NZSchooltech
2010-02-07 05:24:58 UTC
Good day,
We are having problems with a folder redirection policy which has recently
been changed, but the new settings are not being applied to the clients. The
changes in the policy settings coincided with changes in the domain servers,
and the old policy settings are the ones that are still being applied even
though the policies themselves are changed.
I'll try to explain the evolution of our domain in case that turns out to
have some relevance. When we first set up the domain, we had two DCs, dc01
and dc02, running WS2003 and WS2003 R2. The dc01 before that as a WS2003
server was a member server of a Samba domain which the old dc02 was the
domain controller for (running Linux at that time) using the old NT4 type
System Policy. The Samba domain was not migrated to the new domain
controllers; they were set up from scratch and everything was migrated by
hand. However, the fact that dc01 was previously a member server of this old
domain meant there were some settings that were carried over from the old
domain to the new. For example, the server on becoming a DC had two Domain
Admins groups, one being carried over from the old domain, and some of the
policy settings on the clients were tattooed as is often the case with NT4
system policies.
Later on, we got a new dc02 running Windows Server 2008 which was first set
up independently, and then joined to the domain, and then promoted to be a
DC on our current domain. Subsequently this DC got most of the FSMO roles
because of having the most recent release of Windows. Throughout all this
time Group Policy has appeared to be working well and no problems were
encountered with policy settings, which have been changed numerous times.
This included recently when we worked around a disk problem on DC02 by
temporarily moving some of the files to DC01 and changing the folder
redirection of My Documents to suit.
The problem has been most apparent since early this year when we changed the
DCs around. DC01 which is now running WS2003 R2, was demoted to a member
server and got renamed as FP01, just a file and print server. The OS HDD
partition was ghosted off and then one of the two RAID arrays was replaced
and the OS partition was reloaded onto a different array and disk partition
scheme. We then brought a new DC on line, still called DC01 but now it is a
virtualised WS2008 R2 server on a different Hyper-V member server. However,
I have only just found out about Sysvol migration to DFS and we have not yet
undertaken this step.
We use FP01 as a file server for some users and DC02 as a file server for
other users. I changed the group policies for Folder Redirection to use new
paths on DC02 and change the path for users that used DC01 as a file server,
to use FP01 instead. However, the policy that is being applied is the old
policy which referred to the previous locations; the policy changes which
have been made since the DCs were changed around, are not being applied. The
only other thing I can think of is there has been a delay in getting the
license for DC01 so it has not yet been activated.
I thought perhaps a good start is to look in the Sysvols to find out if the
policy files are there. The policy's GUID from GPMC matched to a folder name
in C:\Windows\Sysvol on DC02. I went into the User folder and found a file
called Fdeploy.ini which has a subsection for My Documents that looks like
this:
[My Documents]
s-1-5-21-1131366045-2363284717-2431634961-1715=\\dc02\pupils
s-1-5-21-1131366045-2363284717-2431634961-1672=\\dc02\homes\pupils\Year5\%username%
s-1-5-21-1131366045-2363284717-2431634961-1673=\\dc02\homes\pupils\Year6\%username%
s-1-5-21-1131366045-2363284717-2431634961-1674=\\dc02\homes\pupils\Year7\%username%
s-1-5-21-1131366045-2363284717-2431634961-1675=\\dc02\homes\pupils\Year8\%username%
s-1-5-21-1131366045-2363284717-2431634961-1676=\\dc02\homes\pupils\Year9\%username%
s-1-5-21-1131366045-2363284717-2431634961-1677=\\dc02\homes\pupils\Year10\%username%
s-1-5-21-1131366045-2363284717-2431634961-1714=\\dc02\homes\pupils\%username%
The paths shown above are the same ones that I have recently put into the
GPO (I assume the SIDs are for security groups as this policy uses the
capability to apply paths according to group membership).
Also, if I create a new GPO I can see from GPResult that it is being
deployed onto clients. It does the same as the settings above yet it is not
being applied in any shape or form.
DC01's Sysvol also contains the same file and the same settings. It would
appear that the policies have been successfully replicated across both DCs
and are being deployed to the clients; they are, however, not being applied
on the clients.
Our clients are running Windows XP SP2 or SP3 and are in fact applying
folder redirection policies, as the event logs show. They are just not
applying the most recent changes to these settings; instead, they are
applying old settings.
I don't know if there are any permissions settings on a local client that
are needed to deploy particular policies, but I haven't found this to be the
case before. However the group of users which are experiencing the problems
have restricted user rights and are using a super-mandatory roaming profile.
They have other policy settings which lock down their desktops and their
access to and ability to change settings on their desktops and computers.
These factors haven't been a problem before now when the DCs were a mixture
of older and newer versions of WS. There only seems to be a problem now when
the DCs are all running Windows Server 2008 variants. I know that permission
problems do crop up with the 2008 desktop OS variants such as Vista so I
wondered if something like this is turning up because of 2008 DCs.
In order to further test out these settings I turned off the "Link Enabled"
setting in GPMC for the main policy that is supposed to apply these settings
(the one with the settings shown above). I can see from GPResult that this
policy is not being applied on the local client. Yet the settings are still
being applied when the event logs for the system are read.
This is a very long post but I have spent half of today trying to debug this
problem on the servers and so it just details a lot of different things that
have been tried. I know that if I log on as a user which is a member of the
Domain Admins group the folder redirection policies for that user (which are
in a different GPO) are being applied. I changed them to test this out and
found the change was applied straight away. So there is not a problem for
users who have power-user or administrative permissions in general. I also
tried giving the specific username of a restricted user, explicit
permissions to apply GPO settings on the GPO object itself. This still
didn't change the non application of policy settings to them even though the
RSOP data from GPRESULT shows that policy is being applied to them on that
computer.
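The SYSVOL check described in the post (reading the [My Documents] section of Fdeploy.ini on each DC and comparing the copies) can be scripted. This is an added example, not part of the original post. The SIDs and the staff path in the sample text are constructed, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample copies of Fdeploy.ini; SIDs and the staff path are made up.
DC02_COPY = r"""[My Documents]
s-1-5-21-1111111111-2222222222-3333333333-1001=\\dc02\homes\pupils\Year5\%username%
s-1-5-21-1111111111-2222222222-3333333333-1002=\\fp01\homes\staff\%username%
"""
DC01_COPY = r"""[My Documents]
s-1-5-21-1111111111-2222222222-3333333333-1001=\\dc02\homes\pupils\Year5\%username%
s-1-5-21-1111111111-2222222222-3333333333-1002=\\dc01\homes\staff\%username%
"""

def parse_redirection(ini_text, section="My Documents"):
    """Return {group_sid: unc_path} for one folder section of an Fdeploy.ini text."""
    # interpolation=None keeps %username% literal instead of treating % as syntax.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str.lower  # SIDs compare case-insensitively
    cp.read_string(ini_text)
    if not cp.has_section(section):
        return {}
    return {sid: path.strip() for sid, path in cp.items(section)}

def unc_server(path):
    """Extract the server name from a UNC path such as \\\\dc02\\pupils."""
    m = re.match(r"\\\\([^\\]+)\\", path)
    return m.group(1).lower() if m else None

def compare_copies(copies):
    """copies maps a DC name to its Fdeploy.ini text.

    Returns (diffs, servers): diffs lists every SID whose target differs
    between DCs (or is missing on one); servers lists every file server
    referenced, so a renamed or retired host stands out.
    """
    parsed = {dc: parse_redirection(text) for dc, text in copies.items()}
    diffs = {}
    for sid in sorted(set().union(*parsed.values())):
        seen = {dc: mapping.get(sid) for dc, mapping in parsed.items()}
        if len(set(seen.values())) > 1:
            diffs[sid] = seen
    servers = sorted({unc_server(p) for m in parsed.values()
                      for p in m.values()} - {None})
    return diffs, servers

if __name__ == "__main__":
    diffs, servers = compare_copies({"DC01": DC01_COPY, "DC02": DC02_COPY})
    print("differences:", diffs)
    print("servers referenced:", servers)
```

An empty `diffs` with only the expected servers listed confirms the SYSVOL copies agree, which points the investigation at the client side rather than at replication.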