Solved

Folder Redirection query

Posted on 2014-10-26
Last Modified: 2014-11-10
I'd like to introduce 'Folder Redirection' to one department in our office - they all have the same software installed, so it's just the Desktop that I want to redirect to allow them to log onto any PC in that department.

I've created a new repository folder for the saved Desktop folders (with full access to domain users, just to help with testing), and also a new Group Policy (W2K8 server - not R2) which redirects 'Desktop' to this new location.

There's a few steps I'm not clear on, and it doesn't seem to be working correctly.

If I apply the GP on the OU containing the user OR the PC (i.e. one or other), nothing happens. If I apply the GP on both OUs (i.e. the user AND the PC) I get a new folder created ('\\server\FolderRedir\user'). However, there is nothing in this folder.

Should I need to apply the GP on both the user AND the PC - is this correct?

Also, as these are existing users / PCs, do I have to copy the Desktop folder across to the 'FolderRedir' manually to get started? Or if not, what action should cause the new 'Desktop' folder to be created?

Thanks
Question by:Michael986
19 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40405544
Apply it only to the user, and no, you need to do nothing; it will do it by itself.
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40405570
Apply to the user, as it's a user policy. Make sure the users have read/write access to your new location; test it from the user's account.
0
 

Author Comment

by:Michael986
ID: 40405648
OK - so something's not correct then.

The user is in a Test OU, and the new Folder Redirection GP is applied to that OU

The '\\server\FolderRedir' folder is shared - Full access to Domain Users both in Security and Sharing.

The user logs onto a PC - nothing created under '\\server\folderRedir'.
The user logs off - still nothing created.

GPResult shows that this policy is being applied

I've attached a screen print of the policy details

Any ideas why it's not working?
Capture.PNG
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40405689
That policy looks about right. Did you grant the Domain Users full access to the share itself? i.e. right click on the FolderRedir folder > Properties > Sharing tab > Advanced Sharing > Permissions > verify the permissions in here
0
 
LVL 9

Expert Comment

by:tsaico
ID: 40405754
You want to be careful about using the full rights after you are done testing, you can inadvertently give all your users in the department access to each others' desktops.  Myself, what I do is make a folder on the network with no rights to it, just shared under me (or administrators) as the owner.  Then in the AD properties, I make a home folder entry for them "\\server\myjustcreatedfolder\%username%" and then AD will create a folder there with only the inherited share permissions (domain\administrators) and the user in question.

I would also check out the event log and see if there are any related error messages in here. Gpresult is showing it is being applied successfully, not that the rule worked as you intended.  Also, when logged in as your test user, try browsing to your proposed network path, and write something there, like a txt file and save it to fully make sure you can actually write to that path.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40406238
tsaico: FYI Microsoft recommend the following NTFS permissions for the root folder that houses the redirected folders. This will allow for the automatic creation of redirected folders as well as roaming profiles.

CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
System - Full Control (Apply onto: This Folder, Subfolders and Files)
Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
Everyone - List Folder/Read Data (Apply onto: This Folder Only)
Everyone - Read Attributes (Apply onto: This Folder Only)
Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

See here for more info: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

Michael986: It's best you set the above NTFS permissions on the share once we've sorted out your issues.
0
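
The NTFS permission set listed in the comment above, applied with PowerShell. This is an added example, not part of the original thread; the local path `D:\FolderRedir` and the `Domain Admins` account name are assumptions to replace with your own, and share-level permissions are left untouched.

```powershell
# Added example: run in an elevated PowerShell session on the file server.
# $root is a placeholder (assumption) for the local path behind \\server\FolderRedir.
$root   = 'D:\FolderRedir'
$admins = "$env:USERDOMAIN\Domain Admins"   # assumption: default group name

# Build one Allow ACE; the strings are converted to the matching .NET enums.
function New-AllowRule($identity, $rights, $inherit, $propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, $rights, $inherit, $propagate, 'Allow'
}

$subtree = 'ContainerInherit,ObjectInherit'
$rules = @(
    # CREATOR OWNER - Full Control (Subfolders and Files Only)
    (New-AllowRule 'CREATOR OWNER' 'FullControl' $subtree 'InheritOnly'),
    # System and Domain Admins - Full Control (This Folder, Subfolders and Files)
    (New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' $subtree 'None'),
    (New-AllowRule $admins 'FullControl' $subtree 'None'),
    # Everyone - create folder, list, read attributes, traverse (This Folder Only),
    # so each user can create their own subfolder but cannot open anyone else's.
    (New-AllowRule 'Everyone' 'CreateDirectories,ListDirectory,ReadAttributes,Traverse' 'None' 'None')
)

$acl = Get-Acl -Path $root
# Stop inheriting from the parent and drop the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Remove existing explicit entries (for example the Full Control grant used while testing).
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $root -AclObject $acl

# Show the resulting ACL so it can be compared with the list above.
(Get-Acl -Path $root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```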
 

Author Comment

by:Michael986
ID: 40407464
Will definitely look at the permissions and make sure they are correct - but need to get it to actually work first.

Have done a bit more testing and can confirm that with the full permissions set for 'domain users', it does work but ONLY if I have the GP applied to both the Computer AND the User. If it's applied on just the user, or just the computer, it does not work.

Previous answers suggest (and it was my understanding)  that I should only need to apply the GP on the user, and not the computer.

The only thing I can think of that might be relevant is the fact that 'GPResult /r' reports that the Domain Type is Windows 2000. Although it's now a completely W2K8 environment, AD has been upgraded over time.

There is a setting in the Properties of the GP that refers to Windows 2000 / 2003 etc (see attached image) - not sure if this might be related?
Capture.PNG
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40407478
You only need to tick that option if the machine you are trying to enable the folder redirection on is running Windows 2000, 2003 or XP. Is the client machine you're trying to enable the redirection on running these operating systems?
0
 

Author Comment

by:Michael986
ID: 40407538
"Is the client machine you're trying to enable the redirection on running these operating systems?"

No - sorry, should have said. All PCs that I'm working on are Windows 7 Pro and are on the domain.

So any ideas why I'm having to apply the GP on the computer AND the user?
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40407553
When you say you can only get it working when you apply the policy to the computer and the user, do you mean you are specifying the computer name and user's name in the Security Filtering section?
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40407554
Read this, it will help; it's a detailed how-to.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40407560
Just out of curiosity, did you remove Authenticated Users from the Security Filtering section and then add a test account in there for testing purposes? If so, follow these steps to have the policy only apply to your test account: http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/
0
 

Author Comment

by:Michael986
ID: 40407562
"When you say you can only get it working when you apply the policy to the computer and the user, do you mean you are specifying the computer name and user's name in the Security Filtering section?"

No, I mean that I've created two new OUs - one called 'Redirected Computers' and the other called 'Redirected Users'. The GP is applied on both of these OUs.

If I put the user in 'Redirected Users' OR the computer in 'Redirected Computers' it doesn't work. But when I put both user and computer in their respective OUs, I log on to the computer as the user, the GP is applied.
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40407584
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40407589
I think that is correct, as you are specifying the users and the computers you want to have the policy apply to.

You can apply it to all users that connect to a computer; look at the link above.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40407592
As the folder redirection policies are a user level setting, there shouldn't be any need for you to link the policy to the OU containing the computer objects. The only thing I can think of is that you have a separate GPO which also has folder redirection settings enabled that is either being inherited by the 'Redirected Users' OU or it has been linked to the OU and is higher in the Link Order.

Try this:
1. Unlink the folder redirection policy from the OU containing the computer object(s)
2. Wait for AD replication or force it manually
3. Restart the computer or run the command: gpupdate /target:computer in an elevated Command Prompt
4. Log into the computer using an account that is in the Redirected Users OU
5. Check if the folder redirection has applied by running the rsop.msc command (Start > Run > type in rsop.msc)
6. Expand User Configuration > Windows Settings > Folder Redirection
7. Check if any folder redirections have applied. If so, note down the name of the GPO - does it match the name of your test GPO?
0
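
A client-side check to run alongside the steps above, combining the event-log and write-test suggestions made earlier in the thread. This is an added example, not part of the original answer; it assumes it is run as the redirected test user on the Windows 7 client, and the report file name is a placeholder.

```powershell
# Added example: run as the test user after logging on to the client PC.

# 1. Where does the shell resolve Desktop to? A UNC path means redirection took effect.
$key     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$desktop = (Get-ItemProperty -Path $key).Desktop
"Desktop path: $desktop"
"Redirected:   $($desktop -like '\\*')"

# 2. Can this user really write there? A GPO that "applied" does not prove this.
$probe = Join-Path $desktop ("fr-probe-{0}.txt" -f [guid]::NewGuid())
try {
    Set-Content -Path $probe -Value 'write test' -ErrorAction Stop
    Remove-Item -Path $probe
    'Write test:   OK'
} catch {
    "Write test:   FAILED - $($_.Exception.Message)"
}

# 3. Folder Redirection reports success and failure in the Application log.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Folder Redirection'
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 4. HTML report of user-scope policy, to see which GPO supplied the redirection setting.
#    The output file name is a placeholder.
gpresult /scope user /h "$env:TEMP\gpresult-user.html" /f
```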
 

Assisted Solution

by:Michael986
Michael986 earned 0 total points
ID: 40407644
OK - have tried the above as suggested by VB ITS - and yes, it shows the correct folder redirection.

After a bit more testing I've discovered that once I've got a computer working, I can then take it out of the 'Folder Redirection' OU - ie I no longer have to apply the GP to the computer. I've also forced AD replication at each stage to ensure that's not confusing things.

So maybe I just need to apply the Folder_Redirection GP to ALL computers, then they will all work when a 'Folder Redirection enabled' user logs onto them.

Seems like a bit of a bodge, and I still don't understand why I need to do this. But I suppose if it works ...!
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40407696
Very strange indeed. As I said in one of my earlier posts, the folder redirection settings are user level policies so they should work when you link the policy to an OU containing just user accounts. We do have a workaround at least.

Maybe have a read through these articles when you have time to try and troubleshoot the issue:
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part1.html
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part2.html
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part3.html
0
 

Author Closing Comment

by:Michael986
ID: 40432330
Didn't manage to get to the bottom of why it's not behaving as it should, but :-
1. It's working
2. The reassurance that what I was doing SHOULD have worked helped me to that point - it was helpful to know that it wasn't something silly that I was doing wrong.
0
