1

The previous IT divided the users into OU's based on their position (for example: marketing, sales etc), there are 4 OU's in total. A group policy object is applied to all 4 OU's and one of the settings includes folder redirection.

I do not want folder redirection for any users that have laptops, but I would like to keep the rest of the settings that the GPO applies (don't want to delete it).
I believe that putting the computer objects of each laptop in a separate OU and then applying a GPO to deny folder redirection might be the right approach, or adding computer objects to a group and then applying a security filter to deny folder redirection may also work.

It's my first time really cleaning up a messy situation like this so any input would be appreciated, please let me know which method would work best. If you have a better method please share!

HBruijn
  • 77,029
  • 24
  • 135
  • 201
kyldu
  • 23
  • 1
  • 4

1 Answers1

2

Folder Redirection is a User Configuration setting. You can't directly control it by simply moving the laptop computer objects into an OU and denying the GPO nor by filtering the GPO based on the computer objects, again, because Folder Redirection applies to users, not computers.

If you don't want to apply folder redirection to the users who use laptops then what you can do is to move the computer objects for the laptops to a separate OU and configuring Loopback Policy Processing (Computer Configuration\ Administrative Templates\ System\ Group Policy\ Configure user Group Policy loopback processing mode - reference 1; ref 2) in a GPO linked to that OU and configure Loopback Policy Processing to Replace mode. This tells Group Policy to apply the User Configuration settings in the GPO linked to the OU where the laptop computer objects are to the users logging onto those computers and it tells Loopback Policy processing to replace the users normal GPO settings (from the GPO's that are in the Scope of Management of the user object) with the User Configuration settings in the GPO linked to the OU where the computer objects are. Make sure you don't configure Folder Redirection in the GPO linked to the OU where the laptop computer objects are and then users logging onto those laptops won't have their folders redirected.

Also note that you'll need to configure all of the user settings that you DO want to apply to the users in this GPO because this GPO is going to replace all of the other User Configuration settings that would normally be applied to these users. These users won't get any settings from any other GPO's that would normally be applied to them. You're replacing all of those settings with the settings in this GPO.

gregg
  • 629
  • 4
  • 11
  • 26
joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • I see, this sounds like a route I could take. I was also thinking that there are a select number of users that have laptops, since folder redirection is a user configuration setting would another solution be to add the laptop users to a group, and then apply a security filter on that group to deny folder redirection? I say this because the only issue I have with the solution you provided above is that some users that typically work in the office might use the laptop one day and their data will be stored locally when the rest of their data from working in the office is on the server. Thanks! – kyldu Sep 08 '16 at 05:09
  • You could use a security group to filter the GPO so that it doesn't apply to laptop users, but that will deny the entire GPO and all of it's settings to the laptop users, so you would need another GPO that sets all of the other settings, which is now making things more complex and messy. . You may be better of creating a separate GPO for only Folder Redirection that you can apply to all but the laptop users. May I ask why you don't want to use Folder Redirection for the laptop users? – joeqwerty Sep 08 '16 at 14:03
  • Hmm I see, I'm going to just side aside some time and make a new policy designated just to folder redirection, I think that may be best in the long run rather than taking shortcuts right now. I want to disable folder redirection for Laptop users because they have complained about not having access to any of their data when out of office. We've set them up with the VPN but some of the users also work offline (places where they might not have internet), the rest of the remote users are technically challenged and they just have trouble using the VPN at times. I appreciate your help! – kyldu Sep 09 '16 at 02:46
  • You can use Folder Redirection and Offline Files together to allow laptop users to work with their redirected folders while they're offline. That's how many companies implement Folder Redirection for roaming/travelling users. – joeqwerty Sep 09 '16 at 02:58
  • Awesome, I just read into this and it seems like the perfect fix, I appreciate your help! I think offline files is the way to go. – kyldu Sep 11 '16 at 02:24