For some organizations there is a concern that users will access corporate data from their personal computers. If the personal computers are not well secured, such as having encrypted drives and good antivirus software, or if the personal computers are shared with unauthorized people, then the corporate data could be exposed. To address those concerns it's possible to restrict OneDrive so that it only synchronizes files to domain-joined computers. The general idea is that a domain-joined computer that is within the control of corporate IT will be more secure than the average personal computer that staff own. OneDrive sync restrictions can be configured using the, or the.

Before you can restrict OneDrive to domain-joined computers, you first need to know the GUID of the Active Directory domains that will be allowed to sync. To retrieve the domain GUID, run the following command from a computer or server that has the Active Directory PowerShell module available.

If you allow your users to sync personal OneDrive accounts, the update process described in this article and any settings you select apply to all instances of the sync client. The sync client installed from the Mac App Store follows a separate update process.

DisableReportProblemDialog: False

The sync policy change takes around an hour before it is effective. After the new configuration is in place, a user trying to add a OneDrive account to a computer that is not domain-joined will receive an error message after they sign in and choose a location to sync to:

Sorry, OneDrive can't add your folder at this time. Please contact support.

Any existing sync relationships for computers that are not domain-joined will begin showing a “sync blocked” message in the system tray, and when OneDrive is opened from the system tray it will display a more detailed error message:

Your IT Department requires that you use a computer that is joined to an approved domain to sync this folder.
For assistance, contact your IT Department.

When you restrict OneDrive sync to specific domains you should be aware of the following caveats:
• Computers that already have files synced to their local hard drive will not have the files removed.
• The domain-join requirement does not apply to Macs; however, you can enable or disable Mac sync as a separate restriction in the OneDrive admin portal (or via PowerShell).
• The policy will not restrict sync to mobile devices. For that you should use a device access policy, or use Intune.

Thanks for this write-up. I’m having some difficulties however. I ran the Get-ADForest command as instructed in your example, from my local domain-joined system at my place of business, and received 3 ObjectGUIDs. I put all 3 GUIDs in the “Allow” box and hit save. About 30 minutes later, my OneDrive client (which was previously syncing fine) showed the “Your IT Dept requires your machine be domain-joined” message and OneDrive was blocked. I then turned off the block feature in the portal, and within 10 minutes I was able to sync again. In my specific example, the ObjectGUIDs that showed up were (names changed for privacy): apps (long GUID), Corporate (long GUID), Contosocompanies (long GUID). My machine is joined to a domain called corporate.contosocompanies.com. Why does Get-ADForest break up corporate and contosocompanies into two separate GUIDs?
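The domain GUID lookup the article refers to, together with the tenant-side restriction, as an added PowerShell example that is not the article's own code. It assumes the ActiveDirectory (RSAT) and Microsoft.Online.SharePoint.PowerShell modules are installed and uses a placeholder tenant URL; it also shows why a multi-domain forest returns several GUIDs: Get-ADForest enumerates every domain in the forest, and each domain has its own ObjectGUID.

```powershell
# Added example (not the article's own code). Assumes the ActiveDirectory (RSAT)
# module and the Microsoft.Online.SharePoint.PowerShell module are installed, and
# that "contoso" in the admin URL is a placeholder for your tenant name.
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell

# Get-ADForest returns every domain in the forest, not just the one this computer
# is joined to. A forest with a root domain and two child domains therefore yields
# three domain objects, each with its own ObjectGUID.
$domainGuids = (Get-ADForest).Domains | ForEach-Object {
    $d = Get-ADDomain -Identity $_
    [pscustomobject]@{ Domain = $d.DNSRoot; Guid = $d.ObjectGUID.ToString() }
}
$domainGuids | Format-Table -AutoSize

# Sanity check before applying the policy: the GUID of the domain this session
# belongs to must be in the allow list, otherwise the sync client on the very
# machines you manage will be blocked about an hour after the change.
$localDomain = (Get-ADDomain).ObjectGUID.ToString()
if ($domainGuids.Guid -notcontains $localDomain) {
    throw "Local domain GUID $localDomain is not in the list about to be allowed"
}

# Apply the restriction tenant-wide. -DomainGuids takes a semicolon-separated
# string of domain GUIDs; -BlockMacSync is the separate Mac restriction the
# caveats mention (the domain-join requirement itself does not apply to Macs).
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids ($domainGuids.Guid -join ';') `
    -BlockMacSync:$false

# Read the setting back to confirm what the tenant now enforces.
Get-SPOTenantSyncClientRestriction
```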