Mark
asked on
Domain users not able to automatically get redirected desktop folders
Our office has been running Samba4 as the Active Directory / Domain Controller for about 4 years. Recently, I've been upgrading workstations, still Windows 7, just faster processors. I've noticed after joining the workstation to the domain and logging in as a domain user that the user's redirected desktop is not there. To get it I have to go to C:\Users\userid\Desktop > Properties, and change the location from C:\Users\userid\Desktop to \\mail.hprs.local\Users\userid\Desktop, then delete the Desktop folder from C:. I have to do likewise for the other redirected folders: 'Favorites' and 'My Documents'.
This was not the case before. Any domain user could log onto any domain workstation and get his/her redirected Desktop immediately upon login.
I've checked the event log from a recently set up workstation. In the System log I have several Group Policy errors. The first one is shown in the attachment and gives the 'General' error: "The processing of Group Policy Failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,cn={B78D19CB-914B-48F4-AA63-FD8708A55ED7},cn=policies,cn=system,DC=hprs,DC=local. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure."
The event details are as shown below:
# record 181
dn: CN=Machine,CN={B78D19CB-914B-48F4-AA63-FD8708A553D7},CN=Policies,CN=System,DC=hprs,DC=local
objectClass: top
objectClass: container
cn: Machine
instanceType: 4
whenCreated: 20140913070842.0Z
whenChanged: 20140913070842.0Z
uSNCreated: 3723
uSNChanged: 3723
showInAdvancedViewOnly: TRUE
name: Machine
objectGUID: c326b663-5878-422f-9e4a-9e3885ebc4be
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=hprs,DC=local
distinguishedName: CN=Machine,CN={B78D19CB-914B-48F4-AA63-FD8708A553D7},CN=Policies,CN=System,DC=hprs,DC=local
The file permissions on the file listed in details are:
> ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
total 16
drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
-rwxrwx--- 1 root users 958 2014-09-13 04:01 Registry.po*
-rwxrwx--- 1 BUILTIN\administrators users 958 2014-09-13 04:01 Registry.pol*
drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
There are other policy errors on other CNs, but I'll try to deal with one at a time.
Any ideas on this error?
general.png
ASKER
Shaun Vermaak: "Users need read rights to policies otherwise they will get Access Denied"
Perhaps read-rights are granted some other way besides just native file permissions? I checked with a backup from a year ago and the permissions on Registry.pol are set the same as they are shown in my OP. I'm not sure that explains it.
compdigit44: "Are other GP's processing ok?"
Some are and some are not. The folder redirection does not initially work unless I manually point the user's desktop there. Nor do the Protected View, Trust Center policies (except for the one User who has not yet been upgraded). On the other hand, Remote Desktop Connection works, but maybe that would work without a GP.
The "Access denied" thing is puzzling. I'll try setting read access for all on that policy, but I'm skeptical that will do anything.
Meanwhile, here's a related error that is generated just after the 1096 error in my OP. The 'General' message is, "Event 1085, GroupPolicy. Windows failed to supply the folder Redirection settings. Folder Redirection settings might have its own log file. Please click on the "More information" Link." (I don't see a "More Information" link).
Details are:
ASKER
Anyone on this? I've tried several things and am still getting the "Event 1085, GroupPolicy. Windows failed to apply the folder Redirection settings." and the 1096 access denied error shown above.
ASKER
I found the solution. Points to Shaun and compdigit44 for giving it a shot.
ASKER
Steve Knight, Comment posted 2018-05-13
I snagged that record out of the sam.ldb because its dn was the one listed in the GPOCNName in the Error Detail.
Yes.
Interesting. I didn't know about this command. I've run this on a newer and an older workstation. Output attached. One caveat, the older workstation isn't that old. It was updated a year ago, so it may very well be suffering from the same problems. The original workstations (joined to domain circa 2014) are now all mothballed. In any case, these gpresult outputs show interesting differences. For example, the 'new' listing does not have a heading for COMPUTER SETTINGS. I'll examine these files for more information.
Yes, that could very well be. We don't turn over or add to staff often, but if I recall correctly the last time we added a new user was in 2016, although that was using an existing workstation.
If by "roaming profiles" you mean do or can users log onto other workstations and get their own desktops, then YES, we use them. That's actually how this question originated; that stopped working. If there's something special to be done to set this up I'm unaware of what.
I think a big clue must be that the original event log error said, "Access is denied", but the Domain Administrator is able to get its redirected desktop when logging onto any domain workstation. This might point to the permission issue David Johnson brought up, though I need more clarification on that.
This all is getting more important because we now want to add a Mac computer to the domain, so I want my policies all working correctly with Windows before trying that.
security.png
gpresult-old.txt
gpresult-new.txt