
Folder Redirection GPO runs before script has ended.

Status
Not open for further replies.

pvanos

MIS
Jun 6, 2002
BE
I have 2 GPOs in the same OU.
One general GPO has a LOGON script that is supposed to create a home directory if it doesn't exist yet.

The problem is that the second GPO, which takes care of Folder Redirection (My Documents and Application Data), is running and completed way BEFORE the script has completed, so at the time the script checks on the existence of the home folder, it does exist already (with wrong security).

Is there any way of holding back the Folder Redirection GPO until the script of the other GPO has completed?

I already played with the GPOs' link order sequence: no cure.
Also specifying START /WAIT in my script-file didn't make any difference...
 
I haven't found a way around this... One thing you could do though, is create a home drive for the user in the "Active Directory Users and Computers" console. With a user's account open, click on the "Profile" tab. On there, select a drive letter for the home drive and a path for it.
Code:
\\myserver\homeshare\%username%

If the folder that matches the login name doesn't exist, Windows will create a folder for them that matches their login name and give them permissions to it.
 
Set your system to run scripts asynchronously. It will slow down login for everyone but should do the trick.

Your other option would be to switch things around and have a process that runs at night that enumerates your users and builds those directories if they don't exist. That way you could remove that part from the logon process and it would improve logon speed.

I can help with such a script if you want to go that route. Let me know.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
I agree with baddos. Don't map the drive with a script, define it in the user account properties.
 
Baddos,
What are the default permissions on your share HOMESHARE?
Especially for the group USERS? You can mail me a screenprint if you want... (p.vanos@hivt.ha.be)

I observed that the home directory is NOT created at first logon, while the drive letter H: and the path are correctly entered in the account's tab "profile", and the corresponding home directory does indeed not yet exist.

I could work around this problem by assigning group USERS special rights: Allow
- Traverse Folder / Execute File
- Read Attributes
- Read Extended Attributes
- Create Folders / Append Data
- Read Permissions

The problem is that this USERS group will continue to have these rights on all home directories, which is unacceptable.
Without it, the homedir is NOT created due to "Access Denied".

Another problem: the actual user, for which the homedir is created, has FULL CONTROL, but: to THIS FOLDER ONLY!!!
And I really need full control for THIS FOLDER, SUBFOLDERS AND FILES.
Is there no way to have that permission assigned when the home dir is actually created?

BTW: for my testing, I temporarily disabled the folder redirection GPO, to avoid false interference...
 
I forgot to mention: I assume the CONTEXT under which the home directory is created is the USER's credentials?
And what if the group USERS has no permissions on the folder HOMESHARE?

The thing is, I would like to avoid having to create the home directories for all users upfront, as there are many (students), and some might never actually use their login whatsoever... Hence my attempts to have the home directory created only upon first logon.
 
If you enter the %username% instead of the login name, it will create the folder after hitting apply.

Basically the home share is set up this way:

Share Permissions:
Domain Admins - Full Control
Domain Users - Modify

File Permissions:
Domain Admins - Full Control
Domain Users - Read / List / Execute

When a home folder is created on that share its permissions should look something like this:

Domain Admins - Full Control
NewlyCreatedUser - Full Control
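
An added example, not code from any poster in this thread: a provisioning function in the spirit of the scheduled job suggested above, which creates a missing home folder and gives it the two-entry ACL listed in the last post, with the user's Full Control applied to this folder, subfolders and files. The domain name `CONTOSO` and the sample logins are assumed placeholders; `\\myserver\homeshare` is the path quoted earlier in the thread.

```powershell
# Added example. Assumed names: CONTOSO domain, sample logins jdoe/asmith.
function New-HomeFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $ShareRoot = '\\myserver\homeshare',   # path quoted in the thread
        [string] $Domain    = 'CONTOSO'                 # assumed placeholder domain
    )

    $path = Join-Path -Path $ShareRoot -ChildPath $SamAccountName
    if (Test-Path -LiteralPath $path) {
        Write-Verbose "$path already exists, leaving its ACL untouched"
        return
    }
    if (-not $PSCmdlet.ShouldProcess($path, 'Create home folder and set ACL')) { return }

    New-Item -ItemType Directory -Path $path | Out-Null

    # "This folder, subfolders and files" = both inherit flags, no propagation flags.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -LiteralPath $path
    # Stop inheriting from the share root and drop the inherited entries,
    # so the broad Domain Users entry on the parent does not reach this folder.
    $acl.SetAccessRuleProtection($true, $false)

    foreach ($identity in "$Domain\Domain Admins", "$Domain\$SamAccountName") {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Constructed sample logins; -WhatIf makes this a dry run that changes nothing.
'jdoe', 'asmith' | ForEach-Object { New-HomeFolder -SamAccountName $_ -WhatIf }
```

Run from an account that already has rights on the share root, this does not depend on ordinary users holding Create Folders there.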
 