Server 2003 Folder Redirection Policy Change

Hi experts

We currently have folder redirection applied to all users using a GPO applied to the domain. However, we need to change this as we now have users in satellite offices that are connecting to the domain over a VPN, and this has proved to be unusably slow.

The plan is to leave the main site on folder redirects and turn off redirects for users at the remote sites. Is there an easy way to do this?

My best idea so far is to create new OUs and move the computers for each site into its own OU, then remove the domain redirect policy, leave it off for a few days to allow all users' files to copy back to their local machines, and then create a new redirect policy applied only to the head office OU of computers.

However, I can see a couple of issues with doing this. First, if I move a computer from the default computer OU into a new OU, I get an error about affecting other GPs; I'm sure this isn't a problem, but it is still a bit concerning. Secondly, people who don't log in during this change won't have their files moved back from the server to their local machines. This may be a problem when they come to log in and the new policy is in place; I'm guessing their files wouldn't be there to copy to the server.

Any advice or better solutions are greatly appreciated.
corecc Asked:
 
Awinish Commented:
Remove the folder redirection settings from the default domain GPO which you have configured & applied at domain level.

Create a new GPO w/o folder redirection settings, meaning leave them not configured, & apply it to the computer; for this you will require loopback settings to be enabled, which have to be in replace mode.

Read the Ace blog.
http://msmvps.com/blogs/acefekay/archive/2009/09/08/folder-redirection.aspx

http://kudratsapaev.blogspot.com/2009/07/loopback-processing-of-group-policy.html
http://grouppolicy.editme.com/Loopback

 
Awinish Commented:
Folder redirection policy is located in user configuration & it will be applied to the user, not the computer, unless loopback group policy has been configured in the GPO.

Take a look at the article below.
http://support.microsoft.com/kb/888203
 
moon_blue69 Commented:
Your concerns are right. This is what the error message you get is all about.

Now, how many users do you have?

If not, have them on instant messaging. If they have successfully logged on, you send them a script which will copy their home folder to their local disk, or ask them to do it manually, or give them remote support if your organisation has software to do it (TeamViewer or Mikogo will do). Ask for confirmation of that. Once done, move that computer to the new OU with the new settings applied. Run gpupdate /force on that client. The new policy gets applied.

I can't think of any other solution at the moment. This is the only thing that came to my mind; there might be better ways. This way we ensure the user has got all his files locally available before we disconnect from the centre and the new policy is applied.
 
james-barr Commented:
Is the current redirection enforced by the Default Domain Policy or another GPO?

If Default Domain Policy_User Settings etc... You won't be able to stop this applying to OUs lower in the hierarchy (inheritance blocking of DefDom policy is not allowed and won't work even if you enable it), so you may need to move it to a new policy -HQ Computers for example- and then simply apply that policy to those machines only.

Better not to apply settings at all rather than apply, and then remove them through another policy as this will minimise logon-times at remote offices.

Additionally, make sure you disable the computer/user elements of your various policies as appropriate to prevent said elements from being processed even if empty.

James
 
corecc Author Commented:
The policy is under the default domain policy.

So I was going to remove it from there and then create a new GPO on an OU containing the HQ PCs. Is this what you are recommending?

Also not sure what you mean by disable the computer/user elements of your various policies.

Thanks
 
moon_blue69 Commented:
Hi

If you remove the policy, it will no longer point the user to their home folder. Then how are you going to make them available locally?

Cheers
 
james-barr Commented:
I am indeed.

Because you cannot block inheritance of DefDom policy at any level, it's good practice to only set those settings which should never be overridden (password policy for example).

Policies are applied in the following order:
Default Domain
Computer
User

Any policy applied to default computers OU should ideally only contain settings which will apply to ALL computers regardless of function/type/location.

Then you use further policies to apply only the desired settings, at the desired OU level.

That way, you're never processing the same policy settings more than once.
In some cases I've seen a setting applied by DefDom, removed by DefCom, re-applied by a GPO at another layer, and then finally changed by another policy using Security Group filtering - It only needed to be applied by the last GPO!

Each GPO has 2 elements: Computer settings and User settings.
Each can be disabled, so you can create policies containing settings for users only in the Catering team, for instance. (Such a policy may then be named User_London_Function, IE settings for instance.)

That prevents machines from processing both elements, thereby reducing the time taken to process.
(In GPMC, right-click, then click Disable Computer/User Settings, if I remember correctly.)

James
 
corecc Author Commented:
OK, that all makes sense, so in my situation would you say my suggestion is the way forward?
 
corecc Author Commented:
Hi moon

The remote users won't have folder redirects enabled and the main office will. The issue is undoing the current domain policy and recreating a policy which only applies to the head office computers.
 
Awinish Commented:
Remember, no changes or modifications are recommended in the Default Domain & Default Domain Controller policies & they should be left as they are.

Now you can remove those settings from the default policy & create a new GPO w/o folder redirection settings & link it to the user & give the GPO time to apply.

The GPO takes approx. 90 min to apply the policy from server to client.
 
corecc Author Commented:
Thanks Awinish, but I'm not sure what you mean by create a new GPO w/o folder redirection setting & link to the user.

Also, I thought it made more sense to apply the policy to computers, not users, as the remote offices will normally have the same computers but the staff turnover is quite high.
 
james-barr Commented:
It is but, as said, the setting is user-specific and cannot be set on computers (computers have no MyDocuments etc)...

Just create an OU for the remote office with child OUs for:
Users
Computers

Cheers
James
 
james-barr Commented:
Sorry - Omitted a couple steps (oops)...

After creating your OU structure:
1) Create a GPO containing only the user settings to be applied to remote location users
2) Link the GPO to the newly created user OU
3) Move existing remote users to said OU (Users child-OU)
4) Add new users to same to ensure settings apply
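
The OU and GPO steps listed above, scripted as an added example that is not part of the original thread. It assumes a management workstation with the RSAT ActiveDirectory and GroupPolicy PowerShell modules (they are not part of Server 2003 itself); the domain, site, GPO and group names are hypothetical.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN   = 'DC=example,DC=local'          # placeholder domain
$SiteName   = 'RemoteOffice1'                # placeholder remote site
$GpoName    = "User_${SiteName}_Settings"    # user-only GPO for that site
$StaffGroup = 'RemoteOffice1-Staff'          # placeholder group listing the site's users

# OU structure: one OU per remote office with Users and Computers child OUs.
New-ADOrganizationalUnit -Name $SiteName -Path $DomainDN
$SiteDN = "OU=$SiteName,$DomainDN"
New-ADOrganizationalUnit -Name 'Users'     -Path $SiteDN
New-ADOrganizationalUnit -Name 'Computers' -Path $SiteDN
$UsersDN = "OU=Users,$SiteDN"

# Step 1: create a GPO that holds user settings only. Disabling the computer
# half means clients do not process an empty computer section at all.
# The user settings themselves (Folder Redirection left "Not configured")
# are edited in the Group Policy editor; they are not registry-based, so
# they cannot be set from this script.
$gpo = New-GPO -Name $GpoName -Comment "User settings for $SiteName"
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Step 2: link the GPO to the new Users OU.
New-GPLink -Name $GpoName -Target $UsersDN -LinkEnabled Yes

# Step 3: move the existing remote users into the Users child OU.
# Remove -WhatIf once the list of accounts it reports looks right.
Get-ADGroupMember -Identity $StaffGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    Move-ADObject -TargetPath $UsersDN -WhatIf

# Check: list every GPO link that still reaches the Users OU, in processing
# order. A domain-level GPO that still carries Folder Redirection will show
# up here and will keep applying to the moved users.
(Get-GPInheritance -Target $UsersDN).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```

After a user in the new OU logs on, `gpresult` on that client shows which GPOs were actually applied to the user.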
 
moon_blue69 Commented:
Hi

Am I not getting it right? Your remote users now have their home folder in a central location at head office. When you disconnect (remove folder redirection), they do not have access to their home folder. Their files are still on the central share; you have to make them available locally at their site. Beg your pardon if I am not getting it.
 
corecc Author Commented:
Many thanks Awinish, there's a lot to digest there. The plan is to just turn off desktop folder redirects on all sites and to leave mydocs redirects in place to see if this helps. If we still have a problem, then we will look to change the policy as talked about above.
Question has a verified solution.