prevent Home based PCs from roaming profile GPO

  • prevent Home based PCs from roaming profile GPO

    Hi guys, I've got a toughie here for anyone that is willing to help, I appreciate your help in advance. Thank you very much. Now here goes...

    Our domain has predominantly Windows 7 desktop clients. We have Windows Server 2008 DCs. For some users who are permanently based at home, they have Windows Vista clients. The issue is roaming profiles: they work relatively well in the office LAN because of proximity to profile server blah blah blah, but for the users at home who are connecting via VPN, they also process the same GPO for roaming profiles and it applies to their Windows Vista PC as well... the result? Very slow logons! I would like that the Windows Vista PCs DO NOT PROCESS THIS PARTICULAR GPO, but how do I go about it?

    I have searched and searched for a solution to this problem but found none.

    Recently, I went on a course and learned about Group Policy Loopback processing. In itself, it sounds like the solution to my problem, but it is so difficult to understand as a concept that I just gave up in the end. So I'm throwing it out to anyone who can kindly unravel this mystery for me, I will be eternally grateful if ...only if...

  • #2
    Re: prevent Home based PCs from roaming profile GPO

    Roaming Profiles as applied with Group Policy is a Computer Configuration setting. It is applied to Computer objects and affects the users logging onto those computers.

    Loopback Policy Processing is a way to apply User Configuration settings in the GPO that is linked to your Computer objects (in an OU or at the domain level) to the users logging onto those computers, so Loopback Policy Processing is not what you need here.

    What you need is to use Security Filtering on the GPO that sets your Roaming Profiles so that it only applies to the group of computers (the office computers) that you want it to apply to.

    Create a Security group. Add the office computers to that group. Remove Authenticated Users from the Security Filtering of your Roaming Profiles GPO. Add the Security group to the Security Filtering of your Roaming Profiles GPO.

    Now when someone in the office logs onto a computer in the office they'll get a Roaming Profile and when someone at home logs onto a computer at home they will not get a Roaming Profile.
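
The security-filtering steps from reply #2, scripted as an added example (not part of any post in this thread). It assumes the profile path is delivered by the GPO rather than set on the user accounts, as reply #5 notes, and that it runs from a management workstation with the RSAT ActiveDirectory and GroupPolicy modules; the GPO name, group name and OU are hypothetical placeholders.

```powershell
# Added example: restrict a roaming-profile GPO to office computers only.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Roaming Profiles'                   # placeholder GPO name
$GroupName = 'Office-Computers'                   # placeholder security group
$OfficeOU  = 'OU=Office PCs,DC=example,DC=local'  # placeholder OU of office PCs

# 1. Create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. Add the office computers, skipping accounts that are already members
#    (Add-ADGroupMember fails if a member is added twice).
$existing = @(Get-ADGroupMember -Identity $GroupName |
              Select-Object -ExpandProperty DistinguishedName)
$toAdd = @(Get-ADComputer -Filter * -SearchBase $OfficeOU |
           Where-Object { $existing -notcontains $_.DistinguishedName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# 3. Let the group apply the GPO (this puts it in Security Filtering).
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# 4. Take Authenticated Users out of Security Filtering by lowering it from
#    Apply to Read. -Replace is required to reduce an existing permission.
#    Read is kept rather than removed entirely; Microsoft has recommended
#    keeping Read for Authenticated Users (or Domain Computers) since MS16-072.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 5. Verify: only the office group should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Office computers must be restarted before the new group membership is
# reflected in their logon token and the filter takes effect.
```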


    • #3
      Re: prevent Home based PCs from roaming profile GPO

      Thanks for your reply, I really wish it was the case but it isn't and I have thought about this before because this is how I would have done it. However, I don't believe that roaming profile is entirely a computer configuration; there are settings which control roaming profile in both sections of the GPO. In Windows 2008, there are 4 GPO settings in the User Configuration section and 17 in the Computer Configuration section. At the moment, I've only configured 2 settings out of the 4 in the User Configuration section. These are "Exclude directories in roaming profile" and "Limit Profile size".

      My feeling is that these GPO settings only CONTROL roaming profile behaviour rather than create it or make it happen. Roaming profile is enabled in the user account object in AD, once you've created the Profiles share and specified the servername etc. I might be barking up the wrong tree but I don't see how filtering the group will prevent the setting which 'follows' the user object around from applying when the user logs on with his/her domain account.


      • #4
        Re: prevent Home based PCs from roaming profile GPO

        This might be worth a read. Create Roaming Profile by GPO.


        • #5
          Re: prevent Home based PCs from roaming profile GPO

          If you have set the Roaming Profile at AD level and need to restrict, you would need to remove the AD setting for the roaming profile and use a GPO instead and restrict as recommended.