mikey250

domain functionality windows 2008 gpresult shows 2000

hi I have just setup a windows 2008 standard domain server/ad/dns/dhcp and the following are also linked to the domain;

- fileserver - detected in dns & dhcp successfully
- win 7 desktop - detected in dns & dhcp successfully

task 1.

- aduc: manually created win 7 desktop inside aduc\computers default folder

task 2.

fileserver:

- shared folder: e\win7redirect -

security tab: added authenticated users & win7 user domain name: johnc with default access instead of full control at this stage as want to confirm user folder is created

task 3.

desktop domain user win 7:

- aduc: user profile tab: \\fileserver\win7redirect\%username%

task 4.

- aduc: ou & group name as below:

- hr\user_hr - domain user inside group

task 5.

default aduc - \computers folder

- win 7 desktop - inside computers folder as stated above

gpresult - not detecting 'redirection folder'

task 6.

master dc:

- active directory user accounts - domain functionality states windows 2008

gpresult - domain type: 2000

task 7.

gpmc: configured and linked to group folder ie hr_users

- edited gpo and set: \\fileserver\win7redirect - successful
- gpo\setting tab: confirmed above is set

task 8.

- removed gpo \\fileserver\win7redirect

- confirmed in gpo\settings tab that above is removed

issue:

- repeated above task 1 - 7 -  but still same issue not connecting to \\fileserver\win7redirect - folder


q1.  can anyone advise ?
ASKER CERTIFIED SOLUTION
Guy Lidbetter

mikey250

ASKER

yes below is done:

task 1.

fileserver:

- shared folder: e\win7redirect -

security tab: added authenticated users & win7 user domain name: johnc with default access instead of full control at this stage as want to confirm user folder is created

task 2.

- ou: hr

task 3.

gpmc: right click (ou: hr) and linked\created group folder: hr_users

- edited gpo and set: \\fileserver\win7redirect - successful
- gpo\setting tab: confirmed above is set

task 4.

domain user now inside ou: hr

hr\domain account inside ou
Can you provide the full settings of the GPO?
qns1.  I have been watching this youtube below and (surely just for the purposes of allowing a domain user to logon to the domain, I should not have to follow these steps)  ?

https://www.youtube.com/watch?v=E9DHniAe5So
hi guy, I have not set anything else in gpmc, except for attempting to confirm 'win7redirect' functions, as desktop win 7 is logging via same local switch as currently master dc.
I have done this in windows 2003 no problem in the past but cannot do in win 2008.
If you have not set any values in the policy, windows will not process it.

If you run a gpresult /r on the user when logged in, the policy is linked on the User OU and it is scoped for authenticated users, but it has no settings applied it will show up as not processed as it is empty under "Group Policies not applied"

If you have set the folder redirection in the User Configuration > Windows Settings > Folder Redirection and it is still not applying... then it's either a permissions issue on the policy or it's not linked properly.
for some unknown reason now due to trying different things:

- gpresult /r - enter

- applied group policy objects

n/a

nothing added
Can you open an Admin CMD Window (right click > run as Admin) and then run gpresult /r and post the result?
I have only set via gpmc:

- desktop:  \\fileserver\win7redirect
- documents:  \\fileserver\win7redirect
hi guy,

logged back on win 7 desktop:

open cmd and right click to run as admin: gpresult /r - same result as user 'n/a'
hi guy,

ive attached 2 x screenshot of: gpmc & file server redirect folder.

note: all are (default settings) except adding domain user: johnc for example
gpo-screenshot.docx
fileserver-screenshot.docx
note:  I do not wish to set everything up via the redirection folder.....I just wish to initially get the gpo\redirection initially detected and then a folder automatically be created on my file server and that is it.

I am not sure if just creating the following redirection folder by itself is sufficient to be detected and a folder then be created automatically on my fileserver

I have added:

- documents
- desktop
I have also configured:

gpmc:
\computer configuration\policies\admin templates\system\folder redirection:

I have configured:

gpmc:
\computer configuration\policies\admin templates\system\group policy:

- folder redirection policy processing - enabled
- group policy slow line detection - enabled
- group policy refresh interval for computers - enabled
- files policy processing - enabled
- folders policy processing - enabled
Hi Mikey, from what I can see everything is almost configured correctly. To Fix...

1. Add Everyone with FULL Control on the share permission. (The access will be controlled by NTFS permissions on the security tab - so this is ok)
2. Use the following settings for NTFS Permissions (Security Tab in properties) on the Win7Redirect Folder :
CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
System - Full Control (Apply onto: This Folder, Subfolders and Files)
Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
Everyone - List Folder/Read Data (Apply onto: This Folder Only)
Everyone - Read Attributes (Apply onto: This Folder Only)
Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

If a new user then logs in the GPO should create the folder on the share as you hope.
Please check two things: On the GPO delegation Tab Authenticated Users have Read access, and on the Scope tab Authenticated Users are in the Security Filtering.

Then please login with the HR User on HR-DESK-01 and run the admin gpresult /r and post the FULL output here.

You can hide sensitive info if need be.... just replace it with xxxxx
morning guy,

qns1.  I will check this then amend accordingly, but what I do not understand is why is this not done automatically and why does all the above need to be done when I am trying to just allow a domain user to have a folder auto created at \\fileserver\win7redirect ?
Morning Mikey,

It would be nice if it just did everything automatically, but then system admins wouldn't be needed ;-P

It needs to be done like this to prevent anybody from just going to any folder in the share they like.
Because the "Everyone" group has the Create Folder/Append Data right on Win7Redirect, anyone who logs in with the GPO assigned has the proper permissions to create their own folder in the share; however, the members are not able to read the data afterwards.
The %Username% variable in the GPO, as you know,  is the name of the user that is logging on and then creates the folder. Because the folder (%Username%) is a child of the parent folder (Win7Redirect) , it inherits the permissions that you assigned to Win7Redirect. Also, because the user is creating the folder when first logging on, the user gains full control of the folder because of the Creator Owner Permission setting.

I hope this helps you understand a little better...
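
The NTFS entries listed in the answer above, applied with PowerShell on the file server and then listed back so inherited and explicit entries can be told apart. This is an added example, not part of the original posts; the folder path comes from the thread, while the `ITSERVICES` NetBIOS domain name and the parameter names are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Assumed values: $Root is the folder named in the thread; $AdminGroup uses a
# NetBIOS domain name guessed from itservices.local, so adjust it to yours.
param(
    [string]$Root       = 'E:\Win7Redirect',
    [string]$AdminGroup = 'ITSERVICES\Domain Admins'
)

$both = 'ContainerInherit, ObjectInherit'   # subfolders and files

# Each entry: identity, rights, inheritance flags, propagation flags.
#  1. CREATOR OWNER, subfolders and files only: the creator gets Full Control
#     inside the folder they create, not on the root itself.
#  2. SYSTEM and 3. Domain Admins: this folder, subfolders and files.
#  4. Everyone, this folder only: enough to create and reach %username%,
#     with nothing inherited by other users' folders.
$entries = @(
    @('CREATOR OWNER',       'FullControl', $both, 'InheritOnly'),
    @('NT AUTHORITY\SYSTEM', 'FullControl', $both, 'None'),
    @($AdminGroup,           'FullControl', $both, 'None'),
    @('Everyone', 'CreateDirectories, ListDirectory, ReadAttributes, Traverse',
      'None', 'None')
)

$acl = Get-Acl -Path $Root
foreach ($e in $entries) {
    # Strings are converted to the FileSystemRights / InheritanceFlags /
    # PropagationFlags / AccessControlType enums by the constructor binding
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e[0], $e[1], $e[2], $e[3], 'Allow')
    # AddAccessRule merges with what is already there; it never removes a
    # broader entry, so check the listing below for leftovers
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Root -AclObject $acl

# IsInherited separates entries coming down from E:\ from explicit ones
(Get-Acl -Path $Root).Access |
    Sort-Object IsInherited, IdentityReference |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags,
                 PropagationFlags, IsInherited -AutoSize
```

Any explicit "Everyone - FullControl" row that still appears in the listing was set earlier by hand and has to be removed separately for the per-user isolation described above to hold.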
Oh, by the way... it is best practice for the Root Home folder (Win7Redirect) to be a hidden System Share so people can't stumble across it just browsing the network...  you do this by adding a $ to the end of the share name in the share permissions tab...

I.E. the folder is shared as Win7Redirect$

You wouldn't need to add the $ when UNC-ing to the path... i.e.  "\\FILESERVER\Win7Redirect\" would still work...  it just wouldn't appear when browsing.
yes thanks for that info as ive been given that info before but keep forgetting about it.!!  not that im going to remember but I need to.

qns1.  that being said, if a individual is new to this how would they know when creating gpo's for a user to have a folder appear on a share as you describe, where is there that link that states, do what you say above  ?
I've just been in the business too long...
Quick google of "Setup Folder Redirection" and found this gem....

https://4sysops.com/archives/folder-redirection-part-1-introduction/
hi guy,  I have added the 'everyone' full control in the advanced share\properties.

qns1.  but when I then click on 'security' tab and highlight 'creator owner' and select 'full control' and apply it removes those ticks  and for the others   why  ?
hi guy,

I have attached a screenshot of what my issue is, as when I attempt to change stuff it appears to add extra things.

qns1.  Include inheritable permissions from this objects parents – If I have highlighted ‘Win7redirection’ then that folder is my ‘parent’ folder – So never really understood this ?

qns2. Replace all existing inheritable permissions on all descendants with inheritable permissions from this object – Never really understood this  ?
test-redirect-folder-screenshot.docx
OK - first the answers to the Qns...

Ans1. It works like this, for example in "c:\windows\system32\drivers"  c:\ is the root, it is also the parent of any folders in it and so on with every folder in a tree...  i.e. Windows is a child of C: but a parent of System32. System32 is then a Child of Windows, but a Parent of Drivers... and so on through the folder structure. So if you include inheritable permissions from the parent, when you create a folder it will automatically have any permissions set on the folder in which it is created.

Ans2. If you have any Child folders under your current folder that have specific permissions set on an inheritable permission, i.e. the everyone group, and children folders under those etc... doing this will replace them with whatever permissions are on the folder you are editing. Be careful with this!!

Now on to your issue.... There is no issue... If the Special box is ticked and everything else not ticked (which is normal with special permissions), and you open advanced security settings and it tells you full control is set... then no problem.
ans1.  c:\ is the root - it is also the parent of any folders - ok understood

- "& win7redirect is the child which inherits permissions from the e:\ - as the following is located: e:\win7redirect"

ok in which case I have not changed anything at all, which brings me back to why don't my 'redirection' folder work  ?

1. add everyone with full control on the share permission. (the access will be controlled by ntfs permissions on the security tab) - yes I have set this ok

2. use the following settings for ntfs permissions (security tab in properties) on the win7redirect folder :
 creator owner - full control (apply onto: subfolders and files only) - the below set by default below and not 'full control':

security tab\advanced:

- creator owner - special e:\ - subfolders and files only
- creator owner - special <not inherited> - subfolders and files only


 system - full control (apply onto: this folder, subfolders and files) - yes set by default

 domain admins - full control (apply onto: this folder, subfolders and files)

I gather the 'domain admins' is referring to:

- administrators (fileserver\administrators) - special <not inherited>
- administrators (fileserver\administrators) full control e:\


I presume the 'everyone' I set a full will allow this but not sure how to check:

 everyone - create folder/append data (apply onto: this folder only)
 everyone - list folder/read data (apply onto: this folder only)
 everyone - read attributes (apply onto: this folder only)
 everyone - traverse folder/execute file (apply onto: this folder only)
I have added the following:

security tab:
everyone - full control
domain user - full control

my win 7 desktop logs onto the domain successfully and I can then browse to \\fileserver\win7redirect - & I can open 'win7redirect' but folder is completely empty.

I have also rebooted the machine multiple times and run: gpresult /r - shows n/a still

im thinking there is something wrong with my gpmc: ou & group
Can you post a screen shot of the CMD window after running gpresult /r?
hi ive attached what you asked for.
gpresultwin7desktopscreenshot.docx
Mikey - That's not a domain user... That's the local user on the PC - of course he won't get the policy as it's only for domain users...

You need to logon to the desktop with an itservices.local Domain User Account.
hi guy,  I need to create another 'thread' as you have been helping me with additional stuff, so that I can allocate you the points once resolved if that's ok  ?

the below is the thread:

https://www.experts-exchange.com/questions/28648837/gpo-redirect-folder-domain-user-not-detecting.html
That's great, Thanks Mikey
as expert guy has been assisting me on a question that was linked to this question due to my specific issue.  I have created a new thread that this same expert is still giving me advice on so I will allocate points for this specific question to him as he answered my question anyhow.