Link to home
Start Free TrialLog in
Avatar of cestor
cestor

asked on

Folder redirection not working- may be GPO/AD ???

I have just built a new DC with win2k server 2003. Client machines that were on an old DC have now been added to the new domain. There are 2 relevant shares on the new DC-
documents
profiles
The contents of these are their My Documents and Roaming Profile respectively that were copied from the old DC. Permissions have been reset on them such that the users are now the owners on those folders and have Full Control.
In the profile tab on Active Directory Users & Computers, users have been given a profile path \\newserver\profiles\%username% and a local path for their home folder of c:\documents\%username%

When I switch on verbose logging I get the following in userenv.log on the local machine

USERENV(2c0.2c4) 11:32:14:799 ReconcileFile: Unable to open temporary file
USERENV(2c0.b50) 11:33:07:565 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(2c0.b50) 11:33:32:440 ProcessGPOs: Extension Folder Redirection ProcessGroupPolicy failed, status 0x4ee.

When the user logs on they get the following messages in the local machine event log- 16 Userenv Information messages culminating in

Event Type:      Information
Event Source:      Userenv
Event Category:      None
Event ID:      1031
Date:            18/09/2006
Time:            11:33:07
User:            NT AUTHORITY\SYSTEM
Computer:      BLAH
Description:
Group Policy objects to be applied: "Default Domain Policy" .

and I then have 16 Folder Redirection Information Event ID 401 messages as below:

Entering folder redirection extension
Flags = 0x40
Group Policy Object name = {31B2F340-016D-11D2-945F-00C04FB984F9}
File system path = \\newdomain.com\sysvol\newdomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User
Directory path = LDAP://CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=newdomain,DC=com
Display name = Default Domain Policy
Found folder redirection settings for policy Default Domain Policy.
The user was found to be a member of the group s-1-1-0. The corresponding path was \\newserver\Documents\%username%.
Successfully obtained redirection data for My Documents, (Flags: 0x11).
Successfully obtained redirection data for My Pictures, (Flags: 0x2).
Successfully gathered folder redirection settings for policy Default Domain Policy.
Redirecting folder My Documents to \\newserver\Documents\%username%.


 and then ending with

Event Type:      Error
Event Source:      Folder Redirection
Event Category:      None
Event ID:      106
Date:            18/09/2006
Time:            11:33:32
User:            NEWDOMAIN\fred
Computer:      BLAH
Description:
Failed to perform redirection of folder My Documents. The full source path was <\\oldserver\Documents\fred>. The full destination path was <\\newserver\Documents\fred>. At least one of the shares on which these paths lie is currently offline.



Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1085
Date:            18/09/2006
Time:            11:33:32
User:            NT AUTHORITY\SYSTEM
Computer:      BLAH
Description:
The Group Policy client-side extension Folder Redirection failed to execute. Please look for any errors reported earlier by that extension.


---
Note that I can browse the SYSVOL share from the client machine and see the contents of gpt.ini
I have the latest service packs on both client and server

I have tried deleting the local copy of the profile from the client machines but this has not fixed it.


Avatar of rgonser
rgonser

You dont have a GPO setting in your default domain policy trying to redirect My Doc's to the old share do you? If so, remove it. Then, go ahead and leave the User account properties set to default and make a GPO to do this redirection.

Make a GPO named USER_MyDoc_redir1

Under :User Configuration > Folder Redirection > My Documents
Create the settings you want (one share, folder for every use, DONT put \\new\documents\%USERNAME% in the field Windows will add that for you, just put "\\new\documents").

Apply this GPO to the domain or the OU containing your user acccounts.

Good luck!
Avatar of cestor

ASKER

No - the new DC did not copy over the old group policies. The root Path for Group Policy- Default Domain Policy -My Documents properties is \\newserver\documents
Then your GPO is being applied sucessfully, check your permissions, heres what I would do:

Share Permissions: FULL CONTROL.
NTFS Permissions: MODIFY (on their individual folders)
Avatar of cestor

ASKER

Yes,
NTFS Permissions are that the users are the owners on those folders and have Full Control.
Shares are set to Full Control
What happens when you do a GPO modeling on a user account? Or a gpresult. (note: you can do GPO modeling from the GPMC)
Avatar of cestor

ASKER

what should I be modelling or what should the command line be for gpresult?
Avatar of cestor

ASKER

sorry -= here is the output


Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 18/09/2006 at 14:35:11



RSOP results for NEWDOMAIN\micah on CLIENT: Logging Mode
------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 NEWDOMAIN
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:             \\hub\profiles\fred
Local Profile:               C:\Documents and Settings\fred.NEWDOMAIN.000
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=CLIENT,CN=Computers,DC=NEWDOMAIN,DC=com
    Last time Group Policy was applied: 18/09/2006 at 14:26:50
    Group Policy was applied from:      newserver.NEWDOMAIN.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        SophosAdministrator
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        CLIENT$
        Domain Computers
       

USER SETTINGS
--------------
    CN=fred bloggs,CN=Users,DC=newdomain,DC=com
    Last time Group Policy was applied: 18/09/2006 at 13:31:33
    Group Policy was applied from:      newserver.newdomain.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
Avatar of cestor

ASKER

ignore my last posting please- here is gpresult run on the client machine
--------------------------------------------------------------------------------------

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 18/09/2006 at 14:35:11



RSOP results for NEWDOMAIN\fred on CLIENT: Logging Mode
------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 NEWDOMAIN
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:             \\hub\profiles\fred
Local Profile:               C:\Documents and Settings\fred.NEWDOMAIN.000
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=CLIENT,CN=Computers,DC=NEWDOMAIN,DC=com
    Last time Group Policy was applied: 18/09/2006 at 14:26:50
    Group Policy was applied from:      newserver.NEWDOMAIN.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        SophosAdministrator
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        CLIENT$
        Domain Computers
       

USER SETTINGS
--------------
    CN=fred bloggs,CN=Users,DC=newdomain,DC=com
    Last time Group Policy was applied: 18/09/2006 at 13:31:33
    Group Policy was applied from:      newserver.newdomain.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
ASKER CERTIFIED SOLUTION
Avatar of rgonser
rgonser

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of cestor

ASKER

hmm..not sure about that -the 1085 error is happening on the client-side, not the server. But I like your idea about the permissions so I will give it a try and then respond.
You might want to look at the Share permissions of the folder itself, Even although you may have set the permissions for the contents of c:\documents\ and UNC path to the owner. The Share Permissions may not be set, not allowing anyone to access the UNC path, Could explain as to why the SYSVOL can be accessed as its set up with the shared folder permissions when you set up the DC.

SO I would right click the shared folder itself c:\documents\ and go to properties then Sharing then view them permissions. And just test with everyone to see if they can redirect. The folder permissions (Not Share) will stop them accessing each others folders.

Just an idea
Steve
Avatar of cestor

ASKER

ok, I found the error. The cause, in case anyone else ever runs into the same problem was because the My Documents folder had been set for Offline Files in the old domain and was still trying to sync with the old server. This was overriding the group policy and causing the redirect to fail.
Points go to rgonser who steered me in that direction!
Glad to hear you got it fixed!