Folder Redirection isn’t working correctly — the redirection targets the wrong server!

That’s an issue I troubleshooted a few days ago. My fellow admin was about to check permissions on redirected folders for a few VIP users in his department and wanted to make sure all those users’ profiles are on the same server, have the current security applied and are currently backuped.

When he browsed through the folders and went through his check list, he notice that one user’s folders weren’t on the server. Since he was dealing with important users there, he called in and I took a look what was going on.

From what it looked like on the server and what he told me, all his co-workers and people in the same sub-OU had the same folder redirection settings – and those users’ files were all there. So what next?

I fired up GPMC to check the Folder Redirection policy. There are a couple of options you can configure there and I just wanted to see what and how it was configured – just to rule out any configuration error. The OU structure was built according to how the organization works. They have site-OUs and below those, they have departmental OUs. The departmental OUs didn’t have Folder Redirection GPOs configured — but the site-OU did.The configuration of that OU looked like this:

and we expected the files to be redirected to the IT-Core share (last line). That is when I had the idea. I checked with the user in question if he was around and whether I could remote-assist his session to run a few commands to see what’s going on and he agreed. I fired up the command line and ran “whoami /all”:

GROUP INFORMATION
———————

Group Name Type SID
================================= ================ ===============
Everyone Well-known group S-1-1-0
BUILTIN\Users Alias S-1-5-32-545
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4
CONSOLE LOGON Well-known group S-1-2-1/
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11
NT AUTHORITY\This Organization Well-known group S-1-5-15
LOCAL Well-known group S-1-2-0
INTERN\internetUsers Group S-1-5-21-372229…
INTERN\Finance Group S-1-5-21-372229…
INTERN\sg-HQ-ITCore_gl Group S-1-5-21-372229…
US\sg_USIT_gl Group S-1-5-21-288144…


Here we go — that was the reason. From picture 1, we see that Folder Redirection is setup to redirect the folders based on the group membership the user has. Depending on what group the user is a member of, the system would redirect the folder to the specified location.

Now, whoami is a command line tool that lists all user group memberships in the console. You can just run it from Vista and Win7, I think there’s a seperate download for XP and below. What you can see there is that the user is member in at least two of the groups that are configured in Folder Redirection — and what the system does is kind of … well … human.

It picks the first entry in the list and happily redirects – not bothering what other groups the user might be member of. Obviously, the user is in both the ITCore group and the Finance group. Since the Finance group is listed higher than ITCore in Folder Redirection, that’s the place the system puts the files at. How we solved it? the troubling user was accidentially added to theƂ Finance group and that group was listed first in FR. We removed him from the group and kindly asked him to log off and back in — that solved the issue for us.

So when messing with Folder Redirection and the “Advanced – specify locations for various uesr groups” option, remember: the system just picks the first entry that matches one of the user’s groups and redirects the folders to that target. Not all entries in the GP get evaluated — only the first that matches.

No Comment