AD Group Policy - can't remove policy for remote users

ITMgr5 1 Reputation point
2021-04-08T15:30:23.717+00:00

Hello:
We have begun to migrate our users to OneDrive. Currently our users sync their Documents folder to an on-prem server using Offline Files and Folder Redirection (OFFR) enabled via a group policy.

The first step in the migration is to turn off OFFR. Normally this is easily done by removing the user from an Active Directory group which enables the group policy controlling OFFR. This should result in restoring their Documents folder to the local user profile on the machine. If we are on-premise, this works consistently, so we know the procedure is correct.

However, our entire company is working remotely, connecting to our on-prem network by VPN. We observe that removing the user from the AD group on the server does not sync to the remote machine. The local machine continues to enforce this particular policy. Therefore we can’t turn off OFFR.

This is baffling because other group policy changes we have made such as network mappings seem to work almost immediately.

Although most users will be returning to the office eventually, we have a percentage of full-time remote users (some international) that will not be returning to the home office any time soon. Plus, we'd really like to get our OneDrive migration going.

Wondering if anyone else has experienced this problem and found a fix or workaround?

Windows

2 answers

  1. Fan Fan 15,361 Reputation points Microsoft Vendor
    2021-04-09T00:52:10.693+00:00

    Hi,
    Welcome to share here!

    I have heard of some similar cases where users connect to the domain through VPN. They can't refresh the changes for the folder redirection policy.
    The situation may not be the same as yours; the following comments are just for your reference.

    First of all, I would recommend you confirm whether the issue was caused by:
    The user can't refresh the group membership
    Or the user can't refresh the policy changes.
    You can check that by running the command: gpresult /h report.html and checking the group membership in the report.

    Based on my research, the refresh for Folder Redirection needs the users to log off and log on one or 2 times.
    When the policy changes are refreshed during logon, the VPN should also be connected.
    If the VPN isn't set to connect before user logon, the policy refresh for Folder Redirection can't be completed successfully.

    Best Regards,


  2. ITMgr5 1 Reputation point
    2021-04-13T13:02:39.31+00:00

    Hello again:
    Much thanks for your post.

    The users are definitely getting refreshed as far as policies and group memberships. We've changed memberships and modified other policies and the updates occur almost immediately.

    In our testing we have logged off/on and rebooted many times in an attempt to get the change in policy to "take". It stubbornly remains in effect.

    However, your suggestion to connect to the VPN before logging in was helpful. We have enabled that functionality on our test machines and seen some improvement. The policy no longer appears when we do a gpresult on the machines. Unfortunately, the machines do not revert to the default settings and are still redirecting and syncing the folder.

    Nevertheless, this is progress and we think that the failure to revert to the default settings may be related to the way the policy was implemented. Worst case, with the policy not in effect we can probably disable OFFR manually and copy the files to the right location.

    We'll do a little more testing but I think we are on the right path.
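
The checks discussed in this thread (group membership, policy report, and whether Documents is actually still redirected) can be collected in one pass. The following PowerShell is an added example, not posted by either participant; the function name `Get-OffrState` and the group name are placeholders, and the `Group Name` column assumes English `whoami` output.

```powershell
# Added example, not from the thread. Run as the affected user with the VPN connected.
function Get-OffrState {
    param(
        # Placeholder: the AD group that scopes the OFFR policy in your domain.
        [string]$GroupName = 'PLACEHOLDER-OFFR-Group'
    )

    # 1. Group membership as seen in the current logon token. The token is built
    #    at logon, so a removal made in AD shows up only after a fresh logon.
    $groups  = whoami /groups /fo csv | ConvertFrom-Csv
    $inToken = [bool]($groups | Where-Object { $_.'Group Name' -like "*\$GroupName" })

    # 2. Where Documents points right now (raw registry value and resolved path).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $raw = (Get-Item -Path $key).GetValue('Personal', $null, $opt)
    $resolved   = [Environment]::GetFolderPath('MyDocuments')
    # A UNC path in either value means the folder still lives on the server.
    $redirected = ($raw -like '\\*') -or ($resolved -like '\\*')

    # 3. Offline Files service state (service name CscService).
    $csc = Get-Service -Name CscService -ErrorAction SilentlyContinue

    # 4. User-scope policy report, as suggested in the first answer, for manual review.
    $report = Join-Path $env:TEMP 'gpresult-user.html'
    gpresult /scope user /h $report /f | Out-Null

    # Separate "membership not refreshed" from "policy gone but setting not reverted".
    $finding = if ($inToken) {
        'Group still in token: log on again with the VPN connected before logon'
    } elseif ($redirected) {
        'Out of the group but Documents still redirected: setting was not reverted'
    } else {
        'Documents is local'
    }

    [pscustomobject]@{
        GroupInToken     = $inToken
        DocumentsRaw     = $raw
        DocumentsPath    = $resolved
        StillRedirected  = $redirected
        OfflineFilesSvc  = if ($csc) { $csc.Status } else { 'not present' }
        GpresultReport   = $report
        Finding          = $finding
    }
}

Get-OffrState | Format-List
```

The second finding corresponds to the state described in the last reply. The Policy Removal setting on the Folder Redirection policy determines whether the folder is redirected back to the local profile when the policy stops applying.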

