Windows Server: Down the Rabbit Hole

  • BillyCarpenter
    Field Supervisor

    Site Contributor
    VIP Subscriber
    10,000+ Posts
    • Aug 2020
    • 16308

    #1

    Windows Server: Down the Rabbit Hole

    Today I took on the task of getting rid of GPO Folder Redirect. I won't go into all the particulars of how Folder Redirect works but the short version is that my docs, desktop and pictures are redirected to the server via a GPO. All the users reside in an OU and the GPO is linked to the OU.

    So, as a test, I created a User Group and called it Exclude Redirect. I then excluded the GPO for the group that I just created. However, when I performed a gpupdate /force and went to the user's PC, nothing changed. All the folders were still on the server.


    What happened next was scary to me. I accidentally deleted the user. I tried to recover the user via PowerShell but I had failed to activate the Recycle Bin. As a test I created a new "test" user and deleted it and was able to recover via PowerShell but it only worked because I had activated Recycle Bin. Or that's what I gathered.


    I still had this huge problem with the user that I accidentally deleted. All of his data is still on the server, but he's locked out from accessing it.

    My only saving grace (I hope) is that I did a bare metal backup before I touched the server. I just left the school and ran the bare metal recovery. It should be finished in a few hours. We'll see in the morning.


    Still a lot left to learn.
    Adversity temporarily visits a strong man but stays with the weak for a lifetime.
  • BillyCarpenter
    #2

    Note to self: Make sure to back up the Active Directory database and avoid this headache in the future.
    Adversity temporarily visits a strong man but stays with the weak for a lifetime.


    • BillyCarpenter
      #3

      I went back to the school as soon as I woke up. While I have done a bare metal backup before, I had never done a bare metal recovery. I knew it should work but because this was my first time, I didn't know if I was gonna lose all the data or what. It worked fine and it's back like it was before I deleted the user.

      I learned a lot from this experience.

      - As long as you have a recent bare metal backup, you really can't screw it up.

      - Enable the Active Directory Recycle Bin

      - How to recover a deleted user via PowerShell

      - Back up the Active Directory database
      Adversity temporarily visits a strong man but stays with the weak for a lifetime.


      • rthonpm
        Field Supervisor

        2,500+ Posts
        • Aug 2007
        • 2847

        #4

        Rule number one: never delete a user account until you are 100% certain it's no longer needed. Breaking a SID gets really ugly. Generally you can just use an administrator account to grant the replacement account the same level of permission to the data as the now orphaned SID. It can be cleaner than trying to do a restore of a single domain controller.

        One of the major rules of AD user management is to generally forget that the option of deleting an account exists and to just disable the account. This gives you a safer cool-off period to make sure you're not breaking something that turns out to be mission critical.

        This article here also has some good points for removing redirection, which is not necessarily an immediate thing:






        Sent from my Pixel 6 Pro using Tapatalk
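
Added example, not part of any post in this thread: the "disable, don't delete" rule from post #4 and the Recycle Bin lessons from post #3, written as PowerShell against the ActiveDirectory module. The function names, the holding OU and the account names are hypothetical.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT)
# and rights to manage the forest. OU and account names are hypothetical.
Import-Module ActiveDirectory

# 1. Enable the AD Recycle Bin once per forest. This cannot be turned off again.
function Enable-RecycleBinIfNeeded {
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
    if (-not $feature.EnabledScopes) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -Confirm:$false
    }
}

# 2. Retire an account instead of deleting it: disable, label, park in a holding OU.
#    The SID stays intact, so every ACL that references the user still resolves.
function Disable-RetiredUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $QuarantineOU   # hypothetical: 'OU=Disabled Users,DC=example,DC=local'
    )
    $user  = Get-ADUser -Identity $SamAccountName -Properties Description
    $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd); was: $($user.Description)"
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description $stamp
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
}

# 3. If an account was deleted anyway, bring it back with its original SID.
function Restore-DeletedUser {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $deleted = @(Get-ADObject -IncludeDeletedObjects -Properties samAccountName, lastKnownParent `
        -Filter "samAccountName -eq '$SamAccountName' -and isDeleted -eq `$true")
    if ($deleted.Count -eq 0) {
        throw "No deleted object found for '$SamAccountName'."
    }
    if ($deleted.Count -gt 1) {
        throw "Several deleted objects match '$SamAccountName'; restore by ObjectGUID instead."
    }
    $deleted[0] | Restore-ADObject -PassThru
}

# Usage (hypothetical names):
#   Enable-RecycleBinIfNeeded
#   Disable-RetiredUser -SamAccountName 'jdoe' -QuarantineOU 'OU=Disabled Users,DC=example,DC=local'
#   Restore-DeletedUser -SamAccountName 'jdoe'
```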


        • BillyCarpenter
          #5

          Originally posted by rthonpm
          Rule number one: never delete a user account until you are 100% certain it's no longer needed. Breaking a SID gets really ugly. Generally you can just use an administrator account to grant the replacement account the same level of permission to the data as the now orphaned SID. It can be cleaner than trying to do a restore of a single domain controller.

          One of the major rules of AD user management is to generally forget that the option of deleting an account exists and to just disable the account. This gives you a safer cool-off period to make sure you're not breaking something that turns out to be mission critical.

          This article here also has some good points for removing redirection, which is not necessarily an immediate thing:






          Sent from my Pixel 6 Pro using Tapatalk

          Thanks for the article. It's much more involved than I realized. And there's some potential pitfalls. I'm gonna make sure I understand that article before moving forward. Thanks again.
          Adversity temporarily visits a strong man but stays with the weak for a lifetime.


          • BillyCarpenter
            #6

            I'm watching videos and reading up on moving the redirection data back on the local PC's and what I've learned is that Folder Redirection is flawed and full of potential pitfalls. That's especially true for laptops. I can't wait until I get rid of Folder Redirect and get all the PC's on Known Folders via OneDrive. Live and learn.
            Adversity temporarily visits a strong man but stays with the weak for a lifetime.


            • BillyCarpenter
              #7

              I have a question for rthonpm:

              I ran across a video and what they did was exclude a user(s) from a GPO by creating a group and using the GPO delegation settings to deny access to the GPO. I believe they call it filtering.


              Have you ever done this? Does it work? Any potential problems?
              Last edited by BillyCarpenter; 04-17-2023, 04:23 PM.
              Adversity temporarily visits a strong man but stays with the weak for a lifetime.


              • rthonpm
                #8

                Originally posted by BillyCarpenter
                I have a question for rthonpm:

                I ran across a video and what they did was exclude a user(s) from a GPO by creating a group and using the GPO delegation settings to deny access to the GPO. I believe they call it filtering.


                Have you ever done this? Does it work? Any potential problems?

                I've got a couple of targeted GPO's. Two examples from my own domain:

                All devices have a disclaimer before login: company property, standards of use apply, punishment for abuse, etc. For test devices, I have a separate disclaimer stating that the device is for test purposes only and cannot be used for any production work. The regular disclaimer is enforced by our baseline GPO, which applies to all domain bound machines. The test one is set to only apply to the development OU and overrides the settings from the baseline policy.

                A second example is BitLocker, which is enabled by GPO and has the recovery keys backed up to AD. Since I only want it on specific computers (those with a TPM), I have a security group, BitLocker Devices, that computers are added to and the policy only affects computers in this security group.

                I have other examples as well.

                Targeting works well and it's best to either use a group or an OU for the target as opposed to individual users or machines. It's always best to test with a small, but noticeable policy object, like a disclaimer to make sure you have the setting right.

                Sent from my Pixel 6 Pro using Tapatalk


                • BillyCarpenter
                  #9

                  Originally posted by rthonpm
                  I've got a couple of targeted GPO's. Two examples from my own domain:

                  All devices have a disclaimer before login: company property, standards of use apply, punishment for abuse, etc. For test devices, I have a separate disclaimer stating that the device is for test purposes only and cannot be used for any production work. The regular disclaimer is enforced by our baseline GPO, which applies to all domain bound machines. The test one is set to only apply to the development OU and overrides the settings from the baseline policy.

                  A second example is BitLocker, which is enabled by GPO and has the recovery keys backed up to AD. Since I only want it on specific computers (those with a TPM), I have a security group, BitLocker Devices, that computers are added to and the policy only affects computers in this security group.

                  I have other examples as well.

                  Targeting works well and it's best to either use a group or an OU for the target as opposed to individual users or machines. It's always best to test with a small, but noticeable policy object, like a disclaimer to make sure you have the setting right.

                  Sent from my Pixel 6 Pro using Tapatalk


                  Coolio, Julio. You're like a server God. lol
                  Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                  • BillyCarpenter
                    #10

                    Let me set the stage. My goal is to move all the computers off Folder Redirect. However, I don't want to do this in one move. I don't want to risk something going wrong and affecting all the PC's. I want to start with one computer which happens to be a laptop. This is the only laptop that has folder redirected. Thus far I've been unsuccessful in getting the file back on the local machine.


                    Here's what I've tried.


                    - Moving the user to a different OU that doesn't have GPO applied. Didn't work.

                    - Creating a new group and moving the user to the group and excluding the user from the GPO using delegation settings. Didn't work.


                    Note: When I originally implemented Folder Redirect, I failed to check the box that said "Move files back to local PC when removing Folder Redirect". I did go back the other day and check this box. Don't know if this is affecting the move or not?

                    I'm sure I'll get this figured out at some point. In the meantime I'm drilling down into how Folder Redirect actually works. In other words, where are the hidden folders that are used and how does this all work. I think there's a hidden file called "App Data". But not sure. Anyway, there's a lot to learn about Windows server. A LOT.
                    Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                    • rthonpm
                      #11

                      At its core, folder redirection is very simple. It's an automated way of moving a profile folder, like Documents, from C:\Users\username\Documents to R:\username\Documents etc. AppData folders are just individual software settings for different applications, like mail signatures for Outlook.

                      When making drastic GPO changes, it's best to give them a chance to apply. Generally I'll make the change to the policy, do a gpupdate /force on one of the target machines, then reboot it. After logging back in, another gpupdate /force, then another reboot. Those are generally for computer object changes rather than user level changes; however, when constantly changing policies on a user account, it's possible that they are applying but then losing their 'anchor' with the next change. More than likely, all of the files are still residing wherever you had them set to redirect to.

                      Try this: apply the original redirect policy to the user. Confirm things work as they should, then change the policy to direct the items back to the local machine. Update local policy, log the user off, log them back on and see if you get any changes. You may also want to run a gpresult to give you a list of all of the policies applying for the user and computer. Something like gpresult /h C:\Temp\gpresult.html so that the results file is created in C:\Temp. Make sure all of the proper policies are applying.

                      It's been awhile since I had to undo large scale folder redirection, and generally all I'd do was change the redirect back to the local profile, wait a week or two and then implement OneDrive sync.
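
Added example, not part of any post in this thread: the group-targeted GPO that post #8 describes (a GPO that applies only to members of one security group) and the gpresult check from post #11, as PowerShell with the GroupPolicy module. It shows the allow-list form of security filtering; the function names, GPO name and group name are hypothetical.

```powershell
# Added example (not from the thread). Needs the GroupPolicy module (GPMC/RSAT).
# GPO name and group name are hypothetical.
Import-Module GroupPolicy

# On an admin workstation or domain controller: scope a GPO to one security group.
function Set-GpoGroupFilter {
    param(
        [Parameter(Mandatory)] [string] $GpoName,      # hypothetical: 'BitLocker Policy'
        [Parameter(Mandatory)] [string] $TargetGroup   # hypothetical: 'BitLocker Devices'
    )
    # Authenticated Users keeps Read so clients can still fetch the GPO,
    # but loses Apply, so sitting in the linked OU is no longer enough.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    # Members of the target group get Read + Apply.
    Set-GPPermission -Name $GpoName -TargetName $TargetGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Return the resulting delegation so it can be reviewed.
    Get-GPPermission -Name $GpoName -All
}

# On the client, as the affected user: record which GPOs applied or were filtered out.
# Group membership is read at sign-in (users) or start-up (computers), and Folder
# Redirection is processed at logon, so run this after signing out and back in.
function Save-PolicyReport {
    param([string] $Path = 'C:\Temp\gpresult.html')
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    gpresult /h $Path /f          # /f overwrites an existing report
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }
    Get-Item $Path
}

# Usage (hypothetical names):
#   Set-GpoGroupFilter -GpoName 'BitLocker Policy' -TargetGroup 'BitLocker Devices'
#   Save-PolicyReport
```

In the HTML report, check the applied and denied GPO lists for the user and for the computer: a GPO excluded by group filtering shows up as denied rather than silently missing.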


                      • BillyCarpenter
                        #12

                        I got all the files back on the local machine but I had to do it manually: desktop>properties>location>restore defaults. It took a while to migrate back to the local machine but it worked. Since I have the Redirect GPO excluded from the user, it should be golden. Now I can make the move to OneDrive.
                        Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                        • BillyCarpenter
                          #13

                          One last thing that I want to mention and this is only my opinion. If I ever set up Folder Redirect again, I will grant access to the Domain Admin to all Redirect users' shared folders. If something goes wrong, it will be needed. If the customer doesn't trust the Domain Admin, they have bigger problems.
                          Adversity temporarily visits a strong man but stays with the weak for a lifetime.
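
Added example, not part of any post in this thread: a way to find the orphaned SIDs that post #4 warns about on a redirection share and to give a replacement account the same rights. It assumes the administrator running it can already read and write the folder ACLs, which is the access post #13 argues for; function names, paths and account names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# Share path and account names are hypothetical.

# List explicit ACEs whose trustee no longer resolves to an account name.
# Get-Acl shows such trustees as a raw domain SID (S-1-5-21-...).
function Get-OrphanedAce {
    param([Parameter(Mandatory)] [string] $Root)   # hypothetical: 'D:\Redirected'
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $folder = $_.FullName
        (Get-Acl -LiteralPath $folder).Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -match '^S-1-5-21-' } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder = $folder
                    Sid    = $_.IdentityReference.Value
                    Rights = $_.FileSystemRights
                }
            }
    }
}

# Give a replacement account the same rights the orphaned SID held on one folder.
function Grant-ReplacementAccess {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [Parameter(Mandatory)] [string] $OrphanedSid,
        [Parameter(Mandatory)] [string] $NewAccount   # hypothetical: 'EXAMPLE\jdoe2'
    )
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -LiteralPath $Folder
    foreach ($ace in $acl.Access | Where-Object { $_.IdentityReference.Value -eq $OrphanedSid -and -not $_.IsInherited }) {
        # ACEs that carry generic rights cannot be rebuilt through this constructor; skip them.
        if ([int]$ace.FileSystemRights -lt 0 -or [int]$ace.FileSystemRights -gt $full) { continue }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $NewAccount, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

# Usage (hypothetical names):
#   Get-OrphanedAce -Root 'D:\Redirected' | Format-Table -AutoSize
#   Grant-ReplacementAccess -Folder 'D:\Redirected\jdoe' -OrphanedSid 'S-1-5-21-<domain>-<rid>' -NewAccount 'EXAMPLE\jdoe2'
```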
