Today I decided to change the way that my folder redirection policy was applied to my workstations.
Previously, it was the stock-standard folder redirection policy that was targeted to the OU containing my user accounts, however I wanted to have the ability to exclude some machines from this (I build a lot of virtual machines and don’t want folder redirection applying to these).
In order to achieve this, you’ll need to use loopback policy processing so you can apply the user configuration based on computer rather than user.
The two main ways of achieving this are by employing multiple OU’s (my least favourite) or by using security groups. I prefer security groups, because it means you can have one group that contains all of the machines to which folder redirection should be applied, without needing to create a seperate OU in every location/office/branch you may have.
The OU method
1. Generally, you’d want to create a sub-OU under the OU that contains your computer accounts. You might want to call this something like “Folder Redirection Enabled Computers” or whatever makes you happy.
2. Create a policy, and configure your folder redirection settings to your liking, and then under Computer\Administrative Templates\System\Group Policy, enable the setting “User Group Policy loopback processing mode” and set it to “Merge”
3. Now add the machines that you want to apply the folder redirection to, to the OU you created with the policy linked
The security group filtering method
1. Create a security group called something like “Folder Redirection Enabled Computers” and add all of your required machines to this group
2. Create a new policy, and remove Authenticated Users under the Security Filtering tab, then add Domain Users and the group you created in the above step
3. Edit the policy configuring your folder redirection settings to your liking, and then under Computer\Administrative Templates\System\Group Policy, enable the setting “User Group Policy loopback processing mode” and set it to “Merge”
4. Link the policy to the OU that contains your computer accounts
As I mentioned, I prefer the use of security group filtering for this purpose, because I find it more scalable – You just link the policy to the OU(s) that contain your computer accounts, and add the computers to actually apply folder redirection settings to your custom group.
Note that you do need to ensure that the user account can read the policy as well, even though with loopback policy processing, it will be applied based on the computer account. This is because the policy passes through the user security filter to, so if you don’t have Domain Users added to the security filter (or at least a group that will contain the user(s) logging on to your desired machines) then the policy won’t apply.
In Windows 7, there is a fair level of detail in both the Application event log, as well as the dedicated Folder Redirection event log, so I recommend watching these logs remotely during a logon to make sure everything is behaving the way you expect it to.
3 thoughts on “Applying folder redirection policies on a per-machine basis”
I’ve followed the steps for security group filtering.
did everything you stated, but the folder redirection still seems to be applying to the computer that is NOT in the security group.
i have forced update on this machine, but still a no-go.
Perfect solution…! I opted for the Security Group solution as well and it just works.
I had the standard solution with a GPO attached to the OU where the users was located and I didn’t understand why this solution didn’t work to begin with, but I just had to remove the GPO from the OU of the users and only have it on the OU where the computers are located.
My only question is for clarification on step 4. You say to link the GPO to the “OU” that contains your computers. However these steps don’t include the creation of an OU only a security group. Do you mean, link the GPO to the OU that your computers already exist in prior to any of these steps?