How to deny a user-based Group Policy for a specific computer


So we have a GPO setup to redirect "My Documents" to a server location for all users in the domain (it's linked to the root "Users" OU). This works just fine, but we have 2 special workstations that numerous users log in to which need to NOT inherit this policy. I understand that the folder redirection policies are user-based but I don't understand how we'd go about denying this user policy for specific computer objects in AD. As these users are moving back and forth between these "special" systems and regular systems on the network, we cannot simply exclude specific users from the root policy.

I created a loopback processing policy (set to "replace") for the OU these 2 systems reside in and linked a separate "Disable My Documents redirection" GPO to this OU, but the root-level user-based redirection policy still wins (or causes my test user account login to hang forever on "applying personal settings"). Is there a way I can override this?

Best Answer

Not exactly sure whose answer is right at this point, as it was my own fault for having a User policy in the root OU applying to all users and computer objects. I think a smart combination of Security Filtering and Inheritance/Precedence configuration could have worked around this if I had more time to test but the real fix was to move the GPO out of the root so that it no longer interferes with the policies and loopback processing on the special computers OU.
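A scripted version of the fix the answer describes, added here as an example and not taken from the original thread: a GPO linked at the domain root is inherited by the workstation OU as well, so loopback Replace keeps re-applying its user settings until the link is moved to an OU that holds only user accounts. It uses the GroupPolicy module; the DNs and GPO names marked PLACEHOLDER are assumptions, while "Disable My Documents redirection" is the name used in the question.

```powershell
# Added example: move a root-linked user GPO out of loopback scope and verify the result.
# Everything marked PLACEHOLDER is an assumption about the environment, not from the post.
Import-Module GroupPolicy

$domainRoot  = 'DC=corp,DC=example'                          # PLACEHOLDER: domain root DN
$usersOu     = 'OU=Users,DC=corp,DC=example'                 # PLACEHOLDER: OU containing only user accounts
$specialOu   = 'OU=Special Workstations,DC=corp,DC=example'  # PLACEHOLDER: OU holding the two workstations
$redirectGpo = 'Redirect My Documents'                       # PLACEHOLDER: the root-linked redirection GPO
$loopbackGpo = 'Loopback Replace - Special Workstations'     # PLACEHOLDER: GPO carrying the loopback setting
$disableGpo  = 'Disable My Documents redirection'            # name used in the question

# 1. Before the change: list every GPO the workstation OU inherits. The root-linked
#    redirection GPO shows up here, which is why loopback Replace still applied it.
Write-Host "GPOs inherited by $specialOu before the change:"
(Get-GPInheritance -Target $specialOu).InheritedGpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# 2. Move the user-based redirection GPO out of the root: unlink at the domain,
#    relink on the OU that contains only user objects.
Remove-GPLink -Name $redirectGpo -Target $domainRoot -ErrorAction SilentlyContinue | Out-Null
New-GPLink    -Name $redirectGpo -Target $usersOu -LinkEnabled Yes | Out-Null

# 3. Ensure the loopback GPO exists and is in Replace mode.
#    UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System: 1 = Merge, 2 = Replace.
if (-not (Get-GPO -Name $loopbackGpo -ErrorAction SilentlyContinue)) { New-GPO -Name $loopbackGpo | Out-Null }
Set-GPRegistryValue -Name $loopbackGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. Link both the loopback GPO and the "disable redirection" GPO directly on the workstation OU
#    (skipping any link that already exists).
$directLinks = (Get-GPInheritance -Target $specialOu).GpoLinks.DisplayName
foreach ($name in @($loopbackGpo, $disableGpo)) {
    if (-not ($directLinks -contains $name)) {
        New-GPLink -Name $name -Target $specialOu -LinkEnabled Yes | Out-Null
    }
}

# 5. Verify: the redirection GPO must no longer be in scope for the workstation OU.
$after = (Get-GPInheritance -Target $specialOu).InheritedGpoLinks.DisplayName
if ($after -contains $redirectGpo) {
    Write-Warning "$redirectGpo is still inherited by $specialOu; check for other links or enforcement."
} else {
    Write-Host "$redirectGpo is out of scope for $specialOu; run 'gpupdate /force' on the workstations."
}
```

After the links change, `gpresult /r /scope:user` on one of the workstations (as a test user) should list only the loopback-scoped user GPOs.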