Disable Folder Redirection - One User


A client has asked me to disabled folder redirection for one user (desktop and documents)

The problem I have is that the policy set for the redirection is within the main 'default domain policy' and user this we have the firewall settings and mapped drives and security settings, so I can't just remove the user from the group. The scope settings are set to use authenticated users.

I was going to try this - https://social.technet.microsoft.com/Forums/windowsserver/en-US/c644aa0d-d0b5-4eac-80b2-4e4b4789d1d3/reversing-or-disabling-folder-redirection

What's the easiest way to disable one user, will I have to create a brand new policy?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

First step you should take is to make sure the settings on the policy are such that should the policy fall out of applying, the setting is to reverse/remove forwarding by copying the data back.
The sevond step deals with verifying that you do not have a policy limiting the size of the profile or it could lead to issues.

Usually a redirection policy applies to all my documents, desktop, application data, and start menu.

The redirection either applies or doesn't.  You can not do a partial redirection with a single redirect policy.

Back to tge question, when you confirm the settings, you would need to use a negative wmi filter to get user not equal to the one you want to exclude.

Once done, after two sequential logins the redirect policy will be revoked from this user.
Note the user may start experiencing longer logon times if there is a large amount of data in their redirected folders.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Will SzymkowskiSenior Solution ArchitectCommented:
The quickest way to accomplish this is to deny access to the policy for this specfiic user on the Security Settings of the GPO. However you mentioned that this Folder Re-direction is tied to Default Domain Policy.

In that case you will need to create another GPO with the exact settings apply it at the domain level to get all users. Then deny access for this specific user on the security settings. Use Authenticated Users so you ensure that it does apply to everyone else.

Remove the folder redirection from Default Domain Policy. Btw Default domain policy should really only have Security settings tied to it. For anything outside of that new gpo's should be created.

That would be the quickest way.

The issue is that once the redirect is set, a subsequent policy will not apply until the existing redirect is revoked first.
Through the reading missed that it was within the default domain policy (rather than within the default domain), cloning the default domain policy. Removing the redirect while as will has suggested creating a folder redirect only GPO to manage the transition.

The redirect directives are set within the user's NTUSER.dat file.
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

ryank85Author Commented:
Ok so far I have applied the following:

Created a new GPO for 'Folder Redirection' and added all the users in here apart from the one user in question.

I have then applied all the folder redirection settings for desktop and documents to point to the relevant locations on the server. (I have then removed the folder redirection settings from the default domain policy)

Is this all I need to do?

Do I need to make any of these settings on the new folder redirection policy?

ryank85Author Commented:
Just found this on google also, sounds about right to transfer the items back to the users PC's first and then activate the new policy?

1. I made sure that the following GP options, for the redirected folders, was enabled:
Under the Settings tab enable "Move the contents of My Documents to the new location" and under Policy Removal enable "Redirect the folder back to the local userprofile when the policy is removed"
2. Make sure all client computer have these new GP settings enabled and have restarted once at least. I gave it a two day grace period after changing the policy.
3. Change the new folder redirection policy to enable.
Will SzymkowskiSenior Solution ArchitectCommented:
Just found this on google also, sounds about right to transfer the items back to the users PC's first and then activate the new policy?

yes you still need to move the items back to the default folder because it will not do this for you.

The removal of the redirect before verifying that the setting on the default domain policy revert the redirect is a mistake. One has to lineup everything and analyze the impact that will last through four subsequent logins. The issue is that the revocation of the default domain policy in the interim has to be managed through the use of wmi filter to exclude a controlled number of users every week until all are transitioned from folder redirect within The default domain policy to the stand alone folder redirect.

Unwinding a mistake made long ago has to be carefully contemplated along with making sure there are no other settings that could impact larger profile folders I.e. Space constraint where the profiles are stored.
ryank85Author Commented:
So are we saying the Google fix won't work?

Ie move the folders back to local and then re enable the new policy with the users that need the redirection.

Will seems to think this will work?
Will SzymkowskiSenior Solution ArchitectCommented:
The quote below is from the TechNet regarding how Folder Re-direction works if it was Enabled previously and then disabled. The files and folders do not get moved back to the local default profile location. They stay in the directory path that was origianlly assigned.

When you set it to Not Configured it will leave the files in tact on the network or another shrae and then anything else, AFTER the change was set to Not Configured, will be saved in the default location.

Not configured . This is the default setting. This setting specifies that policy-based folder redirection was removed for that GPO and the folders are redirected to the local user profile location or stay where they are based on the redirection options selected if any existing redirection policies were set. No changes are being made to the current location of this folder.

See link below for additional details. The quote above is from the lnk below. It is about half way down the TechNet.

That is why i said when you assign the new Folder Re-direction to your users make sure that you move all of the files (FROM THE USER THAT IS NOT GETTING THE FOLDER REDIRECTION POLICY) "sorry for the caps!" back to the local profile as this does NOT move the items back automatically.

Also you should be testing this as well before making changes to the Default Domain Policy. You have the correct theroy with the TechNet but every envrionment is different and should be tested before implementing it in to prodcution.

i.e. the share was on \\server1\ and now that server is being retired/replaced
A transition for folder redirection is a two step process.
One deals with reversing the redirection.
Then the new redirect is applied.
The alternative, is to manually/login script that will copy the data.
Separate Folder redirection is a must to have flexibility.
With DFS/Domain based shares is the best way to manage folder redirection as it provides

The suggestion I provided using provides you with a controlled phase out of the redirect in default domain policy. until you can transition all active users, and have to make sure to limit new users from falling into this trap, by enforcing the folder redirection GPO until the transition is completed.

Are the users also have roaming profiles?

The other option, is to use scripts to mount the ntuser.dat file of each user and update their shell folders entries to point to the locations you want.

In the current setup, there is no easy/simple/painless process.
ryank85Author Commented:
thanks guys

I have changed the default policy to redirect the docs and desktop items back to the local directories, once this has been completed I will enable the new policy  - keep you updated
What do you mean you changed it? The only way to change is to have the settings set to revert when the user falls out of having the policy applied and then have the user fall out of the policy applying.
That is difficult to do with the setting in the default domain policy.
Are you testing this with one user to whom the policy will not apply to see whether on the second logon, the data is being copied back into the profile?
ryank85Author Commented:
I mean i have changed the default domain policy so that the desktop items are set to : Path: Redirect to local user profile path - which to let you know has worked.

I will give this a couple of days to make sure everyone has their desktop items to the local directories, i.e. local c:\users\%username%\desktop\ then I will enable the new policy to redirect the chosen users back to the server.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.