- Remove From My Forums
Asked by:
Question
-
Hi everybody.
We're experiencing issues with the intire "protect" folder in Windows 7 x64
Overview:
AppData Roaming --> Folder Redirection into Homedirectory is enabled by GPO
Windows 7 Enterprise x64
Windows Server 2012 R2
The intire Folder AppData\Roaming\Microsoft\ is not redirecting into the useres Homedrive, which is causing errors - for example in Google Chrome (User can save passwords and cookies, but their lost after every new login)
Basicly our users keep losing all their DPAPI keys.
Our assumption is, that DPAPI works with %userprofile% which is linked to C:\Users\[Username] and addes the AppData Roaming part to the environment variable instead of using %appdata% pointing to the users homedrive...
New keys are generated locally instead of in redirected place.
We've already startet working with credential roaming (in Active Directory) - but we find it dangerouse since we're a school, inwich teacher and students change their workplace alot - and we must store all passwords etc. for 6 years and longer (its dumb i know). If a new DPAPI file is generated for every PC and every new user password etc. the cute 750 Byte which one of those files approx. has, isnt that cute anymore. We dont want our AD to grow that bad. We then also found a Hotfix - this doesnt solve our Problem either since most Programs we use dont mark their BLOB as used - so we cant use the Filter not to roam unused keys....
So, thats why we're looking for a solution inwich, as everyone would expect, really the intire Appdata\roaming is redirected, without any exceptions.
Tuesday, August 26, 2014 3:57 PM
All replies
-
Hi,
How about the Internet Explorer works here?
Appdata/Roaming folder would be expected to be fully redirected, and for some temp files created by some application, that might be not available to use when roaming. I will make a test and will update here once I have some results.
Besides, make sure we have followed the guide to configure the policy:
Deploy Folder Redirection, Offline Files, and Roaming User Profiles
Best regards
Michael Shao
TechNet Community SupportThursday, August 28, 2014 1:39 AM
-
Hi,
I am currently working on the environment.
Besides, would you might collect the gpresult.log and then upload here for further investigation?
Troubleshooting Group Policy Using Event Logs
Follow the guide here to upload the log files:
Use OneDrive(SkyDrive) to upload collected files and post screen shot/picture. (Updated: 1/16/2012)
Meanwhile, if we are considering somemore suitable deployment plan, I suggest we seek help with experts with good experiences, also we may try to ask in the following forum for the suitable plan:
http://social.technet.microsoft.com/Forums/windows/en-US/home?forum=winserverGP
Best regards
Michael Shao
TechNet Community Support- Edited by Michael_LS Tuesday, September 2, 2014 11:32 AM
Friday, August 29, 2014 7:55 AM
-
Hi,
Thanks for answering :)
First of all we've now worked around our problem by "manually" roaming Appdata/Roaming from homedrive (P:\) to C:\Users and back using logon and logoff scripts (powershell)....
I've checked roaming profile settings in detail many times before. Especially relating to folder redirection;
Folder Redirection; AppData(Roaming) everyones folder to same location; P:\configuration\roaming
Additionally - userconfig\policies\system\userprofiles\roaming profile excludes --> AppData\Roaming;Desktop;Dropbox;Downloads;Eigene Bilder;Eigene Musik;Eigene Videos;Links
I've removed the roaming profile exclude just to see if the mentioned parts would roam with our profileserver - nothing.
-----
What do you mean with gpresult.log? There are only informations (no warnings and errors) in eventviewer - group policy. And a list of all used GPOs wont help you.
thanks
eve
Tuesday, September 2, 2014 1:53 PM
-
Hi,
Thank you for the update.
If I understand the meaning clearly, we have the roaming profile exclude policy removed and together with the scripts configured, right?
I suggest we configure roaming profile and folder redirection together, apart from the scripts, before doing this , better have some tests in lab environment.
For the gpresult.log, I mean the GPO report, with this we will try what we could to figure it out.
Appdata\roaming folder contains data that can move with your user profile from PC to PC. If we configured roaming profile, the data is expected to move with the profile.
Best regards
Michael Shao
TechNet Community SupportWednesday, September 3, 2014 3:29 AM
-
Hi,
To be clear a summary of our current config;
Roaming Profile as far as i can judge is configured correctly - but doesnt have a lot of content - basicaly nearly only ntuser dat ini and pol.
We exclude the following from roaming with profile:
AppData\Roaming;Desktop;Downloads;Eigene Bilder;Eigene Musik;Eigene Videos;Links
This is because we have Folder Redirection set up for those directories- Folder redirections are all set to the users homedrive directly, or subfolders such as P:\Configuration\AppData\Roaming - in which "configuration" is a hidden folder.
I assumed my roaming problem could of been caused by roaming profile excludes, thats why i removed those for testing - they are now active again since it didnt make any difference at all.
Additionally:
I dont quite get why you want a GPO Report, if you mean a normal "gpresult /R" it will not help you in any way - all you see is how we named our GPOs and not their content - am i wrong?
Content from Appdata\Roaming - all other subfolders are redirected into homedrive perfectly fine, and dont create any content in C:\user\[username]\appdata\roaming. The only folders causing us all this trouble are
AppData\Roaming\Microsoft\Protect and .\SystemCertificates
Thanks for asking and helping us out,
best regards Eve
Wednesday, September 3, 2014 9:42 AM
-
I think he is talking about the GPO HTML report. right click the GPO in GPMC, then choose save report, it will generate an HTML report.
the protect and the .\SystemCertificates is for special use, for data encryption.
There may be other settigns preventing those special data from redirection. As those stuff is mostly GP related,
Better ask in the GP forum. Experts there is more familiar with those stuff.
Rgds
Thursday, September 4, 2014 2:50 AM