[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Folder Redirection GPO Not Applying

Posted on 2016-09-22
3
Medium Priority
?
62 Views
Last Modified: 2016-09-23
I have a gpo for folder redirection on our server running 2012 r2 standard.  It is set to apply to an AD group called "folder redirection users".  It has been working fine for the past few months, but the last week or so none of the PC's show it applied when I run rsop,msc.  If I look at user configuration properties the GPO says "filtering not applied (unknown error)"
0
Comment
Question by:DenTechCO
  • 2
3 Comments
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41811028
Try running
gpresult /h output.htm

Open in new window

on one of the computers that should be applying the policy.  Make sure you run it from an administrator prompt.

That will create an output file (Open it in internet explorer and enable the active x controls when prompted).  There should be detailed information on what was applied, filtered denied etc...

(IMO) GPResult directly on the host will provide more accurate and detailed error information
0
 

Author Comment

by:DenTechCO
ID: 41811075
So it's definitely a security filtering issue.  The gpresult shows a message "access denied: security filtering"  I have verified the group it applies to has read and apply policy permissions.  I have also tested creating a new group and applying it to that one with the same results.
0
 
LVL 6

Accepted Solution

by:
sAMAccountName earned 1500 total points
ID: 41811213
OK...  In the output file, there should be a section which shows what groups the computer was a member of...  Make sure your security group is listed there.  Group membership for computers is a little different for users...  The token which contains the membership is updated much more slowly.  If you added the computer recently, the computer may not have the membership in the token and thus cant read the policy.  

You can restart the server to immeidately update group membership or you can use klist to purge the kerberos tickets and force it without a restart:

Update servers group membership
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Let's recap what we learned from yesterday's Skyport Systems webinar.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question