Win2k8 - Folder Redirection

Introduction
User settings and user files are typically stored in the local user profile, under the Users folder. The files in local user profiles can be accessed only from the current computer, which makes it difficult for users who use more than one computer to work with their data and synchronize settings between multiple computers. Two technologies exist to address this problem: Roaming Profiles and Folder Redirection. Both technologies have their advantages, and they can be used separately or together to create a seamless user experience from one computer to another. They also provide additional options for administrators managing user data. Folder Redirection lets administrators redirect the path of a folder to a new location. The location can be a folder on the local computer or a directory on a network file share. Users can work with documents on a server as if the documents were based on a local drive. The documents in the folder are available to the user from any computer on the network. Folder Redirection is located under Windows Settings in the console tree when you edit domain-based Group Policy by using the Group Policy Management Console (GPMC). The path is [Group Policy Object Name]\User Configuration\Policies\Windows Settings\Folder Redirection.

Folders that can be redirected

Folder in Windows 7 and Windows Vista Equivalent Folder in Earlier Windows Operating Systems

AppData/Roaming Contacts Desktop Documents Downloads Favorites Links Music Pictures Saved Games Searches Start Menu Videos

Application Data Not Applicable Desktop My Documents Not Applicable Not Applicable Not Applicable Not Applicable My Pictures Not Applicable Not Applicable Start Menu Not Applicable

1|Page

ICT Trendy Co., Ltd

Prepared By: Kheuangkham Phothisan

Advantages of Folder Redirection

Even if users log on to different computers on the network, their data is always available. Offline File technology (which is turned on by default) gives users access to the folder even when they are not connected to the network. This is especially useful for people who use portable computers. Data that is stored in a network folder can be backed up as part of routine system administration. This is safer because it requires no action by the user. If you use Roaming User Profiles, you can use Folder Redirection to reduce the total size of your Roaming Profile and make the user logon and logoff process more efficient for the end-user. When you deploy Folder Redirection with Roaming User Profiles, the data synchronized with Folder Redirection is not part of the roaming profile and is synchronized in the background by using Offline Files after the user has logged on. Therefore, the user does not have to wait for this data to be synchronized when they log on or log off as is the case with Roaming User Profiles. Data that is specific to a user can be redirected to a different hard disk on the user's local computer from the hard disk that holds the operating system files. This makes the user's data safer in case the operating system has to be reinstalled. As an administrator, you can use Group Policy to set disk quotas, limiting how much space is taken up by user profile folders.

How to Configure Folder Redirection with GPO

Since Folder Redirection is in the User Configuration portion of a GPO, one can create multiple different policies and apply one to each distinct user population by filtering the security settings in the properties of the GPO. This allows administrators to redirect some users' folders to preconfigured directories, that the users do not have sufficient NTFS Permission to alter, and to redirect other users to folders that are self maintained. Folder Redirection settings are located in User Configuration-> Windows Settings -> Folder Redirections. In that node one will find:

2|Page

ICT Trendy Co., Ltd

Prepared By: Kheuangkham Phothisan

To configure an item, right-click and select Properties. This exposes the configuration UI for the specified folder. In a single GPO one can either configure the folder to redirect to a specified location for all users to which the GPO applies, or one can configure the folder to redirect to a specified location based upon group membership.

3|Page

ICT Trendy Co., Ltd

Prepared By: Kheuangkham Phothisan

NTFS and Share Permissions

For folder redirection to work properly, the destination shared folder NTFS and Share Permissions must be properly configured. If redirecting a folder to a location that the end user should not change, i.e. the Start Menu or Locked Down Desktop the following permissions should be applied:

Share Permissions: o Everyone Full Control o Administrators Full Control o System Full Control NTFS Permissions: o Everyone Read and Execute o Administrators Full Control o System Full Control

If Group Policy is configured to redirect to a location where the GPO will automatically create the destination folder, i.e. users individual Application Data, Desktop or My Documents folders the following permissions should be applied to the parent folder:

4|Page

ICT Trendy Co., Ltd

Prepared By: Kheuangkham Phothisan

Share Permissions: o Everyone Full Control o Administrators Full Control o System Full Control NTFS Permissions: o Everyone - Create Folder/Append Data (This Folder Only) o Everyone - List Folder/Read Data (This Folder Only) o Everyone - Read Attributes (This Folder Only) o Everyone - Traverse Folder/Execute File (This Folder Only) o CREATOR OWNER - Full Control (Subfolders and Files Only) o System - Full Control (This Folder, Subfolders and Files) o Domain Admins - Full Control (This Folder, Subfolders and Files)

Its important to note that when redirecting folders such as My Documents to a location that already exists, i.e. the Users Home Folder there is another setting to consider, ownership. If the user is not the owner of the destination directory, folder redirection will fail with the default Folder Redirection settings. When this is the case, one must deselect Grant the user exclusive rights to My Documents

If this is not configured, folder redirection will fail and the following will be written to the Terminal Servers Event Log:

5|Page

ICT Trendy Co., Ltd

Prepared By: Kheuangkham Phothisan

Event ID: 101 User: username Computer: computername Description: Failed to perform redirection of folder foldername. The new directories for the redirected folder could not be created. The folder is configured to be redirected to \\servername\sharename\%username%, the final expanded path was \\servername\sharename\username. The following error occurred: Access is denied. Notes:
o o

User Configuration Settings in Group Policy take effect upon the first logon after the policy is saved and replicated to the users logon server. Computer Configuration Settings in Group Policy take effect when the machine boots and logs on to Active Directory. With this in mind, one needs to reboot a terminal server before Computer Configuration setting changes will be applied. Folder Redirection does not exist in Local Policy. If one wants to redirect folders without using Active Directory they should investigate redirecting folders by editing the registry at: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Shell Folders] If redirecting the Start Menu, one should be aware that by default users right clicking on Start Button to Explore will explore starting at the redirected folders network location, even if you have restricted access to My Network Places. To avoid this, one can edit the following registry entry: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\ddeexec] @="[ExploreFolder(\"DriveLetter:\\\", DriveLetter:\\, %S)]"

SUMMARY ( SORT FR CONFIGURATION)

Folder redirection can be used to redirect certain special folders on the end users desktop to server shares. Special folders such as the My Documents or Documents, which is the default folder for users to store and access their data, can be redirected to server shares.

The following are some basic rule-of-thumb guidelines when using this Group Policy extension:
1) Allow the system to create the folders: If the folders are created by the administrator, they will not have the correct permissions. But properly configuring the share and NTFS permissions on the server share is essential in providing a functional folder redirection experience. 2) Enable client-side caching or offline file synchronization: This is important for users with

6|Page

ICT Trendy Co., Ltd

Prepared By: Kheuangkham Phothisan

portable computers but is not the desired configuration for folder redirection on Terminal Servers. Furthermore, when storing data on end-user workstations, it is not desired or might violate regulatory and/or security requirements. 3) Use fully qualified (UNC) paths or DFS paths for server share locations: For example, use \\Server1.companyabc.com\UserProfiles or \\companyabc.com\UserProfiles\ if DFS shares are deployed. Before folder redirection can be expected to work, share and NTFS (New Technology File System) permissions must be configured appropriately.

For folder redirection to work properly, configure the NTFS as follows:

1) Configure the folder to not inherit permissions and remove all existing permissions. 2) Add the file servers local Administrators group with Full Control of This Folder, Subfolders, and Files. 3) Add the Domain Admins domain security group with Full Control of This Folder, Subfolders, and Files. 4) Add the System account with Full Control of This Folder, Subfolders, and Files. 5) Add the Creator/Owner with Full Control of Subfolders and Files. 6) Add the Authenticated Users group with both List Folder/Read Data and Create Folders/Append Data This Folder Only rights. The Authenticated Users group can be replaced with the desired group, but do not choose the Everyone group as a best practice. The share permissions of the folder can be configured to grant administrators Full Control and authenticated users Change permissions. To redirect the Documents folder to a network share, follow the steps given below: 1. Log on to a designated Windows Server 2008 administrative server. 2. Click Start and then All Programs and then Administrative Tools and then select Group Policy Management. 3. Add the necessary domains to the GPMC as required. 4. Expand the Domains node to reveal the Group Policy Objects container. 5. Create a new GPO called UserFolderRedirectGPO and open it for editing. 6. After the UserFolderRedirectGPO is opened for editing in the Group Policy Management Editor, expand the User Configuration node, expand Policies, expand Windows Settings, and select the Folder Redirection node to display the user profile folders that are available for

7|Page

ICT Trendy Co., Ltd

Prepared By: Kheuangkham Phothisan

redirection. If Windows 2000, Windows XP, or Windows Server 2003 profiles require folder redirection, configuring even the Documents folder will require additional testing and might not function correctly. For these operating systems, create a folder redirection GPO using the Windows Server 2003 GPMC. 7. In the Settings pane, right-click the Document folder and select Properties. 8. On the Target tab, click the Setting drop-down list arrow, and select Basic Redirect Everyones Folder to the Same Location, which reveals additional options. There is another option to configure folder redirection to different locations based on group membership, but for this example, select the basic redirection option. 9. In the Target Folder Location section, there are several options to choose from and should be reviewed for functionality; for this example, select Create a Folder for Each User Under the Root Path. This is very important if multiple folders will be redirected; more details are explained in the following steps. 10. In Root Path field, type in the server and share name, for example \\Server\UserProfiles. Notice how the end-user name and Document folder will be created below the root share folder. This requires that the end users have at least Change rights on the share permissions and they must also have the Create Folder and Create File NTFS permissions on the root folder that is shared. 11. At the top of the page, select the Settings tab and uncheck the Grant the User Exclusive Rights to Documents check box. Leave the remaining check boxes unchanged. 12. Click OK to complete the folder redirection configuration. A pop-up opens that states that this policy will not display the Folder Redirection node if an administrator or user attempts to configure or view this group policy using policy management tools from Windows 2000, Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the folder redirection. 13. Back in the Group Policy Management Editor window, close the GPO. 14. In the GPMC, link the new UserFolderRedirectGPO policy to an OU with a user account that can be used to test this policy. This user must log on to a Windows Vista computer to allow proper processing of this policy. 15. Log on to a Windows Vista system with the test user account. After the profile completes loading, click the Start button, and locate and right-click the Documents folder and then select Properties. Select the Location tab and verify the path. For example, for a user named XYZ, the path should be \\Server\UserProfiles\XYZ\Documents. If the folder is not redirected properly, the Windows Vista system might need to have a domain policy applied that forces Synchronous Foreground Refresh of group policies. Also a very common configuration error is the NTFS and share permissions on the root folder. Each of the folder redirection folders will automatically be configured to be synchronized with the server and be available offline. When additional server folders need to be configured to be

8|Page

ICT Trendy Co., Ltd

Prepared By: Kheuangkham Phothisan

available offline, follow the below steps: 1. Locate the shared network folder that should be made available offline. 2. Right-click the folder and select Always Available Offline As long as the server share allows offline synchronization and the client workstation also supports this, as they both do by default, which is all that is necessary.

9|Page

ICT Trendy Co., Ltd

Prepared By: Kheuangkham Phothisan