15 Replies. Latest reply on Feb 6, 2020 10:40 AM by jooji

    Strange User Group Policy issue with UEM

    Oneboss302 Enthusiast

      I have a strange issue here. I have a Group Policy that contains several desktop shortcuts that is linked to my users OU and security filtered to a specific group of users. I am using GP to do this, because these shortcuts have to be applied to physical devices as well.

       

      The issue is, the policy will NOT apply if my UEM policy is applied. If the UEM policy is NOT applied, the shortcuts GPO works. It is almost like the user policies are being "filtered out" by UEM.

       

      I hope this made sense. Thanks. Really frustrated here.

       

       

       

      EDIT: I should also note that the user policies I am referring to work 100% on physical devices where no UEM policy is being applied.

       

      Message was edited by: Patrick Castafero

        • 1. Re: Strange User Group Policy issue with UEM
          DEMdev Master
          VMware Employees

          Hi Oneboss302,

           

          UEM's only relation to Group Policy is that it gets its own configuration settings from a GPO, and that the Group Policy Client service hosts the UEM agent at logon – UEM has no way to influence other Group Policy activities.

           

          If the UEM policy is in effect, does GPResult show that both GPOs are applied? Are you maybe redirecting the desktop folder using UEM?

          • 2. Re: Strange User Group Policy issue with UEM
            Oneboss302 Enthusiast

            Thanks for the reply.

             

            I am indeed redirecting the desktop via UEM. It was my understanding that the GPO that is adding the shortcuts to the user's desktop would simply add them via the redirection. Is that not the case with UEM?

             

            In my Windows 7 environment I am not using UEM and am using Folder Redirection via GPO. This seems to work properly and add the icons to the user's redirected desktop there.

            • 3. Re: Strange User Group Policy issue with UEM
              DEMdev Master
              VMware Employees

              It was my understanding that the GPO that is adding the shortcuts to the users desktop would simply add them via the redirection. Is that not the case with UEM?

              I suppose that depends on how and when those shortcuts are created. As a test, can you check whether those shortcuts end up in the non-directed C:\Users\username\Desktop folder?

              On my windows 7 environment I am not using UEM and using Folder Redirection via GPO. This seems to work properly and add the icons to the users redirected desktop there.

              It may or may not be relevant (depending on the timing of the shortcut creation), but one difference between UEM's folder redirection and the "Microsoft GPO" way, is that UEM does not copy or move any existing data. So, if those shortcuts were created before the folder redirection kicked in, and you configured Microsoft folder redirection to move existing folder content, that might explain why you'd see your shortcuts in the redirected folder in that case.

              • 4. Re: Strange User Group Policy issue with UEM
                Oneboss302 Enthusiast

                Never thought to check the C:\Users\username\Desktop folder. Very good point. I am in the middle of rebuilding the master image and will test that when it's complete. Thank you for adding that. I will update with results.

                 

                 

                • 5. Re: Strange User Group Policy issue with UEM
                  Oneboss302 Enthusiast

                  I have re-provisioned the pool from a new master image and am having the same results. The GPO that is applied to the user group is not applying to the linked clone machines. I was able to get them to apply if I linked the GPO (all user settings) to the OU that contains the machines.

                   

                  I have noted that I removed "Authenticated users" from the security filtering and replaced it with a Security group. I did add Authenticated users to the delegation with Read access.

                  • 6. Re: Strange User Group Policy issue with UEM
                    DEMdev Master
                    VMware Employees

                    The GPO that is applied to the user group is not applying to the linked clone machines.

                    What does GPResult show?

                    • 7. Re: Strange User Group Policy issue with UEM
                      Oneboss302 Enthusiast

                      It does not show the 2 GPOs being applied at all.

                      • 8. Re: Strange User Group Policy issue with UEM
                        DEMdev Master
                        VMware Employees

                        I'm afraid that's outside my scope of expertise... I know enough about Group Policy to configure it for my own UEM-related testing, but I have no experience in troubleshooting Group Policy issues...

                         

                        You're logging on to a linked clone from your newly provisioned pool, with a user that's in an OU that your UEM GPO is linked to, but GPResult does not show that GPO as having been applied at all? Is there anything policy-related in the event log? DNS issues? Is the clock on the VM set to the correct date and time?

                        • 9. Re: Strange User Group Policy issue with UEM
                          Raymond_W Hot Shot
                          vExpert
                          VMware Employees

                          Do you have loopback policy processing enabled on the UEM policy?

                           

                          If this has been set to replace, other user policies will not be applied.

                          • 10. Re: Strange User Group Policy issue with UEM
                            sjesse Master
                            vExpert

                            I think this is very important. Not to get off topic, but I had our security team applying hardening policies that broke everything. Making sure the loopback policy was in place solved a lot of my problems, since that prevented the user policies from being applied. I now instead place those settings directly into the parent image for our desktops.

                            • 11. Re: Strange User Group Policy issue with UEM
                              Oneboss302 Enthusiast

                              Well, the Loopback was the issue. The document that I was following to create the UEM GPO has it listed as "REPLACE". Changing the setting to MERGE seems to have fixed it.

                               

                              Much appreciated, thanks for all the assistance.

                              • 12. Re: Strange User Group Policy issue with UEM
                                sjesse Master
                                vExpert

                                The differences between the two are:

                                 

                                • Merge Mode
                                  In this mode, when the user logs on, the user's list of GPOs is typically gathered by using the GetGPOList function. The GetGPOList function is then called again by using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is added to the user's list.
                                • Replace Mode
                                  In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

                                 

                                https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy

                                 

                                Replace is optimal with UEM in most cases because the GPOs are based off what machine you are logging in to, which for UEM in most cases I think are non-persistent desktops. I have a strict policy in our environment to not have any GPOs applied to virtual desktop users because they affect login times. If these are physical machines then it may not apply as much.
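
Added example (not part of the thread, and not VMware or Microsoft code): a small Python model of how the user-policy GPO list is assembled in the two loopback modes quoted in reply 12, replayed against this thread's setup. The GPO names, settings and share path are constructed, and security filtering, WMI filters, enforcement and inheritance blocking are assumed away.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)

def user_gpo_list(user_scope, computer_scope, loopback=None):
    """GPOs whose user settings are processed at logon, in processing
    order (a later entry wins over an earlier one)."""
    if loopback is None:        # no loopback: only the user's location counts
        return list(user_scope)
    if loopback == "replace":   # the user's list is not gathered at all
        return list(computer_scope)
    if loopback == "merge":     # computer's list is added to the end
        return list(user_scope) + list(computer_scope)
    raise ValueError(f"unknown loopback mode: {loopback!r}")

def effective_user_settings(gpos):
    """Resolve conflicts: map each setting to (value, winning GPO name)."""
    resolved = {}
    for gpo in gpos:
        for key, value in gpo.user_settings.items():
            resolved[key] = (value, gpo.name)
    return resolved

# Constructed scenario mirroring the thread (all names are hypothetical).
SHORTCUTS = GPO("Desktop Shortcuts", {"desktop_shortcuts": ["Intranet.lnk"]})
USER_BASE = GPO("User Baseline", {"screensaver_timeout": 900})
UEM_CFG = GPO("UEM Config", {"uem_config_share": r"\\fileserver\uemconfig",
                              "screensaver_timeout": 300})
USERS_OU = [USER_BASE, SHORTCUTS]   # linked where the user account lives
VDI_OU = [UEM_CFG]                  # linked where the linked clones live

def report(loopback):
    """Return (applied GPO names, resolved user settings) for a mode."""
    gpos = user_gpo_list(USERS_OU, VDI_OU, loopback)
    return [g.name for g in gpos], effective_user_settings(gpos)

if __name__ == "__main__":
    for mode in (None, "replace", "merge"):
        names, settings = report(mode)
        print(f"{mode or 'off':8} applied={names}")
        for key, (value, source) in settings.items():
            print(f"         {key} = {value!r}  (from {source})")
```

In the model, linking the shortcuts GPO to the machines' OU, as tried in reply 5, puts it into the computer-scope list, which is why it applies even under Replace.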

                                • 13. Re: Strange User Group Policy issue with UEM
                                  Raymond_W Hot Shot
                                  VMware Employees
                                  vExpert

                                  Do you happen to know if this was a VMware document?

                                   

                                  If so, we need to change this.

                                   

                                  Thanks

                                  • 14. Re: Strange User Group Policy issue with UEM
                                    sjesse Master
                                    vExpert

                                    I don't think it's spelled out which one to use in the latest VMware documentation. I've been enjoying the new TechZone documents, and the one for UEM doesn't actually say which one to use either:

                                     

                                    Quick-Start Tutorial for User Environment Manager | VMware

                                     

                                    It just says enable loopback processing, not which one to use. The admin guide only says

                                     

                                    Through its integration into group policy, User Environment Manager allows separate configuration settings for application silos. You can do this by using the appropriate VMware User Environment Manager administrative template settings, and combining them with the Microsoft Loopback processing of Group Policy solution.

                                     

                                    but never talks about merge vs replace either.

                                    1 person found this helpful