Re: Loopback processing, roaming profiles, folder redirection for domain-member laptops




1. "performance" is relative. I've not noticed "performance issues" with multiple GPOs applied to a user or computer. If you have slow network connections or an overworked Domain Controller, you may see some slowdown at computer startup (or when the GPOs are automatically refreshed) or at user logon. My experience is that if there is a performance degradation with 10 GPOs as opposed to one, it's not big enough for me or our users to notice it. Retrieving and processing 10 GPOs is bound to be more work than for 1 GPO, but it appears that the actual "work" is pretty small anyway, so one or 10 doesn't really make a noticeable difference for the users or the system/network load, at least in our environment - we have 24 different locations - some have T1 links some have fibre (100 Mb/s) depending essentially on where they are and how many people are at that location.

Being able to easily manage the settings to be applied to different objects by separating them into related sets in different GPOs has business value as well. It simplifies administrative tasks, including the thinking and planning involved to keep it straight about which settings get applied to what. Assuming good discipline in naming and adding settings to GPOs, one knows what settings are being applied by looking at the names of the GPOs that are applied, either in gpmc or in the output from the gpresult command.

The OU containing the computer accounts for our Terminal Servers has 9 GPOs linked or inherited; normal user accounts have 6; workstation computers have 8.

2. Managing what happens when a user falls out of scope of GPO or if the target location ceases to exist for redirected folders (e.g. share moved to a different server) caused problems that required manual intervention on the client computer to fix. After that disappointing experience, I've avoided using folder redirection via GPO. If you find it works well for you - good; maybe we just didn't try hard enough (or had a good enough reason to at any rate).

The Logon Script is in a GPO applied to the user accounts. That GPO is not linked to the OU where the "administrative" user accounts live so administrators don't get the logon script applied.

We avoid specifying profiles in the user accounts because then you have a lot of places to change when circumstances change. It's possible to automate such changes, but that requires knowledge that not everyone has.

4. The setting to "Do not automatically make redirected folders available offline" is only effective if it is in place BEFORE the user whose folder is redirected (e.g. by logon script) actually logs on. When we first started using Windows XP and GPOs, not realizing this created some headaches! We now have that setting in our "Basic All Users" GPO that we apply to all User accounts and this has not caused a problem since.

5. We use loopback processing for Terminal Servers to apply different user configuration settings on them than on workstations for the same user accounts - users only have one user account that they use for workstation and Terminal Server logon.

6. Not really - I suspect a setting to selectively apply some settings in the same GPO would get to be very difficult to manage and understand exactly what is happening in a large environment. Some people have asked for the ability to have GPOs applied to Groups (or more specifically applied to members of a Group that is an object in an OU that has the GPO linked to it even though the user or computer accounts are elsewhere), but my opinion is that this would also be a bad idea - user accounts often get to be members of many groups and managing GPOs applied to groups could easily get to be a nightmare! If you want different computers or users to have different settings, create different GPOs - simple. When I find the need to apply only some of the settings from a GPO, I factor out the settings that are to be different into a separate GPO and link it only to the relevant OUs. There is no substitute for planning and careful thought leading to rational structuring of OUs and appropriate "rules" to keep things at least manageable!

I sometimes think though that it might be useful to be able to selectively suppress "inheritance" of GPOs as opposed to the "all or nothing" situation that exists now.

7. For TS Roaming Profiles, we specify that in a GPO - avoids having to change over 600 user accounts if we change the location of the TS Roaming Profile share; Computer Configuration, Administrative Tools, Windows Components, Terminal Server, Set path for TS Roaming Profiles. We don't use Roaming Profiles for workstations - can be problematic, especially when different Windows versions are used on the various computers.

There's lots of different ways to do things - what's "best" for us or anyone else is not necessarily what's "best" for you.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
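Several of the points above (loopback mode for Terminal Servers, the "do not automatically make redirected folders available offline" setting that must be in place before the folder is redirected, the TS roaming profile path set by GPO) come down to a handful of registry values that Group Policy writes on the client. The following script is an added example, not part of Bruce's post or any Microsoft tool: it reads those values on the machine it runs on and flags the item-4 ordering problem (My Documents already on a share while auto-pinning is still enabled). Registry paths are the standard locations the named policies write to; the function and property names are this example's own.

```powershell
# Added example (not from the thread): audit the client-side registry values that
# the Group Policy settings discussed above write, to confirm on a workstation,
# laptop or Terminal Server that the intended policy actually landed.
# Run as the user whose settings you want to check (HKCU values are per user).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-GpoRedirectionState {
    # Loopback mode (Computer Configuration): absent/0 = not configured, 1 = Merge, 2 = Replace.
    # [int] turns an absent value into 0 so the switch below hits its default case.
    $mode = [int](Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'UserPolicyMode')
    $modeName = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }

    # User Configuration, Network, Offline Files,
    # "Do not automatically make redirected folders available offline" (1 = set).
    $noAutoPin = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\NetCache' 'DisableFRAdminPin'
    # Computer-side "Allow or Disallow use of the Offline Files feature" (0 = disallowed).
    $offlineEnabled = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache' 'Enabled'

    # Where My Documents and Favorites currently point, i.e. what a logon script
    # or Folder Redirection changed. %USERPROFILE% etc. are expanded for readability.
    $usf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $personal  = [Environment]::ExpandEnvironmentVariables([string](Get-RegValue $usf 'Personal'))
    $favorites = [Environment]::ExpandEnvironmentVariables([string](Get-RegValue $usf 'Favorites'))

    # "Prohibit user from changing My Documents path" (1 = enabled).
    $lockPersonal = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'DisablePersonalDirChange'

    # Computer Configuration, Terminal Services, "Set path for TS Roaming Profiles".
    $tsProfilePath = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'WFProfilePath'

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        UserName                 = $env:USERNAME
        LoopbackMode             = $modeName
        RedirectedFoldersAutoPin = ($noAutoPin -ne 1)       # $true: the item-4 caveat still applies
        OfflineFilesAllowed      = ($offlineEnabled -ne 0)  # policy absent counts as allowed
        MyDocumentsPath          = $personal
        MyDocumentsOnNetwork     = $personal.StartsWith('\\')
        FavoritesPath            = $favorites
        MyDocumentsPathLocked    = ($lockPersonal -eq 1)
        TsRoamingProfilePath     = $tsProfilePath
    }
}

$state = Get-GpoRedirectionState
$state | Format-List

# The ordering problem from item 4: a network My Documents with auto-pinning
# still enabled means Offline Files will claim the folder on this logon.
if ($state.MyDocumentsOnNetwork -and $state.RedirectedFoldersAutoPin) {
    Write-Warning 'My Documents is on a share and redirected folders will be pinned offline: apply DisableFRAdminPin before redirecting.'
}
```

Run it once on a desktop, once on a laptop and once inside a Terminal Server session for the same account; the LoopbackMode and TsRoamingProfilePath fields should differ between the TS and the workstations while the HKCU fields show whatever the user-side GPOs (or the laptop OU's loopback GPO) put in place.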



"Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:%23H8B6aSeHHA.4872@xxxxxxxxxxxxxxxxxxxxxxx
Bruce Sanderson <bsanders@xxxxxxxxxxxxxxxxx> wrote:
Some opinions and comments.

...thanks, Bruce...

1. As a general rule, I suggest not mixing Computer Settings and User
Settings in the same GPO - this restricts your flexibility and can be
confusing

I've thought of that, but I've also heard that having a whole slew of policies makes for a performance issue, no?
I don't really have that much stuff customized on the 'computer' side; mostly on the user side.


2. Others' experiences may vary, but I've found the Folder
Redirection stuff in the GPOs to be problematic and have avoided it -

Really? I've been quite happy with it...

we use a Logon script to redirect the My Documents and Favorites
special folders to a user-specific share on a file server (no
"Home Directory" specified in the user account in AD)

I know home directories are old-school, but I still like 'em. What do you put in your login script for this redirection, just out of curiosity?

3. if you put the laptops' user accounts into a separate OU from the
desktops, then you can use loopback processing to apply different User
Configuration settings to the laptops and desktops if you also
separate out the settings you want to be different into separate GPOs

That's becoming clearer, thanks to you & Florian's reply.

4. we also encountered difficulties with Offline Files, but this was
mainly because "redirected" folders get automatically set to "Make
available offline" by default.

I hate them. I have seen far too many people lose data. And if something catastrophic happens at the source (hell, even if you just want to reorganize files/servers) the destination/client often gets completely out of whack. Using third party sync stuff (or even a little batch file w/robocopy or similar) means the destination files are accessible just as normal files - there's no inherent link to anything else. You could disjoin the computer from the domain & still access them just fine.

Setting:
User Configuration, Network, Offline Files, "Do not
automatically make redirected folders available offline" prevents
that from happening BEFORE redirecting any folders - it's not
retroactive. Not sure how this interacts with redirecting via GPO - we
don't do that (see 2 above)

I've never been sure whether the user or computer "disable !@#$% offline files crap" wins, so I have often done it in both places. And as mentioned, I disable offline file caching when I set up a share (one of the first things I do).

5. our users with laptops find the Offline Files feature works well
for them - they can select which network files they want to be
available offline - and they like it (assuming item 4 has been taken
care of)

Yep - until something goes wrong and the company owner loses a whole bunch of files he's been working on while on vacation in the Bahamas and wants to put your head on a plate :)

6. again, others may have different opinions, but I've found it
simpler to link the GPOs lower in the OU hierarchy - GPOs with
Computer settings to the "Computers" OU, or in some cases even lower
- different settings for servers (particularly Terminal Servers)

Do you not use loopback processing for those? I specify a TS-specific profile for the user in their ADUC Properties and that takes care of pretty much everything I need them to have in a TS session (and keeps it separate from their regular workstation profile).

than for desktops for example; GPOs with User settings to "Users",
again, sometimes lower - e.g. to apply different user settings to
administrative user accounts than to "normal" user accounts. Using
security or WMI filtering you can prevent GPOs from being applied
selectively, but I'm not aware of a way to selectively apply some
settings and not others from the same GPO

That's what I found, to my chagrin. Doesn't it seem like there ought to be a "Don't apply the following policies" checkbox?

7. there's a trade off between flexibility and overhead. It's more
flexible to have several GPOs each with individual sets of related
settings rather than all of the settings in one GPO. Applying each
GPO (e.g. User settings at logon) involves a certain amount of
overhead - network traffic, AD accesses, processing on the target
computer. My experience tells me that this extra overhead is not
great and is quite a bit less than Roaming Profiles for example,
which can involve copying a lot of data to the workstation at logon
and back to the server at logoff.

Well, I try to keep the profiles minuscule and that helps. Folder redirection is a godsend, and you can also choose what folders should and should not be updated/included in the roaming, via GPO. I haven't played with that bit much.

Thanks for your thoughtful reply and I have some more reading & testing to do - glad I am on the right track here.


"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uKouKY%23dHHA.4136@xxxxxxxxxxxxxxxxxxxxxxx
Hi.
My name is Lanwench and I know just enough group policy to be
dangerous. [IIRC I posted a similar question a couple of years ago, when I
knew even less, but didn't get too much in the way of useful advice
- so I hope this is at least a better-informed question now. ]

I support a number of small domains (predominantly W2003 AD with
WinXP Pro clients) and am learning a lot of cool group policy stuff
as I go along...it's helped me lock down and standardize a lot in my
various customer environments & I'm pleased with the results.
However, I have some annoying issues with laptop users and how I
handle folder redirection, profiles, and offline files. So many
settings seem to be per user, and not, "per user when user logs into
specific computers" - and I can't find a way to set up an OU to
ignore or block specific inherited GPOs and yet still inherit *some*
of them. Ugh. I've figured out plenty of kluges to work around this
in the past, but they suck, frankly; I'm hoping I've missed
something.

After lurking in here & doing more reading, I'm now wondering whether
setting up a separate OU for laptops and somehow making use of this
loopback processing thing, is the answer....

************
Typical config
************

* Domain <---I never mess with the default domain policy, etc.,
except to set password policies
|
* Company Name <--- nothing blocked; my custom GPO linked here
|
* Computers <--- currently nothing linked; just
inheriting policies from above
|
* Users <--- currently nothing linked; just inheriting
policies from above

Pertinent bits from the custom GPO:

1. Folder redirection for My Documents (generally to the user's home
directory or a subfolder therein)

2. All Offline Files crap disabled (I have had tragic disasters in
the past; don't get me started. I even disable offline file caching
on my shares for good measure)

3. "Prohibit user from changing My Documents path" is enabled


Everything above works fine overall. [Note that I have been using
roaming profiles for years and nearly always implement them; I know
how to make them work, and they generally do.]


***********
Problem....
***********

When I've got users with laptops--who *also* use desktops,
note--much of my gorgeous setup falls apart---although the roaming
profiles work fine & get cached.

1. Their normal My Documents path will naturally be useless to them
when they are not on the network, as it's defined by the user bits
of the GPO, not the computer bits

2. Although I know plenty of third party sync software (current fave:
SecondCopy) that will sync whatever server files I wish to the
laptop, how do I get them to actually see/make use of the locally
sync'd data?

3. I could set up a desktop shortcut to a custom-created local
folder, and populate/sync it however I wish, and show them how to
use that when on the laptops....but what a pain. [And even if I do
this, they will then wind up with this weird orphaned shortcut when
they log into their desktop PCs.]

I'm a bit lost. And honestly, even if I were to suck it up and say
"fine, I'll use !@#$%% offline files," I'd never want that
enabled/used when they logged in at their *desktops* ...only on
their laptops. And I'd *really* rather not use it anyway.


***********
Goals
***********

I just want some of the "user" level settings to be different when
the domain user is on a laptop. Can I do the following:

* Keep a single (remember: it's roaming) Windows profile for the user
* Set a *different* and local path for their My Documents data (e.g.,
c:\data\username) when they're on their laptop
* Handle the file syncing with third party software, scripting,
whatever....really not worried about this part
* Still prevent them from changing the My Documents path


***********
Questions
***********

1. As I understand it, enabling loopback processing in a GPO linked
to a OU allows one to set separate 'user'-ish settings based on a
computer/location, right?

2. If I'm even close with the above- at what level in the config
described above do I create the OU for the laptops?

3. What, if anything, in my custom GPO, should I break into different
GPOs - to make sure that the laptop users inherit the settings I
wish to apply to *all* users?

4. Can this even be *done* ?


I'd welcome any ideas (besides "use offline files" .... on that
subject I'm afraid I'm implacable). Any newbie-friendly
links/tutorials, whatnot.

Thanks for your patience and understanding, and yes, I'm aware that
I'm a bit long-winded, and you should feel exceptionally sorry for
whomever has the misfortune to date me. :)
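The thread's approach, a logon script that points My Documents and Favorites at a user-specific share with no Home Directory on the account, plus the "Goals" list above (same roaming profile, a local C:\data\username path on laptops, path still locked), fits in one short script once the laptop OU has its own loopback GPO. The script below is an added example, not Bruce's logon script or Lanwench's setup: it assumes the desktop users' GPO runs it with no switch, that the laptop OU's GPO (loopback processing enabled, applied after the user GPOs) runs it with -LocalData, and that per-user folders live under a share whose name is invented here. It also honours Bruce's item-4 caveat by refusing to redirect to the share until the "do not automatically make redirected folders available offline" policy is already in effect for the user.

```powershell
# Added example (not Bruce's or Lanwench's script): logon-script folder redirection
# via the User Shell Folders registry key, with a local target on laptops.
# Assumed deployment: desktops run "powershell.exe -File redirect.ps1";
# the laptop OU's loopback GPO runs it with "-LocalData".
# Share name, local root and switch name are this example's own choices.
param(
    [string]$ShareRoot = '\\fileserver\users',   # assumed: one folder per user under here
    [string]$LocalRoot = 'C:\data',              # laptop-local data root from the Goals list
    [switch]$LocalData                           # set by the laptop GPO's logon script line
)

$usf      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$netCache = 'HKCU:\Software\Policies\Microsoft\Windows\NetCache'

if ($LocalData) {
    $base = Join-Path $LocalRoot $env:USERNAME
} else {
    # Item 4 caveat: DisableFRAdminPin must already be applied before the folder
    # lands on a share, otherwise Offline Files pins it and you get the cleanup
    # job the thread complains about. Leave the folder alone rather than redirect.
    $pin = Get-ItemProperty -Path $netCache -Name DisableFRAdminPin -ErrorAction SilentlyContinue
    if ($null -eq $pin -or $pin.DisableFRAdminPin -ne 1) {
        Write-Warning "DisableFRAdminPin is not in effect for $env:USERNAME; not redirecting to the share."
        exit 1
    }
    if (-not (Test-Path -LiteralPath $ShareRoot)) {
        Write-Warning "$ShareRoot is not reachable; leaving My Documents as it is."
        exit 1
    }
    $base = Join-Path $ShareRoot $env:USERNAME
}

$targets = @{
    Personal  = Join-Path $base 'My Documents'   # "Personal" is Explorer's name for My Documents
    Favorites = Join-Path $base 'Favorites'
}

foreach ($name in $targets.Keys) {
    $path = $targets[$name]
    # Create the target first; Explorer copes badly with a missing folder.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path -Force | Out-Null
    }
    # REG_EXPAND_SZ is the type Explorer expects under User Shell Folders.
    New-ItemProperty -Path $usf -Name $name -Value $path -PropertyType ExpandString -Force | Out-Null
}

# Same registry value the GPO setting "Prohibit user from changing My Documents
# path" writes; redundant if that GPO already applies, harmless otherwise.
if (-not (Test-Path $explorer)) { New-Item -Path $explorer -Force | Out-Null }
New-ItemProperty -Path $explorer -Name DisablePersonalDirChange -Value 1 -PropertyType DWord -Force | Out-Null

Write-Output "Redirected My Documents and Favorites for $env:USERNAME to $base"
```

Explorer reads User Shell Folders when the shell starts, so the change takes effect from the next logon rather than the one the script runs in. Keeping the local and share copies in step stays with the third-party sync tooling the question already assumes; the script only decides which of the two paths the roaming user sees on the machine they are sitting at.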






