Solved

GPO Removal Question

Posted on 2010-08-17
Last Modified: 2012-05-10
Windows Server 2008 R2 Active Directory Domain
Created GPO to enable Folder Redirection, linked it to "STAFF" organizational unit.  (Note Folder Redirection is a "USER" setting).  Option to "redirect folder back to local user location" is ENABLED in the GPO settings, as "ENFORCED" option.

All is good except the 2 XP users I removed from the "STAFF" organizational unit earlier today are still having their MY DOCUMENTS synchronization occur when they log out, suggesting the GPO is still being applied (or at least the effect of the GPO has been retained for some reason).

I have tried to stop the GPO from applying to these users by:
MOVING them to a different O.U. in Active Directory
gpupdate /force on W2K8 R2 Domain Controller
gpupdate /force on W2K8 R2 File Server
gpupdate /force on XP computers the 2 users log on to.

Doesn't (shouldn't) removing these user accounts from the 'STAFF' Organizational Unit cause the GPO to be "removed" automatically? Is there a way to manually stop the GPO from applying?
Question by:dealvis

Expert Comment

by:grantsewell
ID: 33459062
User settings will be lost on GPO removal. Did you set the "Policy Removal Behavior" option?

Are you positive they are not inheriting folder synchronization policy from another location in AD?

Expert Comment

by:quinnjudge
ID: 33459069
Are you using multiple DCs at different sites?  If so, it is possible the other DC has not realized they have moved out of the OU because of replication.  You can either force a replication through Sites and Services, or go back into ADUC, but connect to the other DC and confirm whether or not the change has replicated to the other server.

Expert Comment

by:Neil Russell
ID: 33459096
What is the result of a GPRESULT /Z on these machines?
 

Author Comment

by:dealvis
ID: 33459195
Yes, Policy Removal Behaviour Option is set to: "redirect folder back to local user location" is ENABLED.

I am sure they are not inheriting Folder Redirect from another A.D. container because there is only one other O.U. with same policy & these 2 people aren't members.

We are single site with only two Domain controllers.

I will check the GP Result & report back... thx

Expert Comment

by:Darius Ghassem
ID: 33459197
When it comes to folder redirection you need to have another GPO apply disabling the GPO. If you move the users back to the OU then run gpupdate, does this fix the problem? If not, run gpresults to see if the GPO even applies.

Author Comment

by:dealvis
ID: 33459478
Examination of GPRESULTS /Z output indicates that the STAFF GROUP POLICY is NOT being applied to either of these user accounts during logon.

It appears that while the STAFF GPO is not being applied, XP has retained the Folder Redirection settings & is executing the file sync anyway... ?

Expert Comment

by:Darius Ghassem
ID: 33459507
Again, it must be applied to the systems so it can reverse the folder redirection policy by sending the folders back to the local computer.

Author Comment

by:dealvis
ID: 33459578
Am I understanding you to say I should modify the STAFF GPO by changing its Folder Redirect settings back to "NOT ENABLED" and then move the 2 user accounts back to the STAFF OU?

LVL 7

Expert Comment

by:grantsewell
ID: 33459681
Or just make a separate OU with Folder Redirection disabled for the new OU with the 2 accounts in it.

Expert Comment

by:Darius Ghassem
ID: 33459735
No you should change it to point back to the local computer.

http://support.microsoft.com/kb/888203

Move them back to the OU that had the GPO attached. Must be in the original OU.

Author Comment

by:dealvis
ID: 33459925
I understand what you are saying and don't think that will work.  Applying a GPO with Folder Redirect "NOT ENABLED" means the corrective option I need to "redirect folder back to local user location" will be greyed out. I will go back to GP Manager console on D.C. and verify this is the case - more later.

Expert Comment

by:Darius Ghassem
ID: 33459958
What I am saying is that you must enable then have the GPO redirect the folders back.

You can go through the registry and delete the links this way, but this does not bring the folders back to the local computer.

Author Comment

by:dealvis
ID: 33464725
[Here is the type of response I could accept as a solution]...

Removing users from an OU does not have the same effect as removing the Group Policy Object linked to that OU.

That means moving a user to a different organizational unit DOES NOT invoke the POLICY REMOVAL setting "Redirect the folder back to the local user profile location when the policy is removed".

Relocating users to a different OU WILL cease the application of the GPO linked to the previous OU, however, the EFFECT of the GPO ( in this case Folder Redirection), will remain until the application of a different GPO whose Folder Redirection settings are as follows:

[TARGET FOLDER LOCATION]
[X] Redirect to the local user profile location

NOTE the following:
1.  You can't remove the EFFECT of the first GPO's Folder Redirect setting by applying a different GPO whose Folder Redirect is simply set to "NOT CONFIGURED".  Must apply setting shown above to gain desired result (cessation of File Syncing).

2.  Successful application of a subsequent GPO to quell Folder Redirection ("Redirect to the local user profile location") DOES NOT remove the files from the file location they were previously redirected to.  The replicated copies of those files & folders will have to be deleted manually.

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 33464844
That is correct. If you moved the users back then you would have the problem stop when the gpo was reactivated.

Expert Comment

by:ManicD
ID: 33476352
Assuming you're talking about "My Documents"

1) Check where the folder is currently set to
Right click my documents link and select properties to check / edit the location

2) If it's the correct location, the issue may only be off-line files
You may wish to disable off-line files  via GPO or local setting. This would stop the sync.
0
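
The location check discussed in this thread can be run for every shell folder at once on an affected client. This is an added example, not part of any post above; it assumes PowerShell 2.0 or later is installed on the XP machine and is run as the affected user, and `Test-NetworkPath` is a helper name made up for the example.

```powershell
# Added example: list the current user's shell folders and flag the ones that
# still resolve to a network location after the user left the redirected OU.
# Assumption: PowerShell 2.0+ on the client; run in the affected user's session.

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Test-NetworkPath {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    if ($Path.StartsWith('\\')) { return $true }   # UNC path such as \\server\share
    if ($Path -match '^[A-Za-z]:') {
        # Drive letter: a mapped network drive reports DriveType 'Network'
        $drive = New-Object System.IO.DriveInfo ($Path.Substring(0, 1))
        return ($drive.DriveType -eq [System.IO.DriveType]::Network)
    }
    return $false
}

# Get-ItemProperty expands REG_EXPAND_SZ data, so %USERPROFILE% arrives resolved.
$values = Get-ItemProperty -Path $key

$report = foreach ($prop in $values.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
    New-Object PSObject -Property @{
        Folder     = $prop.Name                # 'Personal' is My Documents
        Path       = $prop.Value
        Redirected = (Test-NetworkPath $prop.Value)
    }
}

$report | Sort-Object Folder | Format-Table Folder, Redirected, Path -AutoSize
```

A `Personal` row with `Redirected` set to `True` means My Documents still points at the file server even though gpresult no longer lists the GPO.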
 
LVL 7

Expert Comment

by:ManicD
ID: 33476521
If you're talking about profile redirection
start > run > cmd > echo %appdata%

will let you know the path to application data and thus the profile location.
0
 

Author Closing Comment

by:dealvis
ID: 33622185
No added comments.