I have a client who has moved out of their office space and all the employees work exclusively from home. They relocated their on-premises servers to a colo data center, but clients can only access the servers though a VPN connection. There’s no office to go into where the laptops have line-of-sight to a domain controller.
I’m helping them move to M365 and would like to replace their folder redirection GPO with OneDrive for Business. I have created a security group for user that have their folders redirected and applied it to the folder redirection GPO, in place of the Authenticated Users group. This gives me the ability to remove that GPO from individual users.
My issue is the remote laptops don’t pick up that change. My migration process is outlined below:
1. Connect to the client computer with remote access software (e.g. Splashtop).
2. Have the user connect to the VPN.
3. Remove the user from the ‘Folder Redirection Users’ security group.
4. Run GPUpdate.exe /Force and log them off.
a. This unfortunately disconnects their VPN session.
5. Instruct the user to log back on again.
6. Manually move the known folders to OneDrive.
When I try to manually move the Desktop, Documents and Pictures folders, I get an error that says “Your IT administrator has set a policy that prevents changes to known folders. Contact your administrator to resolve this issue. (Capabilities: 0x101)”. Obviously, the client computer still thinks the folder redirection GPO is applied.
Since the folder redirection GPO is processed during logon, but the user is never connected to the network or VPN at that point, that GPO is never removed.
Is there a way to manually remove the GPO from the client side, like through the registry? Or somehow trick the clients into thinking the policy no longer applies to the user? I’d like to avoid deploying an Always On VPN connection for just this one task, as it will be removed once OneDrive is in use. Plus, it’s deployed via a GPO and I’d have to instruct end users to connect to the VPN for that deployment, and I’m trying to get away from the VPN and on-prem infrastructure.
Thanks in advance for any ideas you can share!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 24%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 7.000000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENG%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 98%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBH%3C/text%3E%3C/svg%3E)