dealvis
asked on
GPO Removal Question
Windows Server 2008 R2 Active Directory Domain
Created GPO to enable Folder Redirection, linked it to "STAFF" organizational unit. (Note Folder Redirection is a "USER" setting). Option to "redirect folder back to local user location" is ENABLED in the GPO settings, as "ENFORCED" option.
All is good except the 2 XP users I removed from the "STAFF" organizational unit earlier today are still having their MY DOCUMENTS synchronization occur when they log out, suggesting the GPO is still being applied (or at least the effect of the GPO has been retained for some reason).
I have tried to stop the GPO from applying to these users by:
MOVING them to a different O.U. in Active Directory
gpupdate /force on W2K8 R2 Domain Controller
gpupdate /force on W2K8 R2 File Server
gpupdate /force on XP computers the 2 users log on to.
Doesn't (shouldn't) removing these user accounts from the 'STAFF' Organizational Unit cause the GPO to be "removed" automatically? Is there a way to manually stop the GPO from applying?
Are you using multiple DCs at different sites? If so, it is possible the other DC has not realized they have moved out of the OU because of replication. You can either force a replication through Sites and Services, or go back into ADUC, but connect to the other DC and confirm whether or not the change has replicated to the other server.
What is the result of a GPRESULT /Z on these machines?
ASKER
Yes, Policy Removal Behaviour Option is set to: "redirect folder back to local user location" is ENABLED.
I am sure they are not inheriting Folder Redirect from another A.D. container because there is only one other O.U. with same policy & these 2 people aren't members.
We are single site with only two Domain controllers.
I will check the GP Result & report back... thx
When it comes to folder redirection, you need to have another GPO apply disabling the GPO. If you move the users back to the OU then run gpupdate, does this fix the problem? If not, run gpresults to see if the GPO even applies.
ASKER
Examination of GPRESULTS /Z output indicates that the STAFF GROUP POLICY is NOT being applied to either of these user accounts during logon.
It appears that while the STAFF GPO is not being applied, XP has retained the Folder Redirection settings & is executing the file sync anyway... ?
Again, it must be applied to the systems so it can reverse the folder redirection policy by sending the folders back to the local computer.
ASKER
Am I understanding you to say I should modify the STAFF GPO by changing its Folder Redirect settings back to "NOT ENABLED" and then move the 2 user accounts back to the STAFF OU?
Or just make a separate OU with Folder Redirection disabled for the new OU with the 2 accounts in it.
No, you should change it to point back to the local computer.
http://support.microsoft.com/kb/888203
Move them back to the OU that had the GPO attached. Must be in the original OU.
ASKER
I understand what you are saying and don't think that will work. Applying a GPO with Folder Redirect "NOT ENABLED" means the corrective option I need to "redirect folder back to local user location" will be greyed out. I will go back to GP Manager console on D.C. and verify this is the case - more later.
What I am saying is that you must enable then have the GPO redirect the folders back.
You can go through the registry and delete the links this way, but this does not bring the folders back to the local computer.
ASKER
[Here is the type of response I could accept as a solution]...
Removing users from an OU does not have the same effect as removing the Group Policy Object linked to that OU.
That means moving a user to a different organizational unit DOES NOT invoke the POLICY REMOVAL setting "Redirect the folder back to the local user profile location when the policy is removed".
Relocating users to a different OU WILL cease the application of the GPO linked to the previous OU, however, the EFFECT of the GPO (in this case Folder Redirection), will remain until the application of a different GPO whose Folder Redirection settings are as follows:
[TARGET FOLDER LOCATION]
[X] Redirect to the local user profile location
NOTE the following:
1. You can't remove the EFFECT of the first GPO's Folder Redirect setting by applying a different GPO whose Folder Redirect is simply set to "NOT CONFIGURE". Must apply setting shown above to gain desired result (cessation of File Syncing).
2. Successful application of a subsequent GPO to quell Folder Redirection ("Redirect to the local user profile location") DOES NOT remove the files from the file location they were previously redirected to. The replicated copies of those files & folders will have to be deleted manually.
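
To confirm on a client that the redirection has been retained even though the GPO no longer applies, the per-user shell folder paths can be read from the registry. This is an added example, not part of the original thread; it assumes PowerShell 2.0 is installed on the XP client and that it is run in the affected user's logon session.

```powershell
# Added example: list per-user shell folders and flag any that still resolve
# outside the local profile. Read-only; run in the affected user's logon session.
$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
# Registry value names for folders that Folder Redirection can manage on XP.
$Names = 'Personal', 'My Pictures', 'Desktop', 'AppData', 'Start Menu'

function Get-ShellFolderState {
    param([string]$Path, [string[]]$ValueNames)
    $key = Get-Item -Path $Path
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($name in $ValueNames) {
        # Raw REG_EXPAND_SZ text, so a %USERPROFILE%-based path stays recognisable.
        $raw = $key.GetValue($name, $null, $noExpand)
        if ($null -eq $raw) { continue }          # value not present for this user
        $full = [Environment]::ExpandEnvironmentVariables($raw)
        # Anything not under the local profile (UNC path or mapped drive) counts
        # as still redirected.
        $local = $full.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)
        $state = 'Redirected'
        if ($local) { $state = 'Local' }
        New-Object PSObject -Property @{ Folder = $name; State = $state; Path = $raw } |
            Select-Object Folder, State, Path
    }
}

$result = @(Get-ShellFolderState -Path $KeyPath -ValueNames $Names)
$result | Format-Table -AutoSize
$stale = @($result | Where-Object { $_.State -eq 'Redirected' })
if ($stale.Count -gt 0) {
    Write-Output ("{0} folder(s) still point outside the local profile." -f $stale.Count)
}
```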
Assuming you're talking about "My Documents"
1) Check where the folder is currently set to
Right click my documents link and select properties to check / edit the location
2) If it's the correct location, the issue may only be off-line files
You may wish to disable off-line files via GPO or local setting. This would stop the sync.
If you're talking about profile redirection
start > run > cmd > echo %appdata%
will let you know the path to application data and thus the profile location.
ASKER
No added comments.
Are you positive they are not inheriting folder synchronization policy from another location in AD?