With Folder Redirection you can store some standard user profile directories (special folders such as Desktop, Documents, Pictures, Downloads) in a network folder on a file server. Redirected folders work much like mapped network drives: data is read from and written directly to the file server. In this article, we'll look at how to configure folder redirection for user computers in an Active Directory domain using Group Policy.
Benefits of using redirected folders:
- The possibility of organizing a centralized backup of user data on a file server (instead of backup on workstations);
- The user can access their personal files from any computer they log on to;
- Ability to control what users may store in their folders (file screening with the File Server Resource Manager (FSRM) role in Windows Server) and to limit user profile size with NTFS disk quotas;
- Redirected folders can be used both for workstations and for terminal servers (Remote Desktop Services);
- When Folder Redirection is used on RDS together with User Profile Disks or FSLogix profile containers, network load is reduced and logon is faster, because the data in redirected folders does not need to be copied to the RDS host at every logon and back at logoff.
Setting up redirected folders is a two-step process:
- Creating a network folder on a file server and setting access rights;
- Setting up folder redirection in a GPO.
First, create a domain security group for the users whose folders will be redirected, and add the users to it:
New-ADGroup spb-FolderRedirection -Path 'OU=Groups,OU=SPB,DC=corp,DC=site,DC=io' -GroupScope Global -PassThru -Verbose
Add-ADGroupMember -Identity spb-FolderRedirection -Members user1,user2,myuser
Create a network folder on the file server where you will store the redirected folders.
For the Windows Server file server that will store users' personal directories, it is advisable to use a fault-tolerant configuration: a Windows Failover Cluster, DFS, and/or fault tolerance at the virtualization level (VMware HA, a Hyper-V cluster, etc.).
It is also advisable to store user folders on a separate drive rather than on the system drive C:. Create the folder and share it from Windows Explorer or with the New-SmbShare PowerShell cmdlet:
New-SmbShare -Name RedirFolder -Path D:\RedirFolder -Description "Users Redirected Folders"
Now you need to set up the correct NTFS permissions on the folder so that each user can only access their own files.
On the Security tab, click Advanced and then Disable Inheritance. When prompted, select Convert inherited permissions into explicit permissions on this object.
Remove the Users / Authenticated Users entries from the NTFS permission list, and leave only the following permissions:
- Administrators (Full control, This folder, subfolders and files)
- SYSTEM (Full control, This folder, subfolders and files)
- CREATOR OWNER (Full control, Subfolders and files only)
Now add the spb-FolderRedirection security group, and grant the following permissions to the root folder (This folder only):
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Create Folder/Append Data
- Read Permissions
In the properties of the network folder (Sharing -> Advanced Sharing -> Permissions), grant Full Control at the share level; effective access is then governed by the NTFS permissions above, since the more restrictive of the share and NTFS permissions applies.
In this configuration, users are allowed to create subfolders in the root directory, but only the owner of each subfolder (the user who created it) has access to its contents.
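The whole file-server side of the procedure above, as an added example that is not part of the original article: it creates the share and builds exactly the NTFS ACL listed (Administrators and SYSTEM with Full control on this folder, subfolders and files; CREATOR OWNER with Full control on subfolders and files only; the redirection group with the six rights on this folder only). Share name, path and group name are taken from the article; the domain NetBIOS name CORP and granting the share-level Full Control to the group rather than to Authenticated Users are assumptions.

```powershell
# Added example (not from the original article). Run elevated on the file server.
#Requires -RunAsAdministrator
$Path      = 'D:\RedirFolder'
$ShareName = 'RedirFolder'
$Group     = 'CORP\spb-FolderRedirection'   # assumption: domain NetBIOS name is CORP

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Share-level permission: Full Control for the group (assumption: the article does not
# name the principal). The NTFS ACL below is what actually limits each user to their folder.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -Description 'Users Redirected Folders' `
                 -FullAccess $Group | Out-Null
}

# Build the NTFS ACL: stop inheriting from D:\ and drop every explicit entry that is there.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)     # disable inheritance, discard inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($ace)
}

$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$both    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noInh   = [System.Security.AccessControl.InheritanceFlags]::None
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Administrators and SYSTEM: Full control, "This folder, subfolders and files".
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $full, $both, $noProp, $allow)))
}

# CREATOR OWNER: Full control, "Subfolders and files only" (inherit-only). The user who
# creates a subfolder becomes its owner and so gets full control of it - and nobody else does.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CREATOR OWNER', $full, $both, $inhOnly, $allow)))

# The redirection group: "This folder only", just enough to enter the root and create
# its own subfolder. No rights propagate, so users cannot read each other's folders.
$groupRights = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateDirectories, ReadPermissions'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, $groupRights, $noInh, $noProp, $allow)))

Set-Acl -Path $Path -AclObject $acl

# Check: the list should show exactly the four principals with the flags described above.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Note that the group entry deliberately lacks Create Files/Write Data and Delete on the root: users can only add a folder, not drop files into the root or remove other users' folders, and what they can do inside their own folder comes from the CREATOR OWNER rule alone.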
You can now create a folder redirection group policy for users.
Launch the Domain Policy Management Console ( gpmc.msc ), create a new GPO and assign it to the Organizational Unit with users.
In order for the policy to apply only to the specified users, remove Authenticated Users from Security Filtering and add the spb-FolderRedirection group and Domain Computers. Domain Computers is needed because, since the MS16-072 update, user Group Policy is retrieved in the computer's security context, so computer accounts must retain Read permission on the GPO.
Switch to GPO edit mode and expand the User Configuration -> Policies -> Windows Settings -> Folder Redirection section.
Here are options for redirecting various user profile folders. In this example, I will set up redirects only for the Documents folder (the rest of the folders are set up in the same way).
Redirecting the AppData(roaming) profile directory is rarely used.
Open the properties of the Documents section and specify the following directory redirection options:
- Setting: Basic - Redirect everyone's folder to the same location
- Target folder location: Create a folder for each user under the root path
- Root path : \\msk-fs03\RedirFolder (UNC path to previously created network directory)
There are a few more settings on the Settings tab:
- Grant the user exclusive rights to Documents - disable this option. If it is enabled, the client creates the user's folder with an ACL that gives access only to the user and SYSTEM, which locks administrators (and backup jobs) out and conflicts with the NTFS permissions we configured on the root folder above
- Move the contents of Documents to the new location - whether existing files in the user's local Documents folder should be moved to the folder on the file server
- Policy Removal: Leave the folder in the new location when policy is removed / Redirect the folder back to the local user profile location when policy is removed - determines what happens when the GPO no longer applies to the user; with the second option the contents are copied back into the local profile. This has nothing to do with offline access: redirected folders are made available offline automatically through Windows Offline Files unless the "Do not automatically make all redirected folders available offline" policy (User Configuration -> Policies -> Administrative Templates -> System -> Folder Redirection) is enabled
Additionally, add your file server and/or domain to the Local intranet zone using the Site to Zone Assignment List GPO setting in Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.
In the policy settings, specify the list of trusted servers in the format:
- Server or domain name (in the form file://server_name, \\server_name, or an IP address)
- Zone number (1 = Local intranet)
Otherwise, Windows security warnings may appear when shortcuts and executables are run from the redirected directory.
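The GPO part of the procedure (creating and linking the GPO, the security filtering described above, and the Site to Zone Assignment List entry) done from PowerShell with the GroupPolicy module, as an added example that is not part of the original article. The Folder Redirection setting itself has no GroupPolicy cmdlet and is still configured in the GPMC editor as described; the zone mapping is written as the registry values the policy itself stores. Server and group names are the article's; the GPO name and the users OU are assumptions.

```powershell
# Added example (not from the original article). Run on a machine with RSAT / GroupPolicy module.
Import-Module GroupPolicy

$GpoName  = 'SPB-FolderRedirection'                    # assumption
$UsersOU  = 'OU=Users,OU=SPB,DC=corp,DC=site,DC=io'    # assumption
$Group    = 'spb-FolderRedirection'
$FsServer = 'msk-fs03'

# Create the GPO (if missing) and link it to the OU with the users.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Folder Redirection for SPB users' }
$linked = (Get-GPInheritance -Target $UsersOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $UsersOU -LinkEnabled Yes | Out-Null }

# Security filtering: only members of the group apply the policy. Domain Computers keeps
# Read, because since MS16-072 user policy is fetched in the computer's security context.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# Site to Zone Assignment List (Computer Configuration). The policy stores one REG_SZ per
# site under ZoneMapKey: value name = site, data = zone number ('1' = Local intranet).
$ieKey = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $ieKey -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$ieKey\ZoneMapKey" -ValueName "file://$FsServer" -Type String -Value '1' | Out-Null

# Review: the group should show GpoApply, Domain Computers GpoRead, and no Authenticated Users entry.
Get-GPPermission -Name $GpoName -All | Format-Table Trustee, Permission -AutoSize
Get-GPRegistryValue -Name $GpoName -Key "$ieKey\ZoneMapKey"
```

Keep the zone list limited to the file servers actually used for redirection: every host placed in the Local intranet zone is one from which executables run with fewer prompts, so the list is itself a security decision.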
Now you can test the folder redirection group policy. Log out of the user's session on the computer and log in again (so that the user's GPO settings are refreshed).
Open the properties of the Documents folder and make sure that Location now shows the UNC path to your file server.
You can create files and folders in the Documents directory, and they will be available to the user from any computer in your domain.
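A client-side check to run as the redirected user on a domain workstation, as an added example that is not part of the original article. It confirms the three things the procedure set up: the Documents folder really points under the share, the user owns their own folder (the CREATOR OWNER rule worked), and other users' folders under the root are visible but not readable. The root path and server name are the article's.

```powershell
# Added example (not from the original article). Run in the redirected user's session.
$Root   = '\\msk-fs03\RedirFolder'
$Server = 'msk-fs03'

# The redirected path is what the shell stores in User Shell Folders ('Personal' = Documents).
$shell = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$docs  = [Environment]::ExpandEnvironmentVariables($shell.Personal)

# Other users' folders under the root: listing the root is allowed (List Folder on "This
# folder only"), but opening their contents must fail with access denied.
$others = foreach ($dir in Get-ChildItem -Path $Root -Directory | Where-Object { $_.Name -ne $env:USERNAME }) {
    try   { Get-ChildItem -Path $dir.FullName -ErrorAction Stop | Out-Null; "$($dir.Name): readable (WRONG)" }
    catch { "$($dir.Name): access denied (OK)" }
}

$zone = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey' -ErrorAction SilentlyContinue

[pscustomobject]@{
    DocumentsPath = $docs
    IsRedirected  = $docs.StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)
    Owner         = (Get-Acl -Path $docs).Owner          # expected: the current user
    OtherFolders  = $others -join '; '
    IntranetZone  = ($zone."file://$Server" -eq '1')     # Site to Zone Assignment applied
}
```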
Note.
AppData is pretty tricky stuff for a redirect, especially if users have heterogeneous versions of Windows on their computers. You can exclude some folders from a roaming profile using the registry value ExcludeProfileDirs (HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon). The following are excluded by default:
AppData\Local;AppData\LocalLow;$Recycle.Bin;OneDrive;Work Folders