GP Folder Redirection, User mismatch

    Question

  • Hi All,

    I hope this is the correct forum for this.

    I am having a strange problem on a site that has been using Folder Redirection for several years without any significant problems.

    A recently created user (UserA) is somehow logging in and having folders redirected to another user's (UserB) redirected folder path.

    The DC is a 2008R2, it is currently the only DC.

    'My Documents' folder is redirected to \\DomainController\users\%USERNAME%\My Documents

    My Pictures, Videos and Music are set to follow 'My Documents'

    Security on the root 'users' share is set as standard (as I understand it) for Folder Redirection

    All Users have traverse, read and create folder on "This Folder Only"

    Creator/Owner have Full Access on "Subfolders and Files"

    I checked the UserB folder, the Owner is currently UserA - this would indicate that UserA Logged in, and through the Folder Redirection policy, created the UserB folder, using the %USERNAME% variable?

    UserA SID    S-1-5-21-4188890273-337180924-3510778672-2807
    UserB SID    S-1-5-21-4188890273-337180924-3510778672-2806

    I checked the FolderRedirection events on UserA's PC:

    Log Name:      Application
    Source:        Microsoft-Windows-Folder Redirection
    Date:          09/01/2015 17:07:59
    Event ID:      501
    Task Category: None
    Level:         Information
    Keywords:      
    User:          DOMAIN\UserA
    Computer:      PC.DOMAIN.local
    Description:
    Successfully applied policy and redirected folder "Documents" to \\DOMAINCONTROLLER01\users\UserB\My Documents  <----???
     Redirection options=0x80009020.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Folder Redirection" Guid="{7D7B0C39-93F6-4100-BD96-4DDA859652C5}" />
        <EventID>501</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2015-01-09T17:07:59.668519200Z" />
        <EventRecordID>5017</EventRecordID>
        <Correlation ActivityID="{AC608459-4916-4F31-A221-0DB73F686C35}" />
        <Execution ProcessID="1156" ThreadID="13364" />
        <Channel>Application</Channel>
        <Computer>PC.DOMAIN.local</Computer>
        <Security UserID="S-1-5-21-4188890273-337180924-3510778672-2807" />
      </System>
      <EventData Name="EVENT_FDEPLOY_SucceededToApplyPolicy">
        <Data Name="FromFolder">Documents</Data>
        <Data Name="ToFolder">\\DOMAINCONTROLLER01\users\UserB\My Documents</Data>
        <Data Name="Options">0x80009020</Data>
      </EventData>
    </Event>

    There are 3 other successful FolderRedirection messages for the Videos, Pictures and Music folders.

    I then checked the Security Logs for the login event:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          09/01/2015 17:07:52
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      PC.DOMAIN.LOCAL
    Description:
    An account was successfully logged on.

    Subject:
                    Security ID:                         SYSTEM
                    Account Name:                 PC$
                    Account Domain:                             DOMAIN
                    Logon ID:                             0x3e7

    Logon Type:                                       2

    New Logon:
                    Security ID:                         DOMAIN\UserA
                    Account Name:                 UserB      <------????
                    Account Domain:                             DOMAIN
                    Logon ID:                             0x1fc9641
                    Logon GUID:                      {b4e87fd7-b860-39fd-e5f4-fce222c5b258}

    Process Information:
                    Process ID:                          0x344
                    Process Name:                  C:\Windows\System32\lsass.exe

    Network Information:
                    Workstation Name:        PC
                    Source Network Address:            -
                    Source Port:                       -

    Detailed Authentication Information:
                    Logon Process:                  Advapi  
                    Authentication Package:               Negotiate
                    Transited Services:          -
                    Package Name (NTLM only):       -
                    Key Length:                        0

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
                    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
                    - Transited services indicate which intermediate services have participated in this logon request.
                    - Package name indicates which sub-protocol was used among the NTLM protocols.
                    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4624</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2015-01-09T17:07:52.478590200Z" />
        <EventRecordID>3814</EventRecordID>
        <Correlation />
        <Execution ProcessID="836" ThreadID="8044" />
        <Channel>Security</Channel>
        <Computer>PC.DOMAIN.LOCAL</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">PC$</Data>
        <Data Name="SubjectDomainName">DOMAIN</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="TargetUserSid">S-1-5-21-4188890273-337180924-3510778672-2807</Data>
        <Data Name="TargetUserName">UserB</Data>
        <Data Name="TargetDomainName">DOMAIN</Data>
        <Data Name="TargetLogonId">0x1fc9641</Data>
        <Data Name="LogonType">2</Data>
        <Data Name="LogonProcessName">Advapi  </Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">PC</Data>
        <Data Name="LogonGuid">{B4E87FD7-B860-39FD-E5F4-FCE222C5B258}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x344</Data>
        <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
      </EventData>
    </Event>

    I am totally confused as to how this is occurring.

    Has anyone had a similar problem before?

    I have been using FolderRedirection with this setup at many different sites for many years, and it's the first time this particular event has cropped up.

    Any suggestions or help would be appreciated.

    Cheers,

    Craig.


    • Edited by Teppic47 Monday, February 02, 2015 7:50 AM Highlighting
    Friday, January 30, 2015 4:31 PM

All replies

  • Hi Craig,

    >>Security ID:                DOMAIN\UserA
    >>Account Name:             UserB      <------????

    How did we create the UserA? Here, we can try to use PowerShell to convert the SID of UserA to account name to check if it is correct.

    To do this, the following PowerShell command can be referred to.

    Convert SID to User Name using PowerShell

    http://blogs.msdn.com/b/mpeder/archive/2014/10/07/convert-sid-to-user-name-using-powershell.aspx

    Best regards,

    Frank Shen



    Monday, February 02, 2015 8:29 AM
    Moderator
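
    The check discussed above (resolve the SID recorded in an event and compare it with the name the event shows), as an added example that is not part of the original thread. It assumes the redirection layout from the question (\\server\share\%USERNAME%\...); the function names Resolve-SidToSam and Get-EventDataValue are made up for this illustration.

```powershell
# Added example (not from the thread). Run elevated on the affected workstation;
# reading the Security log needs administrator rights.

function Resolve-SidToSam {
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $acct = $sidObj.Translate([System.Security.Principal.NTAccount]).Value  # DOMAIN\name
        return $acct.Split('\')[-1]
    } catch {
        return $null   # unresolvable SID (deleted account, no DC reachable)
    }
}

function Get-EventDataValue {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1) Interactive logons (4624, LogonType 2) whose name disagrees with the SID.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents 5000 -ErrorAction SilentlyContinue | ForEach-Object {
    $x   = [xml]$_.ToXml()
    $sid = Get-EventDataValue $x 'TargetUserSid'
    if ((Get-EventDataValue $x 'LogonType') -ne '2' -or $sid -notlike 'S-1-5-21-*') { return }
    $resolved = Resolve-SidToSam $sid
    $claimed  = Get-EventDataValue $x 'TargetUserName'
    if ($resolved -and $resolved -ne $claimed) {
        [pscustomobject]@{ Time = $_.TimeCreated; EventId = 4624; Sid = $sid
                           SidResolvesTo = $resolved; EventNames = $claimed }
    }
}

# 2) Folder Redirection 501 events whose target path names a different user.
#    Assumes the thread's layout: \\server\share\%USERNAME%\...
$redirects = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 501
        ProviderName = 'Microsoft-Windows-Folder Redirection' } `
        -ErrorAction SilentlyContinue | ForEach-Object {
    $to = Get-EventDataValue ([xml]$_.ToXml()) 'ToFolder'
    if (-not $_.UserId -or $to -notmatch '^\\\\[^\\]+\\[^\\]+\\([^\\]+)') { return }
    $pathUser = $Matches[1]
    $resolved = Resolve-SidToSam $_.UserId.Value
    if ($resolved -and $resolved -ne $pathUser) {
        [pscustomobject]@{ Time = $_.TimeCreated; EventId = 501; Sid = $_.UserId.Value
                           SidResolvesTo = $resolved; EventNames = $pathUser }
    }
}

@($logons) + @($redirects) | Sort-Object Time | Format-Table -AutoSize
```

    Each row is an event where the SID resolves to one account while the logged name or redirected path points at another; comparisons are case-insensitive, so differences in capitalisation alone are not reported.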
  • >                  Security ID:                         DOMAIN\UserA
    >                  Account Name:                 UserB
     
    Double check all account properties in dsa.msc - seems something screwed
    UPN, samAccountName etc.
     

    Martin

    Fancy reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 02, 2015 8:39 AM
  • Check out this link to convert SID to user name and user name to SID:

    https://technet.microsoft.com/en-us/library/ff730940.aspx


    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
    IT Stuff Quick Bytes

    Monday, February 02, 2015 8:59 AM
  • Hi Frank,

    I am *told* by the engineer that he created the user directly into ADUC using Action -> New -> User

    My first thought was that he perhaps created one user, then Right Click -> Copy, and something went wrong, however cannot see anything to indicate this.

    I checked the SIDs, both resolve to the correct usernames.

    Cheers,

    Craig.


    • Edited by Teppic47 Monday, February 02, 2015 9:57 AM typo
    Monday, February 02, 2015 9:46 AM
  • Hi Martin,

    I have been through all of the Attributes several times, for both UserA and UserB, any reference to account, names, SIDs are correct - including UPN, samAccountName, objectSid and also all exchange attributes.

    There is an exchange server on domain, but not running on this server.

    UserA has logged into 3 separate machines, all with the incorrect RedirectedFolders

    UserB has logged into 2 separate machines, they all *try* to get the correct Folder Path, but it fails due to insufficient rights, as UserA has ownership.

    Cheers,

    Craig.

    Monday, February 02, 2015 9:55 AM
  • > I have been through all of the Attributes several times, for both UserA
    > and UserB, any reference to account, names, SIDs are correct - including
    > UPN, samAccountName, objectSid and also all exchange attributes.
     
    Hm - hopefully you agree with me that it MUST be something related to
    UserA. But I have no idea... Never seen such a thing :(
     
    Tried to delete and recreate UserA?
     

    Martin

    Monday, February 02, 2015 12:10 PM
  • I agree, it certainly feels like the problems are with UserA!

    I have not yet tried to delete/recreate, this is a live environment and said account is currently in use.

    We are only aware of the problem because of monitoring in place to make sure all users have redirection applying - and only on troubleshooting why UserB's folder redirection isn't working, did I stumble onto UserA's "issue".

    There were no documents in the folders so, I have changed ownership on the 'UserB' folder back to UserB, and I will monitor, but expect that redirection will now apply correctly for UserB.

    Not too sure what UserA will see: failing Redirection or Redirection to the correct location...

    Worst case, I will delete UserA over a weekend and recreate.

    Obviously I would much prefer to understand how this occurred, and try to ensure it does not happen again, but I am at a bit of a loss as to where to look.

    Cheers,

    Craig.

    Monday, February 02, 2015 1:56 PM
  • > Obviously I would much prefer to understand how this occurred, and try
     
    Me too - I've never seen such odd behaviour if the user account in AD is
    "clean"...
     

    Martin

    Monday, February 02, 2015 3:00 PM
  • Have you tried checking on user registry, the folder redirection settings?

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders



    Tuesday, February 03, 2015 4:02 AM