• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1033
  • Last Modified:

User shortcuts asking for permission to open file after folders redirected in GPO

We have a Windows Server 2012 R2 Hyper-V host, running several Server 2012 R2 VMs (e.g. DC, File Server, apps server, etc.).
We have recently migrated from SBS 2003 to Server 2012 R2.
As part of this I had removed the SBS GPO that redirected user documents to the SBS server, so that all users' 'My documents' folders were back on each users' local hard drive. Last week I added anew GPO to redirect the users' documents folders back to a new server. I didn't include the Pictures, Videos and Music folders (because they are large and mostly personal rather than business-related).
A few days later, I also redirected AppData, Desktop, Favorites and Start Menu.

Since then users are complaining about a dialogue box that appears when a shortcut is opened.

The message says:
Open File
Do you want to open this file?
It shows the name, type and location of the file.
Options are 'Open' or 'Cancel' and there is a security warning/explanation at the bottom of the dialogue box.

Clicking on 'Open' works as it should, but it adds an extra click to every shortcut.

Can someone tell me how to overcome this?

  • 2
2 Solutions
Joseph MoodyBlogger and wearer of all hats.Commented:
Add your UNC path to the list of internal sites in Internet Explorer.
gregmiller4itAuthor Commented:
Can I use Group Policy to do this for all users?
You can absolutely do that.  In your GPO, go into the Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page and the SiteToZone Assignment List setting is there.
Enable the policy, and click the Show button.
In the subsequent dialog box you'll enter the sites that you want to set.  BTW.. this also overrides the ability of the user to set their own security zones.  
You'll put in the dns names plus the zone assignment by number.

Zone 0 - this is undocumented, but does exist, and it tells IE that the file is running on the local computer.
Zone 1 - this is the Local Intranet zone
Zone 2 - this is the Trusted Sites zone
Zone 3 - this is the Internet zone -- by default, IE treats all URLS that contain periods as being Internet zones, unless it is overridden
Zone 4 - this is the Untrusted Sites zone

In addition, you can include handlers and wildcards in the zone names you enter.
if you put in domain.local = 2, then everything that presents itself as domain.local will be trusted.. it could be ftp, http, https, etc.
If you put in http://*.domain.local = 2, then only the http protocol for all subdomains of domain.local will be trusted

gregmiller4itAuthor Commented:
Ok. That's sorted.
At first it didn't seem to make a difference...but I eventually worked out that if I added the following UNC path as Zone 0, it worked:
It didn't seem to work at first, but I redirected the 'Start Menu' back to the local computer and the links in the Start Menu stopped giving the security warning. The Task Bar links still gave the warning.
I put the Start Menu redirection back in and tested it and the Start Menu still didn't give the warning, so then I checked the Task Bar and the warning had disappeared.
I suspect that it actually took more than one logoff/on for the Zone 0 addition to take effect...otherwise I can't explain it.
But anyway it is sorted now.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now