Re: My Documents Folder Redirection
From: Shahir A. Ahang (thisisbs.saa_at_thisisbsintrinsic.thisisbsnet)
Date: 04/01/04
- Next message: Ryan Grainger: "Users remove network cable to avoid Group Policy"
- Previous message: Roger Abell: "Re: Programmatically change security settings. Is it possible?"
- In reply to: Roger Abell: "Re: My Documents Folder Redirection"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 1 Apr 2004 00:21:56 -0600
Roger,
That was exactly what I had in mind but I was apprehensive since it would be
very time consuming. Nonetheless, you have confirmed that that is the only
way to pinpoint the offending policy element. Thank you for your time as it
is greatly appreciated.
Shahir
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:e7fYiRvFEHA.1012@TK2MSFTNGP11.phx.gbl...
> That is actually a tough one, at least as far as I can see.
> As it is something that only surfaces at runtime, I cannot
> think of a tool that will show you which policy is impacting
> the behavior.
> (BTW, one can find references in the docs for XP that an
> account should be owner of and have full control over its
> profile.)
> The first thought approach is to use GPMC to make a copy
> of the restricted policy, and link this to a test OU. Once you
> have verified the behavior is present in the test OU under the
> GPO copy, start using the divide and conquer technique.
> First, disable the computer or user section to determine if the
> behavior ceases. Then, within the section causing the behavior,
> remove half of the policies. If the behavior remains, make a
> GPMC backup of the policy and then remove a further half.
> If the behavor ceases, restore from the most recent backup
> and instead remove the other half. Etc.
> If the behavor is not the result of a combination of policies
> interacting, this divide and conquer technique is a least step
> method for blind search of the behavior's cause.
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Shahir A. Ahang" <thisisbs.saa@thisisbsintrinsic.thisisbsnet> wrote in
> message news:OjB1kbpFEHA.3188@TK2MSFTNGP10.phx.gbl...
> > All,
> >
> > I am experiencing a very strage problem with redirecting My Documents.
My
> > AD domain is 2003 native mode and my clients are all XP. I have the
> > following OU structure:
> >
> > Accounts
> > Restricted
> > Unrestricted
> >
> > I have a GPO called ALL ACCOUNTS which redirects My Documents to
> > \\SERVER\Users$\%Username% that is applied to the "Accounts" OU
> >
> > I have another GPO called RESTRICTED which has many different settings
> > applied (too many to list) applied to the "Restricted" OU
> >
> > I have another GPO called UNRESTRICTED which has only a few settings
> applied
> > to the "Unrestricted" OU
> >
> > On the file server where the users's home directories exist (\\SERVER),
> each
> > directory which corresponds to the user's home drive has the following
> > setup:
> >
> > Share Level Permissions - Everyone - Full Control
> > NTFS Permissions - Administrators - Full Control
> > NTFS Permissions - user - Modify
> >
> > The owner of these folders is the Administrator and the "Grant the user
> > exclusive rights to my documents" is disabled.
> >
> > What happens is when I login with a user ID which is in the
"Unrestricted"
> > OU, the folder redirection works. When I login with an ID that is in
the
> > "Restricted" OU, folder redirection fails with the following error:
> >
> > Failed to perform redirection of folder My Documents. The files for the
> > redirected folder could not be moved to the new location. The folder is
> > configured to be redirected to <\\SERVER\Users$\%Username%>. Files were
> > being moved from <D:\Documents and Settings\testlogin\My Documents> to
> > <\\SERVER\Users$\testlogin>. The following error occurred while copying
> > <D:\Documents and Settings\testlogin\My Documents\My Music\Desktop.ini>
to
> > <\\SERVER\Users$\testlogin\My Music\Desktop.ini>:
> >
> > This security ID may not be assigned as the owner of this object.
> >
> > From this, I gather that some policy element in the RESTRICTED GPO is
> > preventing the redirection from taking place. Now the restricted GPO
> > contains many different settings. I tried to disable some of the more
> > obvious ones but it not work. Here is what did work though:
> >
> > I changed the NTFS Permissions such that the user, instead of having
> modify
> > permission to their home folder, I gave them Full Control. That seems
to
> > have done the trick and I was able to re-direct My Documents. But, I
> would
> > rather identify the policy element in the RESTRICTED GPO which is not
> > allowing the redirection to occure instead of assigning Full Control to
> all
> > home directories. I have used GPMC but have not been able to pinpoint
the
> > problem using the GP Modeling or GP Results
> >
> > So my question is that what is the best way to identify exactly which
> policy
> > element is PREVENTING the redirection to occure?
> >
> >
>
>
- Next message: Ryan Grainger: "Users remove network cable to avoid Group Policy"
- Previous message: Roger Abell: "Re: Programmatically change security settings. Is it possible?"
- In reply to: Roger Abell: "Re: My Documents Folder Redirection"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
