GPO for TS drive redirection

[PreviousPoster]

Hola,

Scenerio:
We have a "Security" domain GPO in place which includes settings to disable Terminal Services Client drive redirection. However, we have one remote user who needs that feature enabled on two domain computers (one XP, one 2003 server).

Proposed Solution:
I created a GPO to enable this redirection and applied it to the parent OU for the OUs containing both his user account and the two computer objects. I created a Domain Local security group and populated it with the two computer accounts and his domain account. I then added a Security Filter for the GPO, using that security group only (Authenticated Users was removed). This enabling GPO has a higher Precedence than the disabling GPO.

Problem:
The GPO works as desired, except it still allows any domain account connecting via Remote Desktop to redirect drives for the two computers defined via security filter. Adding the user account to the domain local security group (and thus the Security Filter) has no apparent effect. I know the policy itself only applies to the Computer Settings, but I had hoped I could filter the application of the policy using the combination of domain user and domain computer account. Is this not possible?

TIA,

M

[PreviousPoster]

Hi,

GP processing reacts exactly as it should. Basically you have placed a GPO on your COMPUTERS ACCOUNTS - you have limited this by using a security group (which is great) - adding the USER to this group makes no sense at all, as the policy hits the COMPUTER CONFIGURATION. The computer doesn't care WHO logs on when applying computer policies - as that's done long before users even start loggin on. And as you know - computer policies will apply to ALL users logging on... So, if you want "something else" to happen for a specific user, you need to find a User Policy Setting for that!

A) You cannot say (unfortunately):
On this COMPUTER, if this USER logs on, put on this COMPUTER GPO

B) However, by using Loopback Processing, you can say:
On this COMPUTER, if any USER logs on, put on this USER GPO

As I read you post, you want A) to work, am I right?

[PreviousPoster]

Thanks Jakob...yes, I was hoping for "A". MS needs to add a Boolean logic filter for GPOs. :wink:

[fzanes]

Hello,

We are trying to implement folder redirection on a few machines in our domain. We only want it to apply when a user logs on to certain servers. We know folder redirection is a USER policy, so we are thinking we will have to use loopback processing in some way. Your answer below suggests that this is the case:

However, by using Loopback Processing, you can say:
On this COMPUTER, if any USER logs on, put on this USER GPO

Could you please elaborate on that? How loopback processing would help get us what we need.

Appreciate it!

Frank

Hi,

GP processing reacts exactly as it should. Basically you have placed a GPO on your COMPUTERS ACCOUNTS - you have limited this by using a security group (which is great) - adding the USER to this group makes no sense at all, as the policy hits the COMPUTER CONFIGURATION. The computer doesn't care WHO logs on when applying computer policies - as that's done long before users even start loggin on. And as you know - computer policies will apply to ALL users logging on... So, if you want "something else" to happen for a specific user, you need to find a User Policy Setting for that!

A) You cannot say (unfortunately):
On this COMPUTER, if this USER logs on, put on this COMPUTER GPO

B) However, by using Loopback Processing, you can say:
On this COMPUTER, if any USER logs on, put on this USER GPO

As I read you post, you want A) to work, am I right?