Re: Loopback processing, roaming profiles, folder redirection for domain-member laptops
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 7 Apr 2007 11:09:17 -0400
Bruce Sanderson <bsanders@xxxxxxxxxxxxxxxxx> wrote:
Some opinions and comments.
....thanks, Bruce...
1. As a general rule, I suggest not mixing Computer Settings and User
Settings in the same GPO - this restricts your flexibility and can be
confusing
I've thought of that, but I've also heard that having a whole slew of
policies makes for a performance issue, no?
I don't really have that much stuff customized on the 'computer' side;
mostly on the user side.
2. Others' experiences may vary, but I've found the Folder
Redirection stuff in the GPOs to be problematic and have avoided it -
Really? I've been quite happy with it...
we use a Logon script to redirect the My Documents and Favorites
special folders to a user-specific share on a file server (no
"Home Directory" specified in the user account in AD)
I know home directories are old-school, but I still like 'em. What do you
put in your login script for this redirection, just out of curiosity?
3. if you put the laptops' user accounts into a separate OU from the
desktops, then you can use loopback processing to apply different User
Configuration settings to the laptops and desktops if you also
separate out the settings you want to be different into separate GPOs
That's becoming clearer, thanks to you & Florian's reply.
4. we also encountered difficulties with Offline Files, but this was
mainly because "redirected" folders get automatically set to "Make
available offline" by default.
I hate them. I have seen far too many people lose data. And if something
catastrophic happens at the source (hell, even if you just want to
reorganize files/servers) the destination/client often gets completely out
of whack. Using third party sync stuff (or even a little batch file
w/robocopy or similar) means the destination files are accessible just as
normal files - there's no inherent link to anything else. You could disjoin
the computer from the domain & still access them just fine.
Setting:
User Configuration, Network, Offline Files, "Do not
automatically make redirected folders available offline" prevents
that from happening BEFORE redirecting any folders - it's not
retroactive. Not sure how this interacts with redirecting via GPO - we
don't do that (see 2 above)
I've never been sure whether the user or computer "disable !@#$% offline
files crap" wins, so I have often done it in both places. And as mentioned,
I disable offline file caching when I set up a share (one of the first
things I do).
5. our users with laptops find the Offline Files feature works well
for them - they can select which network files they want to be
available offline - and they like it (assuming item 4 has been taken
care of)
Yep - until something goes wrong and the company owner loses a whole bunch
of files he's been working on while on vacation in the Bahamas and wants to
put your head on a plate :)
6. again, others may have different opinions, but I've found it
simpler to link the GPOs lower in the OU hierarchy - GPOs with
Computer settings to the "Computers" OU, or in some cases even lower
- different settings for servers (particularly Terminal Servers)
Do you not use loopback processing for those? I specify a TS-specific
profile for the user in their ADUC Properties and that takes care of pretty
much everything I need them to have in a TS session (and keeps it separate
from their regular workstation profile).
than for desktops for example; GPOs with User settings to "Users", again, sometimes lower - e.g. to apply different user settings to
administrative user accounts than to "normal" user accounts. Using
security or WMI filtering you can prevent GPOs from being applied
selectively, but I'm not aware of a way to selectively apply some
settings and not others from the same GPO
That's what I found, to my chagrin. Doesn't it seem like there ought to be a
"Don't apply the following policies" checkbox?
7. there's a trade off between flexibility and overhead. It's more
flexible to have several GPOs each with individual sets of related
settings rather than all of the settings in one GPO. Applying each
GPO (e.g. User settings at logon) involves a certain amount of
overhead - network traffic, AD accesses, processing on the target
computer. My experience tells me that this extra overhead is not
great and is quite a bit less than Roaming Profiles for example,
which can involve copying a lot of data to the workstation at logon
and back to the server at logoff.
Well, I try to keep the profiles minuscule and that helps. Folder
redirection is a godsend, and you can also choose what folders should and
should not be updated/included in the roaming, via GPO. I haven't played
with that bit much.
Thanks for your thoughtful reply and I have some more reading & testing to
do - glad I am on the right track here.
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uKouKY%23dHHA.4136@xxxxxxxxxxxxxxxxxxxxxxx
Hi.
My name is Lanwench and I know just enough group policy to be
dangerous. [IIRC I posted a similar question a couple of years ago,
when I knew even less, but didn't get too much in the way of useful advice
- so I hope this is at least a better-informed question now. ]
I support a number of small domains (predominantly W2003 AD with
WinXP Pro clients) and am learning a lot of cool group policy stuff
as I go along...it's helped me lock down and standardize a lot in my
various customer environments & I'm pleased with the results.
However, I have some annoying issues with laptop users and how I
handle folder redirection, profiles, and offline files. So many
settings seem to be per user, and not, "per user when user logs into
specific computers" - and I can't find a way to set up an OU to
ignore or block specific inherited GPOs and yet still inherit *some*
of them. Ugh. I've figured out plenty of kluges to work around this
in the past, but they suck, frankly; I'm hoping I've missed
something. After lurking in here & doing more reading, I'm now wondering
whether setting up a separate OU for laptops and somehow making use of this
loopback processing thing, is the answer....
************
Typical config
************
* Domain <---I never mess with the default domain policy, etc.,
except to set password policies
|
* Company Name <--- nothing blocked; my custom GPO linked here
|
* Computers <--- currently nothing linked; just
inheriting policies from above
|
* Users <--- currently nothing linked; just inheriting
policies from above
Pertinent bits from the custom GPO:
1. Folder redirection for My Documents (generally to the user's home
directory or a subfolder therein)
2. All Offline Files crap disabled (I have had tragic disasters in
the past; don't get me started. I even disable offline file caching
on my shares for good measure)
3. "Prohibit user from changing My Documents path" is enabled
Everything above works fine overall. [Note that I have been using
roaming profiles for years and nearly always implement them; I know
how to make them work, and they generally do.]
***********
Problem....
***********
When I've got users with laptops--who *also* use desktops,
note--much of my gorgeous setup falls apart---although the roaming
profiles work fine & get cached.
1. Their normal My Documents path will naturally be useless to them
when they are not on the network, as it's defined by the user bits
of the GPO, not the computer bits
2. Although I know plenty of third party sync software (current fave:
SecondCopy) that will sync whatever server files I wish to the
laptop, how do I get them to actually see/make use of the locally
sync'd data?
3. I could set up a desktop shortcut to a custom-created local
folder, and populate/sync it however I wish, and show them how to
use that when on the laptops....but what a pain. [And even if I do
this, they will then wind up with this weird orphaned shortcut when
they log into their desktop PCs.]
I'm a bit lost. And honestly, even if I were to suck it up and say
"fine, I'll use !@#$%% offline files," I'd never want that
enabled/used when they logged in at their *desktops* ...only on
their laptops. And I'd *really* rather not use it anyway.
***********
Goals
***********
I just want some of the "user" level settings to be different when
the domain user is on a laptop. Can I do the following:
* Keep a single (remember: it's roaming) Windows profile for the user
* Set a *different* and local path for their My Documents data (e.g.,
c:\data\username) when they're on their laptop
* Handle the file syncing with third party software, scripting,
whatever....really not worried about this part
* Still prevent them from changing the My Documents path
***********
Questions
***********
1. As I understand it, enabling loopback processing in a GPO linked
to a OU allows one to set separate 'user'-ish settings based on a
computer/location, right?
2. If I'm even close with the above- at what level in the config
described above do I create the OU for the laptops?
3. What, if anything, in my custom GPO, should I break into different
GPOs - to make sure that the laptop users inherit the settings I
wish to apply to *all* users?
4. Can this even be *done* ?
I'd welcome any ideas (besides "use offline files" .... on that
subject I'm afraid I'm implacable). Any newbie-friendly
links/tutorials, whatnot. Thanks for your patience and understanding, and
yes, I'm aware that I'm a bit long-winded, and you should feel
exceptionally sorry for whomever has the misfortune to date me. :)
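As an added example, not part of any post in this thread: a PowerShell check that reports, on a domain-joined client, whether the "laptop OU + loopback processing" design discussed above has actually taken effect for the logged-on user (loopback mode, Offline Files policy, the locked My Documents path and where it points). It assumes PowerShell 3 or later on the client, reads the documented policy registry keys behind the settings named in the thread, and uses C:\data\<username> as the placeholder local path from the original post.

```powershell
# Added example (not from the thread): verify the laptop-specific loopback design on a client.
# Placeholder: the local My Documents layout proposed in the original post.
$expectedLocalDocs = Join-Path 'C:\data' $env:USERNAME

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Computer side: "User Group Policy loopback processing mode" (1 = Merge, 2 = Replace)
$loopback = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'UserPolicyMode'
$loopbackText = switch ($loopback) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured / disabled' } }

# Computer side: "Allow or Disallow use of the Offline Files feature" (0 = disallowed)
$offlineEnabled = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache' 'Enabled'

# User side: "Prohibit user from changing My Documents path"
$noDocsChange = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'DisablePersonalDirChange'

# User side: "Do not automatically make redirected folders available offline"
$noAutoPin = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\NetCache' 'DisableFRAdminPin'

# Where My Documents actually resolves right now (after folder redirection / logon scripts ran)
$docsPath = [Environment]::GetFolderPath('MyDocuments')

# Portable chassis types per the SMBIOS enclosure table: 8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook
$chassis  = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
$isLaptop = @($chassis | Where-Object { $_ -in 8, 9, 10, 14 }).Count -gt 0

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    User               = $env:USERNAME
    IsLaptopChassis    = $isLaptop
    LoopbackMode       = $loopbackText
    OfflineFilesPolicy = if ($offlineEnabled -eq 0) { 'Disallowed' } else { 'Allowed / not configured' }
    NoAutoOfflinePin   = ($noAutoPin -eq 1)
    DocsPathLocked     = ($noDocsChange -eq 1)
    MyDocumentsPath    = $docsPath
    # True only when a laptop ended up with the local path the design intends
    MatchesLaptopGoal  = ($isLaptop -and ($docsPath -ieq $expectedLocalDocs))
} | Format-List
```

Run it once on a laptop and once on a desktop for the same user; `gpresult /r /scope:user` on the same machines lists which GPOs supplied the user settings and makes a loopback misconfiguration easy to spot.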