODfB web storage. The NGSC will perform sync, so that the web-storage and local storage is synchronised/aligned. This means that you can access the files from any device connected to the web and when your computer is used offline you have a local copy there. If you are working offline, editing documents etc, and then you some-time-later connect your computer to the network, your changed documents are synchronised between web & local, so that everything is again aligned.

    There is no critical need to have a sync client e.g. OneDrive.exe - you can work within your web browser if you wish - but the sync client can make things simpler/easier to use and it means that your work is stored in two (or more) places automatically for you.

    4. So, if I am not mistaken, it looks like I can use GPMC to implement Group Policies through AD on OneDrive (not OneDrive for Business) by using the 3 templates shown. But the only way to implement Group Policies on OneDrive for Business is through OneDrive.exe (using the Global and Tenant Registry Keys)? Is that right?

    Group Policies for OneDrive can be implemented with your Active Directory/GPMC, which is limited to the available settings/templates. (You can also implement Group Policy without Active Directory but it is quite a laborious effort).

    Depending upon the settings/controls you are wanting, eg you wish to forbid your employees sharing their ODfB content via web, you may be able to apply security settings controls within the O365 tenant admin portal.

    So, the settings/controls/security, may be possible via either GP or tenant, it depends upon what you want to do.

    So, my friend, what is it that you want to do?

    Do you want to forbid/prevent something? What is that thing that you want to do?

    :)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, March 17, 2016 8:38 PM

All replies

  • Hi,

    I was hoping someone could help me out regarding Group Policies on OneDrive for Business.

    Is it possible to implement AD Group Policies to OneDrive for Business, if so, how?? A step by step guide would be very helpful.

    Thanks!

    It depends on what you are willing to do. Not everything can be done. Here are some examples:


    Mahdi Tehrani   |     |   www.mahditehrani.ir

    Thursday, March 10, 2016 4:12 AM
  • I saw these links before. But I am wondering if I can implement other group policies besides the ones mentioned in both links.

    It says that I can implement policies through ADMX, but can I implement group policies through AD??

    Hope you can help me out

    Thursday, March 10, 2016 4:32 AM
  • It says that I can implement policies through ADMX, but can I implement group policies through AD??

    Hope you can help me out

    Of course you can implement Group Policy settings via "AD".
     
    I think there is a conceptual confusion here. ADMX files only provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy tools. The Group Policy tools will recognize ADMX files.
     
    To configure Group Policy through your AD, you will need to do it via GPMC:
     
    https://technet.microsoft.com/en-us/library/cc753298.aspx
     

    Regards,

    Ethan Hua



    Thursday, March 10, 2016 6:47 AM
    Moderator
  • Hi Ethan,

    Thank you so much for clearing things out for me. However I'm still struggling a bit.

    Can you please give me a step by step guide to implement group policies through AD via GPMC?? I tried to follow what the link says but I got confused and wasn't able to do it. It would really help if you could give me a step by step guide that I could easily follow. (Sorry, I'm not a techy person and do not understand these kinds of things easily)

    Thanks!

    Thursday, March 10, 2016 7:12 AM
  • I saw these links before. But I am wondering if I can implement other group policies besides the ones mentioned in both links.

    It says that I can implement policies through ADMX, but can I implement group policies through AD??

    Hope you can help me out

    There are currently no ADMX files (administrative templates) available for OneDriveForBusiness Sync Client (neither the old Groove client, nor for the NGSC).

    The documentation links suggested by Mahdi Tehrani, explain how you can create an ADMX file, and, how you can use other methods to populate the registry keys.

    But, this is limited to a very few functions - this is because the ODfB sync client does not have the controllability included within the ODfB sync client software.

    Software cannot be controlled by Group Policy, nor by registry settings, unless the software itself has been written by the developer to do it.

    At the current time, ODfB sync client, does not offer very much manageability, so Group Policy can't do much at all :(


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, March 10, 2016 7:36 AM
  • Hi,

    I was hoping someone could help me out regarding Group Policies on OneDrive for Business.

    Is it possible to implement AD Group Policies to OneDrive for Business, if so, how?? A step by step guide would be very helpful.

    Thanks!

    What is it, that you would like to do?

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, March 10, 2016 7:37 AM
  • Hi Ethan,

    Thank you so much for clearing things out for me. However I'm still struggling a bit.

    Can you please give me a step by step guide to implement group policies through AD via GPMC?? I tried to follow what the link says but I got confused and wasn't able to do it. It would really help if you could give me a step by step guide that I could easily follow. (Sorry, I'm not a techy person and do not understand these kinds of things easily)

    Thanks!

    Hi helpakari,
     
    As mentioned by Don above, no existing ADMX files available for OneDrive for Business, so Group Policy can't do much at all.
     
    It will be great if you can elaborate a bit on what you are trying to achieve, we will then evaluate if it's possible to make it via Group Policy.
     

    Regards,

    Ethan Hua



    Monday, March 14, 2016 2:00 AM
    Moderator
  • Hi Ethan,

    So....this is the situation.

    We are trying to implement OneDrive for Business at the office, but some bosses are not convinced about it and have asked me to research some things about it.

    1. I understood that it is possible to implement Group Policies through AD right?

    2. In order to do so, I have to implement them through GPMC right?

    3. What kind of control items can I implement as Group Policy through AD via GPMC?

    • This is what some bosses asked me, they just want like a list of possible control items that can be implemented as group policies through AD via GPMC
    • I just need some examples on what kind of policies could I implement through this (other than the ones explained on the links that were provided before)

    I hope you can help me out

    Thanks

    Tuesday, March 15, 2016 7:56 AM
  • There are very few settings/controls provided by Microsoft which pertain to the Sync Client.
    (although Group Policy is a method which offers control of settings for many thousands of features across Windows and Office, GP cannot control settings for a product feature unless the product itself [Sync Client] provides the capability)

    GP can be used with, or without AD. (when used without AD, it cannot be centrally configured/controlled).
    GPMC is the management console for AD-based GP.
    GPedit is the local GP editor, for an individual computer.
    ADMX defines a template, which GPedit or GPMC use, for choosing which settings you want to "author" into a Group Policy (i.e. which settings you want to deploy to users/computers).

    Deploying the OneDrive for Business Next Generation Sync Client in an enterprise environment

    https://support.office.com/en-us/article/Deploying-the-OneDrive-for-Business-Next-Generation-Sync-Client-in-an-enterprise-environment-3f3a511c-30c6-404a-98bf-76f95c519668

    The OneDrive Deployment Package

    The OneDrive Deployment Package contains the registry key files (.reg) discussed in this article that are used to control how and when your users set up OneDrive for their business accounts on their computers. It also contains links resources that will help IT administrators deploy OneDrive.exe and the registry keys to users in their enterprise environment through deployment tools such as System Center Configuration Manager 2012 or Group Policy.

    The OneDrive Deployment Package contains:

    • DefaultToBusinessFRE.reg file

    • EnableAddAccounts.reg file

    • ADMX templates

    • URL files pointing to deployment and administration documentation

    You can download the OneDrive Deployment Package for Windows from here. Download the file titled
    OneDrive for Business Next Generation Sync Client Documentation and Administrative Template Files (ADMX/ADML/REG) for Windows.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, March 15, 2016 8:25 PM
  • So does that mean that I can only implement the Group Policies that are explained in that website and are in the Deployment Package?

    Meaning, that even though there are tons of possible GPOs that could be implemented, OneDrive for Business only allows me to implement the ones explained as being part of OneDrive.exe??

    Thursday, March 17, 2016 1:21 AM
  • I just learned how to use the GPMC.

    I saw the GPO templates that are available for OneDrive, and saw that there are only 3 templates:

    -Save documents to OneDrive by default

    -Prevent the usage of OneDrive for file storage

    -Prevent OneDrive files from syncing over metered connections

    Does this mean that there are ONLY 3 possible GPOs that can be implemented to OneDrive through GPMC?

    If I create new templates on Powershell and I import them to GPMC, would I be able to implement these templates (policies) on OneDrive as well?

    Please help!

    Thursday, March 17, 2016 5:15 AM
  • So does that mean that I can only implement the Group Policies that are explained in that website and are in the Deployment Package?

    Meaning, that even though there are tons of possible GPOs that could be implemented, OneDrive for Business only allows me to implement the ones explained as being part of OneDrive.exe??

    Yes, and Yes.

    There are thousands of possible GPO settings across the entire range of Microsoft products (Windows, Office, etc), but at this time (maybe forever) the NGSC OneDrive does not offer any more beyond those few documented in that deployment package.

    (the previous version of OneDrive offered basically no GPO settings at all, if memory serves)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, March 17, 2016 5:35 AM
  • I just learned how to use the GPMC.

    I saw the GPO templates that are available for OneDrive, and saw that there are only 3 templates:

    -Save documents to OneDrive by default

    -Prevent the usage of OneDrive for file storage

    -Prevent OneDrive files from syncing over metered connections

    Does this mean that there are ONLY 3 possible GPOs that can be implemented to OneDrive through GPMC?

    If I create new templates on Powershell and I import them to GPMC, would I be able to implement these templates (policies) on OneDrive as well?

    Please help!

    For OneDrive NGSC to be configurable by Group Policy, the OneDrive NGSC software itself must be developed/written to do so.
    At this time, OneDrive NGSC has only been developed/written to have those 5 settings. (three via template, two via registry keys).

    Although there *may* be other registry settings used/honoured by the OneDrive NGSC software application, nothing else is documented nor discussed anywhere so far.

    * what sort of settings/controls would you want? Depending upon your wants/needs, there may be something you can do within your O365 tenant, as Global Admin can disable certain features eg Sharing with external parties etc.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, March 17, 2016 5:42 AM
  • Thanks for all your help Don!! You are very very helpful!!

    Please keep helping me a little bit more.

    1. Ok, so I understood that the GPOs that can be implemented to OneDrive for Business through AD (via GPMC) are very very limited. This is very inconvenient and I wish Microsoft could explain to me why.

    2. The 3 templates that I can see on the GPMC say that they are for "SkyDrive". Since SkyDrive is supposed to be the same as OneDrive, I think there is no problem there. However, if I implement these policies (templates), would they work for OneDrive for Business?

    As I read the details and description of these 3 templates, it looks like it is meant for OneDrive and not specifically for OneDrive for Business. Are there any templates that appear on GPMC that are for OneDrive for Business?

    3. Could you explain (in a very easy to understand way) to me what is and how to use OneDrive.exe? I asked the Microsoft forum and they couldn't do anything more than just send me a link to their website. And I still don't get it.

    4. So, if I am not mistaken, it looks like I can use GPMC to implement Group Policies through AD on OneDrive (not OneDrive for Business) by using the 3 templates shown. But the only way to implement Group Policies on OneDrive for Business is through OneDrive.exe (using the Global and Tenant Registry Keys)? Is that right?

    Hope you can help me out as always!

    Thanks!

    Thursday, March 17, 2016 6:33 AM
  • Thank you so much for all your help!! You are wonderful!

    So I think what my bosses are looking for is regarding the security of sharing files when using OneDrive for business.

    For example, trying to control/limit/forbid the ability to share(internally and externally) for certain users, but not lower their permission levels (since if we apply a Read or lower permission, users will not be able to upload or sync files to OneDrive for business).

    Or make it so that every time the users share a file or send an invitation link, an email is sent to the site owner or administrator to either approve the sharing or not.

    Like you said, since the Next Generation Sync client allows you to sync both OneDrive for business and OneDrive consumer accounts, they are worried about the security of the work files and the security when it comes to the sharing feature.

    Also, on my GPMC I don't see SkyDrive Pro.... What does that mean?? Does that mean that I can't apply GPO for OneDrive for Business?? And just to make sure, the 3 templates that I see in the SkyDrive folder are only for OneDrive (consumer) and NOT for OneDrive for business right?

     

    Friday, March 18, 2016 1:19 AM
  • Btw, I am currently using a Virtual machine to test these group policies on OneDrive for Business. I am using a Windows Server 2012 R2 to set the GPO through AD/GPMC. Does this have anything to do with why I can't see a Skydrive Pro folder on GPMC??
    How can I get the GPO templates that can be implemented on OneDrive for Business through AD/GPMC?
    Friday, March 18, 2016 1:33 AM
  • Sorry just one more thing,

    How can I open OneDrive.exe? I have Windows10, I already synced the computer to my OneDrive for Business account and my O365 is all updated. But I cannot find where OneDrive.exe is....

    I want to open OneDrive.exe to see how can I apply the Global and Tenant registry keys and see how can I apply them through group policies but I just don't understand how to access or apply OneDrive.exe.

    Please help??

    Friday, March 18, 2016 2:15 AM
  • So I think what my bosses are looking for is regarding the security of sharing files when using OneDrive for business.

    For example, trying to control/limit/forbid the ability to share(internally and externally) for certain users, but not lower their permission levels (since if we apply a Read or lower permission, users will not be able to upload or sync files to OneDrive for business).

    Or make it so that every time the users share a file or send an invitation link, an email is sent to the site owner or administrator to either approve the sharing or not.

    Like you said, since the Next Generation Sync client allows you to sync both OneDrive for business and OneDrive consumer accounts, they are worried about the security of the work files and the security when it comes to the sharing feature.

    Also, on my GPMC I don't see SkyDrive Pro.... What does that mean?? Does that mean that I can't apply GPO for OneDrive for Business?? And just to make sure, the 3 templates that I see in the SkyDrive folder are only for OneDrive (consumer) and NOT for OneDrive for business right?

    If you want to control the ability for a user to share their ODfB content, you need to look at the controls available within your O365 tenant admin settings. ODfB is a feature of your O365 tenant (specifically it's a feature of your SharePointOnline). The NGSC (onedrive.exe) doesn't have too much control over that aspect. The NGSC *might* offer the user to share a document but ultimately the tenant control settings will not allow the sharing attempt to succeed, if you have disabled/forbidden that within the tenant admin settings. (or so I am told. I'm not a tenant admin myself)

    You can set the setting for NGSC/Windows so that the "consumer" OD features are not available, but, that won't stop the user from using their web-browser to access their personal/consumer OD website and putting content in there.
    (so, you can prevent NGSC from sync'ing to/from OD but the web-browser doesn't honour those settings)
    This is a similar problem for other external/cloud document sharing/collaboration solutions eg Box/DropBox/GoogleDrive/etc - these are browser-based, and requires your organisation to consider the implications of those also.

    For your GPMC/templates issue, have you downloaded & copied the Office2013/2016 ADMX templates into the c:\windows\policydefinitions\ folder?

    There are some settings relating to SkyDrive/OneDrive which are considered "Windows" settings and so those will be in the ADMX templates relating to Windows. You may need to get the latest ADMX templates download (for Win10/WinSrv2016) since I can't recall if the SD/OD settings were available when WS2012R2 was released.

    You should also download/copy the Office2013/2016 ADMX templates, so that you can find/use the (few) settings available for Office. This is in addition to the ADMX templates provided for the NGSC package.

    You can use the gpsearch website for finding general Windows+Office template settings:

    http://gpsearch.azurewebsites.net

    e.g. open the gpsearch website, and type in the searchbox: sky

    This shows me some SD/OD related settings, and, it shows me which ADMX file that setting is provided by

    The templates offered by the NGSC deployment package, allow some control over the NGSC, and the NGSC pertains to both ODfB & OD. (the NGSC is a strange/new kind of hybrid solution, the lines between ODfB and OD have blurred a lot)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Friday, March 18, 2016 8:33 AM
  • Btw, I am currently using a Virtual machine to test these group policies on OneDrive for Business. I am using a Windows Server 2012 R2 to set the GPO through AD/GPMC. Does this have anything to do with why I can't see a Skydrive Pro folder on GPMC??
    How can I get the GPO templates that can be implemented on OneDrive for Business through AD/GPMC?

    I think I've answered this, in my above reply?

    To be able to "see" the settings for a product/feature in GPMC, you need to make sure that the relevant ADMX/ADML files for that product/feature, are copied into your \PolicyDefinitions\ folder (so that GPMC can find the templates).

    If you have created a Central Store (CS) to admin templates for your domain, all domain member computers which have GPMC installed will connect to your CS and obtain the templates from that location.

    If you haven't implemented a CS, the default location is used, and that is c:\windows\policydefinitions\


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Friday, March 18, 2016 8:36 AM
  • Sorry just one more thing,

    How can I open OneDrive.exe? I have Windows10, I already synced the computer to my OneDrive for Business account and my O365 is all updated. But I cannot find where OneDrive.exe is....

    I want to open OneDrive.exe to see how can I apply the Global and Tenant registry keys and see how can I apply them through group policies but I just don't understand how to access or apply OneDrive.exe.

    Please help??

    Windows10 includes OneDrive.exe by default. Assuming that you are regularly applying Windows Updates to your Win10 computer, it should already have the latest NGSC available. You should be able to see the cloud icon in the systemtray/notification area (near the clock, bottom right hand corner)

    In Win10, OneDrive.exe is a per-user application. On my laptop, it's located at:
    C:\Users\Don\AppData\Local\Microsoft\OneDrive\OneDrive.exe

    If you have installed Office2013/2016, and all relevant updates for Office, and you've signed-in to your O365 tenant, you should be able to see something like mine:


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Friday, March 18, 2016 8:53 AM
    Friday, March 18, 2016 8:52 AM
  • Hi Don,

    you are so helpful as always and I really appreciate it!

    So I was able to open OneDrive.exe (the ODfB NGSC Documentation for Windows) but the only 2 administrative settings that I can find were: DefaultToBusinessFRE and EnableAddAccounts.

    But I want to apply the other administrative settings like DisablePersonalSync, GPOEnabled, etc....

    How do I do this?? I tried following what is said on the website but didn't understand a thing and was not successful.

    Hope you can help me out as always

    Tuesday, March 22, 2016 1:51 AM
  • Hi Don,

    you are so helpful as always and I really appreciate it!

    So I was able to open OneDrive.exe (the ODfB NGSC Documentation for Windows) but the only 2 administrative settings that I can find were: DefaultToBusinessFRE and EnableAddAccounts.

    But I want to apply the other administrative settings like DisablePersonalSync, GPOEnabled, etc....

    How do I do this?? I tried following what is said on the website but didn't understand a thing and was not successful.

    Hope you can help me out as always


    The Deployment Package for NGSC includes some ADMX and ADML files.

    To be able to "see" the settings for a product/feature in GPMC, you need to make sure that the relevant ADMX/ADML files for that product/feature, are copied into your \PolicyDefinitions\ folder (so that GPMC can find the templates).

    If you have created a Central Store (CS) to admin templates for your domain, all domain member computers which have GPMC installed will connect to your CS and obtain the templates from that location.

    If you haven't implemented a CS, the default location is used, and that is c:\windows\policydefinitions\
    So, copy the OneDrive.ADMX to c:\windows\policydefinitions\
    And copy the OneDrive.ADML to c:\windows\policydefinitions\en-us\
    (assuming your culture is en-us :)

    Now open GPMC, you should be able to now see the settings you have interest in, under Admin Templates.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, March 22, 2016 6:07 AM
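
The copy step described in the reply above, followed by a check that every .admx in the store has a same-named .adml in the language folder, as an added example that is not part of the original thread. It assumes the deployment package was extracted to the hypothetical folder `C:\Temp\OneDriveDeploymentPackage`, and it is meant to run in an elevated session on the computer where GPMC is opened, since that is where the templates are read from.

```powershell
# Added example (not from the thread). $PackageDir is a hypothetical
# extraction folder for the NGSC deployment package; adjust it to your own path.
param(
    [string]$PackageDir = 'C:\Temp\OneDriveDeploymentPackage',  # assumption
    [string]$Culture    = 'en-us'
)

function Get-PolicyDefinitionsPath {
    # Use the domain Central Store if one has been created, else the local store.
    $domain = $env:USERDNSDOMAIN
    if ($domain) {
        $central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
        if (Test-Path -LiteralPath $central) { return $central }
    }
    return (Join-Path $env:SystemRoot 'PolicyDefinitions')
}

function Get-OrphanedAdmx {
    # List .admx files that have no same-named .adml in the culture subfolder.
    param([string]$StorePath, [string]$Culture)
    $langDir = Join-Path $StorePath $Culture
    Get-ChildItem -LiteralPath $StorePath -Filter '*.admx' -File |
        Where-Object {
            -not (Test-Path -LiteralPath (Join-Path $langDir "$($_.BaseName).adml"))
        }
}

$store   = Get-PolicyDefinitionsPath
$langDir = Join-Path $store $Culture
if (-not (Test-Path -LiteralPath $langDir)) {
    New-Item -ItemType Directory -Path $langDir | Out-Null
}

# Collect every language file in the package once, wherever it was extracted.
$admlFiles = Get-ChildItem -LiteralPath $PackageDir -Recurse -Filter '*.adml' -File

foreach ($admx in Get-ChildItem -LiteralPath $PackageDir -Recurse -Filter '*.admx' -File) {
    # Pair each template with its language file by base name. If the package
    # ships several cultures, prefer the copy in a folder named after $Culture.
    $adml = $admlFiles |
        Where-Object { $_.BaseName -eq $admx.BaseName } |
        Sort-Object { $_.Directory.Name -ne $Culture } |
        Select-Object -First 1

    if (-not $adml) {
        # Installing a template without its language file leaves it unusable.
        Write-Warning "Skipping $($admx.Name): no matching .adml found in $PackageDir"
        continue
    }

    Copy-Item -LiteralPath $admx.FullName -Destination $store   -Force
    Copy-Item -LiteralPath $adml.FullName -Destination $langDir -Force
    Write-Output "Installed $($admx.Name) and $($adml.Name) into $store"
}

# Final check across the whole store, including templates copied earlier by hand.
$orphans = @(Get-OrphanedAdmx -StorePath $store -Culture $Culture)
if ($orphans.Count -gt 0) {
    $orphans | ForEach-Object { Write-Warning "$($_.Name) has no $Culture .adml in $langDir" }
} else {
    Write-Output "Every .admx in $store has a $Culture .adml."
}
```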
  • Hi Don,

    Sorry for all the troubles.... I really feel bad that I can't get this straight...but I'm still having troubles

    I did as you said but got an error. It says that "we couldnt find the resource file for C:\Windows\PolicyDefinitions\OneDrive_MultiTenant.admx" (error = 2: couldnt find the file you were looking for)

    Why is this? I downloaded the files to the client computer (windows 10) and copied the files to the policydefinitions folder. I am using the windows server 2012 R2 to control the GPMC. I added the client computer into my domain so they should be connected right?? Why isn't this working?? Should I download the ADML and ADMX files to the windows server 2012 R2?

    What should I do??

    Wednesday, March 23, 2016 1:21 AM
  • Also, this might be another topic but since you know everything, I thought you could help me out with this too. I have been asking the Microsoft support people but no one is able to give me an answer.

    What does the "Limiting file sync to domain joined PCs" feature mean and how does it do this? (in a more detailed way than explained on the website)
    • I understood that it is possible to limit the syncing ability to PCs that have the domains that I allowed when applying the PowerShell command "Set-SPOTenantSyncClientRestriction", right? But, how does OneDrive know which domain the PC belongs to?
    • How is it that OneDrive can know (judge) which PCs belong to "CompanyX"'s domain?
    • What information is OneDrive taking or using to know the domain that computer belongs to?

    And also, does this feature work only for the OneDrive for Business Desktop Application or does it also apply when using the OneDrive for Business platform on a website?

    I hope you can help me out with this

    Thanks


    • Edited by helpakari Wednesday, March 23, 2016 2:18 AM
    Wednesday, March 23, 2016 1:49 AM
  • :)
    MSFT have included two ADMX files but only included one ADML file.
    The information published here https://support.office.com/en-us/article/Administrative-settings-for-the-OneDrive-for-Business-Next-Generation-Sync-Client-0ecb2cf5-8882-42b3-a6e9-be6bda30899c?ui=en-US&rs=en-AU&ad=AU 
    suggests the use of "OneDrive_MultiTenant.admx" only if you have more than one O365 tenant in use, and, if you do have more than one tenant you must do some file renaming/editing to avoid this error you are seeing. If you only have one O365 tenant (e.g. yourcompany.onmicrosoft.com) you don't need the multitenant admx file at all.

    The ADMX/ADML files you probably need are only the OneDrive.ADMX + OneDrive.ADML.
    These are only needed at c:\windows\policydefinitions\ on the computer where you use GPMC.
    You can copy them to the Win10 PC and also the WS2012R2 DC - it's fine to do both - but it's really only needed on the machine where you use GPMC.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, March 23, 2016 8:16 AM
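An added example, not part of the thread or of Microsoft's package: a PowerShell check for the error discussed above, where an ADMX file in PolicyDefinitions has no matching ADML resource file. The `en-US` culture and the standard Central Store path layout are assumptions about the environment.

```powershell
# Added example: list ADMX templates that have no matching ADML resource file.
# Run on the machine where GPMC is used. 'en-US' is an assumed culture.
param(
    [string]$Culture    = 'en-US',
    [string]$DomainFqdn = $env:USERDNSDOMAIN
)

# GPMC reads the Central Store when it exists, otherwise the local folder.
$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = if ($DomainFqdn) {
    "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\PolicyDefinitions"
}
$store = if ($central -and (Test-Path $central)) { $central } else { $local }
Write-Host "Template store in use: $store"

# Every <name>.admx needs <name>.adml in the culture subfolder.
$langDir = Join-Path $store $Culture
Get-ChildItem -Path $store -Filter '*.admx' | ForEach-Object {
    $adml = Join-Path $langDir ($_.BaseName + '.adml')
    [pscustomobject]@{
        Admx         = $_.Name
        AdmlPresent  = Test-Path $adml
        ExpectedAdml = $adml
    }
} | Where-Object { -not $_.AdmlPresent } | Format-Table -AutoSize
```

Any row in the output is a template GPMC will fail to load; either supply the ADML file or remove the unused ADMX file from the store.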
  • This feature is designed for the scenario where you have a mixture of users/computers, some users/computers will use only domain-joined computers/devices, some users might use non-domain-joined computers/devices.
    So, if you establish a security decision which only wants domain-joined-computers/devices to have sync access features, you would probably like to forbid/block any sync for a non-domain-joined computer/device.
    But SPO and ODfB only care about the userid/password. So a user who chooses to ignore your security decision, could sync content onto a non-domain-joined computer/device (which is a bad thing).
    So to control this breach, you can enforce the setting/requirement by use of the SyncClientRestriction method.
    This means that your users can only sync content by OneDrive.exe if they do so using a domain-joined computer/device. If a user tries to sync content to a non-domain-joined computer/device via OneDrive.exe it will be blocked.

    To use this feature, you must identify the domains you wish to allow, so that a device which is not domain-joined to the listed/permitted domain will be blocked from sync.

    You must use the methods described, to identify the GUID of the desired domain, and input the GUID into the SyncClientRestriction method. This configures your O365tenant/SPO to only permit sync via OneDrive with computers/devices joined to that domain GUID.
    These links should help to explain the feature and how to use it :)


    How to enumerate a domain GUID in an Active Directory forest
    https://technet.microsoft.com/en-us/library/dn938435.aspx


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, March 23, 2016 8:34 AM
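An added example (not from the thread) of the procedure described above: list each forest domain's GUID, then allow sync only from computers joined to the chosen domains. The admin URL and domain name are placeholders, and it assumes the ActiveDirectory (RSAT) and SharePoint Online Management Shell modules are installed.

```powershell
# Added example: restrict OneDrive sync to computers joined to listed domains.
# $AdminUrl and $AllowedDomains are placeholders; replace with your own values.
param(
    [string]$AdminUrl         = 'https://contoso-admin.sharepoint.com',
    [string[]]$AllowedDomains = @('corp.contoso.com')
)

Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell

# Step 1: enumerate every domain in the forest with its object GUID.
$domains = (Get-ADForest).Domains | ForEach-Object {
    $d = Get-ADDomain -Identity $_
    [pscustomobject]@{ Domain = $d.DNSRoot; Guid = $d.ObjectGUID.ToString() }
}
$domains | Format-Table -AutoSize

# Step 2: keep only the GUIDs of the domains that may sync.
$guids = @($domains | Where-Object { $_.Domain -in $AllowedDomains } |
    Select-Object -ExpandProperty Guid)
if ($guids.Count -eq 0) {
    throw "None of the allowed domains were found in this forest."
}

# Step 3: apply the restriction to the tenant and read it back.
Connect-SPOService -Url $AdminUrl
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($guids -join '; ')
Get-SPOTenantSyncClientRestriction
```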
  • And also, does this feature work only for the OneDrive for Business Desktop Application or does it also apply when using the OneDrive for Business platform on a website?

    The SyncClientRestriction feature/method, only restricts Sync Clients like OneDrive.exe - it does not restrict web-browser access.

    It is possible to implement additional/alternative security controls/restrictions, but you will find those to be very complex and will add costs for your solution, e.g. Multi-Factor-Authentication, device compliance/posture, MDM, etc, etc.

    This is a deeply complex topic and is outside my personal expertise. I know just a little bit about it, we have a large team of O365 experts in my organisation, lots of consultants and lots of MSFT engineers working with our O365 project team.
    I just do the workstation/client bits (like GPO) :)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, March 23, 2016 8:41 AM
  • Okay, so I tried to download the files on the computer where I am using the GPMC but it won't allow me to download them due to security reasons. The virtual machine where I am using the GPMC (Windows Server 2012 R2) has very strict security measures. Is there a workaround for this??

    However, since I added the other computer (Windows 10) to my Domain (the one I created on the Server Manager on the computer where I have the GPMC), if I add the ADML and ADMX files to the PolicyDefinitions folder on the Windows 10 computer, the other computer (win2012serverR2) should be able to get those templates as well, right?? But it's not working.... why???

    Or how should I approach this?


    • Edited by helpakari Thursday, March 24, 2016 2:39 AM
    Thursday, March 24, 2016 2:06 AM
  • Don you are so awesome as always!!! You made me understand and gave me an answer to something I have been asking the Microsoft people for such a long time (and they were NOT able to help me)!! Thank you very very much for all your help and patience with me! :)
    Thursday, March 24, 2016 2:06 AM
  • the computer where you use GPMC is the WS2012R2 Domain Controller?
    if so, you will need permissions on the WS2012R2 machine so that you can place the ADMX/ADML files onto the c:\windows\policydefinitions\ folder.
    If the filenames you need to place there, already exist there, you *may* need to "take ownership" of those existing files and also grant yourself full control permissions to those files, so that you can replace/delete those files with the new version files.

    If you place the ADMX/ADML files onto the Win10 computer, that does not make them available to the WS2012R2 computer.
    If it is simpler for you, you can download and install the RSAT for Win10 onto the Win10 computer. You can then place the ADMX/ADML files on the c:\windows\policydefinitions\ folder on the Win10 computer.
    You can then use GPMC, with the needed ADMX/ADML files on the Win10 computer.
    To administer domain GPO, you would need to logon to the Win10 computer using your Domain Admin user account.


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Thursday, March 24, 2016 8:09 AM
    Thursday, March 24, 2016 8:09 AM
  • If I download the RSAT on the Win10 computer (using my Domain Admin user account), it seems like I have to set up everything again (AD and DNS server). Is the RSAT on the Win10 the same as the server manager on my WS2012R2 Domain controller (like does one belong to the other or are they connected, or are they 2 separate things)?

    Friday, March 25, 2016 1:38 AM
  • RSAT is basically the utilities tools package. When you install RSAT on a workstation, you can then use the utilities/tools on/from that workstation to administer the services/features of "remote" servers.
    You don't set up the AD, DNS etc all over again - you are just installing the tools/utilities on that workstation.
    RSAT on the workstation is essentially the same as Server Manager on the DC.

    eg, on your Win10 workstation, install RSAT and you can then use GPMC on the workstation to administer the Group Policy objects of your domain.

    You would logon to the workstation using a domain user account which has the necessary permissions within the domain, e.g. the account you use at the workstation could be a member of Domain Administrators group.

    When you install/create a Domain Controller, the AD and GP utilities are automatically installed on the Domain Controller computer. You can logon to the Domain Controller to use the utilities/tools, or, you can use a workstation, install RSAT on the workstation, and do the Domain administration from the workstation.

    They both equate to the same thing, i.e. have the same outcomes, but it's sometimes easy to use a workstation for some tasks.

    If your lab/evaluation environment is totally under your own control, you would likely have no permission issues directly logging on to the Domain Controller to use the tools (server manager) on the DC.
    In some organisations, the domain admins team are very reluctant to allow other people to directly logon to a domain controller. (which is a good security decision for production environments but it makes things difficult when you have to get things done)

    As an example, if you have some Word documents stored on a server shared drive, you might have word.exe installed on the server and also installed on workstations. You could logon to the server and launch word.exe to edit the documents, but it's more likely that you would launch word.exe on your workstations and remotely connect to the server shared drive to edit the documents.

    In both cases, you are using word.exe to edit exactly the same document file - just doing the same thing in two different ways.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by helpakari Monday, March 28, 2016 1:08 AM
    • Unmarked as answer by helpakari Monday, March 28, 2016 1:09 AM
    Friday, March 25, 2016 8:43 AM
  • Oooooh, Ok I am starting to get this.

    Thank you so very much for all your patience with me Don! You have been so helpful and I really appreciate it.

    Thank you!

    Monday, March 28, 2016 1:08 AM
  • Hi helpakari,

    Did you ever get this implemented? I too am going down the same route and it doesn't seem clear how to implement? I've added the adml\admx files and can configure the policies but it states to

    **DO THE FOLLOWING BEFORE TURNING ON THIS SETTING**
    Please update the default ADMX file template to use your tenant's ID and string for the default OneDrive folder path that you want to use

    Which I don't fully understand...

    Monday, June 05, 2017 12:26 PM