[gptalk] Re: GPO Isolation / Folder Redirection Help...

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 1 Nov 2006 14:46:09 -0800

A few comments. See inline below:


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of HBooGz
Sent: Wednesday, November 01, 2006 8:14 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Isolation / Folder Redirection Help...

Darren -

Thanks for taking the time and answering. I do appreciate it and you've
definitely cleared up my initial question about security groups and GPOs.

My concern with regard to folder redirection, especially in my Citrix/TS
environment, is within office applications when a user
accidentally/purposely wants to save to the "desktop" or "my documents"
these everyday folders are redirected to a share where I've assigned -
That's what I would like accomplished.

[Darren] That's what Folder Redirection gives you--the ability to redirect,
for example, Desktop and My Documents so that a user, wherever they are
logged in at, will always store documents directed at those locations to a
server share outside of their profiles. You don't even need loopback to
accomplish that on TS boxes.

I still like roaming profiles but sometimes their my documents folder could
accumulate over 100 MB, and I wouldn't want that profile to be carried
everywhere. How can I combat this and implement a logically roaming profile
with folder redirection scenario?

[Darren] Right, that is where you implement a roaming profile and then use
Folder Redirection against those users to redirect their My Documents
folder--meaning that My Documents no longer resides in their profile.

With regard to loopback processing, I would set it to replace within the
Citrix/TS GPO policy and make sure that policy has NO OVERRIDE enabled. If I
just want that policy applied to whoever logs into the Citrix/TS
box... correct?

[Darren] It really depends upon what you are trying to accomplish. If your
users normally get folder redirection, for example, from their "home" GPOs,
then you probably don't want to set loopback to replace, unless you also
implement folder redirection there. Also, setting no override on the TS OU
is somewhat redundant so normally it would not be required unless you really
need to block upstream GPOs.

Do you recommend applying both user and computer GPOs in one GPO for this
scenario?

[Darren] It really gets down to what is easier to manage--one GPO that
handles all loopback settings is a nice neat package, but not required.

Thanks again,

On 11/1/06, Darren Mar-Elia <darren@xxxxxxxxxx> wrote: 

Most often what people do in Citrix/TS environment is use "loopback" policy
processing to ensure that user settings are different for users logging into
those TS boxes. As for your question about applying a GPO to an OU that
contains security groups with a few users--GP is not processed by security
groups--only by user and computer objects. You can filter application to
these user and computer objects using sec. groups, but when you link a GPO,
you need to link it somewhere that contains user and computer objects, not
just groups.

Roaming Profiles and folder redirection are complementary. Typically you set
up a roaming profile to have a user's documents and settings follow them
from machine to machine. This is ok if they don't have a lot of data in, for
example, their My Documents folder. However, if they do and they move around
to a lot of different machines, the downloading and uploading of this data
from/to their roaming profiles can take time. In those cases, it's useful to
combine the roaming profile with Folder Redirection. This basically takes
the data out of the profile and puts it on a server share somewhere. If you
also let the user cache their redirected folders for offline use, then they
have full availability to their data if, for example, they are on a laptop
and are offline.

Let us know what other specific info you need.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of HBooGz
Sent: Wednesday, November 01, 2006 7:11 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Isolation / Folder Redirection Help...

I'm currently running Windows 2003 R2 AD

I would like to implement folder redirection (excluding app data). I've read
and heard that regardless of the environment it isn't a good idea to
redirect app data.

In the past, I've applied the User and Computer settings of the GPO within
one GPO and applied that to an OU that only contains the Citrix Server. I've
done this because I don't want GPO settings applied to a TS/Citrix server to
be applied elsewhere.

Is this a methodology that is commonly used?

I've had issues in the past applying a GPO to an OU that only contained a
security group with a few users -- is that supported?

I also could use some pointers on roaming profile setup and
configuration, as I've never implemented folder redirection.
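
The loopback setup discussed in this thread, as an added example that is not part of the original messages: it sets loopback to merge (so folder redirection from the users' "home" GPOs still applies), links the GPO without no-override to an OU that holds the TS computer objects, and reads the result back. The GPO name and OU path are assumptions, and it uses the GroupPolicy PowerShell module, which postdates the Windows 2003 environment in the thread.

```powershell
# Added example: the GPO name and OU below are hypothetical, not values from the thread.
Import-Module GroupPolicy

$GpoName = 'TS-Loopback-UserSettings'               # hypothetical GPO name
$TsOu    = 'OU=TerminalServers,DC=example,DC=com'   # hypothetical OU with the TS/Citrix computer objects

# Loopback is a computer-side policy stored in this registry value:
#   1 = Merge   (the user's normal GPOs apply, then user settings from GPOs on the TS OU)
#   2 = Replace (only user settings from GPOs that apply to the computer are used)
$LoopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackMode = 1   # Merge: folder redirection from the users' home GPOs keeps applying

# Create the GPO only if it does not already exist
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'User settings for TS/Citrix sessions (loopback)'
}

Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value $LoopbackMode | Out-Null

# Link to the OU that contains computer objects; -Enforced No leaves "no override" off
$existing = (Get-GPInheritance -Target $TsOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes -Enforced No | Out-Null
}

# Read back what was configured
$mode = (Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode').Value
$modeName = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { "Unknown ($mode)" } }
Write-Output "Loopback mode in '$GpoName': $modeName"

# Show the links on the TS OU, including whether any of them is enforced
(Get-GPInheritance -Target $TsOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Switching `$LoopbackMode` to 2 gives the replace behaviour asked about in the thread; in that case folder redirection has to be configured in a GPO that applies to the TS computers.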



