Folder Redirection

[Steven Hutchinson]

Hi everyone,

I am currently having a problem with Folder Redirection through a specific
GPO. The problem stems from a move of the location of the "My Documents"
folder.

Previously all of our users "My Documents" were redirected to the following
path: \\oldserver\users$\%username%\My Documents

I then changed the My Documents target to the path:
\\newserver\users$\%username%\My Documents by changing the target under
Folder Redirection in the group policy.

This transferred all users documents successfully, however, we are now
having problems where users are logging in to the system, trying to access
My Documents and receiving an error message along the lines of "Path cannot
be found. \\oldserver\users$\%username%\ My Documents is not available.

In the event log of the Windows XP Professional client, the following events
are logged under the Application Log after the first logon to a new Windows
XP client with a new user:

Event ID: 401
Source: Folder Redirection
Type: Information
Description:

Successfully redirected folder My Documents. The folder was redirected from
<C:\Documents and Settings\Username\My Documents> to
<\\NewServer\users$\Username\My Documents>.

Event ID: 401
Source: Folder Redirection
Type: Information
Description:

Successfully redirected folder My Pictures. The folder was redirected from
<C:\Documents and Settings\Username\My Documents\My Pictures> to
<\\NewServer\users$\Username\My Documents\My Pictures>.

Strangely this is where it fails and when the user tries to access "My
Documents" an error appears stating that the share on the old server is not
accessible.

When logging in for a second time, the event log description changes to the
following:

Event ID: 401
Source: Folder Redirection
Type: Information
Description:

Successfully redirected folder My Documents. The folder was redirected from
<\\OldServer\users$\Username\My Documents> to
<\\NewServer\users$\Username\My Documents>.

Event ID: 401
Source: Folder Redirection
Type: Information
Description:

Successfully redirected folder My Pictures. The folder was redirected from
<<\\OldServer\users$\Username\My Documents\My Pictures> to
<\\NewServer\users$\Username\My Documents\My Pictures>.

This is where either myself or the system is getting confused. When a user
now clicks on My Documents, the new target is opened correctly. However, I
believe that if we were to remove this policy, the target would change back
to the old server path rather than to C:\Documents and Settings\Username\My
Documents which was correctly stated in the eventlog when the My Documents
failed to open.

The other issue is that this redirection randomly redirects either from the
oldserver path and the C:\Documents and Settings path and the result is
users cannot always access their "My Documents".

I have tried the usual gpupdate on the client, etc.. and believe that it is
an issue with Fast Logon Optimization feature in Windows XP as Windows 2000
Professional clients always work after the second logon.

Has anyone seen this issue before?

Any help would be greatly appreciated.

Thanks in advance,

Steven Hutchinson.

 

[Bob Qin [MSFT]]

Hi Steven,

Thanks for your posting here.

Does the problem occur in all the user accounts? or just some certain user
accounts?

I recommend that you check the permissions on the shard folder. Please set
the minimum permissions on the folders as follows:

NTFS permissions for root folder:
creator owner - FC - this folder, subfolders and files
Local Admin - FC - this folder subfolders and files
Everyone - List folder/read data, create files/write data, create
folders/append
data - This folder only
Local System - FC - this folder, subfolders and files

Share level permissions for root folder:
Everyone - FC

NTFS permissions for each user's redirected folder:
%username% - FC - Owner of folder
Local System - FC
Everyone - no permissions.

In addition, when the redirection redirects either from the oldserver path
and the C:\Documents and Settings path, did you run gpreult to check if the
policy is applied at that time?

In order to make further research on this issue, please collect the
following information when the issue occur and send them to me.

1. Enabled userenv debug logging on the client machines.

Please enable the userenv Debug logging as in the following article:
Q221833 Enabling User Environment Debug Logging in Retail Windows
http://support.microsoft.com/?id=221833

2. Run the following command in DOS prompt.

gpresult /z >textfile.txt

3, Folder Redirection can provide a detailed log to aid troubleshooting. To
create a detailed log file for folder redirection, use the following
registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics

Set: FDeployDebugLevel = Reg_DWORD:0x0F

Note: The log file can be found at %windir%\debug\usermode\fdeploy.log

Please also enable this on the client and send back the fdeploy.log file.

Thank you for your assistance.

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Steven Hutchinson]

Hi Bob,

Thanks for the reply. This problem occurs in all user accounts when logging
on to a Windows XP client PC.

I have checked the NTFS permissions on the folder "Users" which is the
central location where we store redirected users My Documents.
These are the permissions that are currently set:

Creator Owner - Full Control (Subfolder and Files only)
Local Admin - Full Control, This folder only
Domain Admins - Full Control, This folder, subfolders and files
Everyone - List Folder/Read Data, Read Attributes, Create Folders/Append
Data (This Folder Only)

The share level permissions are currently set at Everyone - Full Control

The permissions on each users redirected folder are then inherited from this
set of permissions

I have set these permissions by referring to Knowledgebase Article 274443
but they might be wrong

When running gpresult from the user session, I receive an error Access
Denied but this may be due to another group policy setting which
prevents the user from running this command from their session.

I have enabled userenv debug logging on the client pc and will send you the
userenv.log via email.

I also have a detailed log of folder redirection, fdeploy.log which I will
also send via email.

What I have noticed is that if I move the Windows XP client I am using for
testing into an Organizational Unit which
has a group policy object linked to it that specifies "Always wait for the
network at computer startup and logon" (Basically disabling Windows XP Fast
Logon Optimization)
the users folder redirection will always fail on first logon but will work
thereafter.

 

[Bob Qin [MSFT]]

Hi Steven,

I have done some research on this issue and I would like to share the
following information with you.

Because Fast Logon Optimization is a background refresh, when logon
optimization is on, a user may need to log on to a computer twice before
folder redirection policies and software installation policies are applied.

This is because application of these types of policies require the
synchronous policy application. During a policy refresh (which is
asynchronous), the system sets a flag that indicates that the application
of folder redirection or a software installation policy is required. The
flag forces synchronous application of the policy at the user's next logon.

For more information, please refer to the following article.

305293 Description of the Windows XP Professional Fast Logon Optimization
http://support.microsoft.com/?id=305293

Have a nice day!

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Steven Hutchinson]

Hi Bob,

The problem that I seem to be having is that unless there is a synchronous
application of policy at every logon, the policy does not take effect.

Although I can disable Fast Logon Optimization using group policy, there
will still be an issue for users logging on for the first time on a given
Windows XP client.

I need to try and find the underlying issue of why this old server is still
referenced.

 

[Bob Qin [MSFT]]

Hi Steven,

Thanks for your reply.

Please enable the "Always wait for the network at computer startup and
logon" setting in Local group policy to turn off the functionality of Fast
Logon Optimization.

In addition, you can also add the following registry value in Windows XP
client.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
NT\CurrentVersion\Winlogon\

Valuename: SyncForegroundPolicy

Type: DWORD

Value: 1 (Hex)

Note: please run "gpupdate /force" command after you modify the settings.

What is the result now?

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.