domain functionality winodws 2008 gpresult shows 2000

hi I have just setup a windows 2008 standard domain server/ad/dns/dhcp and the following are also linked to the domain;

- fileserver - detected in dns & dhcp successfully
- win 7 desktop - detected in dns & dhcp successfully

task 1.

- aduc: manually created win 7 desktop inside aduc\computers default folder

task 2.

fileserver:

- shared folder: e\win7redirect -

security tab: added authenticated users & win7 user domain name: johnc with default access instead of full control at this stage as want to confirm user folder is created

task 3.

desktop domain user win 7:

- aduc: user profile tab: \\fileserver\win7redirect\%username%

task 4.

- aduc: ou & group name as below:

- hr\user_hr - domain user inside group

task 5.

default aduc - \computers folder

- win 7 desktop - inside computers folder as stated above

gpresult - not detecting 'redirection folder'

task 6.

master dc:

- active directory user accounts - domain functionality states windows 2008

gpresult - domain type: 2000

task 7.

gpmc: configured and linked to group folder ie hr_users

- edited gpo and set: \\fileserver\win7redirect - successful
- gpo\setting tab: confirmed above is set

task 8.

- removed gpo \\fileserver\win7redirect

- confirmed in gpo\settings tab that above is removed

issue:

- repeated above task 1 - 7 -  but still same issue not connecting to \\fileserver\win7redirect - folder


q1.  can anyone advise ?
mikey250Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Guy LidbetterCommented:
Firstly, GPRESULT /R showing the domain functional level as 2000 or even NT 4 is normal.
It seems that that particular field was ignored for some time... we recently updated our R2 domain servers an the field has finally updated to "Windows 2008 or later"... but as long as right clicking your domain and lookign at properties says you're on 2008 R2... no issue.

Regarding the GPO... make sure its linked to User OU, not the computer OU as it is a User policy.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mikey250Author Commented:
yes below is done:

task 1.

fileserver:

- shared folder: e\win7redirect -

security tab: added authenticated users & win7 user domain name: johnc with default access instead of full control at this stage as want to confirm user folder is created

task 2.

- ou: hr

task 3.

gpmc: right click (ou: hr) and linked\created group folder: hr_users

- edited gpo and set: \\fileserver\win7redirect - successful
- gpo\setting tab: confirmed above is set

task 4.

domain user now inside ou: hr

hr\domain account inside ou
0
Guy LidbetterCommented:
Can you provide the full settings of the GPO?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

mikey250Author Commented:
qns1.  I have been whatching this youtube below and (surely just for the purposes of allowing a domain user to logon to the domain, I should not have to follow these steps)  ?

https://www.youtube.com/watch?v=E9DHniAe5So
0
mikey250Author Commented:
hi guy, I have not set anything else in gpmc, except for attempting to confirm 'win7redirect' functions, as desktop win 7 is logging via same local switch as currently master dc.
0
mikey250Author Commented:
I have done this in windows 2003 no problem in passed but cannot do in win 2008.
0
Guy LidbetterCommented:
If you have not set any values in the policy, windows will not process it.

If you run a gpresult /r on the user when logged in, the policy is linked on the User OU and it is scoped for authenticated users, but it has no settings applied it will show up as not processed as it is empty under "Group Policies not applied"

If you have set the folder redirection in the User Configuration > Windows Settings > Folder Redirection and it is still not applying... then it's either a permissions issue on the policy or its not linked properly.
0
mikey250Author Commented:
for some unknown reason now due to trying different things:

- gpresult /r - enter

- applied group policy objects

n/a

nothing added
0
Guy LidbetterCommented:
Can you open an Admin CMD Window (right click > run as Admin) and then run gpresult /r and post the result?
0
mikey250Author Commented:
I have only set via gpmc:

- desktop:  \\fileserver\win7redirect
- documents:  \\fileserver\win7redirect
0
mikey250Author Commented:
hi guy,

logged back on win 7 desktop:

open cmd and right click to run as admin: gpresult /r - same result as user 'n/a'
0
mikey250Author Commented:
hi gud,

ive attached 2 x screenshot of: gpmc & file server redirect folder.

note: all are (default settings) except adding domain user: johnc for example
gpo-screenshot.docx
fileserver-screenshot.docx
0
mikey250Author Commented:
note:  I do not wish to set everything up via the redirection folder.....I just wish to initially get the gpo\redirection initially detected and then a folder automatically be created on my file server and that is it.

I am not sure if just creating the following redirection folder by itself is sufficient to be detected and a folder then be created automatically on my fileserver

I have added:

- documents
- desktop
0
mikey250Author Commented:
I have also configured:

gpmc:
\computer configuration\policies\admin templates\system\folder redirection:

I have configured:

gpmc:
\computer configuration\policies\admin templates\system\group policy:

- folder redirection policy processing - enabled
- group policy slow line detection - enabled
- group policy refresh interval for computers - enabled
- files policy processing - enabled
- folders policy processing - enabled
0
Guy LidbetterCommented:
Hi Mikey, from what I can see everything is almost configured correctly. To Fix...

1. Add Everyone with FULL Control on the share permission. (The access will be controlled by NTFS permissions on the security tab - so this is ok)
2. Use the following settings for NTFS Permissions (Security Tab in properties) on the Win7Redirect Folder :
CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
System - Full Control (Apply onto: This Folder, Subfolders and Files)
Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
Everyone - List Folder/Read Data (Apply onto: This Folder Only)
Everyone - Read Attributes (Apply onto: This Folder Only)
Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

If a new user then logs in the GPO should create the folder on the share as you hope.
Please check two things: On the GPO delegation Tab Authenticated Users have Read access, and on the Scope tab Authenticated Users are in the Security Filtering.

Then please login with the HR User on HR-DESK-01 and run the admin gpresult /r and post the FULL output here.

You can hide sensitive info if need be.... just replace it with xxxxx
0
mikey250Author Commented:
morning guy,

qns1.  I will check this then amend accordingly, but what I do not understand is why is this not done automatically and why does all the above need to be done when I am trying to just allow a domain user to have a folder auto created at \\fileserver\win7redirect ?
0
Guy LidbetterCommented:
Morning Mikey,

It would be nice if it just did everything automatically, but then system admins wouldn't be needed ;-P

It needs to be done like this to prevent anybody from just going to any folder in the share they like.
Because the "Everyone" group has the Create Folder/Append Data right on Win7Redirect, anyone who logs in with the GPO assigned has the proper permissions to create their own folder in the share; however, the members are not able to read the data afterwards.
The %Username% variable in the GPO, as you know,  is the name of the user that is logging on and then creates the folder. Because the folder (%Username%) is a child of the parent folder (Win7Redirect) , it inherits the permissions that you assigned to Win7Redirect. Also, because the user is creating the folder when first logging on, the user gains full control of the folder because of the Creator Owner Permission setting.

I hope this helps you understand a little better...
0
Guy LidbetterCommented:
Oh, by the way... it is best practice for the Root Home folder (Win7Redirect) to be a hidden System Share so people can't stumble across it just browsing the network...  you do this by adding a $ to the end of the share name in the share permissions tab...

I.E. the folder is shared as Win7Redirect$

You wouldn't need to add the $ when UNC-ing to the path... i.e.  "\\FILESERVER\Win7Redirect\" would still work...  it just wouldn't appear when browsing.
0
mikey250Author Commented:
yes thanks for that info as ive been given that info before but keep forgetting about it.!!  not that im going to remember but I need to.

qns1.  that being said, if a individual is new to this how would they know when creating gpo's for a user to have a folder appear on a share as you describe, where is there that link that states, do what you say above  ?
0
Guy LidbetterCommented:
I've just been in the business too long...
Quick google of "Setup Folder Redirection" and found this gem....

https://4sysops.com/archives/folder-redirection-part-1-introduction/
0
mikey250Author Commented:
hi guy,  I have added the 'everyone' full control in the advanced share\properties.

qns1.  but when I then click on 'security' tab and highlight 'creator owner' and select 'full control' and apply it removes those ticks  and for the others   why  ?
0
mikey250Author Commented:
hi guy,

I have attached a screenshot of what my issue is, as when I attempt to change stuff it appears to add extra things.

qns1.  Include inheritable permissions from this objects parents – If I have highlighted ‘Win7redirection’ then that folder is my ‘parent’ folder – So never really understood this ?

qns2. Replace all existing inheritable permissions on all descendants with inheritable permissions from this object – Never really understood this  ?
test-redirect-folder-screenshot.docx
0
Guy LidbetterCommented:
OK - first he answers to the Qns...

Ans1. It works like this, for example in "c:\windows\system32\drivers"  c:\ is the root, it is also the parent of any folders in it and so on with every folder in a tree...  i.e. Windows is a child of C: but a parent of System32. System32 is then a Child of Windows, but a Parent of Drivers... and so on through the folder structure. So if you include inheritable permissions from the parent, when you create a folder it will automatically have any permissions set on the folder in which it is created.

Ans2. If you have any Child folders under your current folder that have specific permissions set on an inheritable permissions, i.e the everyone group, and children folders under those etc... doing this will replace them with whatever permissions are on the folder you are editing. Be careful with this!!

Now on to your issue.... There is no issue... If the Special box is ticked and everything else not ticked (which is normal with special permissions), and you open advanced security settings and it tells you full control is set... then no problem.
0
mikey250Author Commented:
ans1.  c:\ is the root - it is also the parent of any folders - ok understood

- "& win7redirect is the child which inherits permissions from the e:\ - as the following is located: e:\win7redirect"

ok in which case I have not changed anything at all, which brings me back to why don't my 'redirection' folder work  ?

1. add everyone with full control on the share permission. (the access will be controlled by ntfs permissions on the security tab - yes I have set this ok

2. use the following settings for ntfs permissions (security tab in properties) on the win7redirect folder :
 creator owner - full control (apply onto: subfolders and files only) - the below set by default below and not 'full control':

security tab\advanced:

- creator owner - special e:\ - subfolders and files only
- creator owner - special <not inherited> - subfolders and files only


 system - full control (apply onto: this folder, subfolders and files) - yes set by default

 domain admins - full control (apply onto: this folder, subfolders and files)

I gather the 'domain admins' is referring to:

- administrators (fileserver\administrators) - special <not inherited>
- administrators (fileserver\administrators) full control e:\


I presume the 'everyone' I set a full will allow this but not sure how to check:

 everyone - create folder/append data (apply onto: this folder only)
 everyone - list folder/read data (apply onto: this folder only)
 everyone - read attributes (apply onto: this folder only)
 everyone - traverse folder/execute file apply onto: this folder only)
0
mikey250Author Commented:
I have added the following:

security tab:
everyone - full control
domain user - full control

my win 7 desktop logs onto the domain successfully and I can then browse to \\fileserver\win7redirect - & I can open 'win7redirect' but folder is completely empty.

I have also rebooted the machine multiple times and run: gpresult /r - shows n/a still

im thinking there is something wrong with my gpmc: ou & group
0
Guy LidbetterCommented:
Can you post a screen shot of the CMD window after running gpresult /r?
0
mikey250Author Commented:
hi ive attached what you asked for.
gpresultwin7desktopscreenshot.docx
0
Zacharia KurianAdministrator- Data Center & NetworkCommented:
0
Guy LidbetterCommented:
Mikey - That's not a domain user... That's the local user on the PC - of course he wont get the policy as its only for domain users...

You need to logon to the desktop with an itservices.local Domain User Account.
0
mikey250Author Commented:
hi guy,  I need to create another 'thread' as you have been helping me with additional stuff, so that I can allocate you the points once resolved if that's ok  ?

the below is the thread:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28648837.html
0
Guy LidbetterCommented:
That's great, Thanks Mikey
0
mikey250Author Commented:
as expert guy has been assisting me on a question that was linked to this question due to my specific issue.  I have created a new thread that this same expert is still giving me advice on so I will allocate points for this specific question to him as he answered my question anyhow.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.