Disable folder redirection for specific users
-
I am trying to disable redirection of domain user Documents folder for specific users. I've got a document redirection group policy enabled for the root OU in our domain structure. Beneath that OU I've got two OUs, one for Users, and one for Computers. In the Computers OU I created an OU called "Disable Document Redirection" and linked a group policy to it that should specifically do that...
The policy is setup as follows:
- User Configuration > Policies > WIndows Settings > Folder Redirection { Documents: Setting-> Basic - Redirect everyone's folder to the same location, Target Folder Location: Redirect to the local userprofile location} (this is done for the Documents, Pictures, Videos, and Music folders)
- Computer Configuration > Policies > Administrative Templates > System > Group Policy { Configure user Group Policy loopback processing mode: Enabled, Mode: Replace }
I've got the Policy marked as Enabled and Enforced, and I've made sure it is replicated across both domain controllers. I place the laptop I am wanting to revoke document redirection on into the new OU and do a "gpupdate /force" on the client to push the changes. I reboot, login, and the document redirection is still in effect...
Any pointers on how to properly achieve what I'm trying to do?! From everything I have looked up on technet this should work and it isn't...
-
Is your user account linked to the User Config GPO? That will override the computer gpos.
-
That setting in Computers> Policy>Admin>System>Group Policy loopback processing mode seems... weird. You could probably just make 2 policies one with the redirection enabled, one with disabled, and apply one each to a different OU that you make.
-
A deny-rule should do:
https://support.microsoft.com/en-us/kb/816100 -
@momurda said in Disable folder redirection for specific users:
That setting in Computers> Policy>Admin>System>Group Policy loopback processing mode seems... weird. You could probably just make 2 policies one with the redirection enabled, one with disabled, and apply one each to a different OU that you make.
That's what I tried first... When that didn't work I dug a little deeper and found the loopback setting that is supposed to supercede the previous setting. That didn't work either...
-
@thwr said in Disable folder redirection for specific users:
A deny-rule should do:
https://support.microsoft.com/en-us/kb/816100Well, I want the folder direction to apply to everyone, just not people using this specific laptop (and possibily other laptops in the future). From what I understand I should be able to create a new OU nested within my Domain structure as described above, link the new group policy forcing folder redirection back to local directories, and then put any devices on the domain in that OU to make the changes effective.
-
@RamblingBiped said in Disable folder redirection for specific users:
@thwr said in Disable folder redirection for specific users:
A deny-rule should do:
https://support.microsoft.com/en-us/kb/816100Well, I want the folder direction to apply to everyone, just not people using this specific laptop (and possibily other laptops in the future). From what I understand I should be able to create a new OU nested within my Domain structure as described above, link the new group policy forcing folder redirection back to local directories, and then put any devices on the domain in that OU to make the changes effective.
The basic idea is that you just apply the rule to everyone (or everyone in a specific OU) and just deny execution / parsing of the rule for specific users or groups. Just see the security tab, you'll get the idea.
-
@thwr said in Disable folder redirection for specific users:
@RamblingBiped said in Disable folder redirection for specific users:
@thwr said in Disable folder redirection for specific users:
A deny-rule should do:
https://support.microsoft.com/en-us/kb/816100Well, I want the folder direction to apply to everyone, just not people using this specific laptop (and possibily other laptops in the future). From what I understand I should be able to create a new OU nested within my Domain structure as described above, link the new group policy forcing folder redirection back to local directories, and then put any devices on the domain in that OU to make the changes effective.
The basic idea is that you just apply the rule to everyone (or everyone in a specific OU) and just deny execution / parsing of the rule for specific users or groups. Just see the security tab, you'll get the idea.
But that will kill document redirection on other domian joined assets for the same user. I don't want to disable document redirection on his desktop, just on his laptop that will be leaving the building frequently.
-
@RamblingBiped said in Disable folder redirection for specific users:
@thwr said in Disable folder redirection for specific users:
@RamblingBiped said in Disable folder redirection for specific users:
@thwr said in Disable folder redirection for specific users:
A deny-rule should do:
https://support.microsoft.com/en-us/kb/816100Well, I want the folder direction to apply to everyone, just not people using this specific laptop (and possibily other laptops in the future). From what I understand I should be able to create a new OU nested within my Domain structure as described above, link the new group policy forcing folder redirection back to local directories, and then put any devices on the domain in that OU to make the changes effective.
The basic idea is that you just apply the rule to everyone (or everyone in a specific OU) and just deny execution / parsing of the rule for specific users or groups. Just see the security tab, you'll get the idea.
But that will kill document redirection on other domian joined assets for the same user. I don't want to disable document redirection on his desktop, just on his laptop that will be leaving the building frequently.
Create a deny rule for the computer object maybe? Not sure if that works.
-
Update: So I got sick of chasing my tail on the problem and blew the machine out of the water and did a fresh build. Upon finishing updates, re-joining the domain, and moving the laptop into the new OU to apply the new policy to squash document redirection and... it automagically works!
Upon further investigation, the user had tried to initially make changes to the registry to "fix/correct" document redirection that was put in place by default. Yes, I know, "USERS SHOULDN'T HAVE THE ABILITY TO EDIT THE REGISTRY!!!" Well, in my case and the use case for these devices they have to have that ability. The laptops are used for development and they need to have full control over the systems. Also, the user is the CEO.
Thank you for the help!
-
In my GP implementation of Folder Redirection, I have a User Group for Redirected Folders and my policy only applies to users in that group. In order to disable Redirection, I simply remove that user from the group. Just had to do this for a user today, which reminded me of this thread. Hope you found an elegant solution here!
-
@chrisnbrooks said in Disable folder redirection for specific users:
In my GP implementation of Folder Redirection, I have a User Group for Redirected Folders and my policy only applies to users in that group. In order to disable Redirection, I simply remove that user from the group. Just had to do this for a user today, which reminded me of this thread. Hope you found an elegant solution here!
Yeah, the functionality I needed was having users keep their folder redirection, but only removing it on specific devices. My problem ended up being my user turning their Windows registry into swiss cheese trying to "fix" the folder redirection themselves before coming to me. Once I did a rebuild and repeated the process I found the problem wasn't my group policy implementation.
Everything is now working as expected/desired.
-
@RamblingBiped Just read your preceding update, sorry to hear about the headache! (and for not reading the newest replies) Glad you got it sorted out.
-
If I should've just PM'd you on this, let me know: I know you already got this resolved, but I'm curious why you are wanting to block document redirection for laptops. Reason being is that you could consider leaving it on, but use offline files to enable access to the domain documents, as well as the ability to sync updates to the domain after changes have been made offline (which is where the combo really comes in handy - users would be ticked if they couldn't work on their files, and then couldn't update their network copies). I realize that there is some network overhead using this scenario, especially the very first time files are synced, but it's something to consider
-
@RamblingBiped said in Disable folder redirection for specific users:
The laptops are used for development and they need to have full control over the systems. Also, the user is the CEO.
even more reasons why he shouldn't have those rights. Dev's should be forced to program in a locked down environment to ensure they write code that WORKS in a locked down environment. LOL
Yeah I know.. it might not really work that way, I have no clue.. just sayin' is all.