I am going to setup another test using 2 GPO's on the computer OU, plus filtering and being more careful to make sure I have a valid test.

What seemed to happen with my first round of testing using filtering was the GPO never applied.

This is where all the semantics come in - to use filtering you have to delete the Authenticated user account from the GPO - Computers and users are considered authenticated users so with Authenticated user permissions set, by default,  the GPO's will apply in order of precedence based on the Computer authenticating. (I can test this more carefully too)

So now - the VM boots up - neither GPO is applied because Authenticated users do not have rights to either GPO - this makes sense -  later a user logs in - I do not think the GPO is reapplied because it is on the Computer OU and not the user OU - things never get to the point where the filtering based on user account is in play.

This is the Catch-22 I am trying to figure out and where I could use some more insight- I have to learn the sequence of when and why the GPO(s) are applied and whether or not that same GPO is reapplied.  I looked into loopback processing but that appears to only effect the user hive.  I keep thinking a solution should be simpler than what I am finding....

Can't you use Item Level Targeting instead of security filtering?

Wow Seb,  this was an oldie.

I ended up finding a simple solution by configuring GPO's for Folder Redirection and gave up on Persona Management.  This had a few unanticipated benefits and has worked out really well for us.

The GPO is assigned to the users OU and the user hive so it has the same effect on physical and VM computers.  I redirect the desktop, My Documents, Favorites, Music, Video and Pictures to a network share.  As a test you can apply the GPO then login as the same user to a physical and VM machine.  Create desktop shortcuts or Favorites on one and see them appear immediately on the other machine.

The redirect works like a shared folder instead of like a roaming profile so it doesn't download/upload on login/logoff.  This helps reduce whatever happens during login storms and there is no roaming profile/PM to corrupt and cause users to lose data.  The redirected files live on a single network share so they are always synced.

I don't sync appdata. In our environment this turned out to be acceptable.  Without roaming profiles or PM, users are creating local profiles.  Our users login to the same 1-3 physical machines every time so after their first logins the first time user stuff goes away.  They login to random VM's so they create a new local profile/appdata every time.  We decided the extra 10 seconds it took for Word to open every time was an acceptable tradeoff for never, ever seeing a corrupted roaming profile/PM and a user never, ever losing something saved to their desktop or my documents folders. The VM's are faster so the impact of creating a local profile is much less than on our slower physical machines.

Before VM's we always had trouble with corrupted roaming profiles and I am not trashing PM but we saw a little of the same corruption in testing.  Folder redirection removed that from our daily tech lives and removed a source of great frustration from our users tech lives.

There are a lot of conditions here so I hope I explained it in a way that makes some sense.

Bruce