Hi All,

I hope this is the correct forum for this.

I am having a strange problem on a site that has been using Folder Redirection for several years without any significant problems.

A recently created user (UserA) is somehow logging in and having folders redirected to another Users (UserB) redirected folder path.

The DC is a 2008R2, it is currently the only DC.

'My Documents' folder is redirected to \\DomainController\users\%USERNAME%\My Documents

My Pictures, Videos and Music are set to follow 'My Documents'

Security on the root 'users' share is set as standard (as I understand it) for Folder Redirection

All Users have traverse, read and create folder on "This Folder Only"

Creator/Owner have Full Access on "Subfolders and Files"

I checked the UserB folder, the Owner is currently UserA - this would indicate that UserA Logged in, and through the Folder Redirection policy, created the UserB folder, using the %USERNAME% variable?

UserA SID    S-1-5-21-4188890273-337180924-3510778672-2807
UserB SID    S-1-5-21-4188890273-337180924-3510778672-2806

I checked the FolderRedirection events on UserA's PC:

Log Name:      Application
Source:        Microsoft-Windows-Folder Redirection
Date:          09/01/2015 17:07:59
Event ID:      501
Task Category: None
Level:         Information
Keywords:      
User:          DOMAIN\UserA
Computer:      PC.DOMAIN.local
Description:
Successfully applied policy and redirected folder "Documents" to \\DOMAINCONTROLLER01\users\UserB\My Documents  <----???
 Redirection options=0x80009020.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Folder Redirection" Guid="{7D7B0C39-93F6-4100-BD96-4DDA859652C5}" />
    <EventID>501</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-09T17:07:59.668519200Z" />
    <EventRecordID>5017</EventRecordID>
    <Correlation ActivityID="{AC608459-4916-4F31-A221-0DB73F686C35}" />
    <Execution ProcessID="1156" ThreadID="13364" />
    <Channel>Application</Channel>
    <Computer>PC.DOMAIN.local</Computer>
    <Security UserID="S-1-5-21-4188890273-337180924-3510778672-2807" />
  </System>
  <EventData Name="EVENT_FDEPLOY_SucceededToApplyPolicy">
    <Data Name="FromFolder">Documents</Data>
    <Data Name="ToFolder">\\DOMAINCONTROLLER01\users\UserB\My Documents</Data>
    <Data Name="Options">0x80009020</Data>
  </EventData>
</Event>

There are 3 other succesfully FolderRedirection messages for the Videos, Pictures and Music folders.

I then checked the Security Logs for the login event:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          09/01/2015 17:07:52
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      PC.DOMAIN.LOCAL
Description:
An account was successfully logged on.

Subject:
                Security ID:                         SYSTEM
                Account Name:                 PC$
                Account Domain:                             DOMAIN
                Logon ID:                             0x3e7

Logon Type:                                       2

New Logon:
                Security ID:                         DOMAIN\UserA
                Account Name:                 UserB      <------????
                Account Domain:                             DOMAIN
                Logon ID:                             0x1fc9641
                Logon GUID:                      {b4e87fd7-b860-39fd-e5f4-fce222c5b258}

Process Information:
                Process ID:                          0x344
                Process Name:                  C:\Windows\System32\lsass.exe

Network Information:
                Workstation Name:        PC
                Source Network Address:            -
                Source Port:                       -

Detailed Authentication Information:
                Logon Process:                  Advapi  
                Authentication Package:               Negotiate
                Transited Services:          -
                Package Name (NTLM only):       -
                Key Length:                        0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
                - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
                - Transited services indicate which intermediate services have participated in this logon request.
                - Package name indicates which sub-protocol was used among the NTLM protocols.
                - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-09T17:07:52.478590200Z" />
    <EventRecordID>3814</EventRecordID>
    <Correlation />
    <Execution ProcessID="836" ThreadID="8044" />
    <Channel>Security</Channel>
    <Computer>PC.DOMAIN.LOCAL</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">PC$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-4188890273-337180924-3510778672-2807</Data>
    <Data Name="TargetUserName">UserB</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="TargetLogonId">0x1fc9641</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">PC</Data>
    <Data Name="LogonGuid">{B4E87FD7-B860-39FD-E5F4-FCE222C5B258}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x344</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

I am totally confused as to how this is occurring.

Has anyone had a similar problem before?

I have been using FolderRedirection with this setup at many different sites for many years, and its the first time this particular event has cropped up..

Any suggestions or help would be appreciated.

Cheers,

Craig.

• Edited by Teppic47 3 hours 35 minutes ago Highligting

Hi Craig,

>>Security ID:                DOMAIN\UserA
>>Account Name:             UserB      <------????

How did we create the UserA? Here, we can try to use PowerShell to convert the SID of UserA to account name to check if it is correct.

To do this, the following PowerShell command can be referred to.

Convert SID to User Name using PowerShell

http://blogs.msdn.com/b/mpeder/archive/2014/10/07/convert-sid-to-user-name-using-powershell.aspx

Best regards,

Frank Shen

>                  Security ID:                         DOMAIN\UserA >                  Account Name:                 UserB   Double check all account properties in dsa.msc - seems something screwed UPN, samAccountName etc.  

check out this link to convert SID to user name and user name to SID:

https://technet.microsoft.com/en-us/library/ff730940.aspx

Hi Frank,

I am *told* by the engineer that he created the user directly into ADUC using Action -> New -> User

My first thought was that he perhaps created one user, then Right Click -> Copy, and something went wrong, however cannot see anything to indicate this.

I checked the SIDs, both resolve to the correct usernames.

Cheers,

Craig.

• Edited by Teppic47 1 hour 27 minutes ago typo

Hi Martin,

I have been through all of the Attributes several times, for both UserA and UserB, any reference to account, names, SIDs are correct - including UPN, samAccountName, objectSid and also all exchange attributes.

There is an exchange server on domain, but not running on this server.

UserA has logged into 3 separate machines, all with the incorrect RedirectedFolders

UserB has logged into 2 separate machines, they all *try* to get the correct Folder Path, but it fails due to insufficient rights, as UserA has ownership.

Cheers,

Craig.