Group Policy Central

Thanks to a tip off from fellow MVP Darren Mar-Elia about fairly common issues with Folder Redirection in Windows 7. In short there is a pretty significant issue in Folder Redirection if configured incorrectly that could result in a loss of data for users. There is a mitigation of this issues however this is broken in Windows 7 Service Pack 1. This form post on the SDM Software web site goes into some very specific details about the problem but  below I am going to attempt to summaries the problem and fix for the issue so you can get Folder Redirection working more reliably in your organisation…

Folder Redirection Problem

You have Windows 7 with folder redirection enabled with the “Move contents to new location” option enabled and you then configure a new UNC path for redirection. This NEW path is simply a variation of the path the server that actually points to the exact same location. e.g. \\servername\share to \\DFSNAME\Share . Then when the computer tries to moves the contents of folder to the new (same) location it deletes what it thinks is the old (same) location and thus the users files are deleted. This is BAD! (I hope you have a recent backup)

How to prevent the Folder Redirection from deleting files on move

So to prevent this from happening in Windows there is a Group Policy setting called Verify old and new Folder Redirection targets point to the same share before redirecting that checks if the new and old locations are the same before moving the files. In theory if it detects the source and destination are the same it only move the registry pointer to the new location on the server and leaves all the files in place… However… In Windows 7 Service Pack 1 this option is broken…. BOTHER!!!

Side Note: As pointed out in the forum post it is CRAZY that this is NOT the default behaviour as if you do not configure this option you could inadvertently delete user data. So… Even if this problem does not affect you I would still be seriously be considering enabling this option for your environment.

How to fix the Verify Old and New Folder redirection option

Thankfully earlier this month Microsoft released a KB that fixes this issue https://support.microsoft.com/kb/2799904 . So you can now implement Folder Redirection in your environment configured in a way that will not result in a loss of data…. Phew…

So what does all this mean… ?

1. If you have folder redirection enable, it is (in my opinion) MANDATORY to enable the Verify old and new Folder Redirection targets point to the same share before redirecting option to prevent the possibility of losing user data.

Thanks again to Darren for the tip… and I hope this helps in your environment in avoiding the issues with using  folder redirection.

2. But you also need to apply KB2799904 to fix the Verify Old and New Folder Redirection Target option if you are running Windows 7 Service Pack 1

If you have have been using the some what simple hack I mentioned to make Group Policy Preference work with Internet Explorer 9 you will be relieved to know that Microsoft have now fixed an official hotfix to make this work.

You can get read the full Microsoft Kb article at http://support.microsoft.com/kb/2530309 .

However you should take special attention at the two notes:

This update does not re-write the version information for existing settings. Instead, you must define a new set of Internet Explorer settings in a new or existing Group Policy Object.

Meaning you will need to re-created the Group Policy Preference before the policy will apply to a computer running IE9.

This update does not create a new Internet Explorer 9 UI item. However, when define new Group Policy Preferences settings, and you select the Internet Explorer 8 option, this setting now applies both to Internet Explorer 8 and to Internet Explorer 9

This means that you will NOT see an Internet Explorer 9 option in the Internet Settings menu (see image below), however using the IE8 option will work with IE9.

If we take a closer look at the “InternetSettings.xml” after the hotfix has been applied shows the maximum version number is now set to “10.0.0.0” where previously this version was “9.0.0.0”. However you existing Internet Explorer Preferences will remain unaffected…

Thanks to Mark Feetham [MSFT] for leaving a comment on my previous blog post about this new hotfix.

Download it now from http://support.microsoft.com/kb/2530309

Microsoft have just released another two a few more Group Policy related hotfixes’. Below is the description of each issue that it resolves and link to the related KB Article.

GetGPOList function does not return all GPOs in Windows 7 or in Windows Server 2008 R2

Consider the following scenario:

• You have a computer that is running Windows 7 or Windows Server 2008 R2.
• You use the LocalSystem account to run a service on the computer.
• The service calls the GetGPOList function to query all Group Policy objects (GPO) that are applied on a computer.
• The Authenticated Users group is removed from the access control list (ACL) in an applied GPO.

In this scenario, the GetGPOList function does not return all applied GPOs. The function returns only GPOs that have the Authenticated Usersgroup in the ACL of the GPO.

When you use a GPO for application deployment in Windows 7 or in Windows Server 2008 R2, the deployment fails

In an Active Directory Domain Services (AD DS) environment, you cannot use a Group Policy Object (GPO) to deploy applications for installation on client computers that are running Windows 7 or Windows Server 2008 R2. When you try to apply the GPO, you receive an error message that resembles the following:

• Windows failed to apply the Software Installation settings

Group Policy logon scripts do not run in Windows 7 or in Windows Server 2008 R2

Consider the following scenario in an Active Directory domain environment:

• You deploy logon scripts by using Group Policy.
• You set logon scripts to run synchronously.
• You try to log on to a client computer that is running Windows 7 or Windows Server 2008 R2.

In this scenario, the logon scripts do not run before the logon process.

A user who has administrator permission can delete printers on a computer that is running Windows 7 or Windows Server 2008 R2 after you deploy the "Prevent deletion of printers" Group Policy

Consider the following scenario:

• You deploy the Prevent deletion of printers Group Policy in your environment.
• You have a client computer that is running Windows 7 or Windows Server 2008 R2.
• A user who has administrator permission logs on to the client computer.

In this scenario, the user can still delete printers in Devices and Printers unexpectedly.

Microsoft has just released a new hotfix to address an issue with slow logon performance when you use AppData folder redirection.

Consider the following scenario in a network environment:

• You configure users to use roaming profiles to log on to a client computer that is running Windows 7 or Windows Server 2008 R2.
• You redirect the %AppData%\Roaming folder to a network share.
• You enable the Do not automatically make redirected folders available offline Group Policy setting on the client computer.
• You enable both of the following Group Policy settings for the %AppData%\Roaming folder:
  • Administratively assigned offline files
  • Turn on economical application of administratively assigned Offline Files
    

  This configuration specifies that only new files or folders in the %AppData%\Roaming folder are synchronized during the logon process.

In this scenario, the users encounter slow logon behavior on the client computer.

In addition to this hotfix you will also need to make some registry changes which of course you can easily deploy this using the Group Policy Preferences Registry Extension. 

Link http://support.microsoft.com/kb/981830

Microsoft today  announced (after what seems to be a very long time) they have RTM’d Windows 7 / Windows Server 2008 R2 Service Pack 1 and it will be released to the public on February 22nd.

Update: Service Pack 1 is now available for download for TechNet and MSDN subscribers.

Previously I had listed the hotfixes in the beta version of the service pack, so I have again combed through the hotfix list for you convenience and I have updated the list to include the release candidate hotfixes. While this is not the final list of hotfixes Ned Pyle [MSFT] says “it’s very doubtful that the lists below will be altered much” so you can pretty much take the following list as final. In any case I will review the list when the final list of fixes is out but for now here is the list of issues.

Updated: The final list of hotfixes is now out ( Here ) and after a quick look they appear to be the same as expected.

If you have anything to do with supporting group policy in your organisation then I recommend that you at least take a look at the articles to see if you have encountered any of the problem described.

You can also see the complete list of Active Directory Hotfix’s at Ask the Directory Services Team blog posting SP1 and Directory Services: What’s New .