Updating Folder Redirection policy on Windows 7 workstations remotely

Hello,

Can anyone help? We have a Server 2012 R2 domain network that has lots of remote Windows 7 laptop users. These laptop users are considered Home workers in that they rarely visit the office. They log in to their laptops using their cached domain account and use a Cisco VPN client to connect to the network after they have logged in to the laptops.

Each of the users has their My Documents directed to a server share which is only accessible via the VPN. Offline files is disabled. This configuration is managed by Group Policy and would be set up when the laptop was in the office.

The problem we have is we need to move the location where users' My Documents is stored. The GPO has been updated on the server and is working fine for those who are able to visit the office, but there are many remote users where this won't be possible. Even though we have set the speed threshold for GPO processing to 0 so that it will run over a slow link, the users can't run the VPN to connect to the office network until after they have logged in.

I have tried to create a reg file that updates the folder redirection path. Not sure if we did this wrong, but it wasn't reliable or didn't work, and sometimes caused more grief than it was worth.

Any thoughts on how we can get this working?  Windows 8 doesn't seem to have this problem.

Thanks :-)
khodgson Asked:

Netman66 Commented:
There is a bunch of nice tools mentioned here.

http://www.windowsecurity.com/articles-tutorials/windows_2003_security/How-Force-Remote-Group-Policy-Processing.html

However, if they connect on VPN and are online for the refresh cycle (whenever the 90 minutes may roll around) they should get updated policies.

Maybe a good old gpupdate /force run by the user may work.

Personally, I like the look of Specops Gpupdate since it adds context menus to ADUC.  Your mileage may vary.
0
Lionel MM (Small Business IT Consultant) Commented:
I agree with Netman66 about gpupdate /force, but I suggest you add a gpupdate /force to the logon script they execute when connecting to the VPN. This way it will only run when they are connected to their domain server.
0
khodgson (Author) Commented:
Sorry for the delay - this we have already tried, but the folder redirection is applied before the user logs in - which is before the VPN connects the machine to the network.  The GPO message says:

User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
Computer policy could not be updated successfully.
0

khodgson (Author) Commented:
The only way I can get this to work is to log in to the remote computers using another account, in this case a local user, connect the VPN first, then switch user. The laptop is then remotely connected at the point when the user logs in and the folder redirection policy is applied. Once the user has finished logging in, we need to reconnect again, but the folder redirection policy has updated.

Is it not possible for this to complete, without having to work to this method?
0
Netman66 Commented:
Some VPN software allows the connection to stay up between logons, meaning the user can log in, connect by VPN, log out, then log back in, all while the VPN stays up.

Does your VPN client allow this configuration?
0
khodgson (Author) Commented:
It does, but the software has been deployed to the remote users as a client only (Cisco Anywhere client), so we would need to install the additional components to allow VPN before login. I don't think it's delivered by GPO, so for the time it would take to manage that, we may as well connect to each one and log in locally, then switch user.
0
Lionel MM (Small Business IT Consultant) Commented:
OK, but what you are describing seems to be working properly: 1) if the user is not logged onto the domain then there is a folder redirection error (this is to be expected if it has no connection to the domain); 2) if you have a connection to the domain, via VPN, then folder redirection works. This is what I would expect to happen. Usually a user logs onto their laptop, makes a connection to the VPN and then logs onto the domain. Or am I missing something in what you are asking or reporting?
0
khodgson (Author) Commented:
The issue we have is changing the redirected folder path of remote users that cannot remotely connect to the domain before logging in.

Windows 7 folder redirection seems to apply at login, so in order to change the path via Group Policy, the remote users need to be connected in some way to the domain before they log in for the redirection path to update. My question is: can it be done somehow without having to be connected to log in?

The remote users log in to their machines first, using their cached user profiles, then start a Cisco VPN client.
0
Lionel MM (Small Business IT Consultant) Commented:
OK, but the folder redirection should be applied by the domain policy. When they first log on, locally, the cached settings try to apply, but if the server is unavailable you will get an error in Event Viewer (this is normal and to be expected). If they have cached credentials then they will get a folder redirection failure (if they try to connect to their libraries it should say inaccessible or unavailable). When they log on to the domain, part of the domain logon process is to go through the GPO and apply any settings. Once logged onto the domain, the folders should be available again once the appropriate connections have been made. You can have users run gpupdate either manually or in a script if the folders have changed or moved, but you can only do this once they are connected to the domain.
0
khodgson (Author) Commented:
Folder redirection is applied by the Group Policy.

It's all working fine; we just need to change the path again to an alternative server. The problem we have is that in order for the Group Policy to take effect, the machine needs to be connected by some means to the network first, before the user logs in, for the GPO update to apply, regardless of whether we run GPUPDATE /FORCE logged in as the user.

I want to know if the path can change without the user being connected to the network before login, because at this stage, this is not an option for us.
0
Lionel MM (Small Business IT Consultant) Commented:
"I want to know if the path can change without the user being connected to the network before login?"
No, not by using GPO, and not if you are not connected to the network or the server that you plan to switch it to.

By definition domain group policy (which has the folder redirection settings) needs a server and a domain logon to be applied, whether new, or a change. If the other server you want to switch to is on that domain you have to get logged in and authenticated to get permission to access that server.
0
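
Added example (not part of the thread and not code from any participant): a Windows PowerShell 2.0 check a help desk could have a remote user run once the VPN is up, to see whether the Documents path still points at the old share after a user policy refresh. `$ExpectedRoot` is a placeholder for the new share, and the function names are made up for this sketch.

```powershell
# Added example. Run as the logged-on user AFTER the VPN client has connected.
# Written for Windows PowerShell 2.0, which ships with Windows 7.
Add-Type -AssemblyName System.DirectoryServices
$ExpectedRoot = '\\NEWSERVER\Users$'   # placeholder: the new redirection root

function Get-DocumentsPath {
    # Folder Redirection records the per-user Documents location in this value.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    return (Get-ItemProperty -Path $key -Name 'Personal').Personal
}

function Test-DomainControllerReachable {
    # Fails when the session is running on cached credentials with no route to a DC.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $null = $domain.FindDomainController()
        return $true
    } catch {
        return $false
    }
}

function Test-PathUnderRoot {
    param([string]$Path, [string]$Root)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    return $Path.StartsWith($Root.TrimEnd('\'), [System.StringComparison]::OrdinalIgnoreCase)
}

if (-not (Test-DomainControllerReachable)) {
    Write-Output 'No domain controller reachable: connect the VPN and run again.'
} else {
    $before = Get-DocumentsPath
    # gpupdate asks to log off for logon-only extensions; answer N so the VPN stays up.
    'N' | & gpupdate.exe /target:user /force | Out-Null
    $after = Get-DocumentsPath

    New-Object PSObject -Property @{
        User          = $env:USERNAME
        BeforeRefresh = $before
        AfterRefresh  = $after
        OnNewShare    = (Test-PathUnderRoot -Path $after -Root $ExpectedRoot)
    }
}
```

If `OnNewShare` is still False after the refresh, the laptop is in the state the warning quoted earlier in the thread describes: the change waits for a logon made while the machine can reach the domain.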
khodgson (Author) Commented:
Thanks to everyone that contributed, points awarded. I've included a comment I made as it's a way of getting what I want to work.
0