Server 2003 Group Policy Problems

toastyman

toastyman

toastyman

Associate
Joined
30 Dec 2005
Posts
415
Hey to all!

I've just set up a domain on a server running Windows Server 2003. I've got things like roaming profiles, DNS, WINS, file sharing, print sharing etc working fine. However, i'd like to have folder redirection for user's 'My Documents', 'Desktop' and 'Application Data' folders to directories on the server.

From reading about this on google I came to the conclusion that I needed to do it via the Group Policy Editor. A lot of tutorials were saying you need to go to gpedit.msc > User Configuration > Windows Settings > Folder Redirection. However, when I navigate to User Configuration > Windows Settings, Folder Redirection isn't there! What am I doing wrong? Do I need to add the domain to the group policy editor or something?

Sorry, this is my first time using server 2003, so it's a steep learning curve for me, but i'm getting there! Any advice/help would be hugely appreciated :D
 
Thanks very much guys! Still took a fair bit of research to work out how to actually open the editor, but when I did that it took no time at all! :D

Now to work out why my roaming profiles are suddenly failing to load :confused:

Cheers!
 
Well after I had installed the editor, I logged off on a client machine, and tried to log back on. It reports that it couldn't find the roaming profile on the server, and would instead use a local profile. Since then, i've managed to get rid of this error by going on GPO > User Configuration > Administrative Templates > System > User Profiles, and setting "Connect home directory to root of share = Enabled".
Since then, it seems to be working. :D


Now i'm having problems with folder redirection! It just doesn't seem to be working, and it's still copying 'My Documents' etc over in the roaming profile :(

On the server I have this directory:
D:\Profiles\john.smith
Click to expand...

In there, it stores the roaming profile (as well as john.smith's my documents and application data :()

I then created the following directory:
D:\Data\john.smith\My Documents
Click to expand...

and set the folder redirection to the following:
Basic - Redirect everyone's folder to the same location
Create a folder for each user under the root path
Root path: D:\Data
Click to expand...

However, nothing seems to be being stored in "D:\Data\john.smith\My Documents", and the my documents folder in the roaming profile is still being used.

Any ideas?
 
Yep, I gave the "D:\Data\" share properties of read only to everyone, then for each user, I gave them and the administration full NTFS access to their directory.
 
Oh right, I read about it on a tutorial, and that's how the guy recommended to do it. Ok so say it does turn out to all be read-only access, how would you do it? Give full permission on the share for everyone?

Cheers for this guys :)
 
Right then, i've given the share for profiles and data full access for everyone, and ticked every box in the NTFS permissions, so users can read, write, etc.

I've deleted the folders you said, so now I just have D:/data/

The root path for the folder redirection is now \\wsuk-svr-01\Data

I think i've just found the main problem though! Ok so the client pc can logon to the server no problem. Except when I go to Explorer on the client pc and type in \\wsuk-svr-01 it prompts me for a username and password! This would explain why it can't access the roaming profiles etc wouldn't it? Shouldn't it be able to access that network resource using the username and password i'm logged in with?

Looks like i've been reading some pretty pants tutorials!

Cheers :D
 
When I get the prompt i've tried to enter my domain username and password, but this is the error message I get:

Logon Unsuccessful:
The user name you typed is the same as the user name you are logged in with. That user name has already been tried. A domain controller cannot be found to verify that user name.
Click to expand...

Where is this error log located that you speak of?
 
Right, I just logged on, and these popped up in the error log:

The Security System detected an attempted downgrade attack for server cifs/wsuk-svr-01. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Click to expand...

The Security System could not establish a secured connection with the server cifs/wsuk-svr-01. No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Click to expand...

Does that mean i'm not actually connected to the domain at all?! :confused:
 
Very useful link, thanks!

Using that website and a big of googling, I managed to work out that I needed to turn the offline caching off on the shares. I did this, and I can now type in \\wsuk-svr-01 and view the shares without a problem :)

I've got rid of the roaming profiles as suggested, so that's one less problem to sort out... :)

Still haven't got folder redirection working (the server doesn't create the user's directories and my documents on the client machine points to the local copy).

Also got a few errors in the log still... not worked out how to get rid of them as of yet:

Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
Click to expand...
The redirector failed to determine the connection type.
Click to expand...
Apparently the last one is a microsoft bug and nothing to worry about :confused:


Suppose I've made progress in that I can actually logon to the server, even if its currently useless :D
 
Yep, the client's primary DNS is pointing at the IP address of the DC. Coincidently, the error message has stopped appearing! :D

I'm not sure where i've applied it tbh, or how to change that.. I opened the policy manager, went to Domains>headquarters.webservuk>Group Policy Objects and created a new policy object there. Was that not right? In the box just to the right of that it shows "Security Filtering - The settings in this GPO can only apply to the following groups, users and computers: Authenticated users".

I must be doing something wrong!
 
aix0 said:
Don't worry about security filtering for now, the default is authenticated users, which is fine.

You have got to make sure that the user that you want the policy to apply to is contained within the OU where you have created the folder redirection group policy.

EDIT

Have you been into Active Directory Users & Computers and created any additional Organizational Units (OU) yet?
Click to expand...

No I haven't... i'll have a look into that when I get back from work tonight. Thanks guys :D
 
You must log in or register to reply here.
Back
Top Bottom