Today I decided to change the way that my folder redirection policy was applied to my workstations.
Previously, it was the stock-standard folder redirection policy that was targeted to the OU containing my user accounts, however I wanted to have the ability to exclude some machines from this (I build a lot of virtual machines and don’t want folder redirection applying to these).
In order to achieve this, you’ll need to use loopback policy processing so you can apply the user configuration based on computer rather than user.
The two main ways of achieving this are by employing multiple OU’s (my least favourite) or by using security groups. I prefer security groups, because it means you can have one group that contains all of the machines to which folder redirection should be applied, without needing to create a seperate OU in every location/office/branch you may have.
The OU method
1. Generally, you’d want to create a sub-OU under the OU that contains your computer accounts. You might want to call this something like “Folder Redirection Enabled Computers” or whatever makes you happy.
2. Create a policy, and configure your folder redirection settings to your liking, and then under Computer\Administrative Templates\System\Group Policy, enable the setting “User Group Policy loopback processing mode” and set it to “Merge”
3. Now add the machines that you want to apply the folder redirection to, to the OU you created with the policy linked
The security group filtering method
1. Create a security group called something like “Folder Redirection Enabled Computers” and add all of your required machines to this group
2. Create a new policy, and remove Authenticated Users under the Security Filtering tab, then add Domain Users and the group you created in the above step
3. Edit the policy configuring your folder redirection settings to your liking, and then under Computer\Administrative Templates\System\Group Policy, enable the setting “User Group Policy loopback processing mode” and set it to “Merge”
4. Link the policy to the OU that contains your computer accounts
As I mentioned, I prefer the use of security group filtering for this purpose, because I find it more scalable – You just link the policy to the OU(s) that contain your computer accounts, and add the computers to actually apply folder redirection settings to your custom group.
Note that you do need to ensure that the user account can read the policy as well, even though with loopback policy processing, it will be applied based on the computer account. This is because the policy passes through the user security filter to, so if you don’t have Domain Users added to the security filter (or at least a group that will contain the user(s) logging on to your desired machines) then the policy won’t apply.
In Windows 7, there is a fair level of detail in both the Application event log, as well as the dedicated Folder Redirection event log, so I recommend watching these logs remotely during a logon to make sure everything is behaving the way you expect it to.