none
Mapping Shared folder with Group Policy using security Filtering

    Question

  • Afternoon IT Gurus.

    Anybody to help me out with this.I have been searching for 2 weeks now but not getting a proper solution.

    I have 3 servers:PDC,DC and Secondary DC.Replication seems to work fine.Sysvol folder same with all servers.

    I had created shared folders that should be mapped with group policies.I ve double checked all settings but I cant find what is that I am doing wrong.GPO are linked to OU and where users are in different OUs,,the GPO I have linked in at the MAIN OU and then use Security Group as a form of filtering(both read and apply group policy permission are ticked)

    Every time i do gpupdate /force on a client PC it gives me the following error:


    The Group Policy Client Side Extension Folder Redirection was unable to apply on
    e or more settings because the changes must be processed before system startup o
    r user logon. The system will wait for Group Policy processing to finish complet
    ely before the next startup or logon for this user, and this may result in slow
    startup and boot performance.

    For more detailed information, review the event log or run GPRESULT /H GPReport.
    html from the command line to access information about Group Policy results.

    Certain user policies are enabled that can only run during logon.

    Tuesday, March 14, 2017 11:07 AM

All replies

  • Afternoon IT Gurus.

    Anybody to help me out with this.I have been searching for 2 weeks now but not getting a proper solution.

    I have 3 servers:PDC,DC and Secondary DC.Replication seems to work fine.Sysvol folder same with all servers.

    I had created shared folders that should be mapped with group policies.I ve double checked all settings but I cant find what is that I am doing wrong.GPO are linked to OU and where users are in different OUs,,the GPO I have linked in at the MAIN OU and then use Security Group as a form of filtering(both read and apply group policy permission are ticked)

    Every time i do gpupdate /force on a client PC it gives me the following error:


    The Group Policy Client Side Extension Folder Redirection was unable to apply on
    e or more settings because the changes must be processed before system startup o
    r user logon. The system will wait for Group Policy processing to finish complet
    ely before the next startup or logon for this user, and this may result in slow
    startup and boot performance.

    For more detailed information, review the event log or run GPRESULT /H GPReport.
    html from the command line to access information about Group Policy results.

    Certain user policies are enabled that can only run during logon.

    The Folder Redirection CSE, is unrelated to the Drive Mapping CSE.
    I suggest, for the moment, you ignore this warning relating to Folder Redirection, instead, focus on the Drive Mapping matter.

    How are you doing the Drive Mapping? Which method? GPP or script or what?
    What is actually happening with the Drive Mapping? Does it error?
    What does gpresult /h <filename.htm> reveal, when you examine the <filename.htm> output with a web browser?
    What is the OS version of the client where this occurs?
    Examine the Windows event logs on the affected client computer - what is revealed in event logs?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, March 14, 2017 11:18 AM
  • > Security Group as a form of filtering(both read and apply group policy permission are ticked)
     
    Check MS16-072 and its known issues :-)
     
    > The Group Policy Client Side Extension Folder Redirection was unable to apply on
    > e or more settings because the changes must be processed before system startup o
    > r user logon.
     
    That's not an error, but an information. It's about "async background processing vs. sync foreground processing".
     
    Tuesday, March 14, 2017 11:47 AM
  • Im using Group Policy for Drive mapping.I created a folder first,shared it and then move on to the group policy
    Tuesday, March 14, 2017 2:17 PM
  • I have tested the domain user xcount both with Window 7,8 and 10 and its not working.

    Where exactly should i run gpresult /h (Ist on the Server or client PC) ?

    Tuesday, March 14, 2017 2:19 PM
  • I have tested the domain user xcount both with Window 7,8 and 10 and its not working.

    Where exactly should i run gpresult /h (Ist on the Server or client PC) ?

    gpresult /h, should be executed at the client pc

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, March 14, 2017 8:14 PM
  • Hi,
    As Martin said, when the information appear after you run gpupdate command, we generally suggest to reboot the client and run gpupdate command to see if it works.
    In addition, add some reference for MS16-072, you could check if MS16-072 is installed on client and domain controller which might cause GPO not working, if that is the case, please use the Group Policy Management Console (GPMC.MSC) and add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO). If you are using security filtering, add the Domain Computers group with read permission. Please see: https://support.microsoft.com/en-sg/kb/3163622
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, March 15, 2017 7:26 AM
    Moderator
  • Hi Wendy Jiang Thanks for the advice again.

    I had actually done that (  add the Domain Computers group with read permission.) to the Delegation Tab of the GPO.And what is fussing me a lot is,when i run gpresult <filename.html> on the client computer,it shows that the Policy was applied but THE MAPPED DRIVE IS NOT APPEARING.

    Wednesday, March 15, 2017 8:38 AM
  • Another problem is ,when i created the Group Policy i tested with my own laptop,whereby i logged in with a user who is part of the security group used for filtering and the mapped drive showed.I though all was good but when i go login on a different PC with the same user name then its like nothing was done

    Wednesday, March 15, 2017 8:52 AM
  • Hi,
    Please check if there are any other GPOs or logon/startup scripts to delete mapped drives.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Tuesday, March 21, 2017 2:08 AM
    Moderator
  • Sorry guys,was away for some days.There is no logon or startup script.

    I actually transfered my roles from my PDC(running 2012 R2) to a DC (running 2008 R2)

    This worked for some GPO but there is still some GPO mapped on OU that dont wanna work

    Secondly with some users,I tested them in our IT office and the Mapped folder worked,but when i go login at the client PC ,there is nothing

    Its really confusing me.

    Wednesday, March 22, 2017 11:55 AM
  • When i do gpresult / r it shows in GP result that the policy was applied but no mapped drive is showing.

    Wednesday, March 22, 2017 2:06 PM
  • Hi,

    You could enable gpsvc log for help, it could be used to thoroughly analyze the application of GPO. Using this Group Policy logging, you could track the order and time of applying group policies, find the policies that slow down the booting and solve other GPO related problems.

    A Treatise on Group Policy Troubleshooting–now with GPSVC Log Analysis!

    https://blogs.technet.microsoft.com/askds/2015/04/17/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis/

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 27, 2017 1:51 AM
    Moderator
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 31, 2017 9:30 AM
    Moderator