Archive for the ‘Windows’ Category

You receive “The system cannot find the file specified” when trying to remove a namespace server from DFS

Sunday, May 29th, 2011

Issue

When attempting to remove a namespace server from a domain-based DFS namespace, you receive the following error: -

\\fqdn.domain\namespace: The namespace server \\SERVER\NAMESPACE cannot be forcibly removed. The system cannot find the file specified

Cause

This issue is caused by an inconsistency in the namespace server list maintained in Active Directory.

Resolution

  1. Using adsiedit.msc, locate the DFS namespace object under the System\Dfs-Configuration container in the domain partition.
  2. Open the properties of the DFS namespace object and locate the remoteServerName attribute.
  3. Edit the remoteServerName attribute and add the path to the namespace server and namespace folder you are trying to remove, for example \\SERVER\FOLDER
  4. Save the object and allow time for Active Directory to replicate the change to the domain controllers in the site where your DFS management console is running
  5. Attempt to remove the DFS namespace server again
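
The same edit scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. It assumes the namespace object's CN matches the namespace name; NAMESPACE and \\SERVER\FOLDER are placeholders, and the change is only previewed until -WhatIf is removed.

```powershell
# Added example: inspect, then extend, remoteServerName on a domain-based
# DFS namespace object (steps 1 to 4 above, without adsiedit.msc).
Import-Module ActiveDirectory

$NamespaceName = 'NAMESPACE'          # placeholder: name of the DFS namespace
$MissingTarget = '\\SERVER\FOLDER'    # placeholder: path that fails to remove

# Assumption: the object lives at CN=<namespace>,CN=Dfs-Configuration,CN=System,<domain DN>
$domainDN    = (Get-ADDomain).DistinguishedName
$dfsObjectDN = "CN=$NamespaceName,CN=Dfs-Configuration,CN=System,$domainDN"

$ns      = Get-ADObject -Identity $dfsObjectDN -Properties remoteServerName
$current = @($ns.remoteServerName)

Write-Output "Current remoteServerName values on ${dfsObjectDN}:"
$current

if ($current -contains $MissingTarget) {
    # -contains is case-insensitive, which matches how UNC paths compare
    Write-Output "$MissingTarget is already listed; the attribute is not the inconsistency."
}
else {
    # Keep a record of the attribute before touching it
    $current | Set-Content -Path ".\$NamespaceName-remoteServerName-before.txt"

    # -Add appends one value to the multi-valued attribute and leaves the rest alone.
    # Remove -WhatIf to commit the change.
    Set-ADObject -Identity $dfsObjectDN -Add @{ remoteServerName = $MissingTarget } -WhatIf
}
```

Run it against a domain controller in the same site as the DFS management console, or wait for replication as in step 4, before retrying the removal.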

Set-GPPermissions PowerShell cmdlet fails to apply permissions due to “invalid user”

Thursday, March 3rd, 2011

If you’ve ever tried to set permissions on a GPO using PowerShell, and you’ve encountered an error that the user is “not a valid user” in your domain, you’ve probably also noticed (at least at the current time of writing) that very little information exists about this issue.

I encountered this problem after trying to execute the following PowerShell command to make a simple permission change on a GPO: -

Set-GPPermissions -Name "My Policy" -PermissionLevel "GpoEditDeleteModifySecurity" -TargetName "MyUser" -TargetType "User"

Running the above command was giving me the result below: -

Set-GPPermissions : The operation cannot be completed because “<USER>” is not a valid user in the <FQDN> domain.
Make sure that the TargetName and TargetType parameters specify a valid user for the domain. Then, run the command again.
Parameter name: TargetName
At line:1 char:18
+ Set-GPPermissions <<<<
    + CategoryInfo          : ObjectNotFound: (Microsoft.Group…missionsCommand:SetGPPermissionsCommand) [Set-GPPermissions], ArgumentException
    + FullyQualifiedErrorId : TargetNotFound,Microsoft.GroupPolicy.Commands.SetGPPermissionsCommand

Reading the examples of the Set-GPPermissions command, I just couldn’t see where I was going wrong, so I was sure it had to be a bug. Unfortunately, there’s hardly any information about the problem… Except a hotfix from Microsoft that doesn’t mention the specific issue, however does resolve it!

The hotfix is KB978838, and mentions a different error message and only applies to “non-English” versions of the Windows operating system. I was not having the issue described, and am running an English version of Windows Server 2008 R2, however I think my scenario came close enough to warrant testing the hotfix, for the following reasons: -

  • I was having issues with what would likely be the same function in the PowerShell cmdlet
  • I am in Australia, and have it set as my locale

So if you are wondering if the hotfix will work for you, the chances are “yes” based on my experience.

It seems that there are an increasing number of locale related bugs in Microsoft products since the release of Vista onwards. If anyone from Microsoft stumbles across this, could I suggest passing on a message that the USA isn’t the only English speaking country in the world, and aren’t the only users of your products!

EDIT: I can confirm that Windows 7/Windows Server 2008 R2 Service Pack 1 also corrects this issue.

Applying folder redirection policies on a per-machine basis

Sunday, February 27th, 2011

Today I decided to change the way that my folder redirection policy was applied to my workstations.

Previously, it was the stock-standard folder redirection policy that was targeted to the OU containing my user accounts, however I wanted to have the ability to exclude some machines from this (I build a lot of virtual machines and don’t want folder redirection applying to these).

In order to achieve this, you’ll need to use loopback policy processing so you can apply the user configuration based on computer rather than user.

The two main ways of achieving this are by employing multiple OUs (my least favourite) or by using security groups. I prefer security groups, because it means you can have one group that contains all of the machines to which folder redirection should be applied, without needing to create a separate OU in every location/office/branch you may have.

The OU method

1. Generally, you’d want to create a sub-OU under the OU that contains your computer accounts. You might want to call this something like “Folder Redirection Enabled Computers” or whatever makes you happy.

2. Create a policy, and configure your folder redirection settings to your liking, and then under Computer\Administrative Templates\System\Group Policy, enable the setting “User Group Policy loopback processing mode” and set it to “Merge”

3. Now add the machines that you want to apply the folder redirection to, to the OU you created with the policy linked

The security group filtering method

1. Create a security group called something like “Folder Redirection Enabled Computers” and add all of your required machines to this group

2. Create a new policy, and remove Authenticated Users under the Security Filtering tab, then add Domain Users and the group you created in the above step

3. Edit the policy configuring your folder redirection settings to your liking, and then under Computer\Administrative Templates\System\Group Policy, enable the setting “User Group Policy loopback processing mode” and set it to “Merge”

4. Link the policy to the OU that contains your computer accounts
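
The security group filtering method above, scripted with the ActiveDirectory and GroupPolicy modules as an added example that is not part of the original post. The GPO name, OU path and computer names are assumptions to replace with your own; the folder redirection settings themselves are still configured in the policy editor as in step 3.

```powershell
# Added example: security-group-filtered loopback GPO (steps 1 to 4 above).
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumed names; replace with your own
$GroupName  = 'Folder Redirection Enabled Computers'
$GpoName    = 'Folder Redirection (loopback)'
$ComputerOU = 'OU=Workstations,DC=example,DC=com'
$Computers  = 'WKS001', 'WKS002'

# Step 1: the group that decides which machines get folder redirection
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName `
    -Members ($Computers | ForEach-Object { Get-ADComputer -Identity $_ })

# Step 2: new policy, drop Authenticated Users, add Domain Users and the group.
# -Replace is required when lowering a trustee's existing permission level.
New-GPO -Name $GpoName | Out-Null
Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace
Set-GPPermissions -Name $GpoName -TargetName 'Domain Users' `
    -TargetType Group -PermissionLevel GpoApply
Set-GPPermissions -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# Step 3: "User Group Policy loopback processing mode" = Merge
# (registry-backed policy value: UserPolicyMode 1 = Merge, 2 = Replace)
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Step 4: link to the OU that holds the computer accounts
New-GPLink -Name $GpoName -Target $ComputerOU | Out-Null

# Check the resulting security filter: only the two trustees above should
# hold GpoApply, and Authenticated Users should no longer be listed.
Get-GPPermissions -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Group membership changes for a computer only take effect after the machine restarts and picks up a new token, so a newly added workstation will not receive the policy until then.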

As I mentioned, I prefer the use of security group filtering for this purpose, because I find it more scalable – You just link the policy to the OU(s) that contain your computer accounts, and add the computers to actually apply folder redirection settings to your custom group.

Note that you do need to ensure that the user account can read the policy as well, even though with loopback policy processing, it will be applied based on the computer account. This is because the policy passes through the user security filter too, so if you don’t have Domain Users added to the security filter (or at least a group that will contain the user(s) logging on to your desired machines) then the policy won’t apply.

In Windows 7, there is a fair level of detail in both the Application event log, as well as the dedicated Folder Redirection event log, so I recommend watching these logs remotely during a logon to make sure everything is behaving the way you expect it to.