Post Configuring Folder Redirection in Windows Server 2008

Folder redirection can be used to redirect certain special folders on the end user’s desktop to server shares. Special folders such as the My Documents or Documents, which is the default folder for users to store and access their data, can be redirected to server shares.

The following are some basic rule-of-thumb guidelines when using this Group Policy extension:

1) Allow the system to create the folders: If the folders are created by the administrator, they will not have the correct permissions. But properly configuring the share and NTFS permissions on the server share is essential in providing a functional folder redirection experience.

2) Enable client-side caching or offline file synchronization: This is important for users with portable computers but is not the desired configuration for folder redirection on Terminal Servers. Furthermore, when storing data on end-user workstations, it is not desired or might violate regulatory and/or security requirements.

3) Use fully qualified (UNC) paths or DFS paths for server share locations: For example, use \\\UserProfiles or \\\UserProfiles\ if DFS shares are deployed.

Before folder redirection can be expected to work, share and NTFS (New Technology File System) permissions must be configured appropriately.

For folder redirection to work properly, configure the NTFS as follows:

1) Configure the folder to not inherit permissions and remove all existing permissions.
2) Add the file server’s local Administrators group with Full Control of This Folder, Subfolders, and Files.
3) Add the Domain Admins domain security group with Full Control of This Folder, Subfolders, and Files.
4) Add the System account with Full Control of This Folder, Subfolders, and Files.
5) Add the Creator/Owner with Full Control of Subfolders and Files.
6) Add the Authenticated Users group with both List Folder/Read Data and Create Folders/Append Data – This Folder Only rights. The Authenticated Users group can be replaced with the desired group, but do not choose the Everyone group as a best practice.

The share permissions of the folder can be configured to grant administrators Full Control and authenticated users Change permissions.

To redirect the Documents folder to a network share, follow the steps given below:

1. Log on to a designated Windows Server 2008 administrative server.
2. Click Start and then All Programs and then Administrative Tools and then select Group Policy Management.
3. Add the necessary domains to the GPMC as required.
4. Expand the Domains node to reveal the Group Policy Objects container.
5. Create a new GPO called UserFolderRedirectGPO and open it for editing.
6. After the UserFolderRedirectGPO is opened for editing in the Group Policy Management Editor, expand the User Configuration node, expand Policies, expand Windows Settings, and select the Folder Redirection node to display the user profile folders that are available for redirection. If Windows 2000, Windows XP, or Windows Server 2003 profiles require folder redirection, configuring even the Documents folder will require additional testing and might not function correctly. For these operating systems, create a folder redirection GPO using the Windows Server 2003 GPMC.
7. In the Settings pane, right-click the Document folder and select Properties.
8. On the Target tab, click the Setting drop-down list arrow, and select Basic – Redirect Everyone’s Folder to the Same Location, which reveals additional options. There is another option to configure folder redirection to different locations based on group membership, but for this example, select the basic redirection option.
9. In the Target Folder Location section, there are several options to choose from and should be reviewed for functionality; for this example, select Create a Folder for Each User Under the Root Path. This is very important if multiple folders will be redirected; more details are explained in the following steps.
10. In Root Path field, type in the server and share name, for example \\Server\UserProfiles. Notice how the end-user name and Document folder will be created below the root share folder. This requires that the end users have at least Change rights on the share permissions and they must also have the Create Folder and Create File NTFS permissions on the root folder that is shared.
11. At the top of the page, select the Settings tab and uncheck the Grant the User Exclusive Rights to Documents check box. Leave the remaining check boxes unchanged.
12. Click OK to complete the folder redirection configuration. A pop-up opens that states that this policy will not display the Folder Redirection node if an administrator or user attempts to configure or view this group policy using policy management tools from Windows 2000, Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the folder redirection.
13. Back in the Group Policy Management Editor window, close the GPO.
14. In the GPMC, link the new UserFolderRedirectGPO policy to an OU with a user account that can be used to test this policy. This user must log on to a Windows Vista computer to allow proper processing of this policy.
15. Log on to a Windows Vista system with the test user account. After the profile completes loading, click the Start button, and locate and right-click the Documents folder and then select Properties. Select the Location tab and verify the path. For example, for a user named XYZ, the path should be \\Server\UserProfiles\XYZ\Documents.

If the folder is not redirected properly, the Windows Vista system might need to have a domain policy applied that forces Synchronous Foreground Refresh of group policies. Also a very common configuration error is the NTFS and share permissions on the root folder.

Each of the folder redirection folders will automatically be configured to be synchronized with the server and be available offline. When additional server folders need to be configured to be available offline, follow the below steps:

1. Locate the shared network folder that should be made available offline.
2. Right-click the folder and select Always Available Offline

As long as the server share allows offline synchronization and the client workstation also supports this, as they both do by default, which is all that is necessary.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s