GPO Removal Question

Windows Server 2008 R2 Active Directory Domain
Created GPO to enable Folder Redirection, linked it to "STAFF" organizational unit.  (Note Folder Redirection is a "USER" setting).  Option to "redirect folder back to local user location" is ENABLED in the GPO settings, as "ENFORCED" option.

All is good except the 2 XP users I removed from the "STAFF" organizational unit earlier today are still having their MY DOCUMENTS synchronization occur when they log out, suggesting the GPO is still being applied (or at least the effect of the GPO has been retained for some reason).

I have tried to stop the GPO from applying to these users by:
MOVING them to a different O.U. in Active Directory
gpupdate /force on W2K8 R2 Domain Controller
gpupdate /force on W2K8 R2 File Server
gpupdate /force on XP computers the 2 users log on to.

Doesn't (shouldn't) removing these user accounts from the 'STAFF' Organizational Unit cause the GPO to be "removed" automatically? Is there a way to manually stop the GPO from applying?
dealvisAsked:

grantsewellCommented:
User settings will be lost on GPO removal. Did you set the "Policy Removal Behavior" option?

Are you positive they are not inheriting folder synchronization policy from another location in AD?
0
quinnjudgeCommented:
Are you using multiple DCs at different sites?  If so, it is possible the other DC has not realized they have moved out of the OU because of replication.  You can either force a replication through Sites and Services, or go back into ADUC, but connect to the other DC and confirm whether or not the change has replicated to the other server.
0
Neil RussellTechnical Development LeadCommented:
What is the result of a GPRESULT /Z on these machines?
 
0
dealvisAuthor Commented:
Yes, Policy Removal Behaviour Option is set to: "redirect folder back to local user location" is ENABLED.

I am sure they are not inheriting Folder Redirect from another A.D. container because there is only one other O.U. with same policy & these 2 people aren't members.

We are single site with only two Domain controllers.

I will check the GP Result & report back... thx
0
Darius GhassemCommented:
When it comes to folder redirection you need to have another GPO apply disabling the GPO. If you move the users back to the OU then run gpupdate does this fix the problem? If not run gpresults to see if the GPO even applies
0
dealvisAuthor Commented:
Examination of GPRESULTS /Z output indicates that the STAFF GROUP POLICY is NOT being applied to either of these user accounts during logon.

It appears that while the STAFF GPO is not being applied, XP has retained the Folder Redirection settings & is executing the file sync anyway... ?
0
Darius GhassemCommented:
Again it must be applied to the systems so it can reverse the folder redirection policy by sending the folders back to the local computer
0
dealvisAuthor Commented:
Am I understanding you to say I should modify the STAFF GPO by changing its Folder Redirect settings back to "NOT ENABLED" and then move the 2 user accounts back to the STAFF OU?

0
grantsewellCommented:
Or just make a separate OU with Folder Redirection disabled for the new OU with the 2 accounts in it.
0
Darius GhassemCommented:
No you should change it to point back to the local computer.

http://support.microsoft.com/kb/888203

Move them back to the OU that had the GPO attached. Must be in the original OU.
0
dealvisAuthor Commented:
I understand what you are saying and don't think that will work.  Applying a GPO with Folder Redirect "NOT ENABLED" means the corrective option I need to "redirect folder back to local user location" will be greyed out. I will go back to GP Manager console on D.C. and verify this is the case - more later.
0
Darius GhassemCommented:
What I am saying is that you must enable then have the GPO redirect the folders back.

You can go through the registry and delete the links this way but this does not bring the folders back to the local computer
0
dealvisAuthor Commented:
[Here is the type of response I could accept as a solution]...

Removing users from an OU does not have the same effect as removing the Group Policy Object linked to that OU.

That means moving a user to a different organizational unit DOES NOT invoke the POLICY REMOVAL setting "Redirect the folder back to the local user profile location when the policy is removed".

Relocating users to a different OU WILL cease the application of the GPO linked to the previous OU, however, the EFFECT of the GPO ( in this case Folder Redirection), will remain until the application of a different GPO whose Folder Redirection settings are as follows:

[TARGET FOLDER LOCATION]
[X] Redirect to the local user profile location

NOTE the following:
1.  You can't remove the EFFECT of the first GPO's Folder Redirect setting by applying a different GPO whose Folder Redirect is simply set to "NOT CONFIGURE".  Must apply setting shown above to gain desired result (cessation of File Syncing).

2.  Successful application of a subsequent GPO to quell Folder Redirection ("Redirect to the local user profile location") DOES NOT remove the files from the file location they were previously redirected to.  The replicated copies of those files & folders will have to be deleted manually.
0
Darius GhassemCommented:
That is correct. If you moved the users back then you would have the problem stop when the gpo was reactivated.
0

ManicDCommented:
Assuming you're talking about "My Documents"

1) Check where the folder is currently set to
Right click my documents link and select properties to check / edit the location

2) If it's the correct location, the issue may only be off-line files
You may wish to disable off-line files via GPO or local setting. This would stop the sync.
0
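A scripted form of the "check where the folder is currently set to" step, added here as an example and not part of the original thread. It reads the affected user's `User Shell Folders` registry key and reports which folders still point at a network path after the GPO has stopped applying. It assumes PowerShell 2.0 is installed on the XP client and is run as the affected user; the function names are hypothetical.

```powershell
# Added example (not from the thread). Run in the affected user's session:
# the values live in that user's HKCU hive. "Personal" is the My Documents entry.
$keyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Test-RedirectedPath {
    param([string]$Path)
    # A UNC target (\\server\share\...) means the folder still points at the file server.
    # Redirection to a mapped drive letter is not detected by this check.
    return $Path.StartsWith('\\')
}

function Get-ShellFolderReport {
    param([string]$RegistryPath = $keyPath)
    $key = Get-Item -Path $RegistryPath
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }   # skip the unnamed default value
        # Read the stored string without expanding %USERPROFILE% so both forms can be shown.
        $raw = $key.GetValue($name, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw)
        New-Object PSObject -Property @{
            Folder     = $name
            Stored     = $raw
            Expanded   = $expanded
            Redirected = (Test-RedirectedPath $expanded)
        }
    }
}

$report = @(Get-ShellFolderReport)
$report | Sort-Object Folder | Format-Table Folder, Redirected, Expanded -AutoSize

$still = @($report | Where-Object { $_.Redirected })
if ($still.Count -gt 0) {
    # The GPO's effect has outlived the GPO, as described in the accepted answer.
    Write-Output ("{0} folder(s) still redirected to a network path:" -f $still.Count)
    $still | ForEach-Object { Write-Output ("  {0} -> {1}" -f $_.Folder, $_.Expanded) }
} else {
    Write-Output 'No shell folders point at a network path.'
}
```

If "Personal" is still listed as redirected while GPRESULT shows the STAFF GPO is not applied, the setting has been retained on the client.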
ManicDCommented:
If you're talking about profile redirection
start > run > cmd > echo %appdata%

will let you know the path to application data and thus the profile location.
0
dealvisAuthor Commented:
No added comments.
0