Introduction
User settings and user files are typically stored in the local user profile, under the Users folder. The files in local user profiles can be accessed only from the current computer, which makes it difficult for users who use more than one computer to work with their data and synchronize settings between multiple computers. Two technologies exist to address this problem: Roaming Profiles and Folder Redirection. Both technologies have their advantages, and they can be used separately or together to create a seamless user experience from one computer to another. They also provide additional options for administrators managing user data.
Folder Redirection lets administrators redirect the path of a folder to a new location. The location can be a folder on the local computer or a directory on a network file share. Users can work with documents on a server as if the documents were based on a local drive. The documents in the folder are available to the user from any computer on the network.
Folder Redirection is located under Windows Settings in the console tree when you edit domain-based Group Policy by using the Group Policy Management Console (GPMC). The path is [Group Policy Object Name]\User Configuration\Policies\Windows Settings\Folder Redirection.
AppData/Roaming: Application Data
Contacts: Not Applicable
Desktop: Desktop
Documents: My Documents
Downloads: Not Applicable
Favorites: Not Applicable
Links: Not Applicable
Music: Not Applicable
Pictures: My Pictures
Saved Games: Not Applicable
Searches: Not Applicable
Start Menu: Start Menu
Videos: Not Applicable
To configure an item, right-click and select Properties. This exposes the configuration UI for the specified folder. In a single GPO one can either configure the folder to redirect to a specified location for all users to which the GPO applies, or one can configure the folder to redirect to a specified location based upon group membership.
Share Permissions:
  o Everyone - Full Control
  o Administrators - Full Control
  o System - Full Control
NTFS Permissions:
  o Everyone - Read and Execute
  o Administrators - Full Control
  o System - Full Control
If Group Policy is configured to redirect to a location where the GPO will automatically create the destination folder (i.e. users' individual Application Data, Desktop or My Documents folders), the following permissions should be applied to the parent folder:
Share Permissions:
  o Everyone - Full Control
  o Administrators - Full Control
  o System - Full Control
NTFS Permissions:
  o Everyone - Create Folder/Append Data (This Folder Only)
  o Everyone - List Folder/Read Data (This Folder Only)
  o Everyone - Read Attributes (This Folder Only)
  o Everyone - Traverse Folder/Execute File (This Folder Only)
  o CREATOR OWNER - Full Control (Subfolders and Files Only)
  o System - Full Control (This Folder, Subfolders and Files)
  o Domain Admins - Full Control (This Folder, Subfolders and Files)
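
The parent-folder permissions listed above, applied with PowerShell as an added example that is not part of the original document. It assumes an elevated session on a domain-joined file server with the SmbShare module (Windows Server 2012 or later) and English account names; D:\UserProfiles is a placeholder path and Add-Ace is a helper defined here.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example. D:\UserProfiles is a placeholder; the share name follows the document's example.
$root = 'D:\UserProfiles'
New-Item -Path $root -ItemType Directory -Force | Out-Null

# Start from an empty, protected ACL so nothing is inherited from the drive root.
$acl = [DirectorySecurity]::new()
$acl.SetAccessRuleProtection($true, $false)

# Hypothetical helper: typed parameters let PowerShell convert the strings to enums.
function Add-Ace([IdentityReference]$Who, [FileSystemRights]$Rights,
                 [InheritanceFlags]$Inherit, [PropagationFlags]$Propagate) {
    $rule = [FileSystemAccessRule]::new($Who, $Rights, $Inherit, $Propagate, [AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}

# Well-known SIDs avoid localized account names.
$everyone     = [SecurityIdentifier]'S-1-1-0'
$creatorOwner = [SecurityIdentifier]'S-1-3-0'
$system       = [SecurityIdentifier]'S-1-5-18'
$domainAdmins = [NTAccount]"$env:USERDOMAIN\Domain Admins"

# Everyone: the four rights, This Folder Only (no inheritance flags).
Add-Ace $everyone 'CreateDirectories, ListDirectory, ReadAttributes, Traverse' 'None' 'None'
# CREATOR OWNER: Full Control, Subfolders and Files Only (inherit-only).
Add-Ace $creatorOwner 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'
# SYSTEM and Domain Admins: Full Control, This Folder, Subfolders and Files.
Add-Ace $system       'FullControl' 'ContainerInherit, ObjectInherit' 'None'
Add-Ace $domainAdmins 'FullControl' 'ContainerInherit, ObjectInherit' 'None'
Set-Acl -Path $root -AclObject $acl

# Share permissions from the list: Full Control for Everyone, Administrators and System.
if (-not (Get-SmbShare -Name 'UserProfiles' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'UserProfiles' -Path $root `
        -FullAccess 'Everyone', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM' | Out-Null
}

# Check: an Everyone ACE that inherits to children would open users' folders to each other.
$applied = (Get-Acl -Path $root).Access
$applied | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
$leaky = $applied | Where-Object {
    $_.IdentityReference.Translate([SecurityIdentifier]).Value -eq 'S-1-1-0' -and
    $_.InheritanceFlags -ne [InheritanceFlags]::None
}
if ($leaky) { Write-Warning 'Everyone has rights that inherit to the per-user folders.' }
```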
It's important to note that when redirecting folders such as My Documents to a location that already exists, i.e. the user's Home Folder, there is another setting to consider: ownership. If the user is not the owner of the destination directory, folder redirection will fail with the default Folder Redirection settings. When this is the case, one must deselect "Grant the user exclusive rights to My Documents".
If this is not configured, folder redirection will fail and the following will be written to the Terminal Server's Event Log:
Event ID: 101
User: username
Computer: computername
Description: Failed to perform redirection of folder foldername. The new directories for the redirected folder could not be created. The folder is configured to be redirected to \\servername\sharename\%username%, the final expanded path was \\servername\sharename\username. The following error occurred: Access is denied.
Notes:
  o User Configuration Settings in Group Policy take effect upon the first logon after the policy is saved and replicated to the user's logon server.
  o Computer Configuration Settings in Group Policy take effect when the machine boots and logs on to Active Directory. With this in mind, one needs to reboot a terminal server before Computer Configuration setting changes will be applied.
  o Folder Redirection does not exist in Local Policy. If one wants to redirect folders without using Active Directory, one should investigate redirecting folders by editing the registry at:
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
  o If redirecting the Start Menu, one should be aware that by default users right-clicking on the Start Button and selecting Explore will explore starting at the redirected folder's network location, even if you have restricted access to My Network Places. To avoid this, one can edit the following registry entry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\ddeexec]
    @="[ExploreFolder(\"DriveLetter:\\\", DriveLetter:\\, %S)]"
The following are some basic rule-of-thumb guidelines when using this Group Policy extension:
1) Allow the system to create the folders: If the folders are created by the administrator, they will not have the correct permissions. However, properly configuring the share and NTFS permissions on the server share is essential in providing a functional folder redirection experience.
2) Enable client-side caching or offline file synchronization: This is important for users with portable computers but is not the desired configuration for folder redirection on Terminal Servers. Furthermore, storing data on end-user workstations might not be desired or might violate regulatory and/or security requirements.
3) Use fully qualified (UNC) paths or DFS paths for server share locations: For example, use \\Server1.companyabc.com\UserProfiles or \\companyabc.com\UserProfiles\ if DFS shares are deployed.
Before folder redirection can be expected to work, share and NTFS (New Technology File System) permissions must be configured appropriately.
redirection. If Windows 2000, Windows XP, or Windows Server 2003 profiles require folder redirection, configuring even the Documents folder will require additional testing and might not function correctly. For these operating systems, create a folder redirection GPO using the Windows Server 2003 GPMC.
7. In the Settings pane, right-click the Documents folder and select Properties.
8. On the Target tab, click the Setting drop-down list arrow, and select Basic - Redirect Everyone's Folder to the Same Location, which reveals additional options. There is another option to configure folder redirection to different locations based on group membership, but for this example, select the basic redirection option.
9. In the Target Folder Location section, there are several options to choose from, and they should be reviewed for functionality; for this example, select Create a Folder for Each User Under the Root Path. This is very important if multiple folders will be redirected; more details are explained in the following steps.
10. In the Root Path field, type in the server and share name, for example \\Server\UserProfiles. Notice how the end-user name and Documents folder will be created below the root share folder. This requires that the end users have at least Change rights on the share permissions, and they must also have the Create Folder and Create File NTFS permissions on the root folder that is shared.
11. At the top of the page, select the Settings tab and uncheck the Grant the User Exclusive Rights to Documents check box. Leave the remaining check boxes unchanged.
12. Click OK to complete the folder redirection configuration. A pop-up opens that states that this policy will not display the Folder Redirection node if an administrator or user attempts to configure or view this group policy using policy management tools from Windows 2000, Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the folder redirection.
13. Back in the Group Policy Management Editor window, close the GPO.
14. In the GPMC, link the new UserFolderRedirectGPO policy to an OU with a user account that can be used to test this policy. This user must log on to a Windows Vista computer to allow proper processing of this policy.
15. Log on to a Windows Vista system with the test user account. After the profile completes loading, click the Start button, locate and right-click the Documents folder, and then select Properties. Select the Location tab and verify the path. For example, for a user named XYZ, the path should be \\Server\UserProfiles\XYZ\Documents.
If the folder is not redirected properly, the Windows Vista system might need to have a domain policy applied that forces Synchronous Foreground Refresh of group policies. Also, a very common configuration error is the NTFS and share permissions on the root folder.
Each of the folder redirection folders will automatically be configured to be synchronized with the server and be available offline. When additional server folders need to be configured to be available offline, follow the steps below:
1. Locate the shared network folder that should be made available offline.
2. Right-click the folder and select Always Available Offline. As long as the server share allows offline synchronization and the client workstation also supports this, as they both do by default, that is all that is necessary.