Mark asked:
Domain users not able to automatically get redirected desktop folders

Our office has been running Samba4 as the Active Directory / Domain Controller for about 4 years. Recently, I've been upgrading workstations, still Windows 7, just faster processors. I've noticed after joining the workstation to the domain and logging in as a domain user that the user's redirected desktop is not there. To get it I have to go to C:\Users\userid\Desktop > Properties, and change the location from C:\Users\userid\Desktop, to \\mail.hprs.local\Users\userid\Desktop, then delete the Desktop folder from C:. I have to do likewise for the other redirected folders: 'Favorites' and 'My Documents'.

This was not the case before. Any domain user could log onto any domain workstation and get his/her redirected Desktop immediately upon login.

I've checked the event log from a recently set up workstation. In the System log I have several Group Policy errors. The first one is shown in the attachment and gives the 'General' error: "The processing of Group Policy Failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,cn={B78D19CB-914B-48F4-AA63-FD8708A55ED7},cn=policies,cn=system,DC=hprs,DC=local. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure."

The event details are as shown below:
# record 181
dn: CN=Machine,CN={B78D19CB-914B-48F4-AA63-FD8708A553D7},CN=Policies,CN=System,DC=hprs,DC=local
objectClass: top
objectClass: container
cn: Machine
instanceType: 4
whenCreated: 20140913070842.0Z
whenChanged: 20140913070842.0Z
uSNCreated: 3723
uSNChanged: 3723
showInAdvancedViewOnly: TRUE
name: Machine
objectGUID: c326b663-5878-422f-9e4a-9e3885ebc4be
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=hprs,DC=local
distinguishedName: CN=Machine,CN={B78D19CB-914B-48F4-AA63-FD8708A553D7},CN=Pol
 icies,CN=System,DC=hprs,DC=local


The file permissions on the file listed in details are:
> ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
total 16
drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
-rwxrwx--- 1 root                   users  958 2014-09-13 04:01 Registry.po*
-rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/


There are other policy errors on other CNs, but I'll try to deal with one at a time.

Any ideas on this error?
general.png
Mark (ASKER):
David Johnson, CD, MVP, Comment posted, 2018-05-13

If I compare this to Windows AD security, you're missing a bunch of permissions:
Creator Owner Full Control
Authenticated Users Read & Execute
Domain Admins Full Control
Enterprise Admins Full Control
System Full control
You may very well be right, although I'm not seeing where you're seeing the permission in what I've posted. I've attached an image with the folder ownership for \\addc\Users\doris\Desktop listed as "Account Unknown". doris is supposed to be the domain user owning this folder. Permissions on this folder for CREATOR OWNER are listed as "special" and are all checked as "Allow". Maybe this is not what you're referring to. Please clarify and I'll go about fixing permissions.

Steve Knight, Comment posted 2018-05-13

Is that policy called "machine" the one doing the redirect as it would be user related my machine?
I snagged that record out of the sam.ldb because its dn was the one listed in the GPOCNName in the Error Detail.

Do your existing machines also cite a similar error?
Yes.

Does gpresult /z on old and new machines show up ok?
Interesting. I didn't know about this command. I've run this on a newer and an older workstation. Output attached. One caveat, the older workstation isn't that old. It was updated a year ago, so it may very well be suffering from the same problems. The original workstations (joined to domain circa 2014) are now all mothballed. In any case, these gpresult outputs show interesting differences. For example, the 'new' listing does not have a heading for COMPUTER SETTINGS. I'll examine these files for more information.

Could it be the policy has not been applying for years but the existing redirection policy was in place for users in the existing profiles on computers - also do you use roaming profiles?
Yes, that could very well be. We don't turn over or add to staff often, but if I recall correctly the last time we added a new user was in 2016, although that was using an existing workstation.

If by, "roaming profiles" you mean do or can users log onto other workstations and get their own desktops, then YES, we use them. That's actually how this question originated; that stopped working. If there's something special to be done to set this up I'm unaware of what.

I think a big clue must be that the original event log error said, "Access is denied", but the Domain Administrator is able to get its redirected desktop when logging onto any domain workstations. This might point to the permission issue David Johnson brought up, though I need more clarification on that.

This all is getting more important because we now want to add a Mac computer to the domain, so I want my policies all working correctly with Windows before trying that.
security.png
gpresult-old.txt
gpresult-new.txt
SOLUTION by Shaun Vermaak (members-only content, not shown)
SOLUTION (members-only content, not shown)
Mark (ASKER):
Shaun Vermaak:
Users need read rights to policies otherwise they will get Access Denied
Perhaps read-rights are granted some other way besides just native file permissions? I checked with a backup from a year ago and the permissions on Registry.pol are set the same as they are shown in my OP. I'm not sure that explains it.

compdigit44:
Are other GP's processing ok?
Some are and some are not. The folder redirection does not initially work unless I manually point the user's desktop there. Nor do the Protected View, Trust Center policies (except for the one User who has not yet been upgraded). On the other hand, Remote Desktop Connection works, but maybe that would work without a GP.

The "Access denied" thing is puzzling. I'll try setting read access for all on that policy, but I'm skeptical that will do anything.

Meanwhile, here's a related error that is generated just after the 1096 error in my OP. The 'General' message is, "Event 1085, GroupPolicy. Windows failed to apply the Folder Redirection settings. Folder Redirection settings might have its own log file. Please click on the "More information" link." (I don't see a "More Information" link).

Details are in the attached image.
Mark (ASKER):
Later ... tried Shaun Vermaak's idea of making the policy file world readable. No go, same error (but on User rather than Machine):
(screenshot attached)
Mark (ASKER):
Anyone on this? I've tried several things and am still getting the "Event 1085, GroupPolicy. Windows failed to apply the folder Redirection settings." and the 1096 access denied error shown above.
ASKER CERTIFIED SOLUTION (members-only content, not shown)
Mark (ASKER):
I found the solution. Points to Shaun and compdigit44 for giving it a shot.