For a very long time now, we have relied on a registry setting to handle folder redirection for our Documents folders. Part of the login script sets HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal to use \\fileserver\%username%. We have other scripts that automatically create and share those folders with working permissions at the same time user accounts are created.

This works, but I know it's not the typical way to handle this. Especially with Windows 10, the semi-annual feature updates have occasionally broken the process. Therefore I'd like to start using the built-in (and supported) Folder Redirection GPOs.

My test policy is set up with these options:

Basic - Redirect everyone to the same location
Redirect to the user's home directory
Grant the user exclusive rights: UNCHECKED
Move the contents of Documents: UNCHECKED
Also apply redirection to Windows 2000 etc: CHECKED, but we have no systems like this
Leave the folder in the new location when the policy is removed

I have a test account with the old registry change removed from the login script. For other details, I'm testing from a Windows 10 x64 1909 Enterprise computer. We have Server 2019 DCs, but we're at the 2012 functional level because I have one stinking Windows XP machine left I have to support :(

I have this almost working, but unfortunately I get a 502 error in Event Viewer:

Failed to apply policy and redirect folder "Documents" to "\\fileserver\testuser\".
Redirection options=0x80009210
The following error occurred: "Can't create folder "\\fileserver\testuser"".
Error details: "This security ID may not be assigned as the owner of this object.".

The thing is... the folder already exists, and while the user is indeed not the owner, they do have modification rights. I do not want individual users to have rights to create new folders in the root of this share. I do not want to let Folder Redirection create these folders. We are comfortable with our existing user creation scripts. I just want it to use the folder that is already there.

Is this possible, or will I have to make extensive modifications to our account creation scripts, file share structure, and update a few thousand existing shares? (Each of our current folders is its own share, and not simply a directory in a parent shared folder.)

1 Answer

As far as I know, and as described in Microsoft documentation, you need the user to be the owner.

I understand your concerns about not giving users more permissions, but with the appropriate permissions in the parent folder, you should not worry: I have a share that I set up in 2015 as MS recommends, with more than 7000 users now (more than 100 created this month), and it has given me 0 problems, while the time spent managing new users has been 0.
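
The answer above says the redirected user must own the target folder. As an added example (not from the original post or from Microsoft), this PowerShell script audits pre-created home folders for owner mismatches and, with `-Fix`, assigns ownership using `icacls /setowner`. The root path, the domain name and the layout (one folder per account, named after the logon name) are assumptions.

```powershell
# Added example: audit, and optionally correct, the owner of pre-created home folders.
# Assumptions: run elevated on the file server; each folder under $Root is named
# after the account's logon name; $Root and $Domain below are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root   = 'D:\Homes',    # hypothetical local path behind the shares
    [string]$Domain = 'EXAMPLE',     # hypothetical NetBIOS domain name
    [switch]$Fix                     # without this switch the script only reports
)

$sidType = [System.Security.Principal.SecurityIdentifier]

$results = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $expected = "$Domain\$($dir.Name)"
    try {
        # Resolve the expected account; this throws when no such account exists.
        $expectedSid = ([System.Security.Principal.NTAccount]$expected).Translate($sidType)
    } catch {
        [pscustomobject]@{ Folder = $dir.FullName; Owner = $null; Status = 'NoMatchingAccount' }
        continue
    }

    # Compare owners by SID so renamed or unresolvable accounts are handled.
    $acl      = Get-Acl -LiteralPath $dir.FullName
    $ownerSid = $acl.GetOwner($sidType)
    $status   = if ($ownerSid.Value -eq $expectedSid.Value) { 'OK' } else { 'OwnerMismatch' }

    if ($status -eq 'OwnerMismatch' -and $Fix -and
        $PSCmdlet.ShouldProcess($dir.FullName, "Set owner to $expected")) {
        # /setowner changes only the owner; the existing DACL is left as it is.
        icacls.exe $dir.FullName /setowner $expected | Out-Null
        $status = if ($LASTEXITCODE -eq 0) { 'Fixed' } else { 'FixFailed' }
    }

    [pscustomobject]@{ Folder = $dir.FullName; Owner = $acl.Owner; Status = $status }
}

# Show only the folders that need attention.
$results | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Running it with `-Fix -WhatIf` lists the ownership changes it would make without applying them.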
