Article ID: 2859465 - View products that this article applies to.
Consider the following scenario:
· Home drive is configured for the users (eg: H:)
· Redirecting the folder to home drive using “Redirect to following location” and specify the drive letter (eg: H:\Documents) instead of using UNC path
· The user is an administrator.
In this scenario, folder redirection fails to apply and the below event is logged
Log Name: Application
Source: Microsoft-Windows-Folder Redirection
Date: 6/5/2013 5:35:27 PM
Event ID: 502
Task Category: None
Failed to apply policy and redirect folder "Documents" to "H:\Documents".
The following error occurred: "Cannot create folder "H:\Documents"".
Error details: "The system cannot find the path specified.
When an administrator logs on to Windows Vista or newer, the Local Security Authority (LSA) creates two access tokens. If LSA is notified that the user is a member of the Administrators group, LSA creates the second logon that has the administrator rights removed (filtered). Because LSA created the access tokens during two separate logon sessions, the access tokens contain separate logon IDs. The standard user access token is used to map the drive.
When the policy applies it uses the highest token (admin token) and thus it fails to see the map drive.
It is always recommended to use UNC path, not the drive map letter while redirecting a folder.
To resolve this issue, redirect the folder using UNC path instead of using map drive letter. You may use “Redirect to user’s home directory” option if you want to redirect the folder to home drive
1. Use “EnableLinkedConnections” registry. This value enables Windows Vista to share network connections between the filtered access token and the full administrator access token for a member of the Administrators group. After you configure this registry value, LSA checks whether there is another access token that is associated with the current user session if a network resource is mapped to an access token. If LSA determines that there is a linked access token, it adds the network share to the linked location.
To configure the EnableLinkedConnections registry value, follow these steps:
Collapse this tableExpand this table
Important: This workaround may make your system unsafe. Microsoft does not support this workaround. Use this workaround at your own risk.
2. Disable UAC. Disabling UAC will stop splitting the token, but it is not recommended to disable UAC.
Disabling User Account Control (UAC) on Windows Server
(http://go.microsoft.com/fwlink/?LinkId=151500)for other considerations.
Article ID: 2859465 - Last Review: August 13, 2013 - Revision: 2.0