How to override a folder redirection policy for laptop users Server 2008

active-directory group-policy security-groups windows-server-2008

The previous IT divided the users into OUs based on their position (for example: marketing, sales, etc.); there are 4 OUs in total. A group policy object is applied to all 4 OUs and one of the settings includes folder redirection.

I do not want folder redirection for any users that have laptops, but I would like to keep the rest of the settings that the GPO applies (don't want to delete it).
I believe that putting the computer objects of each laptop in a separate OU and then applying a GPO to deny folder redirection might be the right approach, or adding computer objects to a group and then applying a security filter to deny folder redirection may also work.

It's my first time really cleaning up a messy situation like this so any input would be appreciated, please let me know which method would work best. If you have a better method please share!

Best Answer

Folder Redirection is a User Configuration setting. You can't directly control it by simply moving the laptop computer objects into an OU and denying the GPO nor by filtering the GPO based on the computer objects, again, because Folder Redirection applies to users, not computers.

If you don't want to apply folder redirection to the users who use laptops, then what you can do is move the computer objects for the laptops to a separate OU, configure Loopback Policy Processing in a GPO linked to that OU, and set Loopback Policy Processing to Replace mode. This tells Group Policy to apply the User Configuration settings in the GPO linked to the OU where the laptop computer objects are to the users logging onto those computers, and it tells Loopback Policy Processing to replace the users' normal GPO settings (from the GPOs that are in the Scope of Management of the user object) with the User Configuration settings in the GPO linked to the OU where the computer objects are. Make sure you don't configure Folder Redirection in the GPO linked to the OU where the laptop computer objects are, and then users logging onto those laptops won't have their folders redirected.

Also note that you'll need to configure all of the user settings that you DO want to apply to the users in this GPO, because this GPO is going to replace all of the other User Configuration settings that would normally be applied to these users. These users won't get any settings from any other GPOs that would normally be applied to them. You're replacing all of those settings with the settings in this GPO.
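
The steps described in the answer above, scripted as an added example that is not part of the original answer. It assumes a management machine with the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 / RSAT or later); the domain DN, OU name, GPO name and laptop names are placeholders.

```powershell
# Added example: dedicated laptop OU + GPO with loopback processing in Replace mode.
# All names below are placeholders (assumptions), not values from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=example,DC=com'                      # placeholder domain
$OuName   = 'Laptops'                                # placeholder OU name
$OuDN     = "OU=$OuName,$DomainDN"
$GpoName  = 'Laptops - User Settings (Loopback)'     # placeholder GPO name
$Laptops  = 'LAPTOP-01', 'LAPTOP-02'                 # constructed sample computer names

# 1. Create the OU for laptop computer objects if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

# 2. Move each laptop's computer object into that OU.
foreach ($name in $Laptops) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $OuDN
}

# 3. Create the GPO that will carry the replacement User Configuration settings.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
}

# 4. Enable loopback processing. This is a Computer Configuration policy stored as
#    UserPolicyMode under the key below: 1 = Merge, 2 = Replace.
$key = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $key `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 5. Link the GPO to the laptop OU only. Do NOT configure Folder Redirection in it;
#    add every other user setting the laptop users should still receive.
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null

# 6. Confirm the value stored in the GPO (expect Value = 2).
Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode'
```

Because loopback is a computer-side setting, the laptops need a computer policy refresh (`gpupdate /force` or a reboot) before the next user logon picks it up; `gpresult /r` on a laptop then lists which GPOs applied to the user.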