Thread: Redirected folder structure

  1. #1
    tonyr63

    Hi

    We used Group Policy to set up folder redirection and we found that everything works OK until we enable 802.1x on the switch port. This caused redirection to fail with an error that it cannot access the DC hosting the redirected folders even though we can see the network once the network login has completed.

    On examination of the folder structure on the server we notice that it appears inconsistent. E.G.

    User A
    Desktop
    User A's Documents
    User A's Music
    User A's Pictures

    User B
    Desktop
    My Documents
    My Music
    My Pictures

    Q. Since I only created the root Redirected$ folder and the system created the rest of the folder structure as each user logged on, why do some have a mirror of their client folder structure and others have the different naming structure as per User A above? All clients are XP Pro SP2.

    To see the structure I had to take ownership of each folder one by one. Is there a better way for the Administrator to get access to the folder structure, as by default they are locked out? It is a major design flaw that administrators are locked out in this fashion even if they can regain access by taking ownership.

    Q. What extra considerations do I need to account for if using 802.1x enabled ports with MS certificate server running EAP - TLS with both User and Computer certs with auto enrollment to get folder redirection to work consistently?

    Many Thanks

  2. #2
    AdamV

    Admins should own systems, not data.
    It is not (in my opinion) a design flaw for this to be the default behaviour, since there should be no need for an admin to gain access to these documents, and many countries have laws in place regarding privacy that makes this a big no-no.

    You can change the behaviour so that admins do have this access, but IIRC this only takes effect on new redirections, not existing.

  3. #3
    tonyr63

    Hi AdamV

    I could debate with you whether data created on corporate systems in corporate time is owned by the corporation and NOT the personal property of the author but this would not be the best forum for that.

    Any ideas why a different folder structure is created?

    Many Thanks

  4. #4
    graycat

    Is user A on an XP machine and user B on a 2000 Pro machine by any chance?

    Tim/.

  5. #5
    tonyr63

    Hi Tim

    As stated in my original post "All clients are XP Pro SP2."

  6. #6
    AdamV

    Is there only one user which has "User B's documents" etc?

    If you look at local profiles on a machine I think you will find that it only shows up like this for the currently logged-on user. Is it possible this is related?

  7. #7
    tonyr63

    Hi

    There are several users with the file structure different from the standard My Documents naming structure. Note that this naming arose from users logging on and was not created manually.

    To further test, in the absence of further suggestions, we did the following to try to test again from scratch.

    We removed 2 workstations from the Domain and re-imaged 1 of them as XP Pro SP2 & just deleted all profiles from the other. We deleted the computer accounts of the 2 removed workstations from the domain & forced replication, making sure they were removed from every instance of the directory. We edited the User Group Policy for both Light & Highly Managed parent GPO to point to a newly created Redirected$ folder created on a 2nd DC in the domain.

    We joined the domain with one of the new workstations connecting to a static port (non 802.1x) and it received its computer certificate OK and issued a user cert to the administrator. This was confirmed via the switch control s/w and the MS MMC Certificates snap-in. We put this computer into a highly managed computer OU so that it would get the User and Machine policies including the amended redirection path.

    We logged back in as a Highly Managed user with the w/s connected to an 802.1x enabled port to see if auto enrolment would work. It failed as expected. We reconnected the w/s to a std port and the Highly Managed user got its certificate, however redirection & logon scripts failed. We logged in as a highly managed user a 2nd time and everything seemed to work. We switched the port back to 802.1x enabled and retested several times and redirection fails every time saying it cannot find the DC. Unusual observations gathered as follows:

    1. The client side redirection details page was showing that the workstation trying to connect to BOTH the old redirection server as well as the new server on the machine that was not reimaged? We searched the registry and found a reference to the old server in the HKEY_Users……\NetCache\ Shares which we deleted. It appears that deleting a profile does not remove all registry keys.

    2. Despite deleting the old redirected server reference we still get an error on logout redirection as it still attempts to connect to the old server. Where is the reference to this old server coming from?

    3. We still cannot get redirection and logon scripts to run reliably on w/s connected to 802.1x ports even when they have been provisioned 1st by logging in the user to a static port 1st to obtain the user certificate. We have applied the registry setting as recommended in KB 840669 to no good effect.

    4. It appears that the client side redirection messages are always misleading: we have seen it say it completed successfully when we know that we had no connectivity to the server, and it reports failure often when it actually appears to have successfully copied files created locally. Running RSOP and examining the error logs does not reconcile with the client side error messages.

    Does Microsoft support the proper function of XP with Group Policy and redirection using a w/s connected to an 802.1x port, as our testing suggests otherwise?

    Any suggestions of further tests we can do before looking at non Microsoft solutions?

  8. #8
    JerryC

    ========================================
    Here are some comments, thoughts, and questions...
    ========================================

    <<It appears that deleting a profile does not remove all registry keys.>>

    That sounds like a correct assessment. Some details about user accounts that have logged on previously are stored within the HKLM hive (e.g. the HKLM side will register details of a user resetting their profile's type from "Roaming" to "Local" mode...but only after they have logged on the first time and changed their profile's type). For your situation, have you checked the obvious "My Network Places" and cleared out those 'cached' values as well?

    <<...the client side redirection details page...>>

    Which log are you referring to here?

    What are the Share level and NTFS level permissions on your server-side shares?

    Have you engaged Client-side offline caching of the redirected folders from the server shares?
    If so, is this done from the server "share" side of things or via GPO targeted at the client devices?

    Are your customer devices desktops, laptops, both?

    You may find that Wireless access is VERY problematic. Roaming Profile and Folder Redirection technologies are...mmm..."touchy"... even in well connected environments. Adding wireless to the mix adds additional complexities. I know of situations today where security precautions preclude any access (other than simple IP assignment) to the domain unless the wireless access session to the domain is either pre-established at the GINA or access is separately established by the End User after that user has already logged on (too late for redirection to work). Add the same types of issues at logoff and you can see that this is totally dependent upon that "link" to the domain being in place at all times for this to work.

    Have you verified that the same issues occur after having the user account logon, logoff, and then logon again? I have seen that correct many of these kinds of issues...and "what a pain" that is.

    On boot-up, are your devices "waiting for the network" to process GPO settings...in other words, have you disabled the Windows XP Fast Boot Logon feature by setting the Computer-side setting Always wait for the network at computer startup and logon to Enabled?

    In your environment, "when" is true connectivity established to the domain? I see notes about machine and user certificates, but nothing about how you are verifying that domain connectivity (not simple IP assignment) is actually established and "when" in the boot up process it occurs.

    I do not see it mentioned, but are you also configuring RUP (Roaming User Profiles) in your environment?

    ==============================================
    Admin and/or Customer Support access to user's data: The issue is a legal one and varies by jurisdiction. Other readers of these messages should make note of this and make similar efforts to determine the appropriateness of user data access by Server Admins or other support staffs. Make sure to perform the "legal" review appropriate to your environment.

    I will add this comment from a practical support standpoint: You may find that granting access rights to local Server Administrators as well as certain Customer Support Analysts to be a solid "practical" requirement. There can be daily (even hourly) Help Desk calls where permissions need to be corrected or for times in which Customer Support Analysts need to access the server-side or client-side data to help manage or restore the End User's information.

    While you should not grant Admin level access to Customer Support Analysts on servers, you might find it necessary to run nightly scripts which grant them Modify permissions to that data...again, after due diligence verifying the legal standards appropriate to your company's situation.

    This is especially true if a company and its employees handle ANY Government or ANY Export Restricted data. In these situations, you will have to perform vulnerability assessments which should include end-to-end analysis of access to the data. Watch out for situations where Server Administration or End User support has been Outsourced. If outsourced, your company may have to impose very strict Nationality and/or Foreign Person guidelines within the outsource support contracts and then audit them all the time.
    ============================================
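    The nightly "grant Modify to support staff" job JerryC describes, and the audit of who actually owns each redirected folder that tonyr63 had to do by hand, as an added PowerShell example that is not code from this thread. It assumes the Redirected$ share lives at $Root and that a support group named $SupportGroup exists; both are placeholders, and nothing is changed unless -Apply is given.

```powershell
# Added example (not from the thread). Audits every user folder under the
# folder-redirection root and, with -Apply, grants a support group Modify.
# $Root and $SupportGroup are assumed placeholder values.
param(
    [string]$Root         = 'D:\Redirected$',      # local path behind the Redirected$ share (assumed)
    [string]$SupportGroup = 'CONTOSO\HelpDesk',    # support group to grant (placeholder name)
    [switch]$Apply                                  # report only unless this switch is present
)

# Modify, inherited by the user folder's subfolders and files, is enough to
# repair or restore a user's data without handing out Full Control.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$modify    = [System.Security.AccessControl.FileSystemRights]::Modify
$rule      = New-Object System.Security.AccessControl.FileSystemAccessRule(
                 $SupportGroup, $modify, $inherit, $propagate, 'Allow')

$results = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    # Folders created with "exclusive rights" are owned by the user; an admin who is
    # not on the ACL cannot even read it and must take ownership first, so report it.
    $acl = $null
    try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { }
    if (-not $acl) {
        [pscustomobject]@{ Folder = $dir.Name; Owner = '(access denied)'; SupportAccess = $false; Changed = $false }
        continue
    }

    # Does an Allow ACE for the support group already carry at least Modify?
    $has = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SupportGroup -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }

    $changed = $false
    if (-not $has -and $Apply) {
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        $changed = $true
    }
    [pscustomobject]@{ Folder = $dir.Name; Owner = $acl.Owner; SupportAccess = ([bool]$has -or $changed); Changed = $changed }
}

$results | Format-Table -AutoSize
```

    For folders reported as "(access denied)" the script cannot add the ACE; ownership has to be taken first, which is the per-folder step the original post complains about, and which the "Grant the user exclusive rights" redirection setting avoids only for folders created after it is changed.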

  9. #9
    grauch

    Out of curiosity, have you tried adding appdata to replicate the certificate stores?
