The way I have done it is to put the computer account into my Staff Laptops OU, Block Policy Inheritance, make it No Override, and add all the settings I want to the new policy.
Great, I thought, now I will test this with an account I made that just so happens to be in the same Staff Laptops OU. Log on and it's perfect, everything the way I want it.
Now to try with an RM account that sits in the Teachers area of the Active Directory. RM GPOs are following the user account, User Type, Station setting, which are chucking out some horrid messages.
My partner in crime suggested we add the Deny permission to the Establishments OU for the computer account in our Staff Laptops OU. This works great for blocking computer settings but not great for user settings. Is there any way that I can leave the accounts in the Establishments OU and not make it so that the RM GPOs follow them outside the Establishments GPO?
I have turned on Allow Local Profiles Only as well and still no joy.
OK, looked into this further. For some reason, if you add a script to logon it hangs (not sure why, will look at this for you).
The error message to do with shared desktop is that RM CC3 uses Desktop Agent, not folder redirection. Edit the User Type in AD so that it has folder redirection for the Desktop and Start Menu. In both, set redirection as Basic. Also, you will need to create a folder (on H drive is probably best) called policies or settings or something like that. Share it with a $ and ensure all users have read access. Create folders within it called Desktop and StartMenu. Within the GPO, relocate to these folders. Also, on the Settings tab, untick "Grant the user exclusive rights to Desktop/Start Menu" and "Move content of Desktop/Start Menu to the new location".
You can now control what they have in the Start menu and on the desktop the same way RM's Desktop Agent does.
Like I said earlier, all security settings and even internet settings should be set by the user, and the only things computers should be assigned are packages.
Note: Folder redirection is ignored/overridden by Desktop Agent, so it works fine when logging on to the CC3 network.
Note 2: Within Start Menu, create a folder called programs and put all icons/folders in that.
Thanks for all your hard work, guys. Spent most of my morning thinking about this and played further with Group Policy Loopback and blocking. In the end turned the above feature on, then denied access to the RM OU for the computer accounts that I don't want RM on.
Works perfectly. Just got to sort out some sync stuff along with shared desktops and Start menu, then I'm going to present it as an idea for more secure, easier to manage and use laptops for teachers.
For my own reasons I thought it would be better to put all non-RM stuff on its own logical drive. This works well, as you can play with permissions until your heart is content along with AD, and it feels like you're administering a real network for just a few minutes.
Even though it's all done and WORKING they will still say no. Seems to be all my hard work is for nothing at the moment...
@barryfl: I'd lead with "I've come up with a way of saving £10K on licenses for these new licenses..." followed by "... I've configured a couple and will ask a couple of staff to try them out for a week or so to see if they notice any difference in how they work" so that it looks like you are considering the teachers and the £10K bit will stop them saying no before you can draw breath.
... when they notice no difference you will be well on your way to ditching CC3 :P