I struggled to figure out why my folder redirection policy failed to apply fully. In this case, I was actually trying to do a folder redirection reversal. For some users, we wanted to go back to having the profile local. My method was to create a security group and associate a policy with it that would put the normally redirected folders back into the local user profile. I felt I had it all set up right. I made sure the members of the new group were denied the ability to apply the normal redirection policy, so the only one that would take effect was the new GPO.
However, after verifying the settings in Windows, I saw the changes didn't fully work.
For anyone who doesn't know, your profile folder locations are specified here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Items such as Desktop are normally set as %USERPROFILE%\Desktop unless you or a policy changes it.
I used myself as a guinea pig and ran the Group Policy Results wizard on myself. Not many clues, except that, oddly, some of my folders that were previously redirected did change. Most didn't.
The clues I needed finally came from eventvwr. I really enjoy the way events are grouped at a high level. It makes things easier.
I actually had some error events in the Application log with Folder redirection as the source. The event ID I had was 502.
Failed to apply policy and redirect folder “Desktop” to “C:\Users\chris\Desktop”.
The following error occurred: “Can not create folder “C:\Users\chris\Desktop””.
Error details: “This security ID may not be assigned as the owner of this object.”.
With this in hand, I went to Google and found some posts from people having similar issues with roaming profiles. The cause turned out to be ownership of my local profile.
I checked mine and sure enough that was it. I had full control of my profile but System was the owner. I checked another user and he had the same problem.
I needed a way to correct this for myself and everyone else. I like using the application subinacl (from Microsoft) for ownership changes. You can find it here.
I did some testing and created a script to do the corrections for me. I stored subinacl.exe in the netlogon folder.
Here is the script I created. I called it SetOwner.bat
<start of script>
REM SetOwner.bat - runs at user logon; subinacl.exe is stored in the NETLOGON share
REM Set owner at profile root (the profile folder itself)
\\domain.loc\netlogon\subinacl /subdirectories "%USERPROFILE%" /setowner="ncdsb\%USERNAME%"
REM Set owner on files and folders in profile (everything below the root)
\\domain.loc\netlogon\subinacl /subdirectories "%USERPROFILE%\*.*" /setowner="ncdsb\%USERNAME%"
<end of script>
I made the .bat file a logon script in my new local redirection policy. Maybe I don't need to correct the root profile folder and the files in two separate lines, but in my testing I didn't see changes in subfolders without the second line. I also noticed that checking ownership on my Desktop folder twice in the same logon session took some time to show the update, so there might be some processing time before it all takes effect.
After the ownership is corrected, a second reboot is required to fully fix the folder redirection.
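To spot this condition before the logon script is needed, here is an added PowerShell audit (not part of the original post and not the SetOwner.bat above) that reads the User Shell Folders key described earlier, compares each folder's owner with the logged-on user, and pulls the Folder Redirection 502 events from the Application log. It assumes the provider name "Microsoft-Windows-Folder Redirection" for the source the post simply calls "Folder redirection".

```powershell
# Added example: audit profile folder ownership and Folder Redirection 502 events.
# Run as the affected user; no changes are made, it only reports.
$expected = "$env:USERDOMAIN\$env:USERNAME"
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Build the list of paths to check: the profile root plus every shell folder.
$targets = @([pscustomobject]@{ Folder = 'Profile root'; Path = $env:USERPROFILE })
foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, etc.
    # Values are REG_EXPAND_SZ; Get-ItemProperty already expands them,
    # the extra expansion is a harmless safety net.
    $path = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
    $targets += [pscustomobject]@{ Folder = $p.Name; Path = $path }
}

$report = foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path)) { continue }
    $owner = (Get-Acl -LiteralPath $t.Path).Owner
    [pscustomobject]@{
        Folder  = $t.Folder
        Path    = $t.Path
        Owner   = $owner
        OwnerOk = ($owner -eq $expected)   # SYSTEM as owner is the failure case
    }
}
$report | Sort-Object OwnerOk | Format-Table -AutoSize

# Folder Redirection event 502 ("This security ID may not be assigned as the
# owner of this object") from the last 7 days, if any were logged.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Folder Redirection'   # assumed provider name
    Id           = 502
    StartTime    = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Any row with OwnerOk set to False is a folder the SetOwner.bat logon script above would need to fix before redirection can apply.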
The only mystery left in this for me is how System ended up as owner of my profile.