When properly configured, Folder Redirection manages itself and untethers the user from their computer. With our DFS Namespace created, it is time create our folder redirection structure and configure our Group Policy Object. Navigate to your namespace (ex: \\Test.local\Data\) and create a new folder named “FR”. All redirected folders will be kept in this sub folder.
How to Correctly Set Security Permissions for Folder Redirection
Edit the security properties on the FR folder and select the advanced button. Disable inheritance and remove all inherited permissions. You should now have zero permissions listed for this folder. We now need to configure four permission entries:
- Give SYSTEM Full Control to this folder, subfolders, and files.
- Give Domain Administrators Full Control to this folder, subfolders, and files.
- Give CREATOR OWNER Full Control to subfolders and files only
- Give Authenticated Users Read/Execute, List folder contents, Create folders, write attributes to this folder only.
These permissions allow for any user to create a folder in the root of \data\FR. When a user (with folder redirection enabled) logs in, their account will create their root folder (ex: \data\FR\Joseph\). Because they are the creator of the folder, the CREATOR OWNER permission entry will give them Full Control to that folder, all subfolders (ex: \data\FR\Joseph\Desktop) and all files. Domain Administrators will still be able to access the redirected folder but all other users are denied access.
If you want to create separate redirected folder locations for different departments or users, you would create sub-root folders under \data\FR. For example, you might create the following folder structure:
In this case, you would apply the four permission entries on the sub-root folder (ex: IT) instead of at the FR folder level. If you have a dedicated security group for the users, you can remove the authenticated users entry and substitute your dedicated security group. Just be sure to set the Applies to: This folder only setting.
Note: Any distribution group can be changed to a security group. In Active Directory, select the group and change the type from Distribution to Security. That group is now a mail-enabled security group.
How to Configure Group Policy for Folder Redirection
Launch the Group Policy Management Console. Create a new GPO under the Group Policy Objects container and name it. Creating the GPO in this container ensures we don’t accidentally roll out settings before we are ready.
Edit the GPO and navigate to User Configuration\Policies\Windows Settings\Folder Redirection. Right click on Desktop and select properties. Change the setting from Not configured to Basic. Under Root path, type the namespace path to your FR folder. See the screenshot below for an example:
Before pressing OK, select the Settings tab and uncheck Grant the user exclusive rights to Desktop. This will allow administrators to view the desktop folder. Press ok and then Yes to the warning. This folder redirection policy will only apply to devices running Windows Vista and above.
Enable folder redirection on any remaining folders that you wish to store centrally. Personally, I make the following exceptions to three specific folder redirection targets:
- I do not redirect Appdata. I prefer to use UE-V for this feature.
- I do not redirect the Start Menu
- I put Pictures, Music, and Videos into their own folders and do not let them follow the Documents folder.
Configure your GPO to apply to a test user and link it to an OU. Folder redirection should be enabled by the second logon. If you want to make the experience happen on the first logon, you can enable the Always Wait on the Network at Computer Startup or Logon group policy setting.
In our next post, we will extend folder redirection by enabling data deduplication, Volume Shadow Services, and Offline Files!