Fixing Folder Redirection in Windows Server 2016 – How to Fix Folder Redirection Issues

windows-server-2016

Folder redirection problem – only users in the "Head Office" group should get folder redirection (Desktop, Docs, Pictures, Favs) but everyone is getting their folders redirected.

In order to try to fix the situation I have been checking that the settings are as per: https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection

The difference that I have not been able to overcome is that the folder permissions are different. I also note that in the current setup the Home Path is being set in Active Directory Users > Profile for each user – this is in addition to the GPO. I assume that they are both doing the same thing and that I really shouldn't need to do it through each user in Active Directory Users > Profile.

When I go to add special permissions to the Home Drives folder (adding List folder / read data, Create folders / append data, Read attributes, Read extended attributes, Read permissions)

I get the error:

Error Applying Security – An error occured while applying the security
information to D:\Home Drives\Some User\Desktop. Failed to enumerate
objects in the container. Access is denied.

Note that the existing users have data in there, and so not wanting to create a worse mess I have not tried to push this any further. The current owner of the home drives folder is the Administrators group.

The current users with full control are:

  • Administrator
  • Administrators
  • SYSTEM
  • Authenticated Users (Read & Execute)
  • Head Office Users (Special)

Is anyone able to advise what should be done now?

I see under Home Drives\User.Name\ there are folders like: Desktop, Documents, Favourites, Pictures but there is also Home Drives\User.NameV6\ with 3D Objects, Contacts, Downloads, Links etc.

The ownership of these folders is different too:

  • Home Drives – Owner Administrators
  • Home Drives\User.Name – Owner Administrators
  • Home Drives\User.NameV6 – Unable to Display
  • Home Drives\User.Name\Documents – Unable to Display

Update: I found the folder redirection had been applied to the whole domain. I have deleted this and created a new folder redirection policy targeting the Head Office security group.

I have taken ownership of users' folders, taken a copy, and then copied the data back. Messy but it's worked.

Last remaining issue is that the built-in Administrator is still getting its folders redirected. Even after I added the Admins group and denied them under Delegation > Advanced.

Best Answer

You've got several questions/problems here and I can generally answer them all, but you haven't provided specific details about your GPO settings or where they are applied in Active Directory.

The first suggestion I would give you is that the link you used to set up folder redirection is one of the most ridiculously overcomplicated, yet completely lacking of any necessary detail, articles I've seen in a while.

Try reading through this series of articles for a real explanation of how to set up folder redirection and what the settings and permissions you are choosing actually do: https://4sysops.com/archives/folder-redirection-part-1-introduction/

Now, on to your multiple issues:

  • Only users in the "head office" group should get folder redirection but everyone is getting these folders: That is because you are applying the GPO too broadly. You have two options. 1) Create a separate OU or sub-OU and move the users that need folder redirection to that OU and apply the GPO only to that OU. 2) Adjust the permissions on the existing GPO. Go into delegated permissions (under advanced security) and remove the tick box for the "Apply" permission on Authenticated Users (they should keep Read permissions). Next, add the security groups of users that you want the GPO to apply to and make sure they have Read and Apply permissions.
  • ...I have not been able to overcome the folder permissions are different: That is because you need to set up the home directory permissions properly to begin with, and make sure you don't grant exclusive access to the redirected folders in the GPO settings. So, first make sure you set up the following permissions on the top level home folders directory: SYSTEM and Administrators: Full Control (This folder, subfolders and files); Authenticated Users: Create Folder, Traverse Folder, List Folder, Read Permissions, Read Extended Permissions (This folder only); CREATOR OWNER: Full Control (subfolders and files). Do not tick the box to replace inherited permissions on subcontainers. Next, change your GPO folder redirection setting so that the option to "Grant user exclusive rights..." is unchecked. This will fix all future permission issues on redirected folders, but it will not fix existing folders. Unfortunately, that would require a PowerShell script to fix the existing folders and that is fairly complicated and outside the scope of this question.
  • I also notice home path is being set in Active Directory Users -> Profile: Using the "Profile Path" option is turning on Roaming Profiles. That is a completely separate beast and has probably caused some significant issues with your users now overall. If you wanted to connect a network drive to the user's home folder then you would use the 'Home Folder' options. You need to get rid of that Profile Path option altogether. Unfortunately, this might cause your users to get a new profile generated on each computer they log in to and lose any existing customizations or settings.
  • When I go to add special permissions to the Home Drives folder - I get an error: That is because you granted exclusive rights to the user in the GPO settings. Now the only person with access to the folder is the user, not administrators or anybody else. This can't be fixed easily.
  • I see Home Drives\User.NameV6: That is because you turned on roaming profiles with the "Profile Path" setting in the user profile. That redirected the entire user profile to another directory. Again, roaming profiles and folder redirection are two completely different beasts, although they can work together. The V6 designates that it is a Windows 10 profile version.
  • The ownership of these folders is different too: Again, all because of the above information I already provided. The redirected folders should be owned by the user and created by the user the first time they log in after the folder redirection GPO is applied. The roaming profiles are also owned and created by the user when roaming profiles are enabled. A different GPO setting controls if they will be granted exclusive access to this folder or not. By default, they have exclusive access.
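
The top-level folder permissions listed in the answer's second point can be applied with a script instead of the security dialog. The following is an added example, not part of the original answer: the default `$RootPath` is taken from the question, the `-Apply` switch is a hypothetical parameter of this script, and the four identities are addressed by their well-known SIDs. It targets Windows PowerShell 5.1 as shipped with Windows Server 2016.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example, not the answer author's script. Run elevated on the file server.
param(
    [string]$RootPath = 'D:\Home Drives',  # assumption: share root named in the question
    [switch]$Apply                         # hypothetical switch: report only unless given
)

$all  = [InheritanceFlags]'ContainerInherit, ObjectInherit'
$none = [InheritanceFlags]::None

# Well-known SIDs, so the script does not depend on localized account names.
$desired = @(
    # This folder, subfolders and files
    @{ Name = 'SYSTEM';         Sid = 'S-1-5-18';     Rights = 'FullControl'; Inherit = $all; Prop = 'None' }
    @{ Name = 'Administrators'; Sid = 'S-1-5-32-544'; Rights = 'FullControl'; Inherit = $all; Prop = 'None' }
    # This folder only: the entry does not inherit into the users' own folders
    @{ Name = 'Authenticated Users'; Sid = 'S-1-5-11'; Inherit = $none; Prop = 'None'
       Rights = 'CreateDirectories, Traverse, ListDirectory, ReadPermissions, ReadExtendedAttributes' }
    # Subfolders and files only: whoever creates a folder gets full control of it
    @{ Name = 'CREATOR OWNER';  Sid = 'S-1-3-0'; Rights = 'FullControl'; Inherit = $all; Prop = 'InheritOnly' }
)

$acl = Get-Acl -LiteralPath $RootPath

Write-Output "Explicit entries currently on '$RootPath':"
$acl.Access | Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize |
    Out-String

foreach ($d in $desired) {
    $rule = [FileSystemAccessRule]::new(
        [SecurityIdentifier]::new($d.Sid),
        [FileSystemRights]$d.Rights,
        [InheritanceFlags]$d.Inherit,
        [PropagationFlags]$d.Prop,
        [AccessControlType]::Allow)
    # SetAccessRule replaces existing explicit Allow entries for the same identity;
    # entries for other identities (e.g. Head Office Users) are left untouched.
    $acl.SetAccessRule($rule)
    Write-Output ("{0,-20} {1} [{2} / {3}]" -f $d.Name, $d.Rights, $d.Inherit, $d.Prop)
}

if ($Apply) {
    # Writes the root ACL only; inheritable entries flow to children that still
    # inherit, and child ACLs are not replaced.
    Set-Acl -LiteralPath $RootPath -AclObject $acl
    Write-Output 'Root ACL updated.'
} else {
    Write-Output 'Report only. Re-run with -Apply to write the ACL.'
}
```

Run it without `-Apply` first and compare the listed explicit entries with the intended set; folders that were created with exclusive user rights are not changed by this script.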