  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 936

GPO Removal Question

Windows Server 2008 R2 Active Directory Domain
Created GPO to enable Folder Redirection, linked it to "STAFF" organizational unit.  (Note Folder Redirection is a "USER" setting).  Option to "redirect folder back to local user location" is ENABLED in the GPO settings, as "ENFORCED" option.

All is good except the 2 XP users I removed from the "STAFF" organizational unit earlier today are still having their MY DOCUMENTS synchronization occur when they log out, suggesting the GPO is still being applied (or at least the effect of the GPO has been retained for some reason).

I have tried to stop the GPO from applying to these users by:
MOVING them to a different O.U. in Active Directory
gpupdate /force on W2K8 R2 Domain Controller
gpupdate /force on W2K8 R2 File Server
gpupdate /force on XP computers the 2 users log on to.

Doesn't (shouldn't) removing these user accounts from the 'STAFF' Organizational Unit cause the GPO to be "removed" automatically? Is there a way to manually stop the GPO from applying?
dealvis
Asked:
 
grantsewell Commented:
User settings will be lost on GPO removal. Did you set the "Policy Removal Behavior" option?

Are you positive they are not inheriting folder synchronization policy from another location in AD?

quinnjudge Commented:
Are you using multiple DCs at different sites?  If so, it is possible the other DC has not realized they have moved out of the OU because of replication.  You can either force a replication through Sites and Services, or go back into ADUC, but connect to the other DC and confirm whether or not the change has replicated to the other server.

Neil Russell (Technical Development Lead) Commented:
What is the result of a GPRESULT /Z on these machines?
 
 
dealvis (Author) Commented:
Yes, Policy Removal Behaviour Option is set to: "redirect folder back to local user location" is ENABLED.

I am sure they are not inheriting Folder Redirect from another A.D. container because there is only one other O.U. with same policy & these 2 people aren't members.

We are single site with only two Domain controllers.

I will check the GP Result & report back... thx

Darius Ghassem Commented:
When it comes to folder redirection you need to have another GPO apply disabling the GPO. If you move the users back to the OU then run gpupdate, does this fix the problem? If not, run gpresult to see if the GPO even applies.

dealvis (Author) Commented:
Examination of GPRESULT /Z output indicates that the STAFF GROUP POLICY is NOT being applied to either of these user accounts during logon.

It appears that while the STAFF GPO is not being applied, XP has retained the Folder Redirection settings & is executing the file sync anyway... ?

Darius Ghassem Commented:
Again, it must be applied to the systems so it can reverse the folder redirection policy by sending the folders back to the local computer.

dealvis (Author) Commented:
Am I understanding you to say I should modify the STAFF GPO by changing its Folder Redirect settings back to "NOT ENABLED" and then move the 2 user accounts back to the STAFF OU?


grantsewell Commented:
Or just make a separate OU with Folder Redirection disabled for the new OU with the 2 accounts in it.

Darius Ghassem Commented:
No, you should change it to point back to the local computer.

http://support.microsoft.com/kb/888203

Move them back to the OU that had the GPO attached. Must be in the original OU.

dealvis (Author) Commented:
I understand what you are saying and don't think that will work.  Applying a GPO with Folder Redirect "NOT ENABLED" means the corrective option I need to "redirect folder back to local user location" will be greyed out. I will go back to GP Manager console on D.C. and verify this is the case - more later.

Darius Ghassem Commented:
What I am saying is that you must enable then have the GPO redirect the folders back.

You can go through the registry and delete the links this way, but this does not bring the folders back to the local computer.

dealvis (Author) Commented:
[Here is the type of response I could accept as a solution]...

Removing users from an OU does not have the same effect as removing the Group Policy Object linked to that OU.

 That means moving a user to a different organizational unit DOES NOT invoke the  POLICY REMOVAL setting "Redirect the folder back to the local user profile location when the policy is removed".

Relocating users to a different OU WILL cease the application of the GPO linked to the previous OU, however, the EFFECT of the GPO ( in this case Folder Redirection), will remain until the application of a different GPO whose Folder Redirection settings are as follows:

[TARGET FOLDER LOCATION]
[X] Redirect to the local user profile location

NOTE the following:
1.  You can't remove the EFFECT of the first GPO's Folder Redirect setting by applying a different GPO whose Folder Redirect is simply set to "NOT CONFIGURE".  Must apply setting shown above to gain desired result (cessation of File Syncing).

2.  Successful application of a subsequent GPO to quell Folder Redirection ("Redirect to the local user profile location") DOES NOT remove the files from the file location they were previously redirected to.  The replicated copies of those files & folders will have to be deleted manually.

Darius Ghassem Commented:
That is correct. If you moved the users back then you would have the problem stop when the gpo was reactivated.

ManicD Commented:
Assuming you're talking about "My Documents"

1) Check where the folder is currently set to
Right click my documents link and select properties to check / edit the location

2) If it's the correct location, the issue may only be off-line files
You may wish to disable off-line files  via GPO or local setting. This would stop the sync.

ManicD Commented:
If you're talking about profile redirection
start > run > cmd > echo %appdata%

will let you know the path to application data and thus the profile location.

dealvis (Author) Commented:
No added comments.
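
The distinction drawn in this thread, that a GPO can stop applying while the redirection it configured stays in effect, can be checked per user by reading the paths Windows is actually using, a scripted form of ManicD's "check where the folder is currently set to". The following PowerShell is an added example, not code from any poster; it assumes the redirected paths are stored under the user's User Shell Folders registry key, and the server name, user name and paths in the sample are constructed.

```powershell
# Added example: classify per-user shell folder paths as local or redirected.
function Get-RedirectionState {
    param(
        [hashtable]$ShellFolders,   # value name -> path, as stored under User Shell Folders
        [string]$ProfileRoot        # the user's local profile directory
    )
    # Trailing backslash so "user1" does not also match "user10"
    $root = $ProfileRoot.TrimEnd('\') + '\'
    # Value names for My Documents, Desktop, Application Data and Start Menu
    foreach ($name in 'Personal', 'Desktop', 'AppData', 'Start Menu') {
        if (-not $ShellFolders.ContainsKey($name)) { continue }
        $path = [Environment]::ExpandEnvironmentVariables([string]$ShellFolders[$name])
        $isLocal = $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
        New-Object PSObject -Property @{
            Folder     = $name
            Path       = $path
            Redirected = -not $isLocal
        }
    }
}

# Constructed sample: a user moved out of the OU whose My Documents still
# points at the file server while the Desktop is local.
$sample = @{
    'Personal' = '\\fileserver.example\staff\user1\My Documents'
    'Desktop'  = 'C:\Documents and Settings\user1\Desktop'
}
Get-RedirectionState $sample 'C:\Documents and Settings\user1' |
    Format-Table Folder, Redirected, Path -AutoSize

# Live check for the logged-on user (skipped where the key is not present).
$keyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
if (Test-Path $keyPath) {
    $key  = Get-Item $keyPath
    $live = @{}
    # GetValue expands REG_EXPAND_SZ data such as %USERPROFILE% by default
    foreach ($n in $key.GetValueNames()) { $live[$n] = $key.GetValue($n) }
    Get-RedirectionState $live $env:USERPROFILE |
        Format-Table Folder, Redirected, Path -AutoSize
}
```

Run it in the affected user's session and compare the result with the GPRESULT /Z output: a folder reported as redirected while the GPO is not listed as applied matches the behaviour described above.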