Announcement

Collapse
No announcement yet.

folder redirection without administrator access

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • folder redirection without administrator access

    I have a strange problem.

    I've setup folder redirection from a windows xp sp2 client, using windows 2003 r2 standad server os and the file server hosting the profiles is a samba 3.0.20b

    now roaming profiles work fine,
    but when i try to redirect the profiles, i get a lot of 1085 and 111 errors.

    now if i grant the user on the local client machine, local administrator privilege, it works.

    how can i get standard users with no local admiinstrative access to be able to redirect their folders?

    i've set on the gpo to not check ownership and unchecked the grant exclusive rights option.

    i'm not sure what i'm doing wrong.

  • #2
    Re: folder redirection without administrator access

    I don't have an answer to your question yet...

    We are building a server for folder redirection next week.
    I will be doing most of the configuration and testing select groups for consistency and controlled access before we roll out the new profiles in production.

    I will let you know how the project is progressing and if I can find an answer to your question then I will post it here. I am hoping this process goes smoothly and that I am not spending a lot of time searching for answers. Our network is somewhat congested already and I can forsee that being the first issue as I was told that if many users are demanding files from the server at the same time that in itself can be a potential bottleneck.
    ITPro
    MCSE, CCNA

    Comment


    • #3
      Re: folder redirection without administrator access

      Originally posted by roguecoolman
      I've setup folder redirection from a windows xp sp2 client, using windows 2003 r2 standad server os and the file server hosting the profiles is a samba 3.0.20b

      now roaming profiles work fine,
      but when i try to redirect the profiles, i get a lot of 1085 and 111 errors.
      Could you post the full errors? Also, are you changing the location of the roaming profiles or are you implementing folder redirection on these users that have roaming profiles?
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com

      Comment


      • #4
        Re: folder redirection without administrator access

        Essentially, the users have existing roaming profiles on a samba share that they were using for windows 2000 AD domain.

        now that i've migrated the users accts over to a brand new 2003 domain, I want to redirect the heavy portions of their roaming profiles.

        the users profiles data have been moved to a new samba share (basically just a copy) and their new ad accts on the new domain information in regards to profiles have been updated to reflect the new path.

        using GPMC on a domain controller to scan the results of the pc in question.

        i get the following event errors:

        eventid 1085
        The Group Policy client-side extension Folder Redirection failed to execute. Please look for any errors reported earlier by that extension.

        eventid 111
        Unable to apply folder redirection policy, initialization failed.


        on the pc itself:

        \\pc01\c$\WINDOWS\debug\UserMode\userenv.log

        there are a lot of these repeating entries:

        USERENV(2e4.2e 14:55:46:282 GetExclusionList: Failed to get file size of <C:\Documents and Settings\guest1\ntuser.ini>
        USERENV(2e4.2e 14:55:47:126 ReconcileFile: Unable to open temporary file
        USERENV(2e4.e74) 14:56:18:196 CreateEnvironmentBlock: Failed to open HKEY_CURRENT_USER, error = 5
        USERENV(2e4.e74) 14:56:18:196 ProcessGPOs: Extension Folder Redirection ProcessGroupPolicy failed, status 0xcb.
        USERENV(2e4.dbc) 14:56:18:915 PolicyChangedThread: UpdateUser failed with 6.
        USERENV(7e4.eb4) 14:56:21:055 GetProfileType: Profile is not loaded.
        USERENV(7e4.eb4) 14:56:21:195 GetProfileType: Profile is not loaded.
        USERENV(7e4.eb4) 14:56:21:195 GetProfileType: Profile is not loaded.
        USERENV(2e4.2e 14:59:34:344 ReconcileFile: Unable to open temporary file
        USERENV(2e4.2e 14:59:41:374 DeleteProfile: Failed to delete the appmgmt dir C:\WINDOWS\system32\appmgmt\S-1-5-21-797978787-527850745-3894884731-7423, error 2
        USERENV(2ec.2f0) 15:01:12:296 CUserProfile::CleanupUserProfile: Ref Count is not 0
        USERENV(2ec.2f0) 15:01:12:312 CUserProfile::CleanupUserProfile: Ref Count is not 0
        USERENV(2ec.2f0) 15:01:12:312 CUserProfile::CleanupUserProfile: Ref Count is not 0


        in the fdeploy.log

        15:03:20:510 Entering folder redirection extension
        15:03:20:510 Flags = 0x0
        15:03:20:541 Unable to apply folder redirection policy, initialization failed.






        i'm at a loss as to why this doesnt' work.

        Comment


        • #5
          Re: folder redirection without administrator access

          Originally posted by roguecoolman
          Essentially, the users have existing roaming profiles on a samba share that they were using for windows 2000 AD domain.

          now that i've migrated the users accts over to a brand new 2003 domain, I want to redirect the heavy portions of their roaming profiles.

          the users profiles data have been moved to a new samba share (basically just a copy) and their new ad accts on the new domain information in regards to profiles have been updated to reflect the new path.
          Are these new user accounts that are pointed to the old profiles? Depending on how you copied the profiles there may be some permissions issues. I'd check the permissions on the share and within the profile.

          Also, folder redirection is different than roaming profiles so when you say "I want to redirect the heavy portions of their roaming profiles" do you mean you're going to use folder redirection?
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com

          Comment


          • #6
            Re: folder redirection without administrator access

            I plan to use roaming profiles + folder redirection. So essentially I want to users to still login and their profiles roam like the old domain does, but now with our new domain, I want to redirect their: application data, my documents, my desktop folders to their home folder share that i've setup.

            i'll look into the permission. At this point I don't know if it's a samba issue or GPO misconfiguration.

            we were having an issue with authentication of our samba shares. We are using samba 3.0.20 and on the windows 2003, i had set to security policy: accept NTLM V2 only and reject all others, but then users couldn't get to their shares. Now i've toned it down to level 4, to accept NTLM V2, NTLM and reject LM. That allowed them to access their shares.

            So im not sure if this is related some how or not.

            Comment


            • #7
              Re: folder redirection without administrator access

              I'm not familiar with samba but I do know that NT 4 sp4 and later, 2000, XP, and 98 with dsclient installed all support NTLMv2. Very interesting that it would then allow you to now authenticate.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com

              Comment


              • #8
                Re: folder redirection without administrator access

                aparently the NTLM support for samba is buggy. NTLMV2 is suppose to be supported however does not work fully.


                I've went back to the basics and started troubleshooting with just roaming profiles.

                here is what i have discovered.

                if the user is newly created, everything works fine with just roaming profiles.

                now if i have a user that already has a roaming profile from the previous domain, i sign in with that username and password to the new domain, the desktop shell is screwed up. Not all the task bar icons get loaded up and some of the shell elements (like the right click context menu for creating new file types don't show up). But the profile does roam.

                so i started thinking perhaps it's registry permission issue. I explored into HKUSERS and located the CLSID for the user i'm using. I noticed that the 2 CLSID under HKUSERS (CLSID and CLSID + Classes keys), only one of them has the user with full control. The CLSID + classes key has that, but the CLSID key for the user does not. Infact the user acct isn't even in the ACL.

                after i've added the user account to the CLSID key and granted full control, the desktop is fine again.

                so it's strange to me why the registry permission would screw up like this. The roaming profile works under the old domain, why does not it work under the new domain. I mean it works in the sense the profile roams, but the strange registry shell permission.

                i had thuoght, i was able to just simple have the users sign onto the new domain and windows would update the information on the profiles automatically.

                still unclear what's going on here.

                Comment


                • #9
                  Re: folder redirection without administrator access

                  ok status update:


                  So far the easiest way to migrate my current users is to just rename their ntuser.dat file and let windows create a new ntuser.dat.

                  this way it maintains their desktop / my documents files.

                  The sad part is, all the user settings are gone.

                  What i don't understand is that these profiles have already been used on windows xp for atleast a year.

                  is moving to a new domain using the same data, really not allowed? Does the profile some how retain it's old SID from the old domain and cannot modify it's own hive with the new SID?

                  this is frustrating.

                  Comment


                  • #10
                    Re: folder redirection without administrator access

                    Originally posted by roguecoolman
                    ok status update:

                    is moving to a new domain using the same data, really not allowed? Does the profile some how retain it's old SID from the old domain and cannot modify it's own hive with the new SID?

                    this is frustrating.
                    You should have metioned that part from the start. Profiles are tighed to SID. Unless you have migrated users with sIDHistory and performed profile translation using ADMT (or similar) tool, the profiles are considered foreign despite having the same name.
                    Guy Teverovsky
                    "Smith & Wesson - the original point and click interface"

                    Comment


                    • #11
                      Re: folder redirection without administrator access

                      so if i migrate the sIDHistory this will work?

                      because the profiles are already roaming to start with, then translating is not necessary? or am i wrong on this?

                      Comment


                      • #12
                        Re: folder redirection without administrator access

                        AH HA!!! that did it!!

                        thanks GUYT!!!

                        Comment

                        Working...
                        X