Re: Loopback processing, roaming profiles, folder redirection for domain-member laptops
- From: "Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx>
- Date: Thu, 5 Apr 2007 22:48:19 -0700
Some opinions and comments.
1. As a general rule, I suggest not mixing Computer Settings and User Settings in the same GPO - this restricts your flexibility and can be confusing
2. Others' experiences may vary, but I've found the Folder Redirection stuff in the GPOs to be problematic and have avoided it - we use a Logon script to redirect the My Documents and Favorites special folders to a user-specific share on a file server (no "Home Directory" specified in the user account in AD)
3. if you put the laptops' user accounts into a separate OU from the desktops, then you can use loopback processing to apply different User Configuration settings to the laptops and desktops if you also separate out the settings you want to be different into separate GPOs
4. we also encountered difficulties with Offline Files, but this was mainly because "redirected" folders get automatically set to "Make available offline" by default. Setting:
User Configuration, Network, Offline Files, "Do not automatically make redirected folders available offline" prevents that from happening BEFORE redirecting any folders - it's not retroactive. Not sure how this interacts with redirecting via GPO - we don't do that (see 2 above)
5. our users with laptops find the Offline Files feature works well for them - they can select which network files they want to be available offline - and they like it (assuming item 4 has been taken care of)
6. again, others may have different opinions, but I've found it simpler to link the GPOs lower in the OU hierarchy - GPOs with Computer settings to the "Computers" OU, or in some cases even lower - different settings for servers (particularly Terminal Servers) than for desktops for example; GPOs with User settings to "Users", again, sometimes lower - e.g. to apply different user settings to administrative user accounts than to "normal" user accounts. Using security or WMI filtering you can prevent GPOs from being applied selectively, but I'm not aware of a way to selectively apply some settings and not others from the same GPO
7. there's a trade-off between flexibility and overhead. It's more flexible to have several GPOs each with individual sets of related settings rather than all of the settings in one GPO. Applying each GPO (e.g. User settings at logon) involves a certain amount of overhead - network traffic, AD accesses, processing on the target computer. My experience tells me that this extra overhead is not great and is quite a bit less than Roaming Profiles for example, which can involve copying a lot of data to the workstation at logon and back to the server at logoff.
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:uKouKY%23dHHA.4136@xxxxxxxxxxxxxxxxxxxxxxx
Hi.
My name is Lanwench and I know just enough group policy to be dangerous.
[IIRC I posted a similar question a couple of years ago, when I knew even less, but didn't get too much in the way of useful advice - so I hope this is at least a better-informed question now. ]
I support a number of small domains (predominantly W2003 AD with WinXP Pro clients) and am learning a lot of cool group policy stuff as I go along...it's helped me lock down and standardize a lot in my various customer environments & I'm pleased with the results. However, I have some annoying issues with laptop users and how I handle folder redirection, profiles, and offline files. So many settings seem to be per user, and not, "per user when user logs into specific computers" - and I can't find a way to set up an OU to ignore or block specific inherited GPOs and yet still inherit *some* of them. Ugh. I've figured out plenty of kluges to work around this in the past, but they suck, frankly; I'm hoping I've missed something.
After lurking in here & doing more reading, I'm now wondering whether setting up a separate OU for laptops and somehow making use of this loopback processing thing, is the answer....
************
Typical config
************
* Domain <---I never mess with the default domain policy, etc., except to set password policies
|
* Company Name <--- nothing blocked; my custom GPO linked here
|
* Computers <--- currently nothing linked; just inheriting policies from above
|
* Users <--- currently nothing linked; just inheriting policies from above
Pertinent bits from the custom GPO:
1. Folder redirection for My Documents (generally to the user's home directory or a subfolder therein)
2. All Offline Files crap disabled (I have had tragic disasters in the past; don't get me started. I even disable offline file caching on my shares for good measure)
3. "Prohibit user from changing My Documents path" is enabled
Everything above works fine overall. [Note that I have been using roaming profiles for years and nearly always implement them; I know how to make them work, and they generally do.]
***********
Problem....
***********
When I've got users with laptops--who *also* use desktops, note--much of my gorgeous setup falls apart---although the roaming profiles work fine & get cached.
1. Their normal My Documents path will naturally be useless to them when they are not on the network, as it's defined by the user bits of the GPO, not the computer bits
2. Although I know plenty of third party sync software (current fave: SecondCopy) that will sync whatever server files I wish to the laptop, how do I get them to actually see/make use of the locally sync'd data?
3. I could set up a desktop shortcut to a custom-created local folder, and populate/sync it however I wish, and show them how to use that when on the laptops....but what a pain. [And even if I do this, they will then wind up with this weird orphaned shortcut when they log into their desktop PCs.]
I'm a bit lost. And honestly, even if I were to suck it up and say "fine, I'll use !@#$%% offline files," I'd never want that enabled/used when they logged in at their *desktops* ...only on their laptops. And I'd *really* rather not use it anyway.
***********
Goals
***********
I just want some of the "user" level settings to be different when the domain user is on a laptop. Can I do the following:
* Keep a single (remember: it's roaming) Windows profile for the user
* Set a *different* and local path for their My Documents data (e.g., c:\data\username) when they're on their laptop
* Handle the file syncing with third party software, scripting, whatever....really not worried about this part
* Still prevent them from changing the My Documents path
***********
Questions
***********
1. As I understand it, enabling loopback processing in a GPO linked to an OU allows one to set separate 'user'-ish settings based on a computer/location, right?
2. If I'm even close with the above- at what level in the config described above do I create the OU for the laptops?
3. What, if anything, in my custom GPO, should I break into different GPOs - to make sure that the laptop users inherit the settings I wish to apply to *all* users?
4. Can this even be *done* ?
I'd welcome any ideas (besides "use offline files" .... on that subject I'm afraid I'm implacable). Any newbie-friendly links/tutorials, whatnot.
Thanks for your patience and understanding, and yes, I'm aware that I'm a bit long-winded, and you should feel exceptionally sorry for whomever has the misfortune to date me. :)
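
An added example, not code from either poster: the logon-script redirection described in item 2 of the reply, extended to the laptop goal in the original question (a local c:\data\username path on laptops). The share name \\fileserver\users$, the chassis-type laptop test and sending Favorites to the local path as well are assumptions, and it assumes Folder Redirection is not also configured through a GPO.

```powershell
# Added example: per-user logon script, runs in the user's own context.
# Assumptions: the \\fileserver\users$ share is hypothetical; the local root
# follows the c:\data\username layout from the original question.
$ErrorActionPreference = 'Stop'

$ServerRoot = '\\fileserver\users$'   # hypothetical user-specific share root
$LocalRoot  = 'C:\data'               # local root used on laptops

function Test-IsLaptop {
    # SMBIOS chassis types: 8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook
    $portable = 8, 9, 10, 14
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    return [bool]($types | Where-Object { $portable -contains $_ })
}

function Get-RedirectTarget {
    param([bool]$IsLaptop, [string]$UserName)
    # Laptops get a local path that works off the network; desktops get the share.
    $root = if ($IsLaptop) { $LocalRoot } else { $ServerRoot }
    return @{
        Personal  = Join-Path $root "$UserName\My Documents"   # My Documents
        Favorites = Join-Path $root "$UserName\Favorites"
    }
}

# Per-user special folder locations live under this key.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$targets = Get-RedirectTarget -IsLaptop (Test-IsLaptop) -UserName $env:USERNAME

foreach ($name in $targets.Keys) {
    $path = $targets[$name]
    # Create the target first so the shell never points at a missing folder.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path -Force | Out-Null
    }
    # Write only on change, so a roaming profile that last logged on to a
    # desktop is corrected on the laptop and vice versa.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $path) {
        Set-ItemProperty -Path $key -Name $name -Value $path -Type ExpandString
    }
}
```

Because the values sit in HKCU and travel with the roaming profile, the script has to run at every logon on both machine types.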