Policy for computer

  • Policy for computer

    Hello all,

    I need some help / advice.

    We are using Windows 2003 as AD / DC / DNS / DHCP server.

    We have 3 types of computer in the company: old computers, laptops and desktops. The laptops and desktops come with 2 hard disks:

    C : 010 GB
    D : 250 GB

    Thus we redirect, through a policy, C:\Documents and Settings\ to D:\DATA\DS\%username%, and we do this with a policy applied on the users OU. This works fine for desktops and laptops, but not for old computers.

    Old computers only have a plain C drive. We have made sub-OUs for old computers and removed the inheritance, so it doesn't try to put that stuff on the D drive.

    I find this way really ugly and wish to be able to apply this "user policy" to a "computer policy".

    Is there any way? How would you manage this?

    Thank you.

    Greg

  • #2
    Re: Policy for computer

    What you're looking for is called loopback processing - http://support.microsoft.com/kb/231287



    • #3
      Re: Policy for computer

      Originally posted by Bryan G
      What you're looking for is called loopback processing - http://support.microsoft.com/kb/231287
      Unless I'm mistaken, loopback processing is the opposite of what Gregory wants. LP applies Computer Settings to the User Settings side of the GPO not vice versa.

      Gregory: It's possible that you have one of the better solutions already implemented. Has the OU scheme that you set up caused problems in any other ways? If your users don't change computers often, you could create an "Old Computer Users" group and add the appropriate users to that group. Then deny that group the "Apply Policy" permission on the folder redirection GPO. That would allow you to do away with confusing sub-OUs for computers.

      Does that make sense?
      Wesley David
      LinkedIn | Careers 2.0
      -------------------------------
      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
      Vendor Neutral Certifications: CWNA
      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
      Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



      • #4
        Re: Policy for computer

        Actually, it is loopback processing that would be needed here.

        Loopback processing allows user settings to be applied by filtering on the computer side, or rather, lets you vary the user policy based on the computer.

        Example:

        You want to set the user's homepage to your company intranet on office machines, but on public access machines you want to have your company's external website set as the home page regardless of who logs in.

        You would specify the company intranet as the home page in a default policy on the user side and have the filtering set to "authenticated users".

        Then for your public machines you would create a GPO with the filtering set to your public access computer accounts. You would enable loopback processing on the computer configuration portion (Administrative Templates > System > Group Policy > Loopback Policy option) and select the mode you would like to use.
        Last edited by wiredteknologies; 25th July 2008, 21:18.
        Technology is only as good as those who use it

        My tech blog - wiredtek.wordpress.com
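
The home-page scenario from post #4, modelled as an added example that is not part of the original posts. It calls no Group Policy API; it only shows how the two loopback modes offered by the policy setting (Merge and Replace) change which user-side settings win. The function name, setting names and URLs are constructed for illustration.

```powershell
# Model only: later GPOs in the processing order overwrite earlier ones.
function Resolve-UserSettings {
    param(
        [hashtable[]]$UserGpos,      # user-side settings of GPOs in scope for the user account
        [hashtable[]]$ComputerGpos,  # user-side settings of GPOs in scope for the computer account
        [ValidateSet('None', 'Merge', 'Replace')]
        [string]$LoopbackMode = 'None'
    )
    switch ($LoopbackMode) {
        'None'    { $order = $UserGpos }                  # normal processing: computer's list is not used
        'Merge'   { $order = $UserGpos + $ComputerGpos }  # computer's list is processed last, so it wins conflicts
        'Replace' { $order = $ComputerGpos }              # the user's own list is ignored entirely
    }
    $effective = @{}
    foreach ($gpo in $order) {
        foreach ($key in $gpo.Keys) { $effective[$key] = $gpo[$key] }
    }
    $effective
}

# Constructed sample settings (hypothetical names and URLs).
$defaultUserPolicy = @{ HomePage = 'http://intranet.example'; ProxySetting = 'corp-proxy' }
$publicMachineGpo  = @{ HomePage = 'http://www.example.com' }

# What a user gets when logging on to a public access machine, per mode.
foreach ($mode in 'None', 'Merge', 'Replace') {
    $r = Resolve-UserSettings -UserGpos $defaultUserPolicy -ComputerGpos $publicMachineGpo -LoopbackMode $mode
    '{0,-8} HomePage={1}  ProxySetting={2}' -f $mode, $r.HomePage, $r.ProxySetting
}
```

In Merge mode the user keeps the settings that the public-machine GPO does not touch; in Replace mode only the public-machine GPO's user settings remain.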



        • #5
          Re: Policy for computer

          Originally posted by Nonapeptide
          Unless I'm mistaken, loopback processing is the opposite of what Gregory wants. LP applies Computer Settings to the User Settings side of the GPO not vice versa.
          I'm mistaken. Thanks for the clarification wiredteknologies. Sorry for the confusion Gregory.

          I read and re-read my post and was nearly sure that my understanding was correct. Something in the back of my mind kept saying "Yes... but are you sure you're sure?"

          To reiterate what wiredteknologies said, loopback processing takes the settings that were modified in the "User Configuration" portion of a GPO that is applied to a computer, and then applies those user settings back onto whichever user logs onto the computer. Thus the term "Loopback Processing" because GPOs get processed first by computer, and then by user, but with loopback processing the GPO "loops back" and applies the computer's user settings on top of the user's user settings. Confused? Excellent!

          Let us know how it goes.
          Wesley David


          • #6
            Re: Policy for computer

            Hello all,

            No problem, I am not really confused, it's really clear

            I just wonder: if I keep my policy set as it is now and create a loopback to exclude some computers from this policy, would it be like a conditional policy?

            Am I right?

            Do I keep my policy with C / D redirection and create the loopback to exclude my old computers, which come only with a plain C drive, or is it the opposite?

            Thank you all for your time and help !



            • #7
              Re: Policy for computer

              In the policy with the loopback enabled you will need to specify the location "C:\documents and settings\%username%\xxx". ETA: you can choose the "Redirect to the local user profile directory" option.

              No, it is alright. Loopback processing is confusing because of the way it is typically worded to describe it.
              Last edited by wiredteknologies; 25th July 2008, 21:32.


              • #8
                Re: Policy for computer

                Originally posted by wiredteknologies
                In the policy with the loopback enabled you will need to specify the location "C:\documents and settings\%username%\xxx"

                No, it is alright. Loopback processing is confusing because of the way it is typically worded to describe it.
                I am not in front of my AD unfortunately, but do I keep one single policy (with loopback processing enabled and configured) for dealing with this, or will I have two policies to set this up (like the current one and a new one for the loopback processing)?



                • #9
                  Re: Policy for computer

                  You will only need to create one policy (the one with the loopback enabled and the local user profile selected for redirection). You will apply this policy to the "old computers".

                  And you will leave your other policies as they are.


                  • #10
                    Re: Policy for computer

                    What is (are) the client OS?

                    You could also try setting a filter on your original GPO that is linked to the domain users OU that does the redirecting for the user folders.

                    WMI filter:
                    Root\CimV2
                    Select * from Win32_LogicalDisk where DeviceID = "D:" and MediaType = 12


                    \Rems

                    -Edit-
                    You could even add additional conditions to that filter:
                    Select * from Win32_LogicalDisk where DeviceID = "D:" and MediaType = 12 and FreeSpace > 629145600

                    629145600 bytes = 600 MB (calculator: http://webdeveloper.earthweb.com/rep...econverter.htm)

                    Other properties of the Win32_LogicalDisk Class can be found here:
                    http://msdn.microsoft.com/en-us/library/aa394173.aspx

                    More about WMI-filters: google
                    Last edited by Rems; 25th July 2008, 22:49. Reason: 'mediatype=12' (=Fixed hard disk media)

                    This posting is provided "AS IS" with no warranties, and confers no rights.

                    __________________

                    ** Remember to give credit where credit's due **
                    and leave Reputation Points for meaningful posts
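
One way to check which machines would pass the WMI filter from post #10 before linking it to the GPO, as an added example that is not part of the original post. A WMI filter lets the GPO apply when its query returns at least one instance, so the function runs the same query in the same namespace and reports the outcome. The function name and computer names are hypothetical, and `Get-WmiObject` requires Windows PowerShell.

```powershell
# Namespace and query copied from the WMI filter in post #10.
$Namespace = 'root\CIMV2'
$Query     = 'Select * from Win32_LogicalDisk where DeviceID = "D:" and MediaType = 12'

function Test-GpoWmiFilter {
    param(
        [string]$ComputerName = '.',   # '.' means the local machine
        [string]$Namespace,
        [string]$Query
    )
    try {
        # Wrap in @() so zero, one or many results all expose .Count
        $hits = @(Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Query $Query -ErrorAction Stop)
        if ($hits.Count -gt 0) { $result = 'Filter passes: GPO would apply' }
        else                   { $result = 'Filter fails: GPO would be skipped' }
    }
    catch {
        # Unreachable host, access denied or a WQL error: nothing can be concluded from here.
        $result = "Not evaluated: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ Computer = $ComputerName; Result = $result }
}

# Hypothetical names: pick one machine from each hardware class (old PC, desktop, laptop).
'OLDPC-01', 'DESKTOP-01', 'LAPTOP-01' | ForEach-Object {
    Test-GpoWmiFilter -ComputerName $_ -Namespace $Namespace -Query $Query
} | Format-Table Computer, Result -AutoSize
```

An old computer whose D: is a CD-ROM drive or is absent should report that the filter fails, which is the case the `MediaType = 12` condition is there to catch.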



                    • #11
                      Re: Policy for computer

                      Thank you all for your replies.

                      The client OS is 98% Windows XP Pro SP3 and 2% are Vista (and we wish to take the 2% to 0% soon).

                      I will give it a try as soon as I am in and will provide feedback here.

                      Thank you all once again.
