The purpose of folder redirection is simply to move user files, such as “My Documents”, away from the local computer and onto a network share. There are several advantages to this:
- The user data can easily be included in the centralized backup.
- The users can use different computers, and still have their data available.
- Offline files are configured by default for any redirected folder, so users still have access to their data while away from the network.
The following folders can be redirected:
From Windows Vista onward, synchronization is done when changes occur, so you won’t have to wait for a complete synchronization when you log on and off. The requirements to set this up are pretty straightforward: you will need a file server, Active Directory and Group Policy management.
The first thing to set up is the file server. Because it is user data we are redirecting, the obvious choice is the users’ home drive, if one exists. Most companies already have this in place. If not, you will have to set up a network location that can be used.
If user home drives are already in place, no changes are necessary, and the system can use the existing folders, as shown later. The procedure for creating new user home drives is unchanged, and the folder creation can be handled by whichever method is already in place, often an identity management system such as IDM365.
If home drives are not in place, the easiest method is to let the logon procedure handle the folder creation when folders are redirected. This way, when a user without a folder logs on, one is automatically created. This needs very specific permissions on the share, to allow the user accounts to create their own folder while still not having access to look in the other users’ folders. Set the following permissions on the share where the user folders will be created.
- Remove permission inheritance.
- Remove the group “users” from the security list.
- Administrators – full control
- System – full control
- Creator/owner – full control
- Everyone – special permissions: traverse folder / execute file, read attributes, create folders / append data. These permissions are set on “this folder only”.
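The permission list above, applied with PowerShell as an added example (not part of the original article). The path in `$Root` is a hypothetical placeholder, and the inheritance scopes chosen for Administrators, System and Creator/owner are assumptions, since the article only states the scope for Everyone.

```powershell
# Run elevated on the file server. $Root is an assumed local path of the shared folder.
$Root = 'D:\Shares\UserFolders'

# Well-known SIDs, so the script does not depend on localized group names.
$Sid = @{
    Administrators = 'S-1-5-32-544'
    System         = 'S-1-5-18'
    CreatorOwner   = 'S-1-3-0'
    Everyone       = 'S-1-1-0'
    Users          = 'S-1-5-32-545'
}

function New-AllowRule {
    param(
        [string]$SidString,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    $id = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $SidString
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    [System.Security.AccessControl.FileSystemAccessRule]::new($id, $Rights, $Inherit, $Propagate, $allow)
}

$acl = Get-Acl -Path $Root

# Remove permission inheritance; $false discards the inherited entries instead of copying them.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit entries for the built-in Users group.
$users = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid.Users
$acl.PurgeAccessRules($users)

$rules = @(
    # Assumed scope: this folder, subfolders and files.
    New-AllowRule $Sid.Administrators 'FullControl' 'ContainerInherit,ObjectInherit' 'None'
    New-AllowRule $Sid.System         'FullControl' 'ContainerInherit,ObjectInherit' 'None'
    # Assumed scope: subfolders and files only; Windows substitutes the creating user on new objects.
    New-AllowRule $Sid.CreatorOwner   'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'
    # "This folder only": users can traverse the root and create their own folder, nothing more.
    New-AllowRule $Sid.Everyone 'Traverse,ReadAttributes,CreateDirectories' 'None' 'None'
)
# SetAccessRule replaces existing allow entries for the same identity, so reruns are idempotent.
foreach ($rule in $rules) { $acl.SetAccessRule($rule) }
Set-Acl -Path $Root -AclObject $acl

# Review the result: every entry should be explicit (IsInherited = False).
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```

After a test user has logged on, check that the new subfolder is owned by that user and that a second test user cannot list its contents.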
When the file server is set up correctly, you can go on to the next part, the setup of group policy.
To set up the actual redirection of user folders, we need a GPO. Either use an existing one or create a new one. Edit the policy and go to User Configuration – Policies – Windows Settings – Folder Redirection. Select the folder you wish to redirect and click Properties.
Select the basic setup if you wish to store all the user data on the same server. If you select advanced, you can redirect folders to different servers, based on security group membership.
If you want the logon process to create folders, select “create a folder for each user under the root path” and point it to the \\server\sharename of the file server. If Active Directory already has the home drive attribute configured for each user, you can use that, or you can specify a location, such as \\server\sharename\%username%. Go to the Settings tab and select the settings that you want. You would only rarely select “grant the user exclusive rights”, since this setting will remove access even for administrators.
Now all you have to do is link the group policy to the OU in Active Directory where your test users are located, and start testing.