OK! I have a solution thanks to the brilliant folk on the Samba mailing list.
As the domain administrator, open a Windows Explorer (Computer) window and enter \\addchost.domain in the address bar. In my case the location is \\mail.hprs.local. Then, right click on sysvol > Properties > Security. Make sure all settings are as follows:
Code:
sysvol FOLDER permissions:

  CREATOR OWNER
    Special
    (Advanced) Subfolders and files only
    Full control (everything is checked)

  CREATOR GROUP
    Special
    (Advanced) Subfolders and files only
      Traverse folder / execute file
      List folder / read data
      Read attributes
      Read extended attributes
      Read permissions

  Authenticated Users
    Read & execute
    List folder contents
    Read
    (Advanced) This folder, subfolders and files
      Traverse folder / execute file
      List folder / read data
      Read attributes
      Read extended attributes
      Read permissions

  SYSTEM
    Full control
    (Advanced) This folder, subfolders and files
    Full control (everything is checked)

  Administrators (HPRS\Administrators)
    Full control
    (Advanced) This folder, subfolders and files
    Full control (everything is checked)
In addition to these settings, on the 'Permissions > Edit' dialog, I checked "Apply these permissions to objects and/or containers ...", and on the 'Permission' tab (after setting 'Edit') I checked "Replace all child object permissions with inheritable permissions from this object".
I don't know specifically if checking these options is necessary, but it didn't hurt.
Then, I set the share permissions: in the Start > Search box I typed 'Computer Management', then Action > Connect to another computer, and entered my AD DC host "mail". Then expand System Tools > Shared Folders > Shares > right-click sysvol > Properties > Share Permissions. Set as follows:
Code:
sysvol SHARE permissions:

  Everyone:             READ
  Authenticated Users:  FULL CONTROL
  HPRS\Administrators:  FULL CONTROL
  SYSTEM:               FULL CONTROL
At this point I restarted Samba. Again, not sure I had to do that here, but it didn't hurt.
Next, as the domain administrator I ran Administrative Tools > Group Policy Management > expand Group Policy Objects. I clicked on each Policy in turn. Each one gave me a message to the effect that the permissions were inconsistent with the AD -- sorry, I didn't think at the time to get the exact message, but it was something like that. The dialog asked if I wanted to update the permissions and I answered OK to this for each policy. After exiting GPO Management, I restarted Samba4 again and rebooted one of the Windows 7 workstations (with the idea that it would refresh GPOs upon reboot).
Then I tried logging in as a user who I confirmed did NOT have an account on this workstation. Voila! She got her redirected desktop. Computer > Desktop > Properties showed the location as \\mail.hprs.local\Users\userid\Desktop, not C:\Users\...! More importantly, checking the event log showed only this for Group Policy: "The Group Policy settings for the user were processed successfully".
I've spent MONTHS on this and finally, FIXED!
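The folder-permission step above can be scripted instead of clicked through, which also gives you a way to re-check the ACL later. The script below is an added example and is not from the original post or from the Samba project: it applies exactly the sysvol FOLDER permissions listed above with PowerShell's Get-Acl/Set-Acl, optionally does the equivalent of the "Replace all child object permissions with inheritable permissions from this object" check box with icacls, and then reads the root ACL back and verifies it. Assumptions not in the post: it runs in an elevated PowerShell on a domain-joined Windows client as the domain administrator; the group shown as HPRS\Administrators is BUILTIN\Administrators on the DC (SID S-1-5-32-544); and the function names and the -ReplaceChildPermissions switch are this example's own. Well-known SIDs are used so the names resolve regardless of locale. The SHARE permissions (the Computer Management step) are not touched here.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example, not the post author's script. Path is the DC name from the post.
param(
    [string]$SysvolPath = '\\mail.hprs.local\sysvol',
    [switch]$ReplaceChildPermissions   # assumed switch; mirrors the "Replace all child object permissions" box
)

# Every ACE in the post applies to "subfolders and files", so all of them carry
# ContainerInherit + ObjectInherit. "Subfolders and files only" is expressed by the
# InheritOnly propagation flag; "This folder, subfolders and files" by PropagationFlags.None.
$OI_CI = [InheritanceFlags]'ContainerInherit, ObjectInherit'

# The sysvol FOLDER permissions from the post, keyed by well-known SID.
$SysvolSpec = @(
    @{ Sid = 'S-1-3-0';      Rights = [FileSystemRights]::FullControl;   Prop = [PropagationFlags]::InheritOnly } # CREATOR OWNER
    @{ Sid = 'S-1-3-1';      Prop = [PropagationFlags]::InheritOnly                                            # CREATOR GROUP
       Rights = [FileSystemRights]'ReadData, ExecuteFile, ReadAttributes, ReadExtendedAttributes, ReadPermissions' }
    @{ Sid = 'S-1-5-11';     Rights = [FileSystemRights]::ReadAndExecute; Prop = [PropagationFlags]::None }      # Authenticated Users
    @{ Sid = 'S-1-5-18';     Rights = [FileSystemRights]::FullControl;   Prop = [PropagationFlags]::None }       # SYSTEM
    @{ Sid = 'S-1-5-32-544'; Rights = [FileSystemRights]::FullControl;   Prop = [PropagationFlags]::None }       # Administrators (assumed = HPRS\Administrators)
)

function Set-SysvolAcl {
    param([string]$Path, [array]$Spec)
    $acl = Get-Acl -LiteralPath $Path
    # Remove every explicit ACE so the result is exactly the list from the post.
    # Inherited ACEs (if the share root inherits anything) are left alone.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleAll($ace)
    }
    foreach ($s in $Spec) {
        $id   = New-Object SecurityIdentifier($s.Sid)
        $rule = New-Object FileSystemAccessRule($id, $s.Rights, $OI_CI, $s.Prop, [AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    # Set-Acl persists only the DACL here (the owner was not modified), and Windows
    # propagates the inheritable ACEs down the tree the same way the Security dialog does.
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-SysvolAcl {
    param([string]$Path, [array]$Spec)
    $acl      = Get-Acl -LiteralPath $Path
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    $ok = $true
    foreach ($s in $Spec) {
        $id    = New-Object SecurityIdentifier($s.Sid)
        $match = $explicit | Where-Object {
            $_.IdentityReference.Translate([SecurityIdentifier]) -eq $id -and
            $_.FileSystemRights  -eq $s.Rights -and
            $_.InheritanceFlags  -eq $OI_CI    -and
            $_.PropagationFlags  -eq $s.Prop   -and
            $_.AccessControlType -eq [AccessControlType]::Allow
        }
        if (-not $match) { Write-Warning "Missing or wrong ACE for $($s.Sid) on $Path"; $ok = $false }
    }
    # Anything beyond the five listed ACEs is a leftover that the dialog walk-through removed.
    if ($explicit.Count -ne $Spec.Count) { Write-Warning "Unexpected extra explicit ACEs on $Path"; $ok = $false }
    return $ok
}

Set-SysvolAcl -Path $SysvolPath -Spec $SysvolSpec

if ($ReplaceChildPermissions) {
    # Equivalent of "Replace all child object permissions with inheritable permissions from
    # this object": reset every child to inherited-only ACEs. Per-GPO folders under
    # Policies\ lose their own ACEs here; GPMC offers to rewrite them when you click each
    # GPO, which is the step the post describes next.
    & icacls.exe "$SysvolPath\*" /reset /T /C /Q
}

if (Test-SysvolAcl -Path $SysvolPath -Spec $SysvolSpec) {
    "sysvol root ACL matches the expected list"
} else {
    throw "sysvol root ACL does not match; review the warnings above"
}
```

Run it once as the domain administrator, then walk the GPOs in Group Policy Management as described above so each policy folder gets its own ACEs back. The DC-side counterpart is `samba-tool ntacl sysvolcheck`, which compares the on-disk sysvol ACLs with what Samba expects, and `samba-tool ntacl sysvolreset`, which rewrites them; running sysvolcheck after the script (and after the GPMC pass) confirms that the client-side change and the DC agree.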