[Samba] GPO redirected folders reg path issue

Philippe LeCavalier support at plecavalier.com
Thu Feb 20 14:10:00 UTC 2020

Hi all,

I have an issue at multiple sites that has been plaguing me for a while. My
go-to setup for AD w/Windows desktops is to employ roaming profiles with
redirected folders and a few mapped drives; all via GPO. And that's pretty
much it. 3 GPOs linked to the entire domain with authenticated users as
security filter. The file servers are a domain member and serve both the
file shares and redirected folders shares.

The issue: every now and then I get a user reaching out to say that their
redirected folders "have disappeared". When I log in, I can see that they're
getting access denied on all the redirected folders (Documents, Favorites,
Cookies and Downloads). When I look at the User Shell Folders registry keys
I can see that the path is directed at the DC rather than the file server
as it should be. The path is exactly the same except instead of the file
server domain member name it is the name of the DC. Almost every time, I
second guess myself and go check the GPO to ensure the path is in fact the
file server and not the DC and of course, it is as it should be;
pointing to the file server. My solution thus far is to delete the keys,
sign-out/in and voila! Fixed. Until it happens again which is very
disruptive and one of those recurring issues we all live to hate.

So... how is it possible that the GPO isn't respected under whatever
circumstance is occurring to cause this? I guess I'm also wondering if
there is such a thing as to redirect to the %logonserver% if the path fails
maybe? What's odd (and this is obviously circumstantial) is that I can always
navigate to the user's redirected folders using the path (copy/paste) that is
supposed to be applied in the GPO in question. So I can only conclude that
somehow during a brief period of time the path was perhaps not available,
hence some sort of failsafe or self-preservation is applied. I wouldn't
speculate if it wasn't for the registry keys. There is *nothing* I
configured telling Windows to revert the redirected folders to the DC.
Remember, this is happening in multiple sites with totally independent
config. The only common link between them is me, and there is nothing I'm
intentionally doing to have this "failsafe" occur. The only thing I can
think of is that these configs have existed for a very long time. They even
pre-date Samba AD DC so they had roaming profiles and redirected folders (to
the samba3 server at the time). That may seem like the obvious source of
the problem; however, the thing is, the old smb.conf files would have been
moved aside at the time of promoting to DC AND back in samba3 days, I was
not using GPOs. Everything was either scripted and offered up at
login (which I have confirmed has been removed) or manually entered locally.
Is it possible there is some sort of caching function that could possibly
live that long OR somehow the user's registry that was manually edited can
be resurrected? I don't know if that makes any sense even...
Sorry for the novel and thanks in advance, Phil
