masteritlion asked:

Folder Redirection not applying completely

Folder Redirection is not applying completely.

We've had folder redirection working perfectly under Windows 7, the share published using DFS, offline files are disabled.

The share has full permissions for Authenticated Users.

The NTFS security is set per the Microsoft doc: Folder Redirection best practice

The GPO has read rights for the Authenticated Users under the Delegation tab.
Security filtering is not being used; Authenticated Users resides in the security filtering as per defaults.

The GPO has loopback processing enabled and set to Replace.

Under the event viewer of the desktops the following can be seen:

"Folder redirection is being controlled by group policy" - good

Searches, Links, Contacts, Start Menu all redirect successfully according to the event log.
However, the following do not: Desktop, RoamingAppData, Documents, Pictures, Music, Videos, Favorites, Downloads.
For these the following event is seen; it's as if it does not have a path to redirect to.

I'm at my wits' end as we've recreated the GPO in an effort to fix the problem, recreated the server share, as well as reimaged one desktop.

We're using the Basic setting of folder redirection.
The current desktops are a mix of 1703 and 1803. I should mention this has not worked since deploying Windows 10 in Jan of 2017. We reimaged in order to move to Windows 10, i.e. a clean install.

ADMX templates are updated to version 1703 as well.

We run Server 2016 as our DC.

Don:

Are you redirecting to the server name or the DFS share name?

masteritlion (ASKER):

The DFS share name. If I try to browse directly to the DFS share from one of the problematic desktops, I'm able to do so successfully and also delve into any of the folders within, so it does not look like a permissions issue.

Check the NTFS permissions for the user's subfolder within the share. Does the user have ownership of this folder and Full permissions?

Yes, all of this has been tried already.
The GPO is simply not applying all the folder redirections for some reason. I could not find any other errors in the event log, and according to the RSoP the folder redirection GPO IS being applied.
The root folder NTFS perms are set correctly per the Microsoft doc.
The user's perms are inherited from the root.

Masteritlion:  The permissions shouldn't be inherited unless you don't want these folders to be restricted to access by the user and administrators only. Even if you allowed inherited permissions, the user's account itself has to have Full Permissions applied to "This folder, subfolders and files" in order for profile folders to be redirected successfully. I can't quite tell if you have it set up that way from your screen captures, but it doesn't look like it.

The CREATOR OWNER should have full rights on their own profile. This should be passed down through inheritance per the linked Microsoft doc I posted in the original post.

The following screenshot is from that doc.
I know that sometimes these docs are incorrect.
However, this is what's mentioned there.
The second screenshot I posted is the security settings that were inherited when the user first logged on and the folder was created.

I will tell you what I do that works, where the redirected folder share is on a Windows 2012 server and we have a mix of Win7 and Win10 workstations:

Share permissions: Domain Users: F; Domain Administrators:F
NTFS permissions on shared folder:  
  SYSTEM: F; This folder, subfolders and files
  Domain Users: F; This folder, subfolders and files
  Domain Administrators: F; This folder, subfolders and files

We REMOVE inheritance from the User main subfolder and also remove the Domain Users group and add the individual user:
  Specific User: F; This folder, subfolders and files
  Domain Administrators: F; This folder, subfolders and files
  SYSTEM: F; This folder, subfolders and files

Strictly speaking, SYSTEM doesn't have to be there on the user's main subfolder, but it allows us to do less editing when the subfolder is created if we just leave it there.  

Moreover, we tend to use Roaming Profiles for everything except the Documents folder, which is redirected.  But I know there are a lot of people who don't like roaming profiles, and we work in smaller environments so they're easier to manage.
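
The per-user layout described in the reply above (inheritance removed; the specific user, Domain Administrators and SYSTEM each with Full Control on this folder, subfolders and files) can be checked across a share with a read-only audit. This is an added example, not part of the original thread: the share path and domain are placeholders, `Test-RedirectedFolderAcl` is a hypothetical helper, and it assumes each subfolder is named after the user's logon name, that the administrators group is `Domain Admins`, and English-language account names.

```powershell
# Added example (not from the thread): read-only audit of per-user redirected folders.
# Assumptions: placeholder share path and domain; each subfolder is named after the
# user's logon name; "Domain Admins" is the administrators group; English account names.
param(
    [string]$Root   = '\\example.local\dfs\Redirected',
    [string]$Domain = 'EXAMPLE'
)

$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# Hypothetical helper: returns the deviations from the expected ACL for one folder.
function Test-RedirectedFolderAcl {
    param([string]$Path, [string]$Domain)

    $user     = Split-Path -Path $Path -Leaf
    $expected = @("$Domain\$user", "$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM')
    $acl      = Get-Acl -LiteralPath $Path
    $allow    = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    $findings = @()

    # Inheritance is expected to be removed on the user's main subfolder.
    if (-not $acl.AreAccessRulesProtected) { $findings += 'inheritance is still enabled' }

    # Each expected identity needs Full Control on "This folder, subfolders and files".
    foreach ($id in $expected) {
        $match = $allow | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            ($_.FileSystemRights -band $Full) -eq $Full -and
            $_.InheritanceFlags -eq $Inherit -and
            $_.PropagationFlags -eq 'None'
        }
        if (-not $match) { $findings += "no Full Control ACE for $id" }
    }

    # Any other identity with access (for example Domain Users) is broader than intended.
    foreach ($ace in $allow) {
        if ($expected -notcontains $ace.IdentityReference.Value) {
            $findings += "unexpected ACE: $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
        }
    }
    [pscustomobject]@{ Folder = $Path; Compliant = ($findings.Count -eq 0); Findings = $findings -join '; ' }
}

Get-ChildItem -LiteralPath $Root -Directory |
    ForEach-Object { Test-RedirectedFolderAcl -Path $_.FullName -Domain $Domain } |
    Format-Table -AutoSize -Wrap
```

The script only reads ACLs; folders created under the CREATOR OWNER layout discussed elsewhere in the thread will be reported as non-compliant with this stricter per-user layout.
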

We had it set up exactly like that a few years ago, but it required manual editing. This setup is supposed to take the creator of the folder and give them ownership over the folder, and then the 'creator owner' has full perms over the subfolders and files.
Theoretically I understand what it's doing and it should work.
I know I can just give Domain Users full read and write perms on the root of the folder too, but of course I'd rather not do that.

Yes, I don't disagree, but I've never been able to get it to work properly with the "creator owner" settings either. My other thought is that maybe you need to use the "Grant the user exclusive rights" setting, although that would then remove your administrators group access. Perhaps someone else will chime in here that has some insight into how to make it work with that permission setting.

ASKER CERTIFIED SOLUTION

masteritlion:

The issue was not with the permissions or configuration itself but with the fact that the policy was not applying to the site-based GPO. This is a separate problem which will need to be investigated as well.