hwtech
Windows 7 - Server 2016 Folder Redirection issue
Have a new Server 2016 installation with a Folder Redirection policy enabled on a users OU - of which I'm redirecting Desktop/Documents/Favorites files only.
I have *one* user within this network where I need to also redirect the music folder. And it's just for this specific user only. No one else is to have their music folder redirected.
Nothing I have tried has worked as of yet - my question is what is the best way to accomplish this?
If you take "Authenticated Users" off of the scope of the GPO, you might have issues. Test that out and see. If so, you might have to put that user into a different GPO.
Removing Authenticated Users isn't an issue. Not adding computers to the delegation tab so they can read the policy is a known requirement and thoroughly documented.
I prefer to edit the security for the GPO and just untick the Apply Policy permission for Authenticated Users (and leave Read) and then just add the security group with Apply Policy permissions.
I get what Joseph is saying. Might be well documented but still worth mentioning it.
Just the way he said "might" have issues (not, would, or similar) and then say "might HAVE TO" (emphasis mine), move the user into a different OU left an impression that the behavior was erratic, unknown, or no options existed to fix it. So yeah. I clarified.
I understood what you meant in your initial comment.
Just as Joseph "misunderstood" it, so might OP have, hence why it was a valuable comment.
ASKER
Well, working off Cliff's suggestion due to his being the initial post - and this is what I've been working on so far. Take a gander if you would please and let me know if it looks good. I've tried this GPO earlier before and it didn't work (after several logon/off attempts) - so let me know if it should be working - or if it needs to be modified.
That seems fine except...
From that view you cannot see the actual GPO permissions. Ensure that Authenticated Users has read rights (it won't show in GPMC) or on the computer as per Cliff's comment.
If you did the remove and add of the group via that GPMC screen, it is wrong
ASKER
That tab. Delegation. Add Authenticated Users back there and add read permissions.
Can you post the security tab? (one for authenticated users and one for the security group)
After editing the GPO, properties, security
ASKER
In response to Cliff's last suggestion - added "authenticated users" - did 3 logoff/on attempts and documents still local on users PC.
Here's the gpresult output, which shows the policy getting applied - but it's not actually applying:
C:\Windows\system32>gpresult /r /scope:user
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 8/27/2018 at 3:49:41 PM
RSOP data for DOMAIN\Username on PCName : Logging Mode
------------------------------------------------------------
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\username
Connected over a slow link?: No
USER SETTINGS
--------------
CN=Username,OU=Music Director Personnel,DC=DOMAIN,DC=local
Last time Group Policy was applied: 8/27/2018 at 3:48:35 PM
Group Policy was applied from: server.domain.local
Group Policy slow link threshold: 500 kbps
Domain Name: DOMAINNAME
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Folder Redirection MUSIC
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Folder Redirection Policy
Filtering: Denied (Security)
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Authentication authority asserted identity
High Mandatory Level
C:\Windows\system32>
The policy is reporting as applied. So if documents aren't redirecting, it is either the setting in the policy itself or the client couldn't add/move files, which would be in the client machine's event logs.
ASKER
I am getting a 510 event ID:
"Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect" -
Is this one of those "domain computers" /w read is required on the delegation tab?
This is a Windows 7 SP1 workstation - attempting to move to Server 2016 FR folder. I remember running into this with W10 workstations - but that was redirecting to Server 2008 -
PS - well scratch that domain computer comment. All other work stations (11) are redirecting without issue - and they're all W7-SP1 systems as well.
So this is likely a bandwidth or network issue. The client is deciding not to redirect until it can safely move that data relatively quickly. This is a client-side decision, not a server-side issue.
Are you using offline files at all by chance? If so, try disabling it completely on the affected client and then doing a gpupdate /force, rebooting, and then doing your logon/logoff cycles. I find disabling offline files sometimes kicks the sync back into actually working. If that works for you, you can re-enable offline files and everything should behave properly. Just a random idea I thought I'd add amidst all the excellent advice you've already received since I didn't see anyone mention it yet.
Asif, offline files are enabled by default for folder redirection on Windows Client OSes.
Shaun, yes that's correct. I should have been more clear. I've found that temporarily disabling offline folders sometimes forces a sync for folders not redirecting. Just thought it's an easy thing to try and simple to revert if it doesn't help.
ASKER
Guys...my bad. I worked on this last night and decided to move the target user into the "general" folder redirection policy - which worked on all other workstations - and then it failed again. A palm slap to the head when I realized that I had failed to move the target AD user account into the "Folder Redirection Users" security group on the server. Effectively this user did not have access to the FR folder itself. It had been a few weeks since I last worked on this and must have pulled the user out of the FR group when I had issues earlier. An event indicating such would have been nice on the workstation - vs the generic 510 ID. Probably should have looked at the event log on the server itself..which I did not do.
Added the user back to the MUSIC policy - and off she goes. A check this morning shows everything is now redirecting properly.
I appreciate all the input - Not sure how you divvy up the points anymore, but I prefer Cliff's initial response as to how to accomplish my objective - since I had issues earlier I wasn't sure the "best practice" way of doing this - thus my post.
All's now well in FR world - thanks much -
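A check for the two conditions this thread turned on, GPO security filtering and membership in the group that grants access to the redirection share, as an added PowerShell example that is not from any of the posters. It assumes the RSAT GroupPolicy and ActiveDirectory modules; `FR-Music-Users` and `username` are placeholder names, while the GPO and share-group names are the ones quoted in the thread.

```powershell
# Added example. Run from a DC or an admin workstation with RSAT installed.
param(
    [string]$GpoName     = 'Folder Redirection MUSIC',  # GPO name from the gpresult output
    [string]$ShareGroup  = 'Folder Redirection Users',  # group granting access to the FR share
    [string]$FilterGroup = 'FR-Music-Users',            # placeholder: group the GPO is filtered to
    [string]$User        = 'username',                  # placeholder: affected user's sAMAccountName
    [switch]$Fix                                        # also write the GPO permissions
)
Import-Module GroupPolicy, ActiveDirectory

if ($Fix) {
    # Authenticated Users keeps Read but loses Apply; the filter group gets Apply.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $FilterGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Full GPO ACL, including entries that only have Read.
$acl = Get-GPPermission -Name $GpoName -All

function Test-GpoAce([string[]]$Trustee, [string[]]$Level) {
    # True when any listed trustee holds any listed permission level (not denied).
    [bool]($acl | Where-Object {
        $Trustee -contains $_.Trustee.Name -and
        $Level -contains [string]$_.Permission -and -not $_.Denied
    })
}
function Test-Member([string]$Group) {
    # -Recursive also counts membership through nested groups.
    [bool](Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.SamAccountName -eq $User })
}

[pscustomobject]@{
    FilterGroupHasApply = Test-GpoAce -Trustee $FilterGroup -Level 'GpoApply'
    ReadStillGranted    = Test-GpoAce -Trustee 'Authenticated Users', 'Domain Computers' `
                                      -Level 'GpoRead', 'GpoApply'
    UserInFilterGroup   = Test-Member $FilterGroup
    UserInShareGroup    = Test-Member $ShareGroup
} | Format-List
```

Any `False` in the output points at the corresponding gap; in this thread the last line, share-group membership, was the one that was missing.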
https://support.microsoft.com/en-za/help/242557/registry-settings-for-folder-redirection-in-windows