Folder Redirection Failed due to the error listed below. Event ID 511 on client.

    Question

  • I had an existing GPO that redirects user folders to their home (F:) drive. It's been working fine forever. That is at a higher OU level. At a lower OU level, where my user I'm targeting exists, I have a 2nd folder redirection GPO, that's an exact copy of the higher one, but with one addition, and that's adding AppData folder redirection. The user belongs to a group that I'm filtering to on the lower OU gpo. On the higher GPO, I didn't know if necessary, but to be safe, I added that same group to Delegation with Deny on Read permission. (However, in gpresults, the higher one still shows under "Applied GPOs" (along with the lower GPO).) I do have 'Domain Computers' added to Delegation with Read permission on the lower GPO (necessary due to Microsoft gpo permission changes caused from KB3163622).

    In the images following, the settings shown for 'Documents' is representative of the majority of my redirected folders. But for AppData as you see in the image, I have slightly different ones. My idea is not having 'Move' checked it just copies to F: then. And I chose 'Redirect the folder back' when policy removed, as a safety issue, so a user's session wouldn't blow up due to missing AppData folder if the GPO was ever un-Linked for whatever reason. At any rate, I don't think these are the issue.

    For the first tab (Target) for all redirected folders I have "Basic-Redirect everyone's folders to the same location" and for target folder location, 'Create a folder for each user under the root path'. The user has Modify permissions on their entire F: drive, and he can manually create folders/files on his F drive.

    When I run a GP Results, under "User Details", Component Status has a yellow ! with this message after Folder Redirection Failed due to the error listed below.
    Access is denied.   Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 4/25/2017 6:07:33 AM and 4/25/2017 6:07:33 AM.

    If I click "View Log" next to that, among the various entries, I see 1085 "Windows failed to apply the Folder Redirection settings. Folder Redirection settings might have its own log file. Please click on the "More information" link." (but I see no such link, where is it?)  If I click the blue "Event XML" link to the right, it won't let me copy the text out so I can't type it all sorry, too long, but toward the end, there is <Data Name='ErrorCode'>2147942405</Data><Data Name='ErrorDescription'>Access is denied.</Data><Data Name='DCName'>\\dc1.domain.com    (I hid the name of my domain controller/domain for confidentiality).

    Checking Application log on the client workstation that I'm trying to apply the policy to, there's an error  Event ID 511  

    The description for Event ID 511 from source Microsoft-Windows-Folder Redirection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event: 
    Access is denied.
    The handle is invalid





    • Edited by dilbert2015 Tuesday, April 25, 2017 3:42 PM
    Tuesday, April 25, 2017 3:31 PM
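
The Event 1085 fields quoted in the question can be extracted and decoded in PowerShell instead of being read from the GP Results viewer. This is an added example, not part of the original thread: the sample XML is constructed from the values quoted above, and `ConvertFrom-GpFailureEvent` is a hypothetical helper name.

```powershell
# Added example. The event XML is constructed from the fields quoted in the
# question; DCName is the poster's redacted placeholder, not a real host.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1085</EventID></System>
  <EventData>
    <Data Name="ErrorCode">2147942405</Data>
    <Data Name="ErrorDescription">Access is denied.</Data>
    <Data Name="DCName">\\dc1.domain.com</Data>
  </EventData>
</Event>
'@

function ConvertFrom-GpFailureEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Turn the <Data Name="..."> elements into a name -> value lookup.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # ErrorCode is an HRESULT that the event prints as an unsigned decimal.
        $hr       = [uint32]$data['ErrorCode']
        $facility = ($hr -shr 16) -band 0x1FFF
        $code     = [int]($hr -band 0xFFFF)
        # FACILITY_WIN32 (7) wraps a plain Win32 error that the OS can describe.
        $meaning  = if ($facility -eq 7) {
            ([ComponentModel.Win32Exception]$code).Message
        } else {
            $data['ErrorDescription']
        }

        [pscustomobject]@{
            EventId   = [int]$evt.System['EventID'].InnerText
            HResult   = '0x{0:X8}' -f $hr
            Win32Code = $code
            Meaning   = $meaning
            DCName    = $data['DCName']
        }
    }
}

$sampleXml | ConvertFrom-GpFailureEvent

# Live use on the affected client (Group Policy logs 1085 in the System log):
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1085 } -MaxEvents 5 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-GpFailureEvent
```
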

Answers

  • Figured it out, hope it helps others.   One of the errors led me to an MS article  https://support.microsoft.com/en-us/help/978098/errors-when-you-have-a-large-folder-redirection-policy-settings-file-in-windows-vista,-in-windows-7,-in-windows-server-2008,-or-in-windows-server-2008-r2  saying too many folder redirections, and to break up GPO into several.  

    I unblocked upper GPO from my user, & edited lower one to remove the same folder redirections that were present in the upper one, but left only the AppData one (which is not in the upper one).   This additive method fixed the issue.  Upon login, I got a black background on the desktop and all redirected folders were created on F: including appdata.

    The need for this made no sense to me, since I was supposedly blocking that upper group, but maybe the fact that it looks to see if the policy is blocked was enough.  Either way, it worked.



    • Marked as answer by dilbert2015 Wednesday, April 26, 2017 5:10 PM
    • Edited by dilbert2015 Wednesday, April 26, 2017 5:51 PM
    Wednesday, April 26, 2017 5:10 PM

All replies

  • On 25.04.2017 at 17:31, dilbert2015 wrote:
    > Checking Application log on the client workstation that I'm trying to
    > apply the policy to, there's an error  Event ID 511
     
    Permissions, Permissions or Permissions.
    - Share or NTFS on Server side, especially if you check: "Grant exclusive
    rights", then the users need FULL access.
    - GPO permissions, when the computer is not allowed to read the users GPO
    - The Client Side Cache (CSC) needs to be reset or deleted
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    Tuesday, April 25, 2017 3:43 PM
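
The second item in the list above (the computer account cannot read the user's GPO, the MS16-072/KB3163622 change mentioned in the question) can be audited across a domain. This is an added example, not from the thread: it assumes the GroupPolicy PowerShell module is installed and English group names, and `Test-GpoComputerRead` is a hypothetical helper name.

```powershell
# Added example: list GPOs where neither Authenticated Users nor Domain Computers
# holds a Read-capable permission, so security-filtered user GPOs may fail to apply.
Import-Module GroupPolicy

# Assumption: English built-in names; localized domains use translated names.
$computerTrustees = 'Authenticated Users', 'Domain Computers'
# Standard permission levels that include Read on the GPO.
$readCapable = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoComputerRead {
    param([Parameter(Mandatory)]$Gpo)

    # Full delegation list for this GPO.
    $acl  = Get-GPPermission -Guid $Gpo.Id -All
    $hits = $acl | Where-Object { $computerTrustees -contains $_.Trustee.Name }

    [pscustomobject]@{
        Gpo             = $Gpo.DisplayName
        # True when one of the two trustees has a standard level that includes Read.
        ComputerCanRead = [bool]($hits |
            Where-Object { $readCapable -contains "$($_.Permission)" })
        # Entries reported as GpoCustom need a manual look at the ACL.
        CustomTrustees  = ($acl |
            Where-Object { "$($_.Permission)" -eq 'GpoCustom' } |
            ForEach-Object { $_.Trustee.Name }) -join ', '
    }
}

Get-GPO -All |
    ForEach-Object { Test-GpoComputerRead $_ } |
    Where-Object { -not $_.ComputerCanRead -or $_.CustomTrustees } |
    Sort-Object Gpo |
    Format-Table -AutoSize
```

A GPO on this list is a candidate for review, not a confirmed fault: the computer account may still get Read through another group that the script does not check.
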
  • Mark,

    "especially if you check: "Grant exclusive rights" -->> I don't have it checked.  And we've been working fine for the other redirected folders (from the higher GPO) for a year now.  I wouldn't want to do that anyway, because I wouldn't have easy access to their folder to delete if needed....

    'GPO permissions, when the computer is not allowed to read the users GPO'---> As I said I have Domain Computers in Delegation with Read permissions on the GPO (necessary since am filtering and removed Authenticated Users, per MS16-072\KB3163622 article)

    'The Client Side Cache (CSC) needs to be reset or deleted' --->  Not familiar with this, but may be a possibility, I'll look up how to do it.

    Thanks



    • Edited by dilbert2015 Tuesday, April 25, 2017 3:54 PM
    Tuesday, April 25, 2017 3:48 PM
  • Is it as 'Matze' recommends in this post, do step 4 then 1?


    https://serverfault.com/questions/624019/how-to-completely-reset-group-policy-on-a-domain-member


    • Edited by dilbert2015 Tuesday, April 25, 2017 4:50 PM
    Tuesday, April 25, 2017 3:59 PM
  • Hi,
     
    On 25.04.2017 at 17:48, dilbert2015 wrote:
    > 'The Client Side Cache (CSC) needs to be reset or deleted'
     
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
     
    Tuesday, April 25, 2017 5:04 PM
  • Thank you.

    The Parameters key already existed.  I'm doing the rest of the steps though.  I'm doing all this under an account that's a local admin on the client machine. (Not as the user, who is highly restricted). Hopefully that is okay.

    Each time I test, I'm deleting the local user profile of my test user, to have a fresh start.

    I'll report back on results.



    • Edited by dilbert2015 Tuesday, April 25, 2017 10:32 PM
    Tuesday, April 25, 2017 5:12 PM
  • No luck.  I knew right away it wasn't working, as upon login, it got the desktop very quickly.  And a check of his F: shows zero redirected folders.  The FormatDatabase entry under Parameters disappeared, so I assume it thinks it did what it needed to do.   Same error in gpresults as before.  There are some other steps discussed in this link:  https://social.technet.microsoft.com/Forums/windows/en-US/4b7ff5f3-e1ab-4749-831d-0cb745442505/rebuilding-offline-file-cache-created-via-group-policy?forum=w7itpronetworking    

    Do any of those steps maybe need done too (besides the FormatDatabase entry and rebooting)??

    As a test, I disabled my lower-level OU folder redirection GPO, then removed the user from the group that I'm DENYing "Read" permission to on the higher-level OU folder redirection GPO (same group that I was filtering to on the lower GPO, now disabled), then logged in as him.  I got the spinning busy circle, before getting the Desktop.  I check his F drive and there's all the original, redirected folders (from the old, original higher-level folder redirection GPO), minus of course AppData, which was my goal with the lower-level GPO, to not affect all my users during testing.  Back to square zero. :-(








    • Edited by dilbert2015 Tuesday, April 25, 2017 10:33 PM
    Tuesday, April 25, 2017 5:25 PM
  • On 26.04.2017 at 19:10, dilbert2015 wrote:
    > [...]  saying too many folder redirections, and to break up GPO into several.
     
    Thanks, never had that issue.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
     
    Thursday, April 27, 2017 6:04 AM