VMware Horizon Community
Oneboss302
Enthusiast

Strange User Group Policy issue with UEM

I have a strange issue here. I have a Group Policy that contains several desktop shortcuts; it is linked to my users OU and security filtered to a specific group of users. I am using GP to do this because these shortcuts have to be applied to physical devices as well.

The issue is, the policy will NOT apply if my UEM policy is applied. If the UEM policy is NOT applied, the shortcuts GPO works. It is almost like the user policies are being "filtered out" by UEM.

I hope this made sense. Thanks. Really frustrated here.

EDIT: I should also note that the user policies I am referring to work 100% on physical devices where no UEM policy is being applied.

Message was edited by: Patrick Castafero

Accepted Solutions
Raymond_W
VMware Employee

Do you have loopback policy processing enabled on the UEM policy?

If this has been set to replace, other user policies will not be applied.

Kind regards, Raymond Twitter: @raymond_himself

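As an added example (not code from the thread or from VMware's documentation), a PowerShell check that ties Raymond's question to what the desktop actually received: it reads the loopback mode from the policy registry value the Group Policy engine sets, lists the user-scope GPOs that gpresult reports as applied, and flags the combination described in this thread. The GPO name is a placeholder; the RSoP XML element names are those of the standard gpresult /x report.

```powershell
# Added example, not code from the original thread: on the affected Horizon desktop,
# report which loopback mode the machine received and which user-scope GPOs gpresult
# says were applied, so a missing user GPO can be tied to Replace mode.
# Assumptions: run in an elevated PowerShell session on the VM while the affected
# user is logged on; $ShortcutGpoName is a placeholder for your shortcuts GPO's name.

$ShortcutGpoName = 'Desktop Shortcuts'   # hypothetical display name of the shortcuts GPO

function Get-LoopbackMode {
    # The GPO engine writes the loopback mode here when computer policy applies:
    #   value absent or 0 = disabled, 1 = Merge, 2 = Replace
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    if ($null -eq $mode -or $mode -eq 0) { return 'Disabled' }
    if ($mode -eq 1) { return 'Merge' }
    if ($mode -eq 2) { return 'Replace' }
    return "Unknown($mode)"
}

function Get-AppliedUserGpos {
    # gpresult /x writes an RSoP XML report; the user-scope GPO list sits under
    # Rsop/UserResults/GPO (element names as in the standard report).
    $report = Join-Path $env:TEMP 'rsop-user.xml'
    gpresult /scope:user /x $report /f | Out-Null
    [xml]$rsop = Get-Content -Path $report -Raw
    $rsop.Rsop.UserResults.GPO |
        Where-Object { $_.Enabled -eq 'true' -and $_.IsValid -eq 'true' -and $_.AccessDenied -eq 'false' } |
        ForEach-Object { $_.Name }
}

$mode    = Get-LoopbackMode
$applied = @(Get-AppliedUserGpos)

"Loopback mode on this machine : $mode"
"User-scope GPOs applied       : $($applied -join ', ')"

if ($applied -notcontains $ShortcutGpoName) {
    if ($mode -eq 'Replace') {
        "'$ShortcutGpoName' is missing and loopback is Replace: user-linked GPOs are never gathered. Set the UEM GPO's loopback mode to Merge."
    } else {
        "'$ShortcutGpoName' is missing but loopback is $mode: check security filtering, link status and the Group Policy Operational event log."
    }
}
```

Running this on a physical machine where the shortcuts work and on a linked clone where they do not gives a side-by-side view: the user GPO list on the clone is empty apart from what is linked at the computer's OU when the mode is Replace.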

15 Replies
DEMdev
VMware Employee

Hi Oneboss302,

UEM's only relation to Group Policy is that it gets its own configuration settings from a GPO, and that the Group Policy Client service hosts the UEM agent at logon – UEM has no way to influence other Group Policy activities.

If the UEM policy is in effect, does GPResult show that both GPOs are applied? Are you maybe redirecting the desktop folder using UEM?

Oneboss302
Enthusiast

Thanks for the reply.

I am indeed redirecting the desktop via UEM. It was my understanding that the GPO that is adding the shortcuts to the users desktop would simply add them via the redirection. Is that not the case with UEM?

On my Windows 7 environment I am not using UEM and am using Folder Redirection via GPO. This seems to work properly and add the icons to the users' redirected desktop there.

DEMdev
VMware Employee

It was my understanding that the GPO that is adding the shortcuts to the users desktop would simply add them via the redirection. Is that not the case with UEM?

I suppose that depends on how and when those shortcuts are created. As a test, can you check whether those shortcuts end up in the non-redirected C:\Users\username\Desktop folder?

On my windows 7 environment I am not using UEM and using Folder Redirection via GPO. This seems to work properly and add the icons to the users redirected desktop there.

It may or may not be relevant (depending on the timing of the shortcut creation), but one difference between UEM's folder redirection and the "Microsoft GPO" way, is that UEM does not copy or move any existing data. So, if those shortcuts were created before the folder redirection kicked in, and you configured Microsoft folder redirection to move existing folder content, that might explain why you'd see your shortcuts in the redirected folder in that case.

Oneboss302
Enthusiast

Never thought to check the C:\Users\username\Desktop folder. Very good point. I am in the middle of rebuilding the master image and will test that when it's complete. Thank you for adding that. I will update with results.

Oneboss302
Enthusiast

I have re-provisioned the pool from a new master image and having the same results. The GPO that is applied to the user group is not applying to the linked clone machines. I was able to get them to apply if I linked the GPO (all user settings) to the OU that contains the machines.

I have noted that I removed "Authenticated users" from the security filtering and replaced it with a Security group. I did add Authenticated users to the delegation with Read access.

DEMdev
VMware Employee

The GPO that is applied to the user group is not applying to the linked clone machines.

What does GPResult show?

Oneboss302
Enthusiast

It does not show the 2 GPOs being applied at all.

DEMdev
VMware Employee

I'm afraid that's outside my scope of expertise... I know enough about Group Policy to configure it for my own UEM-related testing, but I have no experience in troubleshooting Group Policy issues...

You're logging on to a linked clone from your newly provisioned pool, with a user that's in an OU that your UEM GPO is linked to, but GPResult does not show that GPO as having been applied at all? Is there anything policy-related in the event log? DNS issues? Is the clock on the VM set to the correct date and time?

sjesse
Leadership

I think this is very important, not to get off topic. I had our security team applying hardening policies that broke everything. Making sure the loopback policy was in place solved a lot of my problems, since that prevented the user policies from being applied. I now instead place those settings directly into the parent image for our desktops.

Oneboss302
Enthusiast

Well, the Loopback was the issue. The document that I was following to create the UEM GPO has it listed as "REPLACE". Changing the setting to MERGE seems to have fixed it.

Much appreciate all the assistance.

sjesse
Leadership

The difference between the two is:

  • Merge Mode
    In this mode, when the user logs on, the user's list of GPOs is typically gathered by using the GetGPOList function. The GetGPOList function is then called again by using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is added to the user's list.
  • Replace Mode
    In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy

Replace is optimal with UEM in most cases because the GPOs are based on what machine you are logging into, which for UEM in most cases I think are non-persistent desktops. I have a strict policy in our environment to not have any GPOs applied to virtual desktop users because they affect login times. If these are physical machines then it may not apply as much.

Raymond_W
VMware Employee

Do you happen to know if this was a VMware document ?

If so, we need to change this.

Thanks

Kind regards, Raymond Twitter: @raymond_himself
sjesse
Leadership

I don't think it's spelled out which one to use in the latest VMware documentation. I've been enjoying the new TechZone documents, and the one for UEM doesn't actually say which one to use either:

Quick-Start Tutorial for User Environment Manager | VMware

It just says to enable loopback processing, not which one to use. The admin guide only says:

Through its integration into group policy, User Environment Manager allows separate configuration settings for application silos. You can do this by using the appropriate VMware User Environment Manager administrative template settings, and combining them with the Microsoft Loopback processing of Group Policy solution.

But it never talks about merge vs replace either.

jooji
Enthusiast

Hi,

sjesse, I don't get how replace is optimal. I have my UEM policy, which is only linked to the OU where my instant clones are, set to merge because the configuration for the FlexEngine stuff is under User Configuration. So if I set it to replace, surely those settings would be ignored and therefore UEM would not function?
