Server 2003 Group Policy Problems

Hey to all!

I've just set up a domain on a server running Windows Server 2003. I've got things like roaming profiles, DNS, WINS, file sharing, print sharing etc. working fine. However, I'd like to have folder redirection for users' 'My Documents', 'Desktop' and 'Application Data' folders to directories on the server.

From reading about this on Google I came to the conclusion that I needed to do it via the Group Policy Editor. A lot of tutorials were saying you need to go to gpedit.msc > User Configuration > Windows Settings > Folder Redirection. However, when I navigate to User Configuration > Windows Settings, Folder Redirection isn't there! What am I doing wrong? Do I need to add the domain to the group policy editor or something?

Sorry, this is my first time using Server 2003, so it's a steep learning curve for me, but I'm getting there! Any advice/help would be hugely appreciated :D
 
You shouldn't be doing gpedit.msc for what you want as that's local to the box ... download the Group Policy Management Tool from Microsoft (it's a very simple group policy editor) ... make sure you log on to the box as a domain admin, run the tool, right click on the domain/ou/group etc and click create new group policy object (going off top of my head here so lol) and then you'll see similar but MORE stuff to when you do gpedit.msc (which is local settings btw)

This will then be applied to the domain/group/ou/users you've applied it to ... do a gpupdate /force on your machines or just reboot/logon a few times to take effect
 
That's the local policy. You need to edit a policy in AD.

Download and install the Group Policy Management Console from the MS site. Much nicer interface for managing Group Policies.

EDIT: Wow... great advice twice :)
 
Thanks very much guys! Still took a fair bit of research to work out how to actually open the editor, but when I did that it took no time at all! :D

Now to work out why my roaming profiles are suddenly failing to load :confused:

Cheers!
 
Well, after I had installed the editor, I logged off on a client machine, and tried to log back on. It reports that it couldn't find the roaming profile on the server, and would instead use a local profile. Since then, I've managed to get rid of this error by going on GPO > User Configuration > Administrative Templates > System > User Profiles, and setting "Connect home directory to root of share = Enabled".
Since then, it seems to be working. :D


Now I'm having problems with folder redirection! It just doesn't seem to be working, and it's still copying 'My Documents' etc over in the roaming profile :(

On the server I have this directory:
D:\Profiles\john.smith

In there, it stores the roaming profile (as well as john.smith's my documents and application data :()

I then created the following directory:
D:\Data\john.smith\My Documents

and set the folder redirection to the following:
Basic - Redirect everyone's folder to the same location
Create a folder for each user under the root path
Root path: D:\Data

However, nothing seems to be being stored in "D:\Data\john.smith\My Documents", and the my documents folder in the roaming profile is still being used.

Any ideas?
 
Yep, I gave the "D:\Data\" share properties of read only to everyone, then for each user, I gave them and the administration full NTFS access to their directory.
 
toastyman said:
Yep, I gave the "D:\Data\" share properties of read only to everyone, then for each user, I gave them and the administration full NTFS access to their directory.

You do realise that if you give someone share read only and NTFS full access, they will only have read only access. I.e. only the lowest of the 2 access levels will apply.
 
Oh right, I read about it on a tutorial, and that's how the guy recommended to do it. Ok so say it does turn out to all be read-only access, how would you do it? Give full permission on the share for everyone?

Cheers for this guys :)
 
toastyman said:
Oh right, I read about it on a tutorial, and that's how the guy recommended to do it. Ok so say it does turn out to all be read-only access, how would you do it? Give full permission on the share for everyone?

Cheers for this guys :)

99% of the time I give full access on the share, and use NTFS for fine-tuning permissions (as you have a lot more options with NTFS).

Also you say you created the dir
D:\Data\john.smith\My Documents

You shouldn't have to manually create that. The system will create that automatically. So delete the john.smith\My Documents folder.

Change the permission on the data share to full access on the share and NTFS.

Also you have
Root path: D:\Data

Shouldn't that be \\servername\data
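
The share and NTFS interaction discussed in the posts above, as an added example that is not part of the original thread: a simplified Python model (no ACE ordering or inheritance) showing that network access is the intersection of the two layers, so with a full-access share the NTFS ACL is the only thing keeping users out of each other's folders. The user jane.doe and the right bits are constructed for illustration.

```python
# Added example: simplified model of share + NTFS evaluation for SMB access.
# It ignores ACE ordering and inheritance; jane.doe and the right bits are
# constructed for illustration.
READ, WRITE, ADMIN = 1, 2, 4
RO, CHANGE, FULL = READ, READ | WRITE, READ | WRITE | ADMIN
LABELS = {0: "none", RO: "read", CHANGE: "change", FULL: "full"}


def layer_access(acl, principals):
    """Rights granted by one ACL: union of matching allows minus denies."""
    allow = deny = 0
    for who, kind, mask in acl:
        if who in principals:
            if kind == "allow":
                allow |= mask
            else:
                deny |= mask
    return allow & ~deny


def network_access(share_acl, ntfs_acl, principals):
    """Over the network a right must be granted by both layers."""
    return layer_access(share_acl, principals) & layer_access(ntfs_acl, principals)


JOHN = {"john.smith", "Everyone"}   # account plus group memberships
JANE = {"jane.doe", "Everyone"}     # hypothetical second user

share_ro = [("Everyone", "allow", RO)]        # share as first configured
share_full = [("Everyone", "allow", FULL)]    # share as later suggested
ntfs_owner = [("john.smith", "allow", FULL), ("Administrators", "allow", FULL)]
ntfs_open = [("Everyone", "allow", FULL)]     # every NTFS box ticked for Everyone


def report():
    """Effective access to john.smith's folder under each configuration."""
    cases = {
        "ro share, owner NTFS, john": (share_ro, ntfs_owner, JOHN),
        "full share, owner NTFS, john": (share_full, ntfs_owner, JOHN),
        "full share, owner NTFS, jane": (share_full, ntfs_owner, JANE),
        "full share, open NTFS, jane": (share_full, ntfs_open, JANE),
    }
    return {k: LABELS[network_access(*v)] for k, v in cases.items()}


if __name__ == "__main__":
    for case, access in report().items():
        print(f"{case:30} -> {access}")
```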
 
Right then, I've given the share for profiles and data full access for everyone, and ticked every box in the NTFS permissions, so users can read, write, etc.

I've deleted the folders you said, so now I just have D:/data/

The root path for the folder redirection is now \\wsuk-svr-01\Data

I think I've just found the main problem though! Ok so the client PC can logon to the server no problem. Except when I go to Explorer on the client PC and type in \\wsuk-svr-01 it prompts me for a username and password! This would explain why it can't access the roaming profiles etc wouldn't it? Shouldn't it be able to access that network resource using the username and password I'm logged in with?

Looks like I've been reading some pretty pants tutorials!

Cheers :D
 
toastyman said:
Except when I go to Explorer on the client PC and type in \\wsuk-svr-01 it prompts me for a username and password! This would explain why it can't access the roaming profiles etc wouldn't it? Shouldn't it be able to access that network resource using the username and password I'm logged in with?

You should not get a username and password prompt.

On the client are there any errors showing up in the event log during login?
 
When I get the prompt I've tried to enter my domain username and password, but this is the error message I get:

Logon Unsuccessful:
The user name you typed is the same as the user name you are logged in with. That user name has already been tried. A domain controller cannot be found to verify that user name.

Where is this error log located that you speak of?
 
I'd stick with folder redirection, no need for roaming profiles. If you're using roaming profiles in an organisation where people are hot-desking, logon / logoff times will eventually become a pain as profile sizes increase.

The user folders are automatically created too, this saves a lot of time if you have a large number of users.
 
Right, I just logged on, and these popped up in the error log:

The Security System detected an attempted downgrade attack for server cifs/wsuk-svr-01. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The Security System could not establish a secured connection with the server cifs/wsuk-svr-01. No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Does that mean I'm not actually connected to the domain at all?! :confused:
 
Very useful link, thanks!

Using that website and a bit of googling, I managed to work out that I needed to turn the offline caching off on the shares. I did this, and I can now type in \\wsuk-svr-01 and view the shares without a problem :)

I've got rid of the roaming profiles as suggested, so that's one less problem to sort out... :)

Still haven't got folder redirection working (the server doesn't create the user's directories and my documents on the client machine points to the local copy).

Also got a few errors in the log still... not worked out how to get rid of them as of yet:

Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
The redirector failed to determine the connection type.
Apparently the last one is a Microsoft bug and nothing to worry about :confused:


Suppose I've made progress in that I can actually logon to the server, even if it's currently useless :D
 
Where have you applied the group policy? It's a user policy so will have to be applied to the OU containing the user account in AD.

That first error... does that happen during login?

Is the client's primary DNS pointing at the DC?
 