none
Folder Redirection Policy Not Applying

    Question

  • I am having trouble with getting a particular GPO to apply to a particular user account. I have created a folder redirection policy that redirects the desktop to a network location that the user has permission to.  The settings are:

    The policy never seems to apply, and a GPResult on a client computer does not return this in the list of applied GPOs.

    I ran a GP modeling query in GPMC and it shows that the policy should be applied to the user. However, if I run the same query in GP Results in GPMC it does not appear in the list of applied or denied GPOs. There are no other policies applied that perform redirection for the desktop, although there is another redirection policy in place for the documents folder.

    When I run a GPUpdate /force when logged in as the affected user, I get the message that a folder redirection policy has been detected and this can only be applied with a logoff. I agree to the logoff but when I log back in I get the same result - no redirection and a subsequent GPUpdate /force gives me the same message again.

    I applied another GPO to make sure that Fast Logon is disabled so that this will process policy synchronously. I can see via GPResult that this policy applied, but it has made no difference and the redirection policy still won't apply.

    Affected client computers and my management workstation are both on Windows 8.1. Please let me know if you have any thoughts on why this may be happening or what else I can do to troubleshoot. Thanks!

    Tuesday, September 20, 2016 7:31 PM

Answers

  • > The policy never seems to apply, and a GPResult on a client computer
    > does not return this in the list of applied GPOs.
     
    Welcome to MS16-072...
     
    • Marked as answer by Matt McNabb Wednesday, September 21, 2016 12:36 PM
    Wednesday, September 21, 2016 7:57 AM

All replies

  • Hi,

    Thanks for your post.

    The issue seems to be caused by a delay in initializing network and locating domain controllers. Enabling "Always wait for the network at computer startupand logon" via group policy should resolve it as we need to give system more time to initiate network before proceeding with the logon process.

    We could also enable "
    startupPolicy Processing Wait Time" and setting wait time to an appropriate value to let the software installation GPOs working with minimal boot delays. We could know the accurate policy processing time via the Group Policy Operational Log Event. Please refer to the following article to get more details:

    Optimizing Group Policy Performance

    https://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx
    There are two ways to enable this option:

    Group Policy
    Computer Configuration > [Policies] > Administrative Templates > System >Group Policy > Startup Policy Processing Wait Time – Enable the option and set wait time to 10 - 60 seconds
    Note 1: This option is only supported by Windows Vista and later clients and may be not present on Server 2003 domain controllers
    Note 2: Group policy description tells that the default wait time is 30 seconds, which obviously raises the question how setting time-out to less than 30 seconds can fix the problem. It seems that default 30 seconds interval is not always used and Windows often employs its own algorithms to calculate the time-out (if it's not enforced by Group Policy or Registry)

    Registry
    On Client Computer:

    1. Start > Regedit.exe

    2. Navigate to  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    3. Create New DWORD value with name GpNetworkStartTimeoutPolicyValue and set Value data (decimal) to the required timeout interval in seconds

    4. Restart the computer

    More articles for your reference:

    Understand the Effect of Fast Logon Optimization and Fast Startup on Group Policy

    https://technet.microsoft.com/en-us/library/jj573586.aspx

    Control How Group Policy Is Applied At Logon

    https://technet.microsoft.com/en-us/magazine/gg486839.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 21, 2016 6:40 AM
    Moderator
  • > The policy never seems to apply, and a GPResult on a client computer
    > does not return this in the list of applied GPOs.
     
    Welcome to MS16-072...
     
    • Marked as answer by Matt McNabb Wednesday, September 21, 2016 12:36 PM
    Wednesday, September 21, 2016 7:57 AM
  • > The policy never seems to apply, and a GPResult on a client computer
    > does not return this in the list of applied GPOs.
     
    Welcome to MS16-072...
     

    Nailed it Martin! I seem to remember hearing something about this back in the summer, but I've had my head out of Group Policy for a while and this is the first need we've had for a few months. I added read permission for domain computers to the GPO and this took right off. I suppose I need to dig around now and find out if this update broke any of our other user policies that are security filtered.

    Thanks!

    • Proposed as answer by Phil Grime Thursday, October 20, 2016 1:05 PM
    Wednesday, September 21, 2016 12:36 PM
  • Just added Domain Computers with Read permissions on the GPO as previous post suggested - worked after a reboot so happy here!
    Thursday, October 20, 2016 1:06 PM