[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

GPO is applied, according to gpresult, but folders aren't redirecting

Posted on 2011-10-05
19
Medium Priority
?
987 Views
Last Modified: 2012-05-12
As the title says, GPOs on Server 2008 R2 are applied on Win 7 x86 machines according to gpresult, but the folders are not being redirected.

Help appreciated.
0
Comment
Question by:Vampireofdarkness
  • 12
  • 3
  • 2
17 Comments
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 36916541
To clarify, SOME users on the Win 7 machines are receiving the GPO fine. Some are not. All are set in the scope.
0
 
LVL 3

Expert Comment

by:ncollings
ID: 36916600
Folder redirection posts very informative entries in the event log on the client machine. Please could you see if anything is logged and post the event
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 36916665
Failed to apply policy and redirect folder "Documents" to "\\server\User Profiles$\sfranklin\My Documents".
Redirection options=0x80009231.
The following error occurred: "Can not create folder "\\server\User Profiles$\sfranklin\My Documents"".
Error details: "Access is denied.
".

Share Permissions: Everyone (Change, Read)
Security Permissions: Everyone (Full), SYSTEM (Full), Administrator (Full), Administrators (Full), CREATOR OWNER (Full)
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 3

Expert Comment

by:ncollings
ID: 36916679
Are these the permissions on the Profiles$ folder?
Did the sfranklin folder already exist?
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 36916732
Those permissions are on the User Profiles$ folder. sfranklin does already exist (folders created by policy!), but the redirection is only working on some of the machines and not all machines.

Some documents locations are \\server\...\, others are C:\Users\sfranklin

All users in ADUC have a folder under User Profiles$ share, all created by policy, which says the policy is working fine... but it isn't!
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 36916755
The same thing is happening for a proxy settings GPO. Gpresult shows the policy has been applied, but the proxy settings aren't there.

Again, scope has authenticated users. Tried with domain users and all security groups associated with the account.
0
 
LVL 3

Expert Comment

by:ncollings
ID: 36916790
So is this problem with specific machines or specific users?
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 36916845
I am assuming machines are the cause.

I can log on to one machine and the policies are applied. I then log on to another and the policies are not applied (in the case of proxy at least).

The computer to my left has not received proxy settings. The computer to my right has received proxy settings. Neither have received folder redirection.

Owner of \\server\User Profiles$\sfranklin\ is sfranklin@domain.local. Everyone has Full NTFS Permissions on folder and all subfolders. Same permissions apply to My Documents and Desktop folders within.
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 36916955
I have six machines in a row. 4 have applied folder redirection for the Desktop, 2 have not. Same user on all machines. All logged on sequentially after the last had finished logging in. Numbers that failed are 3 and 6.
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 36916983
Logged onto another 7, without waiting between logons and machines 1, 3, 4, 5, 6, 7 all had the desktop redirection policy applied. Machine 2 did not.
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 36917016
Out of all 13, none applied the documents redirect. All but 1 applied the proxy settings (no. 2 of the original 6)
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36945765
Ok, so same user fails on 1 machine but he succeeds on another... Rules out permissions....

Least I think they do....

I was goi to suggest to grant ownership of this user's folder on the server, but shouldn't matter in this case.

Might need to look at Process Monitor's Boot Logging to see if we can capture EXACTLY where the denial is coming from....

Http://live.sysinternals.com/procmon.exe

Options/Enable Boot Loging, then reboot, and launch it again to process the logs...

Additionally, gpo debug logging might shed some light..... Need a link to enable it though for you...
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 36984233
I will be at this site again either tomorrow, Thursday or Friday so will check then. In addition, I'll be using the steps from a combination of these:

  1. http://www.windows7library.com/blog/problems/troubleshooting-group-policy/
  2. http://social.technet.microsoft.com/Forums/en/winserverGP/thread/a9b36648-aa9f-4ff7-b23f-c1123b7984e9
  3. http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx

What I don't particularly want to do is rebuild machines to see if there is just a conflict somewhere, as this isn't an isolated case. Different machines do and do not receive different policies correctly for different users. I'd have to rebuild them all and keep my fingers crossed.

Perhaps re-adding the machines to the domain will kick-start policies again? Remove from domain, delete any domain related profiles, add to domain? I don't suppose you'd know where the Group Policy cache is on a Win 7 machine?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36990242
C:\Windows\System32\GroupPolicy
0
 
LVL 9

Author Comment

by:Vampireofdarkness
ID: 37107493
Apologies for the delay.

- Rejoined to domain, no change.
- Ran Procmon
- Re-created GPOs
- Forced updates of GPOs
- Deleted and re-created users
- Took ownership of and deleted user folder
- GPO cache is empty

Tests on PC1 using user1, user2, user3. All users are members of the same groups. Policy scope is set to 'Everyone' and 'Domain Computers'.

user1: Desktop redirects, Proxy Settings OK, Documents redirect
user2: Desktop redirects, Proxy Settings OK, Documents redirect
user3: none

PC2, same users

user1: Desktop redirects, Proxy Settings OK, Documents redirect
user2: Desktop redirects, Proxy Settings OK, Documents redirect
user3: Desktop redirects, Proxy Settings OK, Documents redirect

PC3, same users

user1: Desktop redirects, Proxy Settings OK, Documents redirect
user2: Desktop redirects, Proxy Settings OK, Documents redirect
user2: Proxy Settings OK

PC4, same users

user1: Desktop redirects, Proxy Settings OK
user2: Desktop redirects, Proxy Settings OK, Documents redirect
user2: Proxy Settings OK
0
 
LVL 9

Accepted Solution

by:
Vampireofdarkness earned 0 total points
ID: 37124580
Changed from \\server\User Profiles$\ to \\server\User Profiles\ and removed exclusive rights on the FOLDER REDIRECTION and it appears to have also solved issues with proxy settings, folder redirection, etc... Not ideal as now no privacy...although the folders are already created, so perhaps it won't matter for existing users.

Believe this customer is a PITA though, as not two days after demonstrating it all working they're claiming all files are deleted from their redirected folders (policies are set to return documents to original locations). Folders/files were all in place at the time I left, tested on 8 different users.
0
 
LVL 9

Author Closing Comment

by:Vampireofdarkness
ID: 37151654
See comment.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question