Redirecting User Profile Folders and Data

In many organizations, workers use or have access to more than one computer on a daily basis. They might have both a portable computer and a PC in their office. They might have a PC in their office and log on to other computers to do development or test work. They might have to log on to another user’s computer while theirs is being repaired, or they might check out a loaner before traveling to a remote office. Whatever the reason, ensuring that users have consistent access to their data is essential, and this is where redirected folders come in handy. Not only do redirected folders make it possible for users to consistently access their data regardless of the computer they use to log on to the network, but redirected folders also make the administrator’s job easier by providing a centralized repository for user profile folders and data that can be more consistently managed and more easily backed up. The key reason for this is that with redirected folders, user data resides on a central server or servers rather than on individual user computers.

Understanding Folder Redirection

As discussed previously in "Understanding User Profiles and Group Policy," redirected folders allow for seamless redirection of folders and data that would otherwise be a part of a user’s profile. In the case of roaming profiles, redirected folders reduce network traffic during logon and logoff because the redirected folders do not need to be retrieved or updated, which also can speed up logon and logoff. So, in a sense, users and administrators get the best of both worlds. Users get better access to their data, experience faster logon and logoff, and have fewer profile-related problems overall. Administrators get centralized management and better control over user data, which in turn makes the data easier to back up and restore.

You can configure folder redirection for domain users at the domain or OU level through User Configuration settings. As Figure 7-7 shows, you can redirect the following user profile folders:

  • Application Data. The per-user data store for applications under %SystemDrive%\Documents and Settings\%UserName%\Application Data rather than the per-computer data store for applications under %SystemDrive%\Documents and Settings\%UserName%\Local Settings\Application Data. Many applications have per-user data stores, which can grow very large. With Office, the per-user data store contains the user’s custom dictionaries, address book, and more, so it often makes sense to have a single Application Data folder for all the computers a user logs on to.

  • Desktop. The user’s complete desktop including the configuration settings, shortcuts, and any files or folders stored on the desktop. Users often store files and folders on their desktop, so it often makes sense to redirect their desktop data as well as their My Documents data. With a roaming profile, redirecting the desktop also ensures that any desktop shortcuts and setting preferences, such as wallpaper and the quick access toolbar, remain when a user moves from computer to computer. As long as a shortcut points to a valid location, such as a file in a user’s profile folder or on a network share, it will work. For example, if the user has a shortcut to a document stored in My Documents, the shortcut will work. On the other hand, a shortcut to a document in a D drive folder, which is only on the user’s laptop, will not work.

  • My Documents. The complete contents of My Documents including all files and folders. By default, all automatically created subfolders are included in this folder. You do have the option of excluding My Pictures, but all other subfolders of My Documents are redirected, including My Data Sources, My Deliveries, My DVDs, My eBooks, My Music, My Received Files, My Videos, My Virtual Machines, and My Web Sites.

  • Start Menu. The complete Start menu including the Programs menu and its related menu items, shortcuts pinned to the Start menu, and any applications in the Startup folder. You might want to redirect the Start menu when, for example, users access applications over the network or you have identically configured workstations deployed throughout a department or office. With redirection, you can be certain that users have access to the appropriate applications on their Start menus.

Figure 7-7. Folder redirection

Note

Unlike other types of folder redirection, Start menu redirection does not copy the contents of a user’s local Start menu. Instead, users are directed to a standard Start menu that the administrator previously created and stored on a server.

No other user profile folders can be redirected. This means the following user profile folders cannot be redirected:

  • NetHood

  • PrintHood

  • My Recent Documents

  • SendTo

  • Templates

Behind the scenes, redirected folders are connected via network shares. You should consider several other configuration options whenever you redirect folders:

  • Using offline files. Redirected folders aren’t available for offline use by default. Users can make files available offline by right-clicking a file in My Documents or another folder and selecting Make Available Offline. Administrators also can configure offline file usage on the server-stored shared folder. Right-click the share and then select Properties. In the Properties dialog box, click the Sharing tab and then click Caching. Select All Files And Programs That Users Open From The Share Will Be Automatically Available Offline, and then click OK twice. For more information, see Chapter 37 in Microsoft Windows Server 2003 Inside Out.

  • Using shadow copies. Shadow copies of shared folders make it easier to recover previous versions of files and restore accidentally deleted files. If you configure shadow copies on the file shares associated with the redirected folders, users have access to previous versions of all their data files and folders. This allows them to go back and recover files on their own without an administrator’s help. For more information, see Chapter 22 in Microsoft Windows Server 2003 Inside Out.

Configuring Folder Redirection

Folder redirection is configured under User Configuration\Windows Settings\Folder Redirection. There are separate policy settings for Application Data, Desktop, My Documents, and Start Menu. These can be configured in several ways. If you don’t want to redirect a particular folder for the selected site, domain, or OU, you can use the Not Configured setting to disable redirection of the selected folder in the site, domain, or OU whose GPO you are currently working with.

If you want to redirect a particular folder for a designated site, domain, or OU, you can use one of two top-level settings:

  • Basic. Used to redirect affected users to the same base location

  • Advanced. Used to redirect affected users according to security group membership

The sections that follow discuss how these top-level settings and their related options can be used in various scenarios.

Using Basic Folder Redirection

The Basic setting is used to redirect all users in a site, domain, or OU to the same base location. Basic redirection is primarily for small organizations or organizations whose OU structure is based on physical location—for example, a small business group or department that is autonomous might want to use basic redirection. An organization in which employees in an OU are in the same physical location might also want to use basic redirection.

To configure basic folder redirection, follow these steps:

  1. Access the GPO with which you want to work. Access User Configuration\Windows Settings\Folder Redirection.

  2. The four folders that can be redirected are listed separately. Right-click the folder you want to redirect, and then select Properties.

  3. In the Settings list, choose Basic - Redirect Everyone’s Folder To The Same Location, as shown in Figure 7-8.

    Figure 7-8. Configuring basic folder redirection

  4. Under Target Folder Location, choose one of the following options:

    • Redirect To The User’s Home Directory. Applies only to redirection of a user’s My Documents Folder. If you have configured the user’s home folder in her account properties, you can use this setting to redirect the My Documents folder to the same location as the home folder. For example, if the user’s home drive is X, the network drive X and the My Documents folder will point to the same location (as set in the user’s domain account properties).

      Caution

      Use this setting only if the home folder has already been created. If there is no home folder, this option is ignored and the folder is not redirected.

    • Create A Folder For Each User Under The Root Path. Appends the user’s name to a designated network share. Individual user folders then become subfolders of the designated network share. For example, if you want the My Documents folder to be redirected to \\NYServer08\UserData, this folder will contain subfolders for each user, based on the user’s account name (%UserName%), and the user’s My Documents data will be stored in the appropriate subfolder. This option is not available with redirection of the Start menu.

    • Redirect To The Following Location. Allows you to specify a root path to a file share and folder location for each user. If you do not include a user-specific environment variable, all the users are redirected to the same folder. If you add %UserName% to the path, you can create individual folders for each user, as in the previous option.

      Note

      For classrooms, kiosks, and some office settings, you might want to ensure that all users in an OU or all users who are members of a particular security group have exactly the same folder. In this case, you can redirect to the same folder location. For example, if you want everyone logging on to a classroom computer to have the same Start menu and Desktop even though they use different logon accounts, you can do this by redirecting the Start menu and Desktop to a specific folder. To ensure that only administrators can make changes to the Start menu and Desktop, you can change the security on the redirected folders so that the Administrators group has Full Control and the Authenticated Users group (or a specific security group) has Read access only.

    • Redirect To The Local User Profile Location. Causes the default location of the user’s profile to be used as the location for the user data. This is the default configuration if no redirection policies are enabled. If you use this option, the folders are not redirected to a network share and you essentially undo folder redirection.

  5. Under Root Path, enter the root path to use, as necessary. If you chose Create A Folder For Each User Under The Root Path, you can enter \\NYServer08\UserData to redirect the selected folder to a user-specific folder under \\NYServer08\UserData.

  6. Any necessary folders and subfolders are created automatically by Windows the next time an affected user logs on. Any currently logged-on user must then log off and log back on. By default, users are granted exclusive access to their redirected data and the contents of the existing folder are moved across the network to the new location the next time they log on. To change these or other configuration behaviors, click the Settings tab and then configure additional settings, as discussed in the "Configuring Setup, Removal, and Preference Settings for Redirection" section in this chapter.

  7. Click OK.

Using Advanced Folder Redirection

The Advanced setting is used to redirect user data based on security group membership. If you select this option, you can set an alternative target folder location for each security group you want to configure. For example, you can redirect My Documents separately for the Sales, Engineering, and Customer Service groups. Sales users can have their My Documents redirected to \\NYServer12\Sales. Engineering users can have their My Documents redirected to \\NYServer04\Engineering. Customer Service users can have their My Documents redirected to \\NYServer02\Services. As with basic redirection, the designated folder contains subfolders for each user.

In most cases, the advanced configuration scales better for the large enterprise because it allows you to zero in on security groups within sites, domains, or OUs. Thus rather than assigning a single location for all users within an OU, you can assign each security group within an OU a separate location. However, keep in mind that the group policy you are working with applies only to user accounts that are in the container for which you are configuring Group Policy. So if you set a redirection policy for a group that isn’t defined in the site, domain, or OU you are working with, folder redirection is not applied.

To configure advanced redirection of user profiles, follow these steps:

  1. Access the GPO with which you want to work. Access User Configuration\Windows Settings\Folder Redirection.

  2. The four folders that can be redirected are listed separately. Right-click the folder you want to redirect, and then select Properties.

  3. In the Settings list, choose Advanced - Specify Locations For Various User Groups, as shown in Figure 7-9. The Target tab is updated so that you can configure redirection settings by security group membership.

    Figure 7-9. Configuring targeting for individual security groups within a site, domain, or OU

  4. Click Add to display the Specify Group And Location dialog box (Figure 7-10).

    Figure 7-10. Specifying the security group membership and target folder settings

  5. Click Browse to display the Select Group dialog box. Type the name of a group account in the selected container, and then click Check Names. When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined. When you click OK, the group is added to the Security Group Membership list in the Specify Group And Location dialog box.

  6. Under Target Folder Location, choose one of the following options:

    • Redirect To The User’s Home Directory. Applies only to redirection of a user’s My Documents Folder. If you have configured the user’s home folder in his account properties, you can use this setting to redirect the My Documents folder to the same location as the home folder. For example, if the user’s home drive is X, the network drive X and the My Documents folder will point to the same location (as set in the user’s domain account properties).

      Caution

      Use this setting only if the home folder has already been created. If there is no home folder, this option is ignored and the folder is not redirected.

    • Create A Folder For Each User Under The Root Path. Appends the user’s name to a designated network share. Individual user folders then become subfolders of the designated network share. For example, if you want the My Documents folder to be redirected to \\NYServer08\UserData, this folder will contain subfolders for each user, based on the user’s account name (%UserName%), and the user’s My Documents data will be stored in the appropriate subfolder. This option is not available with redirection of the Start menu.

    • Redirect To The Following Location. Allows you to specify a root path to a file share and folder location for each user. If you do not include a user-specific environment variable, all the users are redirected to the same folder. If you add %UserName% to the path, you can create individual folders for each user as in the previous option.

    • Redirect To The Local User Profile Location. Causes the default location of the user’s profile to be used as the location for the user data. This is the default configuration if no redirection policies are enabled. If you use this option, the folders are not redirected to a network share and you essentially undo folder redirection.

  7. Under Root Path, type the root path to use as necessary. If you chose Create A Folder For Each User Under The Root Path, you can type \\NYServer08\UserData to redirect the selected folder to a user-specific folder under \\NYServer08\UserData.

  8. When you are finished configuring these options, click OK. You can then repeat steps 4 through 7 to configure redirection of the selected folder for other groups.

  9. Any necessary folders and subfolders are created automatically by Windows the next time an affected user logs on. Any currently logged on user must log off and then log back on. By default, users are granted exclusive access to their redirected data and the contents of the existing folder are moved across the network to the new location the next time they log on. To change these or other configuration behaviors, click the Settings tab and then configure additional settings as discussed in the next section.

  10. Click OK.

Configuring Setup, Removal, and Preference Settings for Redirection

When you are configuring folder redirection, the Settings tab (Figure 7-11) provides additional configuration options. In the default configuration shown, several things happen the next time a user logs on to the network:

  1. Any necessary folders and subfolders are created automatically.

  2. Folder security is set so that only the user has access.

  3. The contents of the existing folder are moved across the network to the new location. If you redirected My Documents, My Pictures is copied as well.

  4. If you later stop redirecting the folder, the data stays in the shared folder and the user continues to access the data in this location.

    Figure 7-11. Specifying additional redirection settings

You can control the redirection behavior by modifying the settings:

  • Grant The User Exclusive Rights To. When this option is selected, any necessary folders and subfolders are created automatically the next time a user logs on. The folder security is set so that the user has exclusive access. This means Windows creates the directory and gives the user Full Control to the folder.

    When this option is not selected, any necessary folders and subfolders are created automatically the next time a user logs on. The existing security on the folder is not changed. Because of inheritance, the newly created folder has the same permissions as the parent folder.

    Note

    Through Group Policy, you have two basic configuration options for redirected folder security. You can tell Windows to either give the user exclusive access or accept the inherited security permissions of the parent folder. With exclusive access, all other users (even administrators) are blocked from accessing the redirected folders and their data. One way an administrator can gain access to a redirected folder is to take ownership of it. If you want the user and administrators to have access, you can use a technique described in Microsoft Knowledge Base Article 288991. Basically, you clear Grant The User Exclusive Access and then configure permissions on the redirected folder as follows:

    • Authenticated Users have Create Folders/Append Data, Read Permissions, Read Attributes and Read Extended Attributes for This folder only

    • Administrators, System, and Creator Owner have Full Control for This folder, subfolders and files

  • Move The Contents Of. When this option is selected, the next time the user logs on the contents of the existing folder are moved across the network to the new location. If a user has a local profile on multiple machines, the contents are moved at logon on a per-computer basis.

    When this option is not selected, the existing folder contents are copied across the network rather than moved. This means a local copy of the folder still exists. On a portable computer, this might seem like a good way to ensure that a local copy of data exists, but it is generally better to move the data and then configure offline file caching.

  • Leave The Folder In The New Location When Policy Is Removed. When this option is selected, if you later stop redirecting the folder or the user account is moved out of the GPO for which redirecting is configured, the data stays in the shared folder. The user continues to access the data in this location.

  • Redirect The Folder Back. When this option is selected, if you later stop redirecting the folder or the user account is moved out of the GPO for which redirection is configured, a copy of the data is sent to the user’s profile location when the user logs off the network. With a roaming profile, this means that a copy is sent to the profile server when the user logs off the network. If the user has a local profile, a copy is sent to the local computer when she logs off (and if she logs on to multiple computers, each will eventually get a copy). If the user account is moved to a GPO where redirection is configured, the data is moved according to the redirection settings.

  • Make My Pictures A Subfolder Of My Documents. When this option is selected, if you redirected My Documents, My Pictures is copied as a subfolder of My Documents.

  • Do Not Specify Administrative Policy For My Pictures. When this option is selected, if you redirected My Documents, My Pictures is not copied as a subfolder of My Documents.
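The root-folder permissions listed in the note under Grant The User Exclusive Rights To can be applied and checked from PowerShell on the file server. This is an added example, not part of the original text; the path D:\Shares\UserData and the helper name New-RootRule are assumptions, and the script only adds the listed entries and reports anything broader that is already present.

```powershell
# Added example (not from the original text). Run elevated on the file server.
param([string]$RootPath = 'D:\Shares\UserData')  # hypothetical local path of the share root

$thisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None
$folderSubFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noPropagation  = [System.Security.AccessControl.PropagationFlags]::None
$allow          = [System.Security.AccessControl.AccessControlType]::Allow

# Well-known SIDs, so the script does not depend on localized group names.
$authUsers = 'S-1-5-11'
$fullControlSids = 'S-1-5-32-544', 'S-1-5-18', 'S-1-3-0'  # Administrators, System, Creator Owner

# The four rights the note lists for Authenticated Users (AppendData = Create Folders).
$authRights = [System.Security.AccessControl.FileSystemRights]'AppendData, ReadPermissions, ReadAttributes, ReadExtendedAttributes'
$fullRights = [System.Security.AccessControl.FileSystemRights]::FullControl

function New-RootRule($Sid, $Rights, $Inherit) {
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    New-Object System.Security.AccessControl.FileSystemAccessRule($id, $Rights, $Inherit, $noPropagation, $allow)
}

# Add the entries from the note to the existing ACL.
$acl = Get-Acl -LiteralPath $RootPath
$acl.AddAccessRule((New-RootRule $authUsers $authRights $thisFolderOnly))
foreach ($sid in $fullControlSids) {
    $acl.AddAccessRule((New-RootRule $sid $fullRights $folderSubFiles))
}
Set-Acl -LiteralPath $RootPath -AclObject $acl

# Verify: read the ACL back with SIDs and flag anything beyond what the note lists.
# Windows adds Synchronize to Allow entries, so it is masked out before comparing.
$sync    = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
$allowed = [int]$authRights -bor $sync
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -LiteralPath $RootPath).GetAccessRules($true, $true, $sidType)

$findings = foreach ($r in $rules) {
    $sid = $r.IdentityReference.Value
    if ($sid -eq $authUsers) {
        # Authenticated Users must not hold more than the four listed rights,
        # and those rights must not flow down into the per-user subfolders.
        $extra = [int]$r.FileSystemRights -band (-bnot $allowed)
        if ($extra -ne 0 -or $r.InheritanceFlags -ne $thisFolderOnly) {
            [pscustomobject]@{ Sid = $sid; Issue = 'Authenticated Users entry is broader than listed'
                               Rights = $r.FileSystemRights; Inherited = $r.IsInherited }
        }
    }
    elseif ($fullControlSids -notcontains $sid) {
        # Any other trustee (for example an inherited Users entry) can reach user data.
        [pscustomobject]@{ Sid = $sid; Issue = 'Trustee not in the listed set'
                           Rights = $r.FileSystemRights; Inherited = $r.IsInherited }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "ACL on $RootPath matches the listed entries." }
```

Findings marked Inherited come from the parent folder, so they have to be corrected there or by changing inheritance on the root, which this script deliberately leaves untouched.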
