Over the summer at work, we changed the way staff profiles are stored on the network. Having finally got around the “redirected Application Data breaks Internet Explorer” problem (see here for my fix) in Windows XP, we rolled it out to all users. And all was well.
Until they brought their laptops back from the break, and we found they then couldn’t run various programs or access certain things when not connected to the network. This is because the laptop needs access to the Application Data folder – which is no longer on the local machine.
So you’d think the fix would be to create a new group policy for the laptops where the folder isn’t redirected, right? Well, yes, of course you would. Unfortunately, that won’t work.
You see, the Folder Redirection settings are a User-based setting, not a Machine-based setting. So if you assign a Machine GP to not redirect, the User GP to redirect runs anyway and takes precedence. Looking around t’tinternets, there were a few solutions – including a second (local) logon for the laptops or nasty registry hacking – but nothing that actually fixes the problem satisfactorily.
Until I read about Loopback Processing.
Microsoft’s help pages go into great detail about the technical aspects of what this involves, but the overall effect is simple to explain: instead of the User settings “overlaying” the Machine settings and taking precedence, the reverse happens – so the Machine settings dominate.
This worked well, but had a few side-effects. Some of the User GPs we’d set up didn’t “trigger” any more on the laptops. After some tracking, it seems that the “overlaid” Machine settings were wiping them out. Adding the same User GPs to the laptop OU fixed that. Phew!
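The precedence change and its side effect, as an added example that is not part of the original post: a simplified Python model of how user-side settings are chosen with and without loopback processing. The GPO names and setting keys are constructed, and it is an assumption that the laptops ran loopback in Replace mode (rather than Merge), which matches the user GPs no longer applying.

```python
# Simplified model of Group Policy user-setting resolution (added example).
# GPO names and setting keys are constructed for illustration only.

def user_settings(user_ou_gpos, computer_ou_gpos, loopback=None):
    """Return the effective user-side settings for one logon.

    Each GPO is (name, {setting: value}); later GPOs in a list win conflicts.
    loopback: None (normal processing), "merge" or "replace".
    """
    if loopback is None:
        order = user_ou_gpos                     # only GPOs scoped to the user
    elif loopback == "replace":
        order = computer_ou_gpos                 # the user's own GPOs are ignored
    elif loopback == "merge":
        order = user_ou_gpos + computer_ou_gpos  # computer's GPOs apply last and win
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    effective = {}
    for _name, settings in order:
        effective.update(settings)
    return effective

# Constructed sample: user-side settings in GPOs linked to the staff OU.
STAFF_GPOS = [
    ("Staff redirection", {"AppData": "network"}),
    ("Staff desktop", {"Wallpaper": "corp.bmp", "HideControlPanel": True}),
]
# Constructed sample: user-side settings in GPOs linked to the laptop OU.
LAPTOP_GPOS = [("Laptop local AppData", {"AppData": "local"})]

def laptop_ou_with_copied_user_gpos():
    """The fix from the post: add the missing user GPs to the laptop OU."""
    return LAPTOP_GPOS + [STAFF_GPOS[1]]

if __name__ == "__main__":
    # Normal processing: the machine-linked GPO cannot stop redirection.
    print("normal :", user_settings(STAFF_GPOS, LAPTOP_GPOS))
    # Replace mode: AppData stays local, but the other user GPs vanish.
    print("replace:", user_settings(STAFF_GPOS, LAPTOP_GPOS, "replace"))
    # After linking the same user GPs to the laptop OU they apply again.
    print("fixed  :", user_settings(STAFF_GPOS, laptop_ou_with_copied_user_gpos(), "replace"))
    # Merge mode, for comparison: both lists apply, laptop OU wins conflicts.
    print("merge  :", user_settings(STAFF_GPOS, LAPTOP_GPOS, "merge"))
```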
Oh, and just one last thing – we also had to delete the user folder in c:\documents and settings on the laptops, before getting users to log in twice (once on the network, once off) to ensure all the group policies and everything were applying and being set up correctly.