Need help with Group Policy

I added a group policy to perform folder redirection. Users log in to a Terminal Server called AR-TS.
The Domain controller is AR-SRV. The folder redirection is not taking effect. I’m stumped.

From looking at your picture I would guess you don’t have users in the OU that the policy is connected to. Group policies with user settings should be connected to an OU that contains the users you want to target. Your next question will probably be, “but I only want it to apply to those users when they connect to that specific server!”, in which case I would look at loopback policies. I haven’t used them for a very long time, but I think they do what you would want in that situation.

1 Like

Thanks Acestes.

The Group is called “Terminal Server Lockdown” and all the users are part of that group.

What version of Windows Server is the DC?

Windows Server 2012 R2

So it looks like a user based GPO and chances are you don’t have users in your TerminalServerLockDown OU. I would create a test user and put them in that OU to see if it works.

Ok this was built by someone else. So I’m trying to understand it.

Here is the OU
Capture2

And here is the security group and users
The users are all part of the group Terminal Server Lockdown

As @FredFerrell and I have suggested, you don’t have the policy linked to the correct OU. You need to have the policy linked to the OU that contains the users. The group of users simply allows access to the policy, but the policy must still be applied to the OU that contains the users. In your case the policy should be linked to AR_Users_Groups. If you are going to do that, I would highly suggest you create a new OU in AR_Users_Groups and attach the policy to that, to test that it works by moving a user to the new OU.

Edit: Or as @FredFerrell suggested and I completely missed, just create a user in the TerminalServerLockDown OU

2 Likes

Create a sub folder under AR_Users_Groups called TS Users. Drop the Terminal Server Lockdown security group into that folder you just created. Then go back and apply the GPO to the new folder.

1 Like

I was going to try to help, but Fred has it covered. I’ve had some good luck and some bad luck with folder redirects, but mostly that was on 2008r2 and win7. Now on 2016 (probably 2019 this summer) and win10 it seems to be working better.

One thing I did differently this time was to redirect to a specific folder within the user’s storage space. When I redirected just to the user’s storage, things got messy. Hoping this is part of a much bigger re-do this summer. Example path: `\\storage server\student share\%username%\redirect folder`. And moved my docs, videos, music, etc. to this folder. I can look up the specific GPO if it would help.

Thanks everybody I’ll give this a shot!

If you need to apply that GPO specific to your terminal servers, you probably need to configure Group Policy loopback mode processing mode, either within the same GPO or a new one applied to your terminal servers.

Computer Configuration->Admin Templates->System->Group Policy “Configure user Group Policy loopback processing mode”. Enable it, and set to Merge.

We utilize this when users connect to our Terminal servers and we need to store their TS profiles on a network share, but otherwise leaves their profiles alone when connecting to a traditional desktop.

So go into active directory and create a subfolder under AR_User_Groups called TS Users?
How do I create a subfolder? Or do you mean Group?
There is already a security group in there called Terminal Server Lockdown that includes all the users.

I appreciate you guys helping!

“So go into active directory and create a subfolder under AR_User_Groups called TS Users?” Yes
“How do I create a subfolder?” You should be able to right click the AR_User_Groups folder and create OU.
After the OU is created move the security group into that folder. Then go over to the GPOs and make sure it is applied to the OU.

1 Like

Oh god please don’t start creating OUs for specific GPOs, the 90s are gone. Change the scope so that all users have read access (default is read + apply), and set it so only those in XYZ security group can apply the GPO. Done. This is done under the delegation tab. If you want to ensure that GPO only applies on the terminal servers, then remove all users entirely - and create a new security group for the terminal servers and give that group read rights. You may want to add in the computer(s) you manage GPOs from, too with read rights - sometimes it can act squirrelly when you go back to edit the GPO.

Both the server and user need read rights to any type of GPO. With this logic in mind, you can really lock in where and to whom the GPO applies.

Ultimately you don’t want to fragment AD and create a mess, it doesn’t scale well. Use security groups properly.

1 Like

Thanks Mike!

So the Delegation tab already has that security group listed in the “TerminalServerLockdown” Group Policy. That policy includes the folder redirection settings. The terminal server (AR-TS) is listed as well.

1 Like

So that group “Terminal Server Lockdown” needs to have both the servers and users, or separately add a group for users. The computer objects only need “read” access, but you need to make sure the users have the ability to “apply” as well.

Ok the confusing thing is the security group is called “Terminal Server Lockdown”. That group includes all my users.
The OU is called “TerminalServerLockdown” (no spaces).

The group and terminal server (AR-TS) are both listed in the scope of the OU. What am I missing?
Now I’m feeling stupid lol

So in delegation, those are security groups, not OUs. The only time an OU matters is where you apply the GPO. Your GPO should be applied to the OU “AR_Users_Groups”.

So does the security group “Terminal Server Lockdown” actually contain all the users? Under delegation, could you click Advanced and then click the Terminal Server Lockdown and show me the permissions? Scroll down to the bottom, last permission should be “apply” if memory serves correct.
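
A read-only way to check the three things this thread keeps returning to (where the GPO is linked relative to the user objects, the security filtering shown on the Delegation tab, and loopback on the terminal server), as an added PowerShell example that is not from any poster. The GPO, group and server names are the ones quoted in the thread; it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and that the users and the server sit in OUs rather than default containers.

```powershell
# Added diagnostic sketch; names come from the thread, adjust them to your domain.
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'TerminalServerLockdown'     # GPO carrying the folder redirection settings
$GroupName = 'Terminal Server Lockdown'   # security group that holds the users
$TsName    = 'AR-TS'                      # terminal server

# Parent container of an object: drop the first RDN (tolerates escaped commas in a CN).
function Get-ParentDn([string]$Dn) { $Dn -replace '^.+?(?<!\\),', '' }

# True when the GPO has an enabled link on the container or is inherited by it.
# The target must be an OU or the domain DN.
function Test-GpoInScope([string]$ContainerDn, [string]$Name) {
    $inh = Get-GPInheritance -Target $ContainerDn
    [bool](@($inh.GpoLinks) + @($inh.InheritedGpoLinks) |
        Where-Object { $_.DisplayName -eq $Name -and $_.Enabled })
}

# 1. User side: which containers hold the group's users, and is the GPO in scope there?
#    Group membership alone does not put a user in scope; the link location does.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    Group-Object { Get-ParentDn $_.distinguishedName } |
    ForEach-Object {
        [pscustomobject]@{
            Container  = $_.Name
            Users      = $_.Count
            GpoInScope = (Test-GpoInScope $_.Name $GpoName)
        }
    } | Format-Table -AutoSize

# 2. Security filtering: a trustee that should receive the GPO shows GpoApply
#    (Read + Apply); GpoRead alone means the settings are read but not applied.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited

# 3. Loopback: user settings follow the computer only if loopback is enabled
#    in a GPO that is in scope for the terminal server's own OU.
$tsOu = Get-ParentDn (Get-ADComputer $TsName).DistinguishedName
$regQuery = @{ Name = $GpoName; ValueName = 'UserPolicyMode'
               Key  = 'HKLM\Software\Policies\Microsoft\Windows\System' }
$loop = Get-GPRegistryValue @regQuery -ErrorAction SilentlyContinue
[pscustomobject]@{
    TerminalServerOU = $tsOu
    GpoInScope       = (Test-GpoInScope $tsOu $GpoName)
    LoopbackMode     = switch ($loop.Value) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not set in this GPO' } }
}
```

If step 1 reports `GpoInScope` as False for the container that holds the users and step 3 shows no loopback, the user-side folder redirection settings have no path to those users regardless of what the Delegation tab lists.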