Windows 7 - Server 2016 Folder Redirection issue

Have a new Server 2016 installation with a Folder Redirection policy enabled on a users OU - of which I'm redirecting Desktop/Documents/Favorites files only.

I have *one* user within this network where I need to also redirect the music folder. And it's just for this specific user only. No one else is to have their music folder redirected.

Nothing I have tried has worked as of yet - my question is what is the best way to accomplish this?
Cliff Galiher Commented:
A second GPO with a security group on the filter instead of Authenticated Users would probably be my preference in most circumstances.

Shaun Vermaak (Technical Specialist) Commented:
I use GPO Registry Preferences. For the exception, you can use an Item Level Filter to only apply to that user.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Name: AppData
Data: %USERPROFILE%\Application Data

Name: Desktop
Data: %USERPROFILE%\Desktop

Name: Personal
Data: %USERPROFILE%\My Documents

Name: My Pictures
Data: %USERPROFILE%\My Documents\My Pictures

Name: Start Menu
Data: %USERPROFILE%\Start Menu


Joseph Hornsey (President and Janitor) Commented:
If you take "Authenticated Users" off of the scope of the GPO, you might have issues.  Test that out and see.  If so, you might have to put that user into a different GPO.

Cliff Galiher Commented:
Removing Authenticated Users isn't an issue. Not adding computers to the delegation tab so they can read the policy is a known requirement and thoroughly documented.
Shaun Vermaak (Technical Specialist) Commented:
I prefer to edit the security for the GPO and just untick the Apply Policy permission for Authenticated Users (and leave Read) and then just add the security group with Apply Policy permissions.

I get what Joseph is saying. Might be well documented but still worth mentioning it.
Cliff Galiher Commented:
Just the way he said "might" have issues (not, would, or similar) and then say "might HAVE TO" (emphasis mine), move the user into a different OU left an impression that the behavior was erratic, unknown, or no options existed to fix it. So yeah. I clarified.
Shaun Vermaak (Technical Specialist) Commented:
I understood what you meant in your initial comment.

Just as Joseph "misunderstood" it, so might OP have hence why it was a valuable comment
hwtech (Author) Commented:
Well, working off Cliff's suggestion due to his being the initial post - and this is what I've been working on so far.  Take a gander if you would please and let me know if it looks good. I've tried this GPO earlier before and it didn't work (after several logon/off attempts) - so let me know if it should be working - or if it needs to be modified.

Shaun Vermaak (Technical Specialist) Commented:
That seems fine except...

From that view you cannot see the actual GPO permissions. Ensure that Authenticated Users has read rights (it won't show in GPMC) or on the computer as per Cliff's comment.

If you did the remove and add of the group via that GPMC screen, it is wrong
hwtech (Author) Commented:
Not sure I'm tracking with everyone on the "authenticated users" comment(s) -

Are we talking under the delegation tab where authenticated users needs to go? These are the current settings:

Cliff Galiher Commented:
That tab. Delegation. Add Authenticated Users back  there and add read permissions.
hwtech (Author) Commented:
And here we go...ready to test?

Shaun Vermaak (Technical Specialist) Commented:
Can you post the security tab? (one for authenticated users and one for the security group)

After editing the GPO, properties, security
hwtech (Author) Commented:
In response to Cliff's last suggestion - added "authenticated users" - did 3 logoff/on attempts and documents still local on users PC.

Here's the gpresult output, which shows the policy getting applied - but it's not actually applying:

C:\Windows\system32>gpresult /r /scope:user

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/27/2018 at 3:49:41 PM

RSOP data for DOMAIN\Username on PCName : Logging Mode

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\username
Connected over a slow link?: No

    CN=Username,OU=Music Director Personnel,DC=DOMAIN,DC=local
    Last time Group Policy was applied: 8/27/2018 at 3:48:35 PM
    Group Policy was applied from:      server.domain.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DOMAINNAME
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
        Folder Redirection MUSIC
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
        Folder Redirection Policy
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
        Domain Users
        NT AUTHORITY\Authenticated Users
        This Organization
        Authentication authority asserted identity
        High Mandatory Level

hwtech (Author) Commented:
Shaun - hopefully this is what you were requesting:

Cliff Galiher Commented:
The policy is reporting as applied. So if documents aren't redirecting, it is either the setting in the policy itself or the client couldn't add/move files, which would be in the client machine's event logs.
hwtech (Author) Commented:
I am getting a 510 event ID:

"Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect" -

Is this one of those "domain computers" /w read is required on the delegation tab?

This is a Windows 7 SP1 workstation - attempting to move to Server 2016 FR folder. I remember running into this with W10 workstations - but that was redirecting to Server 2008 -

PS - well scratch that domain computer comment. All other work stations (11) are redirecting without issue - and they're all W7-SP1 systems as well.
Cliff Galiher Commented:
So this is likely a bandwidth or network issue. The client is deciding not to redirect until it can safely move that data relatively quickly. This is a client-side decision, not a server-side issue.
Asif Bacchus (I.T. Consultant) Commented:
Are you using offline files at all by chance?  If so, try disabling it completely on the affected client and then doing a gpupdate /force, rebooting, and then doing your logon/logoff cycles.  I find disabling offline files sometimes kicks the sync back into actually working.  If that works for you, you can re-enable offline files and everything should behave properly.  Just a random idea I thought I'd add amidst all the excellent advice you've already received since I didn't see anyone mention it yet.
Shaun Vermaak (Technical Specialist) Commented:
Asif, offline files are enabled by default for folder redirection on Windows Client OSes.
Asif Bacchus (I.T. Consultant) Commented:
Shaun, yes that's correct. I should have been more clear. I've found that temporarily disabling offline folders sometimes forces a sync for folders not redirecting. Just thought it's an easy thing to try and simple to revert if it doesn't help.
hwtech (Author) Commented:
bad. I worked on this last night and decided to move the target user into the "general" folder redirection policy - which worked on all other workstations - and then it failed again.  A palm slap to the head when I realized that I had failed to move the target AD user account into the "Folder Redirection Users" security group on the server. Effectively this user did not have access to the FR folder itself. It had been a few weeks since I last worked on this and must have pulled the user out of the FR group when I had issues earlier. An event indicating such would have been nice on the workstation - vs the generic 510 ID. Probably should have looked at the event log on the server itself..which I did not do.

Added the user back to the MUSIC policy - and off she goes. A check this morning shows everything is now redirecting properly.  

I appreciate all the input - Not sure how you divvy up the points anymore, but I prefer Cliff's initial response as to how to accomplish my objective - since I had issues earlier I wasn't sure the "best practice" way of doing this - thus my post.

All's now well in FR world - thanks much -
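
The following is an added example, not part of any participant's post: a small parser for `gpresult /r /scope:user` text that lists applied GPOs, filtered GPOs with their reasons, and the user's security groups, then reports which required groups are absent. The sample is constructed (trimmed from the output posted above), and the group name "Folder Redirection Users" is taken from the final post; the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the gpresult output posted in the thread.
SAMPLE = """\
    Applied Group Policy Objects
        Folder Redirection MUSIC
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
        Folder Redirection Policy
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
        Domain Users
        NT AUTHORITY\\Authenticated Users
        High Mandatory Level
"""

def parse_gpresult(text):
    """Return applied GPOs, filtered GPOs with reasons, and security groups."""
    result = {"applied": [], "filtered": {}, "groups": []}
    section, last_gpo = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Applied Group Policy Objects"):
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.startswith("The user is a part of the following security groups"):
            section = "groups"
        elif section == "applied":
            result["applied"].append(line)
        elif section == "filtered":
            m = re.match(r"Filtering:\s+(.*)", line)
            if m and last_gpo:
                result["filtered"][last_gpo] = m.group(1)  # reason for last GPO seen
            else:
                last_gpo = line                            # a GPO name line
        elif section == "groups":
            result["groups"].append(line)
    return result

def missing_groups(parsed, required):
    """Required groups that do not appear in the user's reported membership."""
    have = {g.split("\\")[-1].lower() for g in parsed["groups"]}
    return [g for g in required if g.lower() not in have]
```

Run against the posted output, `missing_groups(parse_gpresult(SAMPLE), ["Folder Redirection Users"])` returns the group, which matches the cause identified in the final post even though the GPO itself shows as applied.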