Thread: folder redirection in a heterogeneous environment

  1. #1
    zstokes

    I've been working on this problem for about two weeks now, and I can't seem to find a definitive solution anywhere....hopefully the experts here can help.

    I have created a folder redirection GPO for Desktop and My Documents. First off, anyone who has administrative access has no problems getting this to work. Permissions problem, right? I'm not so sure...

    My shop is truly heterogeneous; Linux, OS X, Windows XP, Windows Server 2003 R2. Everyone's UNIX home directory is stored on a NetApp, in a UNIX-style qtree. Windows users have roaming profiles that are stored WITHIN these qtrees, accessed via CIFS. There are ZERO problems with the roaming profiles...profile location is set up via the profile path attribute on my AD (which is sync-ed with a RedHat Directory Server....a real nice setup).

    Because we have users that log into all different types of architectures, I want to consolidate two directories across platforms: Desktop and Documents. This way, whatever is on the Desktop or in the various Documents directories is available cross-platform. So, what I am trying to do is this:
    GPO is set up to redirect Desktop to \\servername\dirname\%username%\Desktop. This is accessed via CIFS, but is stored within a UNIX-style volume - this means I cannot set NTFS permissions here. Share permissions are set such that Everyone has Full Access to parent and child directories. Also, I'm trying to redirect My Documents to \\servername\dirname\%username%\Documents in the exact same way.

    This GPO works fine for anyone in an administrative group, but it also works fine if the user does not have Documents and/or Desktop directories in their UNIX homedir. If the GPO is allowed to create them, the GPO succeeds. IF THESE DIRECTORIES ALREADY EXIST is where I'm having the problem. I always get Event ID#s 1085 and 111 when the directories already exist. This is why I'm leaning towards the fact that NTFS permissions are probably the issue....make sense?

    I can provide more details if need be, but this is the gist of my problem. Anyone ever come across anything that remotely resembles this problem before?

    TIA,
    Z

  2. #2
    JerryC

    I believe you've nailed it. My experience with Roaming and Redirection indicates that the system is "very" touchy with regards to permissions and root folder ownership. The best solution I've found is to allow the Windows Client systems to "create" the folder structures themselves.

    To implement within your environment might require changing the paths for problem accounts. If the account's Roaming and Redirected paths really need to stay the same, then perhaps you could try changing to a different path (just temporarily), wiping out the old folder structure (After validating that you have the user's data intact elsewhere... "First, do no harm."), and then repointing their path back to the original.

    =====================================

    :lol: I suppose another resolution would be to dump all that ancient Linux and Apple stuff (they are so ... 'last century' and 'next' century respectively) and go Windows only. :lol:

    Well, at least Bill would be happy...

    We've got tons of UNIX, Linux, Mainframe, etc... as well. :wink:

    =====================================

    More seriously, one additional thing you wrote caught my attention:

    << Share permissions are set such that Everyone has Full Access to parent and child directories >>

    Really!!! I hope you do not run into any SOX issues. I've got 50,000 (plus) Roaming Profiles and not a one of them is allowed to see each other's data. It's purely a security issue. Food for thought.

  3. #3
    zstokes

    Quote Originally Posted by JerryC
    To implement within your environment might require changing the paths for problem accounts.
    I've thought about writing a script to actually do this (my userbase is < 1000) but I got lazy. At least setting up these redirections is just a luxury, not a necessity.

    Quote Originally Posted by JerryC
    I suppose another resolution would be to dump all that ancient Linux and Apple stuff (they are so ... 'last century' and 'next' century respectively) and go Windows only.
    BLASPHEMY!!!
    I'm a Mac fan in a pretty big way....now if they had just used a System V kernel instead of this bastardized version of BSD...

    Quote Originally Posted by JerryC
    More seriously, one additional thing you wrote caught my attention:

    << Share permissions are set such that Everyone has Full Access to parent and child directories >>

    Really!!! I hope you do not run into any SOX issues. I've got 50,000 (plus) Roaming Profiles and not a one of them is allowed to see each other's data. It's purely a security issue. Food for thought.
    No worries...that was just for testing, and my industry is about as far away from SOX as possible. My company makes cartoons...

    Thanks for the response.

  4. #4
    Eric

    I've seen this before, and it was when I was attempting to redirect to a folder that was already created that my user didn't have OWNERSHIP over. I granted the user ownership and everything worked after that. I believe when the system creates the folders for purposes of redirection, it automatically grants the user ownership.

    Do you have the 'Grant the user exclusive rights' check box checked? I believe if this is unchecked, folder redirection will not look for ownership of the folder. Instead, it will assume the permissions are correct and continue processing the folder redirection.

    Here's a Microsoft link that might help. It's the roaming profile and folder ownership FAQ:

    http://www.microsoft.com/technet/community/en-us/management/manage_faq.mspx

    Hope that helps

    Eric
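
Added example, not part of any post in this thread: a PowerShell (3.0 or later) audit of pre-existing redirection targets for the two conditions raised above, an owner that is not the user the folder belongs to, and a write-level Allow entry for Everyone or Authenticated Users. It reads the file-system ACL as presented over the share, not share-level permissions; the `-Root` and `-Domain` values, the English account names, and the assumption that each directory under the root is named after its user are placeholders for illustration.

```powershell
# Added example: audit existing Desktop/Documents folders before enabling redirection.
# Assumes each directory directly under $Root is named after the account that uses it.
function Test-RedirectTarget {
    param(
        [Parameter(Mandatory)] [string] $Root,      # placeholder, e.g. \\servername\dirname
        [Parameter(Mandatory)] [string] $Domain,    # placeholder NetBIOS domain name
        [string[]] $Folders = @('Desktop', 'Documents')
    )
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $broadNames = @('Everyone', 'NT AUTHORITY\Authenticated Users')   # English names

    foreach ($userDir in Get-ChildItem -LiteralPath $Root -Directory) {
        $expectedOwner = "$Domain\$($userDir.Name)"
        foreach ($name in $Folders) {
            $path = Join-Path $userDir.FullName $name
            if (-not (Test-Path -LiteralPath $path -PathType Container)) {
                continue   # absent: the client creates the folder on first redirection
            }
            $acl = Get-Acl -LiteralPath $path
            # Allow entries granting Modify (or more) to a broad group
            $broad = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broadNames -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights) -band $modify) -eq $modify
            })
            [pscustomobject]@{
                Path          = $path
                Owner         = $acl.Owner
                OwnerMatches  = ($acl.Owner -eq $expectedOwner)
                BroadWriteAce = ($broad.Count -gt 0)
            }
        }
    }
}

# Usage (placeholder values): list only the folders that need attention.
# Test-RedirectTarget -Root '\\servername\dirname' -Domain 'EXAMPLE' |
#     Where-Object { -not $_.OwnerMatches -or $_.BroadWriteAce }
```

On a UNIX-style volume the owner and ACL returned are whatever the filer maps from the UNIX ownership and mode bits, so a mismatch here points at the user mapping rather than at an NTFS setting.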
