How can I erase the traces of Folder Redirection from the Default Domain Policy

I've taken over from an IT outsourcer and have found a struggle now that we're starting a migration to windows 7. Someone decided that they would setup Folder redirection in the Default Domain Policy. I've since configured redirection in another policy at an OU level.

No matter what I do, the windows 7 systems pick up the Default Domain Policy folder redirection settings only. I keep getting entries in the event log showing that the previously redirected folders "need to be redirected" with a status of 0x80000004. From what I can tell this just means that it's redirecting them locally.

Is there a way I can wipe that section of the GPO clean so it's no longer there? I'm hesitant to try to reset the default domain policy to complete defaults.

***UPDATE 6-26

I found that the following condition occurred and was causing the grief here. I've already implemented the new policies for clients, and for some reason, XP was working great, 7 was refusing to process. The DDP was enforced. Because of this, and the fact that the folder redirection policies were set to redirect back to the local profile upon removal, it was forcing clients to pick up it's "redirect to local" settings.

Requirements for to recreate the issue. -Create a new test OU and policy. -Create some folder redirection settings, set them to redirect to local upon removal -Remove settings on that GPO -Refresh your view of the GPO and check the settings. -You'll notice that the settings show "not configured" entries for folder redirection. -Enforce this GPO -Create another sub-OU -Create a GPO linked to this sub-ou and configure some folder redirection settings. -Watch as the enforced GPOs "not configured" setting overrides the policy you just defined.

I've had to relink the DDP to all OU's that have "block inheritance" enabled, and disable the "enforced" option on the DDP as a workaround. I'd love to re-enable enforcement of the DDP, but until I can erase the traces of folder redirection settings from the DDP, I think I'm stuck.


Solution 1:

In order to remove the Folder Redirection settings from a GPO properly, you need to:

  • As mentioned by other people here, remove the Documents and Settings folder under \\domain\sysvol\Policies\{GPO GUID}\User and the fdeploy.ini and fdeploy1.ini files contained within.

However, on its own, this will confuse the GPO Editor as it still thinks there's a Folder Redirection policy attached to the GPO. To solve this, you need to remove the association between the GPO and the Folder Redirection Group Policy Extensions (there are two, one which activates Folder Redirection editing in the GPO Editor, the other activates the actual Folder Redirection policy processing):

  • Open AD Users and Computers. Turn on Advanced Features (View->Advanced Features). Navigate to System->Policies->{GPO GUID}. Right click on {GPO GUID}, choose Properties. In the dialog that pops up, switch to Attribute Editor. Scroll down to gPCUserExtensionNames, and double click it.

  • This will pop up a dialog with a long text entry box, and a bunch of GUIDs. This attribute defines the list of GP Extensions associated with this GPO in the User context. Immediately above it you'll see the related attribute gPCMachineExtensionNames which defines the associated GP extensions in the Machine context of the GPO.

  • Delete the following entry from gPCUserExtensionNames : [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}]

  • Note that associated GP Extensions are grouped by square brackets [].

  • Do not touch any other entries in the attribute, or you will break other functionality in the GPO.

  • Click OK, and you're done.

  • If you're interested in what GP Extension is associated with each GUID, simply use regedit to search the registry for that GUID - e.g. try searching for 25537BA6-77A8 or 88E729D6-BDC1.

Solution 2:

I had the exact same problem. I also tried deleting fdeploy.ini file and got a message in GPMC that it failed to locate the settings, so clearly they're defined there but some setting elsewhere is enabling those settings and pointing to that file.

While I haven't found a way to completely remove the settings, I did find a better workaround. Instead of unticking Enforce on the DDP, expand the Group Policy Objects folder, right-click the DDP, and under the GPO Status submenu tick User Configuration Settings Disabled.

This will let you leave the DDP enforced without any ill effect since there are no user settings in the DDP. It isn't pretty and I'd still like to know how to get rid of the settings entirely, but it will get the policy to function correctly.