Solved

Server 2003 Folder Redirection Policy Change

Posted on 2010-11-17
15
612 Views
Last Modified: 2012-05-10
Hi experts

We currently have folder redirection applied to all users using a gpo applied to the domain. However we need to change this as we now have users in satellite offices that are connecting to the domain over a vpn, this has proved to be unusably slow.

The Plan is to leave the main site on folder redirects and turn off redirects for users at the remote sites, is there an easy way to do this?

My best idea so far is to create new OU's and move the computers for each site into its own OU, then remove the domain redirect policy, leave it off for a few days to allow all users files to copy back to their local machines and then to create a new redirect policy applied only to the head office OU of computers.

However I can see a couple of issues with doing this, one if I move a computer from the default computer OU into a new OU I get an error about affecting over GP's, I’m sure this isn’t a problem but still a bit concerning. Secondly people who don’t login during this change won’t have their files moved back from the server to their local machines. This may be a problem when they come to login and the new policy is in place, I’m guessing their files wouldn’t be their too copy to the server.

Any advice or better solutions is greatly appreciated.
0
Comment
Question by:corecc
  • 5
  • 4
  • 3
  • +1
15 Comments
 
LVL 24

Expert Comment

by:Awinish
ID: 34154430
Folder redirection policy is located in user configuration & it will be applied to user not computer until & unless, loopback group policy policy in GPO has been configured.

Take a look to below article.
http://support.microsoft.com/kb/888203
0
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34154442
Your concerns are right.  This is what you get the error message all about.

Now how many users you have.?

If not have them on instant messaging. If they have successfully logged on (you send them a script which will copy their home folder to their local disk or ask them to do it manually or give them remote support if your organisation has got a software to do it or team viewr, mikogo will do. . Ask for confirmation of that . Once done move that computer to the new OU with new settings applied. Run gpupdate /force on that client. Ne policy gets applied.

I can't think of any other solution at the moment. This is the only thing came to my mind to do it there might be better ways. This way we ensure the user has got all his files locally available before we disconnect from centre and new policy being applied.
0
 
LVL 1

Expert Comment

by:james-barr
ID: 34154547
Is the current redirection enforced by the Default Domain Policy or another GPO?

If Default Domain Policy_User Settings etc...  You won't be able to stop this applying to OU's lower in the heirarchy (inhertiance blocking of DefDom policy is not allowed and won't work even if you enable it) so you may need to move it to a new policy -HQ Computers for example- and then simply apply that policy to those machines only.

Better not to apply settings at all rather than apply, and then remove them through another policy as this will minimise logon-times at remote offices.

Additionally, make sure you disable the computer/user elements of your various policies as appropriate to prevent said elements from being processed even if empty.

James
0
 
LVL 1

Author Comment

by:corecc
ID: 34154767
The policy is under the default domain policy.

So I was going to remove it from there and then create a new gpo on a OU containing the HQ PC's, is this what you are recommending?

Also not sure what you mean by disable the computer/user elements of your various policies.

Thanks
0
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34154870
Hi

If you remove the policy it will no longer point the user to their home folder. Then what you are going to make them available locally ?

Cheers
0
 
LVL 1

Expert Comment

by:james-barr
ID: 34154882
I am indeed.

Because you cannot block inheritance of DefDom policy at any level, it's good practice to only set those setting which should never be overridden (password policy for example).

Policies are applied in the following order:
Default Domain
Computer
User

Any policy applied to default computers OU should ideally only contain settings which will apply to ALL computers regardless of function/type/location.

Then you use further policies to apply only the desired settings, at the desired OU level.

That way, you're never processing the same policy settings more than once.
In some cases I've seen a setting applied by DefDom, removed by DefCom, re-applied by a GPO at another layer, and then finally changed by another policy using Security Group filtering - It only needed to be applied by the last GPO!

Each GPO has 2 elements; Computer settings, and User settings.
Each can be disabled so you can create policies containing settings for user only in the Catering team for instance.  (Such a policy may then be named; User_London_Function (IE settings for instance).

That prevents machines from processing both elements thereby reducing time taken to process.
(In GPMC, right-click. click; Disable Computer/User Settings (if I remember correctly).)

James
0
 
LVL 1

Author Comment

by:corecc
ID: 34154968
Ok, that all makes sense, so in my situatioin would you say my sugestion is the way forward?
0
 
LVL 1

Author Comment

by:corecc
ID: 34154989
Hi moon

the remote users wont have folder redirects enabled and the main office will. The issue is undoing the current domain policy and recreating a policy which only applies to the head office computers.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34155022
Remember no changes or modification is recommended in Default domain & Default domain controller policy & they should be left as it is.

Now you can remove those setting from default policy & create a new GPO w/o folder redirection setting & link to the user & give time to apply the GPO.

The GPO takes approx 90min to apply the policy from server to client.
0
 
LVL 1

Author Comment

by:corecc
ID: 34155083
thanks awinish, but not sure what you mean by create a new GPO w/o folder redirection setting & link to the user.

Also I thought it made more sense to apply the policy to computers not users as the remote offices will normally have the same computers but the staff turnover is quite high.
0
 
LVL 1

Expert Comment

by:james-barr
ID: 34155214
It is but, as said, the setting is user-specific and cannot be set on computers (computers have no MyDocuments etc)...

Just create an OU for the remote office with child OU's for:
Users
Computers

Cheers
James
0
 
LVL 1

Expert Comment

by:james-barr
ID: 34155258
Sorry - Omitted a couple steps (oops)...

After creating your OU structure:
1) Create a GPO containing only the user settings to be applied to remote location users
2) Link the GPO to the newly created user OU
3) Move existing remote users to said OU (Users child-OU)
4) Add new users to same to ensure settings apply
0
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34155267
Hi

Am I not getting it rigt? Your remote users now have their home folder in central location at head office. When you disconnect (remove folder re-direction)  they do not have access to their home folder. Still their files are on central share you have to make them available locally at their site. Beg your pardon if I am not getting it
0
 
LVL 24

Accepted Solution

by:
Awinish earned 500 total points
ID: 34155278
Remove the folder redirection settings from default domain GPo which you have configured & applied at domain level.

Create a new GPO w/o folder redirection settings,means let it be not configured & apply on the computer,for this you will require loopback settings to be enabled which has to be replace mode.

Read the Ace blog.
http://msmvps.com/blogs/acefekay/archive/2009/09/08/folder-redirection.aspx

http://kudratsapaev.blogspot.com/2009/07/loopback-processing-of-group-policy.html
http://grouppolicy.editme.com/Loopback

0
 
LVL 1

Author Comment

by:corecc
ID: 34155747
Many thanks Awinish, theres alot to digest there, the plan is to just turn off desktop folder redirects on all sites and to leave mydocs redirects in place to see if this helps. If we still have a problem, then we will look to change the policy as talked about above.
0

Join & Write a Comment

Suggested Solutions

Starting in Windows Server 2008, Microsoft introduced the Group Policy Central Store. This automatically replicating location allows IT administrators to have the latest and greatest Group Policy (GP) configuration settings available. Let’s expl…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now