Can't get folder redirection working

Hey guys I am having trouble with folder redirection

Server is called test-server. Domain is called test.local.   In Active Directory Users I have a OU called Folder Redirected Users.  In that OU I have users test1, test2, test3.  In that OU I created a security group called "folder redirection"

I go into Group Policy Management and right click on the test.local and selected Create and Link GPO, calling it Test.  I did the group policy setting for My Documents redirection and selected \\test-server\Storage

For that folder i added the group "folder redirection" and gave full control to that.

In the group policy mangement when i click on the OU Folder Redirected Users, under Group Policy Inheritance, the Test GPO is listed as the last GP in the list.  

However I cannot get it working, tried restarting and doing gpupdate /force on clients and gpupdate on server.

No folder are created.

I then also tried to right click on the OU in Group Policy Management and did Link Existing GPO and I selected the Test GP and still no work.

What did I do wrong?

Fluid_ImageryAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PlaceboC6Commented:
#1 Make sure all client machines are pointed to a DC/DNS server for DNS only.  No ISP or third party DNS even as an alternate.

#2 You will have to do a log off/log on to test in addition to the gpupdate /force

#3 Make sure the group that you put test users in have full control on the share and then at least "LIST" permissions on the folder permissions.  Without a minimum of list,  it will not auto-create the sub folders.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Fluid_ImageryAuthor Commented:
#1 did it =)  thought I had the DNS configured but the VMware machine is handing out IPs and isn't configured to give out the ip of the server.  all good now =)

Thats.

Just curious whats a better way to do it:
Create a group, add users to group, and apply GPO to group
or
Create a OU, add users to OU, apply GPO to OU.  

0
Brian PiercePhotographerCommented:
GPOs are NOT applied to security groups. If you create users and put the users in a group and then put the group in the OU the settings WILL NOT be applied - the user accounts themselves must be in the OU.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

tigermattCommented:
You would be much better setting the GPO to apply over the OU with security filetring for Authenticated Users.

As for configuring the Folder Redirection, you need to make sure you are redirecting the folders to a share which doesn't host any roaming profiles. The NTFS permissions on the shared folder should be as shown in the attached screenshots (this is what I use anyway and it always works).

Take care over getting the Scope of the permissions correct - as you can see in the first image some settings are applied over everything (This folder, subfolders and files) while others are just over Subfolders and Files. Also, the Domain Users group only has 3 permissions over This folder only - those permissions allow them to create their own folders where you specify %username% in the redirection path in the GPO settings.

I would strongly recommend against creating the folders beforehand - set up Redirection in GPO and then refresh group policy before logging on and off once or twice - the folders will be created automatically with the permissions shown below.

You may also want to remove the "Grant user exclusive rights over..." on the Settings tab of the redirection - this means it still inherits permissions from the parent so Domain Admins etc. can still access the users' redirected folders. I find this useful sometimes when a user calls having a problem with a document they've stored.
folder-redirect-NTFS-permissions.jpg
folder-redirect-domain-user-perm.jpg
folder-redirect-share-permission.jpg
0
PlaceboC6Commented:
Fluid,  glad I was able to help. :)
0
Fluid_ImageryAuthor Commented:
Thanks everyone for more posts.  Just another quick question so I know I am implementing correct

OU has 3 users(test1,test2,test3) and security group Folder Redirector Group with these 3 users as a member of.  

I right clicked on the domain.local and created a new GP, under Scope I removed Authenticated Users and added the security group Folder Redirector Group.  Is that correct?

So then If i click on the OU in GPMC, I see Default Group Policy listed first, then the new GP listed.  Under the OU I don't have a GP Object linked to it, only in the group policy inheritance tab.  Is this correct?

0
Fluid_ImageryAuthor Commented:
Now it's not working again.  

When I was looking I noticed that the new GP was listed like so: NewGP, Default GP, NewGP under Inheritance.  

So I removed the one that was as #1 and it removed the GP that was listed below the OU in Group Policy Management, then it stopped working.

however when I log off the test machines, it does a syncronization window =/

0
tigermattCommented:
I wouldn't be using that security group at all, and I recommend you delete that and restore the Authenticated Users group in the GPO before you continue. Then, right-click the GPO link in domain.local and press Delete. Then, go into your OU for Folder Redirected Users, right-click on it, Link an existing GPO, find your GPO in the list and press OK.

This is the recommended method for linking GPOs to objects in AD when the GPO settings should be shared by all objects in a particular OU. The only time you should use security filtering and link it to the root of the domain is if you have objects which are spread across multiple OUs and should have the same settings applied - i.e. Domain Admins.
0
tigermattCommented:
however when I log off the test machines, it does a syncronization window =/

This is performed by default, because all redirected folders are automatically synchronized from the server. In the case of fixed workstations whose users wouldn't need to access their files when disconnected from the network, then you can safely disable this by enabling the GPO to prevent use of the Offline Files feature.

I'm pretty sure its in User Config, Administrative Templates, Network, Offline Files, but I can't check at the minute.
0
Fluid_ImageryAuthor Commented:
Should I right click on the domain.local and create a new GPO in that list?

Or do I just right click on the OU and select "create and link a new GPO here"?

Because I did the first one and automatically the OU has default group policy listed first, then thew new group policy listed.
0
tigermattCommented:
Is this GPO one which will be disabling offline files? If so you could put the setting in with the existing GPO which is distributing the settings for Folder Redirection, no need for another object.
0
Fluid_ImageryAuthor Commented:
Okay so I deleted everything I did:
Deleted the Security Group
Deleted the linked GPO
Right clicked on the OU, and selected Create and Link GPO here, edit the GPO for My Desktop and My Documents folder redirected
Shared out folder (gotta work on permisions still).

Working fine now.  So thats the correct way?

One other question is the "administrator" account doesn't have access to the users folder, I tried adding administrator with full access and still doesn't work.  Any tip for that?
0
tigermattCommented:
Do you mean the Administrator doesn't have access to the subfolders for each user? In my above post I already covered this - "You may also want to remove the "Grant user exclusive rights over..." on the Settings tab of the redirection - this means it still inherits permissions from the parent so Domain Admins etc. can still access the users' redirected folders. I find this useful sometimes when a user calls having a problem with a document they've stored."

http:#a20860756
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.