Folder redirection.... isn't! <- now resolved
I know a lot has been written about this (emotive!) subject, and XP SP3 made it all the more fun to deal with, but I'm wondering if anybody can give some advice here, or pointers to where the problem might lie.
I'll try to give as much info as possible having read some of the other folder redirection threads, so this will be quite long. Bear with me! :)
One of our feeder schools has a Windows XP network - mainly SP2 machines - controlled by a pair of Server 2003 boxes. Folder redirection is used for staff and students to give a consistent set of desktop and start menu icons.
This is achieved through a single GPO that uses the "advanced" redirection settings to shift the start menu and desktop folders based on group membership:
Pupils desktop redirects to \\DUMBLEDORE\profiles\redirection\pupil\desktop
Pupils start menu redirects to \\DUMBLEDORE\profiles\redirection\pupil\startmenu
Staff desktop redirects to \\DUMBLEDORE\profiles\redirection\staff\desktop
and their start menu goes to \\DUMBLEDORE\profiles\redirection\staff\startmenu
The GPO is configured so that the computer configuration side is disabled, and all other settings apart from the folder redirection are left as "not configured" so interference with other GPOs should be minimal.
Recently, it came to our attention that "on occasion" it wasn't working. According to the school staff anyway - when I looked at it today, it seemed to me like it wasn't working at all! :mad:
Further investigation showed that the pupils can log in fine but they receive a blank desktop and start menu. There are two application event log errors generated: one for Folder redirection ("Access denied") and the other for Userenv stating that the folder redirection policy was unable to be applied.
Staff using the same GPO linked against their OU can log in fine, and get their redirected desktop and start menu - albeit very sluggishly but I think this is more to do with Symantec carrying out a boot-time scan and me not being patient enough with the workstations than with the network.
The access denied message initially suggested a permissions issue on the source directory the redirected folders are stored in - but when checked, they are identical for pupils and staff: Domain Admin and SYSTEM user contexts have full control, pupils and staff groups have "read only" - both at file and share level.
Users are correctly assigned to either group and to rule out a local permissions issue on the workstation, I added my test pupil user to the local administrators group to see what it did. There was no change - folder redirection did not work.
I discovered while I was experimenting with permissions that adding the pupil users group to the BUILTIN\Administrators group then allowed the folders to be redirected correctly.
I know this is "a touch insecure" so it's not been left like that but it does suggest a permissions issue - however I can't for the life of me find where the trouble may be. I've checked the permissions on the GPO itself to confirm the user groups can read and apply it, the share and file permissions on the directories where I want the redirections to go. I've even checked the ownership of the bloody folders in case that had some bearing on it!
But no luck so far. I even went as far as applying SP3 to a workstation and then re-imaging it completely using a fresh WDS image with SP3 slipstreamed in to avoid any SP2->3 upgrade issues - but this did not cure the problem.
It seems the only way I can possibly make it work is to leave the pupils user group a member of Administrators.... Noooooooooo!
Now this network has been inherited so I wouldn't be in the least bit surprised to have missed something blatantly obvious but I've spent all afternoon staring at the problem and can now no longer see the wood for the trees so a fresh perspective is required.
Thanks in advance! :)