hwtech

Windows 7 - Server 2016 Folder Redirection issue

Have a new Server 2016 installation with a Folder Redirection policy enabled on a users OU - of which I'm redirecting Desktop/Documents/Favorites files only.

I have *one* user within this network where I need to also redirect the music folder. And it's just for this specific user only. No one else is to have their music folder redirected.

Nothing I have tried has worked as of yet - my question is what is the best way to accomplish this?
ASKER CERTIFIED SOLUTION
Cliff Galiher
This solution is only available to members.
I use GPO Registry Preferences. For the exception, you can use an Item Level Filter to only apply to that user.
https://support.microsoft.com/en-za/help/242557/registry-settings-for-folder-redirection-in-windows
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Name: AppData
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Application Data

Name: Desktop
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Desktop

Name: Personal
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\My Documents

Name: My Pictures
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\My Documents\My Pictures

Name: Start Menu
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Start Menu


If you take "Authenticated Users" off of the scope of the GPO, you might have issues.  Test that out and see.  If so, you might have to put that user into a different GPO.
Removing Authenticated Users isn't an issue. Not adding computers to the delegation tab so they can read the policy is a known requirement and thoroughly documented.
I prefer to edit the security for the GPO and just untick the Apply Policy permission for Authenticated Users (and leave Read) and then just add the security group with Apply Policy permissions.

I get what Joseph is saying. Might be well documented but still worth mentioning it.
Just the way he said "might" have issues (not, would, or similar) and then say "might HAVE TO" (emphasis mine), move the user into a different OU left an impression that the behavior was erratic, unknown, or no options existed to fix it. So yeah. I clarified.
I understood what you meant in your initial comment.

Just as Joseph "misunderstood" it, so might OP have, hence why it was a valuable comment.
hwtech

ASKER

Well, working off Cliff's suggestion due to his being the initial post - and this is what I've been working on so far.  Take a gander if you would please and let me know if it looks good. I've tried this GPO earlier before and it didn't work (after several logon/off attempts) - so let me know if it should be working - or if it needs to be modified.

User generated image
That seems fine except...

From that view you cannot see the actual GPO permissions. Ensure that Authenticated Users has read rights (it won't show in GPMC) or on the computer as per Cliff's comment.

If you did the remove and add of the group via that GPMC screen, it is wrong.
hwtech

ASKER

Not sure I'm tracking with everyone on the "authenticated users" comment(s) -

Are we talking under the delegation tab where authenticated users needs to go? These are the current settings:

User generated image
That tab. Delegation. Add Authenticated Users back there and add read permissions.
hwtech

ASKER

And here we go...ready to test?

User generated image
Can you post the security tab? (one for authenticated users and one for the security group)

After editing the GPO, properties, security
hwtech

ASKER

In response to Cliff's last suggestion - added "authenticated users" - did 3 logoff/on attempts and documents still local on users PC.

Here's the gpresult output, which shows the policy getting applied - but it's not actually applying:

C:\Windows\system32>gpresult /r /scope:user

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/27/2018 at 3:49:41 PM


RSOP data for DOMAIN\Username on PCName : Logging Mode
------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\username
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=Username,OU=Music Director Personnel,DC=DOMAIN,DC=local
    Last time Group Policy was applied: 8/27/2018 at 3:48:35 PM
    Group Policy was applied from:      server.domain.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DOMAINNAME
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Folder Redirection MUSIC
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Folder Redirection Policy
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Authentication authority asserted identity
        High Mandatory Level

C:\Windows\system32>
hwtech

ASKER

Shaun - hopefully this is what you were requesting:

User generated image
The policy is reporting as applied. So if documents aren't redirecting, it is either the setting in the policy itself or the client couldn't add/move files, which would be in the client machine's event logs.
hwtech

ASKER

I am getting a 510 event ID:

"Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect" -

Is this one of those "domain computers" /w read is required on the delegation tab?

This is a Windows 7 SP1 workstation - attempting to move to Server 2016 FR folder. I remember running into this with W10 workstations - but that was redirecting to Server 2008 -

PS - well scratch that domain computer comment. All other work stations (11) are redirecting without issue - and they're all W7-SP1 systems as well.
So this is likely a bandwidth or network issue. The client is deciding not to redirect until it can safely move that data relatively quickly. This is a client-side decision, not a server-side issue.
Are you using offline files at all by chance?  If so, try disabling it completely on the affected client and then doing a gpupdate /force, rebooting, and then doing your logon/logoff cycles.  I find disabling offline files sometimes kicks the sync back into actually working.  If that works for you, you can re-enable offline files and everything should behave properly.  Just a random idea I thought I'd add amidst all the excellent advice you've already received since I didn't see anyone mention it yet.
Asif, offline files are enabled by default for folder redirection on Windows Client OSes.
Shaun, yes that's correct. I should have been more clear. I've found that temporarily disabling offline folders sometimes forces a sync for folders not redirecting. Just thought it's an easy thing to try and simple to revert if it doesn't help.
hwtech

ASKER

Guys...my bad. I worked on this last night and decided to move the target user into the "general" folder redirection policy - which worked on all other workstations - and then it failed again.  A palm slap to the head when I realized that I had failed to move the target AD user account into the "Folder Redirection Users" security group on the server. Effectively this user did not have access to the FR folder itself. It had been a few weeks since I last worked on this and must have pulled the user out of the FR group when I had issues earlier. An event indicating such would have been nice on the workstation - vs the generic 510 ID. Probably should have looked at the event log on the server itself..which I did not do.

Added the user back to the MUSIC policy - and off she goes. A check this morning shows everything is now redirecting properly.  

I appreciate all the input - Not sure how you divvy up the points anymore, but I prefer Cliff's initial response as to how to accomplish my objective - since I had issues earlier I wasn't sure the "best practice" way of doing this - thus my post.

All's now well in FR world - thanks much -
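
A client-side check for the two things this thread turned on, as an added example that is not part of any post above: where the `User Shell Folders` values point for the logged-on user, and whether that user can actually write to each target. The `Favorites` and `My Music` value names and the `fr-probe-*.tmp` scratch file name are assumptions not listed in the thread.

```powershell
# Added diagnostic (not from the thread). Run it as the affected user.
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
# 'Personal' is Documents; 'My Music' is the Music folder's value name (assumption,
# not listed in the thread's registry excerpt).
$names = 'Desktop', 'Personal', 'Favorites', 'My Music'

function Test-FolderWritable {
    param([string]$Target)
    # Create and delete a scratch file. A failure here means the account cannot
    # write to the target, which is what share/NTFS group membership controls.
    $probe = Join-Path $Target ('fr-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

$regKey = Get-Item -Path $key
$report = foreach ($name in $names) {
    # Read the REG_EXPAND_SZ data unexpanded, then expand it explicitly.
    $raw = $regKey.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    if ($null -eq $raw) { continue }          # value not present for this user
    $path   = [Environment]::ExpandEnvironmentVariables($raw)
    $exists = Test-Path -LiteralPath $path
    New-Object PSObject -Property @{
        Name       = $name
        Path       = $path
        Redirected = $path.StartsWith('\\')   # UNC path means a server target
        Reachable  = $exists
        Writable   = $(if ($exists) { Test-FolderWritable $path } else { $false })
    }
}

# A row with Redirected = True and Writable = False matches the root cause found
# here: policy applied, but the user had no access to the redirection share.
$report | Select-Object Name, Redirected, Reachable, Writable, Path |
    Format-Table -AutoSize
```

The script avoids `[pscustomobject]` so it also runs on the PowerShell 2.0 that ships with Windows 7 SP1.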