
Loopback processing, roaming profiles, folder redirection for domain-member laptops


Lanwench [MVP - Exchange]

Apr 5, 2007, 8:53:42 PM
Hi.
My name is Lanwench and I know just enough group policy to be dangerous.

[IIRC I posted a similar question a couple of years ago, when I knew even
less, but didn't get too much in the way of useful advice - so I hope this
is at least a better-informed question now. ]

I support a number of small domains (predominantly W2003 AD with WinXP Pro
clients) and am learning a lot of cool group policy stuff as I go
along...it's helped me lock down and standardize a lot in my various
customer environments & I'm pleased with the results. However, I have some
annoying issues with laptop users and how I handle folder redirection,
profiles, and offline files. So many settings seem to be per user, and not,
"per user when user logs into specific computers" - and I can't find a way
to set up an OU to ignore or block specific inherited GPOs and yet still
inherit *some* of them. Ugh. I've figured out plenty of kluges to work
around this in the past, but they suck, frankly; I'm hoping I've missed
something.

After lurking in here & doing more reading, I'm now wondering whether
setting up a separate OU for laptops and somehow making use of this loopback
processing thing, is the answer....

************
Typical config
************

* Domain <---I never mess with the default domain policy, etc., except to
set password policies
|
* Company Name <--- nothing blocked; my custom GPO linked here
|
* Computers <--- currently nothing linked; just inheriting
policies from above
|
* Users <--- currently nothing linked; just inheriting policies
from above

Pertinent bits from the custom GPO:

1. Folder redirection for My Documents (generally to the user's home
directory or a subfolder therein)

2. All Offline Files crap disabled (I have had tragic disasters in the past;
don't get me started. I even disable offline file caching on my shares for
good measure)

3. "Prohibit user from changing My Documents path" is enabled


Everything above works fine overall. [Note that I have been using roaming
profiles for years and nearly always implement them; I know how to make them
work, and they generally do.]


***********
Problem....
***********

When I've got users with laptops--who *also* use desktops, note--much of my
gorgeous setup falls apart---although the roaming profiles work fine & get
cached.

1. Their normal My Documents path will naturally be useless to them when
they are not on the network, as it's defined by the user bits of the GPO,
not the computer bits

2. Although I know plenty of third party sync software (current fave:
SecondCopy) that will sync whatever server files I wish to the laptop, how
do I get them to actually see/make use of the locally sync'd data?

3. I could set up a desktop shortcut to a custom-created local folder, and
populate/sync it however I wish, and show them how to use that when on the
laptops....but what a pain. [And even if I do this, they will then wind up
with this weird orphaned shortcut when they log into their desktop PCs.]

I'm a bit lost. And honestly, even if I were to suck it up and say "fine,
I'll use !@#$%% offline files," I'd never want that enabled/used when they
logged in at their *desktops* ...only on their laptops. And I'd *really*
rather not use it anyway.


***********
Goals
***********

I just want some of the "user" level settings to be different when the
domain user is on a laptop. Can I do the following:

* Keep a single (remember: it's roaming) Windows profile for the user
* Set a *different* and local path for their My Documents data (e.g.,
c:\data\username) when they're on their laptop
* Handle the file syncing with third party software, scripting,
whatever....really not worried about this part
* Still prevent them from changing the My Documents path


***********
Questions
***********

1. As I understand it, enabling loopback processing in a GPO linked to an OU
allows one to set separate 'user'-ish settings based on a computer/location,
right?

2. If I'm even close with the above- at what level in the config described
above do I create the OU for the laptops?

3. What, if anything, in my custom GPO, should I break into different GPOs -
to make sure that the laptop users inherit the settings I wish to apply to
*all* users?

4. Can this even be *done* ?


I'd welcome any ideas (besides "use offline files" .... on that subject I'm
afraid I'm implacable). Any newbie-friendly links/tutorials, whatnot.

Thanks for your patience and understanding, and yes, I'm aware that I'm a
bit long-winded, and you should feel exceptionally sorry for whomever has
the misfortune to date me. :)

Bruce Sanderson

Apr 6, 2007, 1:48:19 AM
Some opinions and comments.

1. As a general rule, I suggest not mixing Computer Settings and User
Settings in the same GPO - this restricts your flexibility and can be
confusing

2. Others' experiences may vary, but I've found the Folder Redirection stuff
in the GPOs to be problematic and have avoided it - we use a Logon script to
redirect the My Documents and Favorites special folders to a user-specific
share on a file server (no "Home Directory" specified in the user account in
AD)

3. if you put the laptops' user accounts into a separate OU from the
desktops, then you can use loopback processing to apply different User
Configuration settings to the laptops and desktops if you also separate out
the settings you want to be different into separate GPOs

4. we also encountered difficulties with Offline Files, but this was mainly
because "redirected" folders get automatically set to "Make available
offline" by default. Setting:
User Configuration, Network, Offline Files, "Do not automatically make
redirected folders available offline" prevents that from happening BEFORE
redirecting any folders - it's not retroactive. Not sure how this interacts
with redirecting via GPO - we don't do that (see 2 above)

5. our users with laptops find the Offline Files feature works well for
them - they can select which network files they want to be available
offline - and they like it (assuming item 4 has been taken care of)

6. again, others may have different opinions, but I've found it simpler to
link the GPOs lower in the OU hierarchy - GPOs with Computer settings to the
"Computers" OU, or in some cases even lower - different settings for servers
(particularly Terminal Servers) than for desktops for example; GPOs with
User settings to "Users", again, sometimes lower - e.g. to apply different
user settings to administrative user accounts than to "normal" user
accounts. Using security or WMI filtering you can prevent GPOs from being
applied selectively, but I'm not aware of a way to selectively apply some
settings and not others from the same GPO

7. there's a trade off between flexibility and overhead. It's more flexible
to have several GPOs each with individual sets of related settings rather
than all of the settings in one GPO. Applying each GPO (e.g. User settings
at logon) involves a certain amount of overhead - network traffic, AD
accesses, processing on the target computer. My experience tells me that
this extra overhead is not great and is quite a bit less than Roaming
Profiles for example, which can involve copying a lot of data to the
workstation at logon and back to the server at logoff.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

"Lanwench [MVP - Exchange]"
<lanw...@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:uKouKY%23dHH...@TK2MSFTNGP02.phx.gbl...
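Bruce's item 2 describes redirecting the My Documents and Favorites special folders from a logon script instead of the Folder Redirection policy. The script below is an added illustration of that approach, not Bruce's own script and not something posted in this thread. It assumes a per-user folder under a share named \\FILESERVER\users$ (both placeholder names) and writes the two values Windows consults for those folders, User Shell Folders\Personal and \Favorites. It deliberately leaves the existing values alone when the share is not reachable, which is the situation Bruce later mentions as needing manual cleanup.

```powershell
# Added example (not from the thread): logon-script redirection of
# My Documents and Favorites to a per-user share, without the Folder
# Redirection policy and without an AD home directory.
# Assumptions (placeholders): share \\FILESERVER\users$, one subfolder per
# account named after the sAMAccountName.

$share  = '\\FILESERVER\users$'
$target = Join-Path $share $env:USERNAME
$usf    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Refuse to redirect to a location that is not reachable right now. Leaving
# the current value in place is safer than pointing the shell at a dead path.
if (-not (Test-Path -LiteralPath $share)) {
    Write-Warning "$share is not reachable; leaving shell folders unchanged"
    return
}

# Create the per-user folders on first logon.
foreach ($sub in @('My Documents', 'Favorites')) {
    $dir = Join-Path $target $sub
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

# Point the special folders at the share. Both values are REG_EXPAND_SZ in a
# default profile, so keep that type. Explorer picks the change up at the
# next logon (or after the shell is restarted).
Set-ItemProperty -Path $usf -Name Personal  -Type ExpandString `
    -Value (Join-Path $target 'My Documents')
Set-ItemProperty -Path $usf -Name Favorites -Type ExpandString `
    -Value (Join-Path $target 'Favorites')
```

One design point to keep in mind if this script lives in a GPO linked to the Users OU and loopback is later enabled on a Laptops OU in merge mode: logon scripts from the user's own GPOs still run in merge mode, so this script would overwrite whatever local path the laptop policy set. Either use replace mode on the laptops, or keep the script out of the GPOs that reach laptop logons.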

Florian Frommherz

Apr 6, 2007, 5:03:56 AM
Howdie Lanwench!

I'll post my feelings about this inline - although I've read the whole
posting of yours, I'll cut it to the questions-section.

Lanwench [MVP - Exchange] wrote:
> ***********
> Questions
> ***********
> 1. As I understand it, enabling loopback processing in a GPO linked to an OU
> allows one to set separate 'user'-ish settings based on a computer/location,
> right?

That's right. Loopback makes the computers look at the user
configuration settings that are defined. As of my understanding of your
issue, Loopback should work pretty well.

> 2. If I'm even close with the above- at what level in the config described
> above do I create the OU for the laptops?

I'd create an OU containing the laptops at the same level as the "User"
OU. By doing that, you can simply make your settings at "Laptops"-level
and leave previously made settings alone. At Laptops level, you define
all the user settings that shall be _mandatory_ to the users -
everything that's in your "Goals" section.

> 3. What, if anything, in my custom GPO, should I break into different GPOs -
> to make sure that the laptop users inherit the settings I wish to apply to
> *all* users?

Leave the current GPOs alone. If you choose "merge mode" when enabling
loopback, it will simply overwrite the user's settings with the user
settings that the computer applies. As long as you have your settings
defined at "Laptops"-level, that should be working fine.

You could test that pretty easily by putting a laptop into an OU and
linking a policy with loopback and your settings there. Concerning your
sync-tool, you'll still have to sync it with it as there is no other
method or trick I know of...

I have these links for you, but you may have come across them by yourself:
http://technet2.microsoft.com/WindowsServer/en/library/33a8ff54-151a-47b7-a6c3-92aab07c2d131033.mspx?mfr=true
http://support.microsoft.com/kb/231287
http://www.frickelsoft.net/blog/?p=22

cheers,

Florian
--
Junior admin from southern Germany.
eMail: first name [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
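Florian suggests testing by moving a laptop into the new OU and linking a loopback-enabled GPO there. The script below is an added check for that test; it is not from the thread or from Florian's blog. Run it on the laptop, in the user's session, after gpupdate: it reads the loopback mode the computer policy wrote, the effective My Documents location, and whether the "Prohibit user from changing My Documents path" setting took effect. The expected local path C:\data\<username> is taken from the Goals section above and is an assumption about what the Laptops GPO redirects to.

```powershell
# Added example (not from the thread): verify on a laptop that loopback
# applied and that My Documents now resolves to the local path.
# Assumption: the Laptops GPO redirects My Documents to C:\data\<username>.

$expected = "C:\data\$env:USERNAME"

# 1. Loopback mode. The Computer Configuration setting "User Group Policy
#    loopback processing mode" writes UserPolicyMode: 1 = Merge, 2 = Replace.
#    In merge mode the user's own GPOs apply first and the user settings from
#    the computer's scope are applied on top, so they win on any conflict.
#    In replace mode only the user settings from the computer's scope apply.
$sys  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $sys -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { 'Loopback: Merge (laptop OU user settings override the user OU ones)' }
    2       { 'Loopback: Replace (only the laptop OU user settings apply)' }
    default { 'Loopback: not enabled on this computer' }
}

# 2. Effective My Documents location. Folder Redirection and a logon script
#    both end up in User Shell Folders\Personal (REG_EXPAND_SZ).
$usf      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$personal = (Get-ItemProperty -Path $usf -Name Personal).Personal
$personal = [Environment]::ExpandEnvironmentVariables($personal)
"My Documents resolves to: $personal"
if ($personal -ieq $expected) { 'OK: local path is in effect' }
else { "WARNING: expected $expected; the laptop GPO did not win" }

# 3. "Prohibit user from changing My Documents path" lands here as
#    DisablePersonalDirChange = 1 (assumed value name for this policy).
$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$lock = (Get-ItemProperty -Path $pol -Name DisablePersonalDirChange -ErrorAction SilentlyContinue).DisablePersonalDirChange
if ($lock -eq 1) { 'Path change is prohibited' }
else { 'WARNING: user can still change the My Documents path' }

# 4. Which GPOs actually contributed user settings (RSoP). Compare the list
#    with what is linked to the Laptops OU and to the Users OU.
gpresult /scope user /v | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10
```

If step 1 reports Merge but step 2 still shows the server path, the usual causes are a logon script in a user-scope GPO rewriting Personal after policy ran, or Folder Redirection configured in both scopes with the user-scope GPO linked lower in the OU tree than expected; the gpresult output in step 4 shows the order.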

Lanwench [MVP - Exchange]

Apr 7, 2007, 10:12:04 AM
Florian Frommherz <flo...@PLEASELEAVETHISOUT.frickelsoft.net> wrote:
> Howdie Lanwench!
>

> I'll post my feelings about this inline - although I've read the whole
> posting of yours, I'll cut it to the questions-section.
>
> Lanwench [MVP - Exchange] wrote:
>> ***********
>> Questions
>> ***********
>> 1. As I understand it, enabling loopback processing in a GPO linked
>> to an OU allows one to set separate 'user'-ish settings based on a
>> computer/location, right?
>
> That's right. Loopback makes the computers look at the user
> configuration settings that are defined. As of my understanding of
> your issue, Loopback should work pretty well.

Cool. I know it's used in Terminal Services environments, but in TS I'm
using a different profile defined in the ADUC properties anyway, so I've
never worried about it.


>
>> 2. If I'm even close with the above- at what level in the config
>> described above do I create the OU for the laptops?
>
> I'd create an OU containing the laptops at the same level as the
> "User" OU.

So, "Users" "Computers" and "Laptops" are at the same level, then, right?

>By doing that, you can simply amke your settings at
> "Laptops"-level and leave previously made settings alone. At Laptops
> level, you define all the user settings that shall be _mandatory_ to
> the users - everything that's in your "Goals" section.

What do you think of separating *all* computer-specific and user-specific
policy settings into separate GPOs, as Bruce's reply suggests?


>
>> 3. What, if anything, in my custom GPO, should I break into
>> different GPOs - to make sure that the laptop users inherit the
>> settings I wish to apply to *all* users?
>
> Leave the current GPOs alone. If you choose "merge mode" when enabling
> loopback, it will simply overwrite the user's settings with the user
> settings that the computer applies. As long as you have your settings
> defined at "Laptops"-level, that should be working fine.

OK - that's where I was getting confused. So, merge mode means,
apply/inherit all settings defined in the GPOs above, but then anything
that conflicts/changes in the "laptop" OU-linked GPO will win & be the
effective policy for the user?


>
> You could test that pretty easy by putting a laptop into a OU and
> linking a policy with loopback and your settings there. Concerning
> your sync-tool, you'll still have to sync it with it as there is no
> other method or trick I know of...
>
> I have these links for you, but you may have come across them by
> yourself:
> http://technet2.microsoft.com/WindowsServer/en/library/33a8ff54-151a-47b7-a6c3-92aab07c2d131033.mspx?mfr=true
> http://support.microsoft.com/kb/231287
> http://www.frickelsoft.net/blog/?p=22

I hadn't seen them & they look useful- especially the page on your blog
(it's bookmarked). And thanks for your reply ....I have some reading &
testing to do. Feeling optimistic that this could work! Vielen Dank :)

> cheers,
>
> Florian

Lanwench [MVP - Exchange]

Apr 7, 2007, 11:09:17 AM
Bruce Sanderson <bsan...@newsgroups.nospam> wrote:
> Some opinions and comments.

...thanks, Bruce...


>
> 1. As a general rule, I suggest not mixing Computer Settings and User
> Settings in the same GPO - this restricts your flexibility and can be
> confusing

I've thought of that, but I've also heard that having a whole slew of
policies makes for a performance issue, no?
I don't really have that much stuff customized on the 'computer' side;
mostly on the user side.

>
> 2. Other's experiences may vary, but I've found the Folder
> Redirection stuff in the GPOs to be problematic and have avoided it -

Really? I've been quite happy with it...

> we use a Logon script to redirect the My Documents and Favorites
> special folders to the a user specific share on a file server (no
> "Home Directory" specified in the user account in AD)

I know home directories are old-school, but I still like 'em. What do you
put in your login script for this redirection, just out of curiosity?


>
> 3. if you put the laptops' user accounts into a separate OU from the
> desktops, then you can use loopback processing to apply different User
> Configuration settings to the laptops and desktops if you also
> separate out the settings you want to be different into separate GPOs

That's becoming clearer, thanks to you & Florian's reply.


>
> 4. we also encountered difficulties with Offline Files, but this was
> mainly because "redirected" folders get automatically set to "Make
> available offline" by default.

I hate them. I have seen far too many people lose data. And if something
catastrophic happens at the source (hell, even if you just want to
reorganize files/servers) the destination/client often gets completely out
of whack. Using third party sync stuff (or even a little batch file
w/robocopy or similar) means the destination files are accessible just as
normal files - there's no inherent link to anything else. You could disjoin
the computer from the domain & still access them just fine.

> Setting:
> User Configuration, Network, Offline Files, "Do not
> automatically make redirected folders available offline" prevents
> that from happening BEFORE redirecting any folders - it's not
> retroactive. Not sure how this interacts with redirecting via GPO - we
> don't do that (see 2 above)

I've never been sure whether the user or computer "disable !@#$% offline
files crap" wins, so I have often done it in both places. And as mentioned,
I disable offline file caching when I set up a share (one of the first
things I do).


>
> 5. our users with laptops find the Offline Files feature works well
> for them - they can select which network files they want to be
> available offline - and they like it (assuming item 4 has been taken
> care of)

Yep - until something goes wrong and the company owner loses a whole bunch
of files he's been working on while on vacation in the Bahamas and wants to
put your head on a plate :)


>
> 6. again, others may have different opinions, but I've found it
> simpler to link the GPOs lower in the OU hierarchy - GPOs with
> Computer settings to the "Computers" OU, or in some cases even lower
> - different settings for servers (particularly Terminal Servers)

Do you not use loopback processing for those? I specify a TS-specific
profile for the user in their ADUC Properties and that takes care of pretty
much everything I need them to have in a TS session (and keeps it separate
from their regular workstation profile).

> than for desktops for example; GPOs with User settings to "Users",
> again, sometimes lower - e.g. to apply different user settings to
> administrative user accounts than to "normal" user accounts. Using
> security or WMI filtering you can prevent GPOs from being applied
> selectively, but I'm not aware of a way to selectively apply some
> settings and not others from the same GPO

That's what I found, to my chagrin. Doesn't it seem like there ought to be a
"Don't apply the following policies" checkbox?


>
> 7. there's a trade off between flexibility and overhead. It's more
> flexible to have several GPOs each with individual sets of related
> settings rather than all of the settings in one GPO. Applying each
> GPO (e.g. User settings at logon) involves a certain amount of
> overhead - network traffic, AD accesses, processing on the target
> computer. My experience tells me that this extra overhead is not
> great and is quite a bit less than Roaming Profiles for example,
> which can involve copying a lot of data to the workstation at logon
> and back to the server at logoff.

Well, I try to keep the profiles miniscule and that helps. Folder
redirection is a godsend, and you can also choose what folders should and
should not be updated/included in the roaming, via GPO. I haven't played
with that bit much.

Thanks for your thoughtful reply and I have some more reading & testing to
do - glad I am on the right track here.
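The reply above mentions "a little batch file w/robocopy" as the alternative to Offline Files: plain files on the laptop with no cache layer, so they stay usable even if the machine is disjoined. The script below is an added example of that idea, not something posted in the thread. It assumes the user's server home folder is \\FILESERVER\users$\<username> and the laptop copy is C:\data\<username> (the local path from the Goals section); both names are placeholders. It copies only newer files in each direction and never deletes, because a one-way /MIR would wipe the laptop copy the moment the share is reorganised, which is exactly the failure mode the thread complains about.

```powershell
# Added example (not from the thread): keep the laptop's C:\data\<username>
# and the user's server home folder in step with robocopy, run at logon or
# from a scheduled task. Assumptions (placeholders): \\FILESERVER\users$ and
# C:\data as the two roots.

$server = "\\FILESERVER\users$\$env:USERNAME"
$local  = "C:\data\$env:USERNAME"
$log    = Join-Path $env:TEMP 'homesync.log'

# Off the network: do nothing. The local copy is ordinary files and remains
# usable without any server dependency.
if (-not (Test-Path -LiteralPath $server)) {
    Write-Host 'Server not reachable, skipping sync'
    return
}
if (-not (Test-Path -LiteralPath $local)) {
    New-Item -ItemType Directory -Path $local | Out-Null
}

# /E   copy subfolders including empty ones
# /XO  skip files that are older on the source (so the newer side wins)
# no /MIR or /PURGE: nothing is ever deleted on either side
# /R:1 /W:2 stop a flaky link from hanging the logon on retries
$common = @('/E', '/XO', '/R:1', '/W:2', '/NP', '/NDL', "/LOG+:$log")

$worst = 0
foreach ($pair in @(@($server, $local), @($local, $server))) {
    & robocopy.exe $pair[0] $pair[1] @common | Out-Null
    if ($LASTEXITCODE -gt $worst) { $worst = $LASTEXITCODE }
}

# robocopy's exit code is a bit mask: 1 = files copied, 2 = extra files on the
# destination, 4 = mismatches, 8 = some copies failed, 16 = fatal error.
# Only 8 and 16 indicate a problem; 0-7 are informational.
if ($worst -ge 8) {
    Write-Warning "Sync reported failures (code $worst); see $log"
} else {
    Write-Host "Sync finished (code $worst)"
}
```

Because neither direction deletes, a file removed on one side reappears after the next sync; that is the price of the safety margin, and a deliberate clean-up step (or a real sync tool such as the one mentioned above) is needed for deletions.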

Mark Heitbrink [MVP]

Apr 9, 2007, 11:10:41 AM
Hi,

Lanwench [MVP - Exchange] wrote:
> [...] 1. As I understand it, enabling loopback processing in a GPO linked
> to an OU allows one to set separate 'user'-ish settings based on a
> computer/location, right?

Absolutely.
Loopback is a "flag" applied to the computer, which needs to be set
only once, not per GPO, that should be "looped back".
Once defined it's affecting all GPOs from the scope on the computer
account.

I like to have a single GPO, where only Loopback is enabled and
I link it to the desired OU. As well, I like to prefer replace instead
of merge, because of the single point of (failure) administration :-)


> 2. If I'm even close with the above- at what level in the config described
> above do I create the OU for the laptops?

I would create it directly beneath the OU "Company Name", because it's, like
a server, TS server or computer, a totally different security setting.
I sort OUs usually by settings/function, not organisational aspects.

> 3. What, if anything, in my custom GPO, should I break into different GPOs -
> to make sure that the laptop users inherit the settings I wish to apply to
> *all* users?

Then you can work with the authenticated users and not a specific security
group.

> 4. Can this even be *done* ?

Yes. :-)

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english

Bruce Sanderson

Apr 9, 2007, 6:07:46 PM
1. "performance" is relative. I've not noticed "performance issues" with
multiple GPOs applied to a user or computer. If you have slow network
connections or an overworked Domain Controller, you may see some slowdown at
computer startup (or when the GPOs are automatically refreshed) or at user
logon. My experience is that if there is a performance degradation with 10
GPOs as opposed to one, it's not big enough for me or our users to notice it.
Retrieving and processing 10 GPOs is bound to be more work than for 1 GPO,
but it appears that the actual "work" is pretty small anyway, so one or 10
doesn't really make a noticeable difference for the users or the
system/network load, at least in our environment - we have 24 different
locations - some have T1 links some have fibre (100 Mb/s) depending
essentially on where they are and how many people are at that location.

Being able to easily manage the settings to be applied to different objects
by separating them into related sets in different GPOs has business value as
well. It simplifies administrative tasks, including the thinking and
planning involved to keep it straight about which settings get applied to
what. Assuming good discipline in naming and adding settings to GPOs, one
knows what settings are being applied by looking at the names of the GPOs
that are applied, either in gpmc or in the output from the gpresult
command.

The OU containing the computer accounts for our Terminal Servers has 9 GPOs
linked or inherited; normal user accounts have 6; workstation computers have
8.

2. Managing what happens when a user falls out of scope of GPO or if the
target location ceases to exist for redirected folders (e.g. share moved to
a different server) caused problems that required manual intervention on the
client computer to fix. After that disappointing experience, I've avoided
using folder redirection via GPO. If you find it works well for you - good;
maybe we just didn't try hard enough (or had a good enough reason to at any
rate).

The Logon Script is in a GPO applied to the user accounts. That GPO is not
linked to the OU where the "administrative" user accounts live so
administrators don't get the logon script applied.

We avoid specifying profiles in the user accounts because then you have a
lot of places to change when circumstances change. It's possible to
automate such changes, but that requires knowledge that not everyone has.

4. The setting to "Do not automatically make redirected folders available
offline" is only effective if it is in place BEFORE the user whose folder is
redirected (e.g. by logon script) actually logs on. When we first started
using Windows XP and GPOs, not realizing this created some headaches! We
now have that setting in our "Basic All Users" GPO that we apply to all User
accounts and this has not caused a problem since.

5. We use loopback processing for Terminal Servers to apply different user
configuration settings on them than on workstations for the same user
accounts - users only have one user account that they use for workstation
and Terminal Server logon.

6. not really - I suspect a setting to selectively apply some settings in
the same GPO would get to be very difficult to manage and understand exactly
what is happening in a large environment. Some people have asked for the
ability to have GPOs applied to Groups (or more specifically applied to
members of a Group that is an object in an OU that has the GPO linked to it
even though the user or computer accounts are elsewhere), but my opinion is
that this would also be a bad idea - user accounts often get to be members
of many groups and managing GPOs applied to groups could easily get to be a
nightmare! If you want different computers or users to have different
settings, create different GPOs - simple. When I find the need to apply
only some of the settings from a GPO, I factor out the settings that are to
be different into a separate GPO and link it only to the relevant OUs.
There is no substitute for planning and careful thought leading to rational
structuring of OUs and appropriate "rules" to keep things at least
manageable!

I sometimes think though that it might be useful to be able to selectively
suppress "inheritance" of GPOs as opposed to the "all or nothing" situation
that exists now.

7. For TS Roaming Profiles, we specify that in a GPO - avoids having to
change over 600 user accounts if we change the location of the TS Roaming
Profile share; Computer Configuration, Administrative Tools, Windows
Components, Terminal Server, Set path for TS Roaming Profiles. We don't use
Roaming Profiles for workstations - can be problematic, especially when
different Windows versions are used on the various computers.

There's lots of different ways to do things - what's "best" for us or anyone
else is not necessarily what's "best" for you.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

"Lanwench [MVP - Exchange]"
<lanw...@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:%23H8B6aS...@TK2MSFTNGP03.phx.gbl...

Lanwench [MVP - Exchange]

Apr 12, 2007, 5:14:41 PM
Mark Heitbrink [MVP] <spam...@gruppenrichtlinien.de> wrote:
> Hi,

...Hi, Mark - wanted to thank you, as well. I've got a lot to digest, but
you all have given me much food for thought.
(hmmm - metaphors seem to indicate I'm a bit hungry right now!)
