Solved

Redirected Folder problems, continues

Posted on 2014-09-15
Last Modified: 2014-10-13
I had this working once, but didn't write down exactly what I did. I can't seem to get redirected folders working. I've followed the instructions in http://www.alexwyn.com/computer-tips/folder-redirection-samba4-active-directory-domain-controller. I've deleted everything and re-configured according to these instructions at least 3 times now. I've double and triple checked my permissions and everything seems OK. My redirected folder is: \\mail\hprs.local\Users. After configuring permissions, that folder does have ACLs set. I've run gpupdate and rebooted both workstation and DC several times.

I'm suspecting my problem is the GPO settings, but I don't know. I'm out of ideas. Can someone help me debug this problem? The first attached image is of my GPO "HPRS Redirected Folders". The 2nd image is of that GPO's settings showing 'Desktop' expanded. I've set the same settings for Documents, Favorites and Start Menu. The 3rd image is the 'member of' tab for a test user I'm trying to redirect.
redirectedGPO.jpg
redirectedSettings.jpg
testUser.jpg
Question by:jmarkfoley
 
LVL 23

Expert Comment

by:rhandels
ID: 40324865
Hey,

First off, could you please check the event viewer of the test user logging in? Because it might be that you get an error there.
Also, what happens if you run a Group Policy Results on the test user machine, do you see the policy active?

If not then yes, you have misconfigured the policy. The policy should be attached to an OU where user accounts reside, otherwise they will not be applied (user configuration should be on user OU). Second, user settings should be enabled (check the settings tab) otherwise they will not be applied.

And last but not least (that's why you need to check the event viewer), you state that the original data needs to be moved (see redirected settings), this means that if the user has a Desktop profile folder already, data will be moved from this location to the new location. If he doesn't have write permissions on both locations, redirection will fail. You will see this however in the event viewer.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40327402
rhandels: > check the event viewer of the test user logging in ...

On the DC, I can see successful logins, but nothing at all about the redirected folders. On the client workstation, not sure what to look for. The security log has plenty of successful logins, nothing related to redirected folders. Perhaps you could give me a bit more detail on what to look for.

> what happens if you run a Group Policy Results on the test user machine?

How would I do that?

> The policy should be attached to an OU where user accounts reside,

This is where I think I'm messing up. The link I referenced likewise said, "Link the new GPO policy (if not done already) to an OU with a user account that can be used to test this policy."

What does this mean, "where the user accounts reside" ... "an OU with a user account ..."? What OU has user accounts?

My testUser.jpg image shows the group this user is a member of:

Domain Users (hprs.local/Users)
HPRS Remote Desktop Users (hprs.local/HPRS Groups/Security) <- custom group
Remote Desktop Users (hprs.local/Builtin)

My 'HPRS Redirected Folders' GPO (redirectedGPO.jpg) shows links: HPRS Groups (hprs.local/HPRS Groups); and shows Security Filtering: Authenticated Users.

This user is an Authenticated User, I presume.

Given that, is this "policy attached to an OU where user accounts reside" or not? If you need more information, what else can I give you?

> if the user has a Desktop profile folder already, data will be moved from this location to the new location. If he doesn't have write permissions on both locations, redirection will fail. You will see this however in the event viewer.

As I said, I had this working before and it did move the folders to the server, as advertised. I'm pretty sure the permissions are correct because I triple checked them and also deleted  and recreated the security properties three times, just to make sure (and removed the folder hierarchy on the server!). I would be a huge moron if I've messed up these settings, but I'll check again. There are absolutely no "permission denied"-like errors logged anywhere that I can find.

When I: Start > right-click 'Documents' > Properties, I see the following:
(image: Document Properties)
whereas when I had this working it was pointing to \\mail.hprs.local\Users\mark\Documents

I don't even think it's trying - hence no error logs. My "feeling" is that I have something wrong with the GPO. I have a vestigial memory that I did something additional to "link" the GPO to the user, but I have no idea what.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40327431
<<On the DC, I can see successful logins, but nothing at all about the redirected folders. On the client workstation, not sure what to look for. The security log has plenty of successful logins, nothing related to redirected folders. Perhaps you could give me a bit more detail on what to look for.>>

If , then look in the application log of the machine you are logging into. This information is not available at the DC. This is where error logs regarding folder redirection are placed.

<<> what happens if you run a \Group Policy Results an the test user machine?>>

2 options. Either go to the machine the user is logged into and run rsop.msc. This will give you a Resultant Set of Policies (which means all applied policies). You should see the created policy in there, also in the settings tab the policy should also be there.



I think indeed that the policy is placed on the wrong OU. What happens in an AD is that you have multiple OU's (Organisational Units) for storing user accounts and computer accounts. You should look at these things as a logical way of organizing the organisation into multiple parts. Also, these OU's are created for setting policies to specific users.

What you should do is make an OU (these yellow folders in AD Users and Computers) then create a policy and attach it to this OU. After that, place 1 specific test user in this OU and attach the policy to this OU. Then set the folder redirection policy and it should be applied.

Authenticated users are all users that are successfully logged in. The way you set it up (and GPO's work default out of the box) is that all users get the policies applied if in the correct OU, this has nothing to do with the group you are a member of.

If you don't see any loggings in the application log of folders being redirected (successfully or failed) then yes, the policy is not being applied.

And as I am not quite sure what your level of expertise is with policies it might be a good idea to try and get a global overview of what GPO's can do. They are quite powerful so you have to be careful with setting policies. 1 wrong policy could cause a big headache.

Here is a Microsoft link that might be a good starter.
http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40328980
Logged in as the test user on the WIN7 workstation, in the Event Viewer > Applications and Services Log I only have log entries in ACEEventLog. The most recent from my current login have under Details:
- System
  - Provider
    [ Name] ACEEventLogSource
  - EventID 0
    [ Qualifiers] 0
    Level 4
    Task 0
    Keywords 0x80000000000000
  - TimeCreated
    [ SystemTime] 2014-09-17T07:31:19.000000000Z
    EventRecordID 802
    Channel ACEEventLog
    Computer hplaptop.hprs.local
    Security
- EventData
   0000000001: 2014-09-17 03:31:19:471 Exception: Access is denied Exception Called by: ATI.ACE.MOM.Implementation.MOM::KillOldMOMandCCCs processID:04064 threadID:( ) domainName:(MOM.exe ) assemblyName:(MOM.Implementation, Version=3.5.4403.41550, Culture=neutral, PublicKeyToken=90ba9c70f846762e) ************************************************************************************************************************  


Though not obvious, I suppose this is the attempt to access the redirected folders? There are many of these.

rsop.msc - running this as the test user gave me the initial message, "The RSoP snap-in was unable to generate the computer's data due to insufficient permissions. The snap-in will continue to start but only the user's data will be displayed." I assume for now this is OK and this is what we want. I can run again as Administrator if you want. Basically, don't know what I'm looking at on this output. Nothing seems interesting on any folder. See attached image. Where should I look on this?

> What you should do is make an OU ... then create a policy and attach it to this OU. After that, place 1 specific test user in this OU and attach the policy to this OU. Then set the folder redirection policy and it should be applied.

OK, let's take this step-by-step. I had previously created an OU called "HPRS Groups" (see image GPO.jpg). I initially created this in order to create the "HPRS Remote Desktop" GPO, which works just fine. Under the "HPRS Groups" OU I have the "HPRS Redirected Folders" GPO. So far so good? If so, what's my next step?

My experience with Group Policies is light. A bit when using SBS 2008, but otherwise just this exercise and that of creating the Remote Desktop access ... which worked w/o problem. I will check out your link.
rsop.jpg
GPO.jpg
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40329628
It seems I was wrong about the event log message. ATI.ACE.MOM doesn't appear to have anything to do with redirected folder permissions. I just logged in again as the test user after adding that user explicitly to the Redirected Folders' Security Filtering (see image) and rebooting. No event logged in the ACEEventLog at all, but still no connection to redirected folders :(

I hope you can help with this problem because I'm completely out of ideas and will have to abandon this project if I can't get redirected folders working. I'm also completely stumped as to why this worked once, but not now. The only difference is the DC OS was 32 bit before and is now reinstalled as 64 bit. I can't imagine that would make any difference.
securityFiltering.jpg
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40329701
Just to make 1 thing clear, there is no need to add the user to the GPO because the authenticated users group already is all users.

In the attached printscreen I do see that you have created a GPO to redirect and for as far as I could see that policy was actually working. When you look at the screen you attached you see, at the bottom, the option "Group Policy Results". Try to create a new report and pick the machine the test user is logged into, then choose the user that you are testing with when making the report and check to see if the policy is actually applied.

Also, in what OU is the user placed? I see the policy is attached to the OU HPRS Groups, is the user in the OU Security that is down there? Or is the user in an entirely different OU? The user should be placed in the OU where this policy is actually applied to being all OU's beneath HPRS Groups. If the user is not in that OU then please place it in there.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40331322
> Just to make 1 thing clear, there is no need to add the user to the GPO because the authenticated users group already is all users.

I did understand that, but I thought I'd give it a try and see. I've removed Domain Users and the specific user.

> Try to create a new report and pick the machine the test user is logged into, then choose the user that you are testing with when making the report and check to see if the policy is actually applied.

Sorry to be obtuse, but how do I create a new report picking "the machine the test user is logged into"? The Group Policy Results contents is empty. I see no place there or on the Redirected Folders GPO to specify either the machine or a place to "choose the user". This is probably simple, but I'll need a step-by-step instruction to accomplish what you're asking.

>  Also, in what OU is the user placed in.

I have no clue. Again, newbie-ness. The properties on the HPRS Groups and Security OUs show no users listed at all. On Active Directory Users and Computers, the properties for the test user show "Member Of", but is that what you're asking? If so see my testUser.jpg image in my initial posting. If not then I'll need some more step-by-step instruction to show what OU the user is placed in.

Thanks.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40332033
Hey,

Maybe I'm going out of my league here but if you don't know how OU's work or how policies work in basic (because this is basic AD stuff) I don't think it is a good idea to do this without someone who actually knows what to do with Active Directory.

Are you doing this for a company or just for testing? If the first is true, please ask someone with specific knowledge about it, if for testing it might be a good idea to google up some basic AD and policy stuff.

I am really willing to help but if you don't really know where the user account is placed in your AD I don't think you will manage this without someone actually physically helping you out.

Anyway. To create the policy report go to the GPMC you opened (and printscreened) then do the following.
1. Right click group policy results and choose Group Policy Result Wizard. When the screen shows up click Next.
2. Choose "another computer" and click browse. Make sure to select the computer the user is logged into. This machine needs to be a member of the domain. Click Next.
3. Choose the user you are testing with by clicking "select a specific user" and click next.

A report will be created in which you can see what policies are being applied.

Searching a user:

Go to AD Users and Computers, right click the domain and choose "Find". Type in the user name in the Name field, open it by doubleclicking on the name and go to the object tab. Look at the Canonical name of objects. You can see the full OU path here in which the user is placed.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40333209
I am doing this for a company (and it is a test at the moment). I am it! There is no one else I can ask about this stuff. I do have an idea about how group policies work, but not so much about Organization Units. Nevertheless, I have been working on computers for many, many years doing sysadmin stuff for Linux, GCOS6, VMS, etc., even SBS 2008 for 5 years (but no GPO stuff); I am capable of following instructions and learning. I do appreciate your patience and I am sure I'll get this figured out with your help.

I ran the GPO Results report as you instructed and it is attached and an image: GPOresults.jpg. I noticed under 'Applied GPOs' that the 'Redirected Folders' GPO is not listed.

I did the AD Users > Find > username thing. But when I double-clicked on the name found I got the same dialog as shown in my testUser.jpg in my initial posting: no 'Object' tab. Perhaps I did something wrong. I did, however, notice that when I right-clicked the searched-name there was an "Add to Group ..." selection. Is that what we're aiming to do?
GPOresults.jpg
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40336796
Are you still with me on this?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40337262
Hey,

Strangely enough I didn't get the previous message you posted. Strange. To get the object tab you need to switch to advanced. Click in AD Users and Computers on the "Edit" tab (thought it was the edit tab) and enable the advanced view. This way you see the object tab when you open up the users properties.

Also, the RSOP was quite good but the fact that the policy wasn't listed there means that the user is not in an OU where the policy was applied to. You don't need to add the user to a group to get policies applied. You need to look at the OU's as a structure of folders (but then with user accounts and computers account) that are organized (hence the name Organisation Unit) in sections of people with the same settings/needs. For example all users of the sales office are put in 1 OU for settings that only need to be applied to those specific users.

If you find the OU where the test user is added to or placed in make sure it is in the OU (or sub OU, just like folder views in Explorer) where the policy is set. This way the policy should be applied.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40338510
> Strangely enough I didn't get the previous message you posted

Yeah, I haven't gotten any messages about your posts at all. I just check EE every so often. In fact, I haven't received any messages from EE on open questions since September 5th. Something must be up at EE with that.

To get the canonical user I did: ADU&C > View > Advanced, Users > right-click test user > Properties > 'Object' tab.

I've attached my image of the Object tab. The canonical name is: hprs.local/Users/Mark Foley

> If you find the OU where the test user is added to or placed in make sure it is in the OU (or sub OU, just like folder views in Explorer) where the policy is set. This way the policy should be applied.

OK, this is where I get a bit lost. I understand almost nothing of your sentence ... "If you find the OU were the test user is added ..." The test user is added in hprs.local > Users. That's it. Is 'Users' an OU? It doesn't seem to have the same properties as the OUs I created.

"... make sure it is in the OU ... where the policy is set ..." Sorry, I'm not *really* stupid, but I have no idea what you're saying here. I've created a group: "HPRS Redirected Folders" in hprs.local > HPRS Groups > Security, but I've no idea how to link the policy to this group; see image HPRSgroups.jpg.

Does the Object tab, canonical name show the OU? Is it "Users"? My research indicates that canonical names are of the format domain/OU/SubOU, so I'm guessing that "Users" is the OU, right?

I've played around with this for hours. I moved the working "Enable Remote Desktop" GPO link from 'hprs.local' to hprs.local > HPRS Groups, just because it seems like it should be there. That made it stop working. So, I moved the link back and went ahead and moved the troublesome Redirected folders link from 'HPRS Groups' up to the domain level hprs.local -- reasoning that if the one didn't work at the 'HPRS Groups' level, but did at the domain level, the other might too ... but no. Nevertheless, I've left the link moved and my current GPO setup is in the image GPO2.jpg

The instructions I followed originally say, "Link the new GPO policy (if not done already) to an OU with a user account that can be used to test this policy." I believe this is what you are trying to get me to do as well, but HOW DO I DO THAT!?!?!? I don't see a GPO edit that lets you link to an OU! I believe I want to connect my "Enable Redirected Folders" GPO to my hprs.local > HPRS Groups > Security OU ... HOW?

I must have done this way back when it worked, though I don't remember. The difference was that the user existed before I created the GPO. Now, I created the GPO first, so maybe the pre-existence of the user invoked the "if not done already" condition and I didn't have to actually do anything.

Thanks for your patience -- I'm sure when I get this sorted out it will all make perfect sense.
canonicalName.jpg
GPO2.jpg
HPRSgroups.jpg
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40338558
The link you gave me says, "Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory directory service containers: sites, domains, or organizational units (OUs)."

I get the concept. I've got an OU with groups (see HPRSgroups.jpg); I've got a Group Policy. How do I link the GPO to the OU? That's the fundamental question I can't figure out mechanically.

My 'Enable Redirected Folders' GPO shows that it is linked to hprs.local/HPRS Groups (see GPO2.jpg). My test user is a member of "hprs.local/HPRS Groups/Security" OU.

What else is there to link? I just don't get what I'm missing here!
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40338593
Hey,

<<OK, this is where I get a bit lost. I understand almost nothing of your sentence ... "If you find the OU were the test user is added ..." The test user is added in hprs.local > Users. That's it. Is 'Users' an OU? It doesn't seem to have the same properties as the OUs I created.>>

Yes, Users is an OU, just as Computers and Domain Controllers is. Difference is that these OU's are created by default if you create a Windows domain. All newly added computers will be placed in the OU Computers by default as will the users be. Normally, if you want to divide the organisation you move the user to a different container and don't leave it in the Users container.

<<Does the Object tab, canonical name show the OU? Is it "Users"? My research indicates that canonical names are of the format domain/OU/SubOU, so I'm guessing that "Users" is the OU, right?>>

Yes, that's it! The OU is indeed Users. And no policy is attached there.

<<The instructions I followed originally say, "Link the new GPO policy (if not done already) to an OU with a user account that can be used to test this policy." I believe this is what you are trying to get me to do as well, but HOW DO I DO THAT!?!?!? I don't see a GPO edit that lets you link to an OU! I believe I want to connect my "Enable Redirected Folders" GPO to my hprs.local > HPRS Groups > Security OU ... HOW?>>

Create a new OU that is named New_Users (or some of that sort) in AD Users & Computers and move that test user from the OU Users to the OU New_Users. After that, go to the Group Policy Management console. You will see the new folder New_Users. Attach the redirect policy to this OU, that should do the trick.

The thing is that the concept of policies only work on users and computers, NOT on groups. What happens is this. Your user is member of the domainname/users OU. If you want to have the policy applied you need to apply the policy either to the users OU (using the Group Policy Management Console, which you are using already) or move the user to an OU that resides below the HPRS Groups OU.

The thing you do need to keep in mind with policies is that it is not applied to groups a user is member of. If you want to apply a policy it needs to be applied to the OU the user actually is a member of, not to an OU that holds a group a user is member of.

Also, but that is always for policies. If you change a setting in the Group Policy Management Console, it will not be applied instantly. So for testing this you need to either wait 90 minutes (which sucks :)) or go to a command prompt and type in gpupdate /force. This forces the policy to be refreshed instantly.
0
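The scoping rule described in the post above (a GPO reaches a user or computer through the container it is linked to, while groups only narrow that via Security Filtering), as an added Python model that is not part of the original thread. Container, GPO and group names are taken from the posts; the test user's membership in the "HPRS Redirected Folders" group is an assumption, and site links, block inheritance, enforced links and WMI filters are left out.

```python
import re

AUTH_USERS = "Authenticated Users"


def containers_above(canonical_name):
    """Containers holding the object: domain first, nearest OU last.

    'hprs.local/HPRS Users/Mark Foley' -> ['hprs.local', 'hprs.local/hprs users']
    AD names are case-insensitive, so everything is case-folded; a '/' inside
    a name is escaped as '\\/' in canonical names and is not a separator.
    """
    parts = re.split(r"(?<!\\)/", canonical_name.casefold())[:-1]
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def gpos_in_scope(canonical_name, member_of, links, filtering):
    """GPOs whose link AND Security Filtering both cover the object.

    links:     {container canonical name: [GPO names linked there]}
    filtering: {GPO name: set of groups in its Security Filtering list}
               (a GPO missing from this dict keeps the default,
               Authenticated Users)
    Returned in processing order: domain-level links, then nearer OUs.
    """
    links = {c.casefold(): gpos for c, gpos in links.items()}
    # Every logged-on principal is implicitly in Authenticated Users.
    groups = {g.casefold() for g in member_of} | {AUTH_USERS.casefold()}
    in_scope = []
    for container in containers_above(canonical_name):
        for gpo in links.get(container, []):
            allowed = {g.casefold() for g in filtering.get(gpo, {AUTH_USERS})}
            if allowed & groups:          # filtering narrows, never widens
                in_scope.append(gpo)
    return in_scope


# Constructed sample data, using names that appear in the thread.
REDIR = "Enable Redirected Folders"
RDP = "Enable Remote Desktop"
MEMBER_OF = {"Domain Users", "HPRS Remote Desktop Users", "Remote Desktop Users"}
REDIR_GROUP = "HPRS Redirected Folders"   # group under HPRS Groups/Security


def thread_scenarios():
    """Replay the link/OU layouts discussed in the thread."""
    old_links = {"hprs.local": [RDP], "hprs.local/HPRS Groups": [REDIR]}
    new_links = {"hprs.local": [RDP], "hprs.local/HPRS Users": [REDIR]}
    return {
        # User sits in hprs.local/Users, GPO linked to HPRS Groups.
        "before_move": gpos_in_scope(
            "hprs.local/Users/Mark Foley", MEMBER_OF, old_links, {}),
        # Joining a group that lives under the linked OU does not move the
        # user object, so the link still does not reach it (assumed setup).
        "via_group_only": gpos_in_scope(
            "hprs.local/Users/Mark Foley", MEMBER_OF | {REDIR_GROUP},
            old_links, {REDIR: {REDIR_GROUP}}),
        # User moved to the new OU and the GPO linked there.
        "after_move": gpos_in_scope(
            "hprs.local/HPRS Users/Mark Foley", MEMBER_OF, new_links, {}),
        # Right OU, but filtering names a group the user is not in.
        "filtered_out": gpos_in_scope(
            "hprs.local/HPRS Users/Mark Foley", MEMBER_OF, new_links,
            {REDIR: {REDIR_GROUP}}),
    }


if __name__ == "__main__":
    for name, gpos in thread_scenarios().items():
        print(f"{name:15} {gpos}")
```

A GPO listed as in scope here is only a candidate for processing; as the rest of the thread shows, the client-side extension on the workstation can still fail to apply it.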
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40340275
> The thing is that the concept of policies only work on users and computers, NOT on groups.

OK, good to know. That is part of my confusion.

> Create a new OU that is named New_Users (or some of that sort) in AD Users & Computers and move that test user from the OU Users to the OU New_Users.  After that, go to the Group Policy Management console. You will see the new folder New_Users. Attach the redirect policy to this OU, that should do the trick.

This raises more questions, but later ... first things first.

I believe I've done as you've instructed. I've created the new OU: 'HPRS Users' and moved the user to it (image HPRSusersOU.jpg). That OU did appear in the GPM Console, as you indicated. Next, I linked the "Enable Redirected Folders" GPO to this folder (image GPO3.jpg). Unfortunately, redirected folders still not working. I've run gpupdate several times and rebooted both server and workstation.

What additional information can I provide?
HPRSusersOU.jpg
GPO3.jpg
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40340863
OK, your basic setup is complete now. It should work and at least the concept is clear :)
What happens if you run that same resultant set of policies now? Do you actually see the policy now? And there is no need to restart the server. The only thing you need to restart is the computer itself.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40344346
I've attached the latest Group Policy Results for the test user. Note that under Component Status it says, "Folder Redirect did not complete policy processing because the user needs to log on again for the settings to be applied. Group Policy will be attempted to apply the settings at the user's next logon."

Of course, I've logged on and off several times to no effect.

I tried running gpupdate /force as the test user and got the message:
Updating Policy...

User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

The Group Policy Client Side Extension Folder Redirection was unable to apply on
e or more settings because the changes must be processed before system startup o
r user logon. The system will wait for Group Policy processing to finish complet
ely before the next startup or logon for this user, and this may result in slow
startup and boot performance.
Computer Policy update has completed successfully.

For more detailed information, review the event log or run GPRESULT /H GPReport.
html from the command line to access information about Group Policy results.

Certain User policies are enabled that can only run during logon.

OK to logoff?. (Y/N)


I've run the GPRESULTS /H GPRreport as the test user, but that doesn't shed much more light: http://www.novatec-inc.com/pub/GPRreport.html

ideas?
GPresults2.jpg
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40345692
Nope. You did configure it correctly as the message states so all is configured correctly now. The only thing I could think of when seeing this message is stating the obvious, restart the machine. But as you said you already did that. I'm afraid I'm not quite sure what could be causing this.

It clearly states that after a logon it will be executed. This machine is a physical machine right? Not some sort of machine that reverts back to a standard image?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40346018
No, doesn't revert to standard image. Could it be something with the server? I didn't this once before and basically just monkey-typed the howto instructions referenced in my initial posting and it just worked. I didn't set up a separate group or anything. I then decided to start over with a 64 bit version of the server. The remote access policy worked fine, but I've had all this problem with redirected folders.

I'll restart the computers again, but I don't think that's gonna help.
0
 
LVL 23

Assisted Solution

by:rhandels
rhandels earned 500 total points
ID: 40346031
I never heard of an issue with the server version with a policy not being applied. Even if it is a 64 bits or 32 bits server to be honest.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40346947
Well, unless you or someone has another idea, I think I'm going to wipe everything and rebuild from scratch. If I have the same problem at 64 bits I'll do it again at 32. You're right, I can't see why that would make a difference, but I have a backup of a working 32 bit server where this policy works fine. I'm sure there must be some difference other than the bit-size, but I don't know what it would be.
0
 
LVL 1

Accepted Solution

by:
jmarkfoley earned 0 total points
ID: 40369952
Got it working! I wiped the WIN7 computer and reinstalled Windows. First, I removed the test user from the domain, deleted the Redirected Folders GPO and removed the WIN7 host from the domain. On the server, I removed the whole /redirectedFolders/Users folder. Otherwise, I kept the server the same -- did not reinstall it, did not remove the Remote Desktop Access GPO.

After re-installing WIN7 and doing MS Updates, I then followed the steps again as described in my initial posting and voila! 10 minutes later I had the redirected folders configured and working! Something must have been screwed up on the workstation, I suppose.

There were things going wrong on the workstation. For example, I could never un-check the 'always available offline' setting on the \\mail.hprs.org\Users folder property. Also, when I'd try to reset Security/Permissions on this folder I'd get something like "unable to access administrator" (lower case 'a'). The admin user was Administrator, not administrator -- not sure what that error was all about. In any case, little things like that indicated something was wrong, so wipe/reinstall seemed called for and worked!

Thanks for all your hard work on this. At least I learned a lot.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 40376616
I fixed the problem by re-installing WIN7 on the workstation.
0
