When properly configured, Folder Redirection manages itself and untethers the user from their computer. With our DFS Namespace created, it is time to create our folder redirection structure and configure our Group Policy Object. Navigate to your namespace (ex: \\Test.local\Data\) and create a new folder named “FR”. All redirected folders will be kept in this subfolder.
How to Correctly Set Security Permissions for Folder Redirection
Edit the security properties on the FR folder and select the advanced button. Disable inheritance and remove all inherited permissions. You should now have zero permissions listed for this folder. We now need to configure four permission entries:
- Give SYSTEM Full Control to this folder, subfolders, and files.
- Give Domain Administrators Full Control to this folder, subfolders, and files.
- Give CREATOR OWNER Full Control to subfolders and files only.
- Give Authenticated Users Read/Execute, List folder contents, Create folders, and Write attributes to this folder only.
These permissions allow for any user to create a folder in the root of \data\FR. When a user (with folder redirection enabled) logs in, their account will create their root folder (ex: \data\FR\Joseph\). Because they are the creator of the folder, the CREATOR OWNER permission entry will give them Full Control to that folder, all subfolders (ex: \data\FR\Joseph\Desktop) and all files. Domain Administrators will still be able to access the redirected folder but all other users are denied access.
If you want to create separate redirected folder locations for different departments or users, you would create sub-root folders under \data\FR. For example, you might create the following folder structure:
- \\Test.local\data\FR\IT
- \\Test.local\data\FR\Staff
- \\Test.local\data\FR\Students
In this case, you would apply the four permission entries on the sub-root folder (ex: IT) instead of at the FR folder level. If you have a dedicated security group for the users, you can remove the authenticated users entry and substitute your dedicated security group. Just be sure to set the Applies to: This folder only setting.
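The four permission entries above (on the FR root, or on a sub-root such as IT with a dedicated group in place of Authenticated Users) can be applied and checked from PowerShell instead of the Security tab. The script below is an added example, not code from the original post: it assumes a domain-joined machine, that the Domain Admins group resolves as `<your domain>\Domain Admins`, and that the function names `Set-FolderRedirectionRootAcl` and `Test-FolderRedirectionRootAcl` are my own. The "Applies to" choices map onto the .NET inheritance and propagation flags in the comments.

```powershell
# Added example (not the article's code). Applies the four ACEs described above to a
# folder redirection root (\\Test.local\Data\FR) or sub-root (\\Test.local\Data\FR\IT).
# Assumptions: run as a domain admin; $DomainAdmins defaults to the caller's domain.

function Set-FolderRedirectionRootAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $DomainAdmins  = "$env:USERDOMAIN\Domain Admins",        # assumption: caller's domain
        [string] $UserPrincipal = 'NT AUTHORITY\Authenticated Users'      # or a dedicated group, e.g. 'TEST\FR-IT-Users'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path
    # "Disable inheritance" + "Remove all inherited permissions"
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entries too, so the folder starts with zero permissions
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $full       = [System.Security.AccessControl.FileSystemRights]::FullControl
    # Read/Execute already includes "List folder contents" for a directory
    $userRights = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, CreateDirectories, WriteAttributes'
    $both       = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noInherit  = [System.Security.AccessControl.InheritanceFlags]::None
    $propNone   = [System.Security.AccessControl.PropagationFlags]::None
    $inhOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow      = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        # SYSTEM: Full Control, this folder, subfolders and files
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', $full, $both, $propNone, $allow),
        # Domain Admins: Full Control, this folder, subfolders and files
        New-Object System.Security.AccessControl.FileSystemAccessRule($DomainAdmins, $full, $both, $propNone, $allow),
        # CREATOR OWNER: Full Control, subfolders and files only (InheritOnly keeps it off the root itself)
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER', $full, $both, $inhOnly, $allow),
        # Users: Read/Execute, Create folders, Write attributes, this folder only (no inheritance)
        New-Object System.Security.AccessControl.FileSystemAccessRule($UserPrincipal, $userRights, $noInherit, $propNone, $allow)
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Returns $true only if inheritance is blocked and exactly the four expected
# identities hold explicit entries. Any extra identity (a stray "Everyone" or
# "Users" entry, for example) makes it return $false so it can gate a scheduled audit.
function Test-FolderRedirectionRootAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $DomainAdmins  = "$env:USERDOMAIN\Domain Admins",
        [string] $UserPrincipal = 'NT AUTHORITY\Authenticated Users'
    )
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) { return $false }

    $expected = @('NT AUTHORITY\SYSTEM', $DomainAdmins, 'CREATOR OWNER', $UserPrincipal) | ForEach-Object { $_.ToLowerInvariant() }
    $actual   = @($acl.Access | ForEach-Object { $_.IdentityReference.Value.ToLowerInvariant() }) | Sort-Object -Unique
    $missing  = $expected | Where-Object { $actual -notcontains $_ }
    $extra    = $actual   | Where-Object { $expected -notcontains $_ }
    return (-not $missing) -and (-not $extra)
}

# Usage (root-level layout):
#   Set-FolderRedirectionRootAcl -Path '\\Test.local\Data\FR'
#   Test-FolderRedirectionRootAcl -Path '\\Test.local\Data\FR'
# Usage (per-department sub-root with a dedicated security group):
#   Set-FolderRedirectionRootAcl -Path '\\Test.local\Data\FR\IT' -UserPrincipal 'TEST\FR-IT-Users'
```

The user entry is created with `InheritanceFlags::None`, which is the "This folder only" setting the text warns about: if that flag is left at the default, every user would inherit read and create rights inside every other user's redirected folder, which is the exact exposure the CREATOR OWNER design is meant to prevent.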
Note: Any distribution group can be changed to a security group. In Active Directory, select the group and change the type from Distribution to Security. That group is now a mail-enabled security group.
How to Configure Group Policy for Folder Redirection
Launch the Group Policy Management Console. Create a new GPO under the Group Policy Objects container and name it. Creating the GPO in this container ensures we don’t accidentally roll out settings before we are ready.
Edit the GPO and navigate to User Configuration\Policies\Windows Settings\Folder Redirection. Right click on Desktop and select properties. Change the setting from Not configured to Basic. Under Root path, type the namespace path to your FR folder. See the screenshot below for an example:
Before pressing OK, select the Settings tab and uncheck Grant the user exclusive rights to Desktop. This will allow administrators to view the desktop folder. Press OK and then Yes to the warning. This folder redirection policy will only apply to devices running Windows Vista and above.
Enable folder redirection on any remaining folders that you wish to store centrally. Personally, I make the following exceptions to three specific folder redirection targets:
- I do not redirect Appdata. I prefer to use UE-V for this feature.
- I do not redirect the Start Menu.
- I put Pictures, Music, and Videos into their own folders and do not let them follow the Documents folder.
Configure your GPO to apply to a test user and link it to an OU. Folder redirection should be enabled by the second logon. If you want to make the experience happen on the first logon, you can enable the Always Wait on the Network at Computer Startup or Logon group policy setting.
In our next post, we will extend folder redirection by enabling data deduplication, Volume Shadow Services, and Offline Files!
Hello, just what I've been looking for the last couple of days. I've been given a task to use the redirect to our new server. The issue I'm having is that all of the users' files are located on a different server, not on the AD server. We have like 8 different depts; when a user logs in they see their dept folder, and a share folder that everyone has. Once they click on the dept folder they see their own folder, and a shared dept folder that only they have access to.
From your example above, how would you configure it so that when a user logs in it knows where to create the redirect folder based on the user's permissions? Is there a variable you would enter like
\\server2008\users\%usersdept%\%username%\Win10items ?
Please let me know; my boss does not want anyone saving items on the desktop or anything on the local machine.
Thanks,
Are your users in separate OUs based on departments? If so, you could create an FR policy for each OU. If they aren't, can you put them into department security groups? You could then use an advanced folder redirection policy to redirect to specific locations based on the security group membership.
I quote: ‘Edit the GPO and navigate to User Configuration\Policies\Windows Settings\Folder Redirection. Right click on Desktop and select properties. Change the setting from Not configured to Basic. Under Root path, type the namespace path to your FR folder’
But when I use folders like IT, staff, students, can I also use the default path to the FR folder?
I had to do a bit of research on this one. First, that KB is for Vista/7. With Windows 10 clients, you should not have that specific problem.
On my share, I do have one additional permission listed. I give Everyone Read/Execute to the root folder only. I do not have the offline/online problem that you describe.
Hi Joe,
Your awesome articles have saved my bacon more than once, and I sincerely thank you, sir.
I do have a question about security for Offline Files…
I’m running Server Std 2012 R2 as a file server, authenticating to a native 2012 R2 domain and with all Windows 10 Pro clients. When I set up permissions as you illustrate for the Authenticated Users group (read only for the root share folder) my clients do not automatically reconnect the offline folder/drive upon network availability restoration (the SYNC menu item is not there and Explorer keeps insisting the folder is offline) until the client is rebooted – a logoff is not enough.
According to MS (https://support.microsoft.com/en-us/kb/2512089), the group to which the users belong (for simplicity sake, I use Authenticated Users, although there is also a group explicitly containing my users for the share), has to be granted READ to folders, subfolders, and FILES… while this fixes the offline files issue, and my drives/folders become ONLINE as soon as I plug in the cable or connect to WiFi… everyone can read other user’s folders!
Is there anything that can be done? I want to keep using Offline Files, but not at the cost of everyone having access to everyone's data. How can I keep OF working while keeping users' data secure?
Any ideas?
Thanks again, sir.
F.
Hi Francisco,
Did you ever resolve this? Using Win10 Pro I had a user (one only) who saw a similar issue.
If in fact the security principal “Authenticated Users” needs more access than you want to grant, then possibly the only way forward is to double down on the bad practices: create a deny group of all users, and remove only those who legitimately need access, and then of course add the deny permissions.
While that works immediately, it creates the new problem of updating the deny group with any new user. My approach would be to create an allow group and a daily/weekly scheduled task to run a PowerShell script that does:
1. Pipe all users into Add-ADGroupMember for the deny group.
2. Pipe all users in the allow group to Remove-ADGroupMember for the deny group.
Like I said, it is doubling down on bad practice, creating a lot of opportunities for problems. I would only consider this as a stopgap while you find a real solution.
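The two scheduled-task steps in the comment above, written out as an added example (this is not the commenter's script). It assumes the ActiveDirectory module is installed, that `FR-Deny` and `FR-Allow` are placeholder group names, and that the function name `Sync-FolderRedirectionDenyGroup` is my own. It differs from the literal two pipelines only in that it computes the differences first, because Add-ADGroupMember and Remove-ADGroupMember error on a member that is already present or already absent, which would otherwise abort a scheduled run.

```powershell
# Added example (not the commenter's code): keeps a deny group equal to
# "all enabled users minus the allow group", the stopgap described above.
# Assumptions: ActiveDirectory module present; group names are placeholders.
Import-Module ActiveDirectory

function Sync-FolderRedirectionDenyGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $DenyGroup  = 'FR-Deny',    # placeholder: group carrying the Deny ACE on the share
        [string] $AllowGroup = 'FR-Allow',   # placeholder: users who legitimately need access
        [string] $SearchBase                 # optional OU DN to limit which users are enrolled
    )

    $userQuery = @{ Filter = 'Enabled -eq $true' }
    if ($SearchBase) { $userQuery.SearchBase = $SearchBase }

    $allUsers = @(Get-ADUser @userQuery)
    $denyDns  = @(Get-ADGroupMember -Identity $DenyGroup  | Select-Object -ExpandProperty DistinguishedName)
    $allowDns = @(Get-ADGroupMember -Identity $AllowGroup | Select-Object -ExpandProperty DistinguishedName)

    # Step 1: every enabled user not yet denied (and not on the allow list) goes into the deny group.
    $toAdd = $allUsers | Where-Object {
        $denyDns -notcontains $_.DistinguishedName -and $allowDns -notcontains $_.DistinguishedName
    }
    if ($toAdd -and $PSCmdlet.ShouldProcess($DenyGroup, "add $($toAdd.Count) user(s)")) {
        Add-ADGroupMember -Identity $DenyGroup -Members $toAdd
    }

    # Step 2: anyone in the allow group who is still in the deny group is removed from it.
    $toRemove = $allowDns | Where-Object { $denyDns -contains $_ }
    if ($toRemove -and $PSCmdlet.ShouldProcess($DenyGroup, "remove $($toRemove.Count) allowed user(s)")) {
        Remove-ADGroupMember -Identity $DenyGroup -Members $toRemove -Confirm:$false
    }

    # Return what changed so a scheduled task can log it
    [pscustomobject]@{ Added = @($toAdd).Count; Removed = @($toRemove).Count }
}

# Usage (dry run first, then for real):
#   Sync-FolderRedirectionDenyGroup -WhatIf
#   Sync-FolderRedirectionDenyGroup -SearchBase 'OU=Staff,DC=Test,DC=local'
```

Two caveats follow from how the approach works: a Deny ACE always wins over an Allow ACE, so a user who is in both groups is locked out until the next scheduled run removes them from the deny group; and group membership is read into the access token at logon, so any change only takes effect after the affected user logs off and back on.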