Folder redirection overview for GPMC
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Folder redirection
User settings and user files are normally stored in the local user profile, under the Documents and Settings folder. The files in local user profiles are only accessible from the current computer, which makes it difficult for users who use more than one computer to work with their data and synchronize settings between computers. Two different technologies exist to address this problem: roaming user profiles and Folder Redirection. Both technologies have their advantages, and they can be used separately or together to create a seamless user experience from one computer to another. They also provide additional options for administrators managing user data.
Folder Redirection allows administrators to redirect the path of a folder to a new location. The location can be a folder on the local computer or a directory on a network file share. Users have the ability to work with documents on a server as if the documents were based on a local drive. The documents in the folder are available to the user from any computer on the network. Folder Redirection is located under Windows Settings in the console tree of the Group Policy Object Editor.
Where?
- Group Policy object name/User Configuration/Windows Settings/Folder redirection
There are five folders that can be redirected:
My Documents
My Pictures (Redirection of My Pictures is provided for backward compatibility reasons, and not as a primary feature. You can only redirect the My Pictures folder using the Windows XP or Windows Server 2003 operating system if you are editing a GPO that was originally created on a Windows 2000 computer and that redirected My Pictures.)
Application Data
Desktop
Start Menu (Only for Terminal Server users.)
Advantages of Folder Redirection
When roaming user profiles are used, only the network path to the folder is part of the roaming user profile, not the folder. Therefore, its contents do not have to be copied back and forth between the client computer and the server each time the user logs on or off, and the process of logging on or off can be much faster.
Even if a user logs on to various computers on the network, their documents are always available.
Offline File technology gives users access to the folder even when they are not connected to the network. This is particularly useful for people who use portable computers.
Data that is stored in a shared network folder can be backed up as part of routine system administration. This is safer because it requires no action on the part of the user.
As an administrator, you can use Group Policy to set disk quotas, limiting the amount of space that is taken up by users' special folders.
Data that is specific to a user can be redirected to a different hard disk on the user's local computer from the hard disk that holds the operating system files. This makes the user's data safer in case the operating system has to be reinstalled.
The Volume Shadow Copy Service feature of Windows Server 2003 can be used by users to recover older copies of the files in their redirected folders without intervention of technical support personnel.
Folder Redirection is a secure way to keep user data on a network, provided that the option Grant the user exclusive rights is turned on and the share and root folder themselves are secured with appropriate share-level and NTFS permissions (see Folder Redirection permissions).
Selecting a Folder Redirection target
The Target tab of the folder's Properties dialog box allows the administrator to select the location of the redirected folder on the network or in the local user profile. You can choose between Basic and Advanced settings. Basic redirection is applied to all users affected by the GPO. The Advanced setting allows you to provide different redirection locations for users based on their security group membership. Using either advanced or basic redirection, you can set different targets for folder redirection:
Create a folder for each user under the root path. This option will create a folder in the form \\server\share\User Account Name\Folder Name. Each user will get a unique path to their redirected folder. This option is not available for the Start Menu folder.
Redirect to the following location. This option will use an explicit path to the redirection location. This can cause multiple users to share the same path to the redirected folder.
Redirect to the local user profile location. This option will move the location of the folder to the local user profile under Documents and Settings.
The My Documents folder has one more option: Redirect to the user's home directory. To use this option, the administrator needs to use Active Directory Users and Computers to set the home directory attribute on the user objects for each user affected by the policy.
Note
- The Redirect to the user's home directory option causes the value of the Grant the user exclusive rights option on the settings tab to be ignored.
Granting exclusive rights to special folders
The Settings tab in the Properties dialog box contains a check box labeled Grant the user exclusive rights to My Documents. This option controls permissions on the newly created redirected folder. If this option is selected and the target directory does not yet exist, Folder Redirection creates the directory and sets permissions on it so that only the user and the local system have Full Control over the folder. If this option is selected and the target directory already exists, Folder Redirection verifies ownership of the directory; if the directory is owned by anyone other than the user, Folder Redirection fails. If you clear this check box, no changes are made to the permissions on the folder: whatever permissions are in effect by default remain in effect. The Start Menu folder can only be redirected with this option turned off.
It is recommended to secure the contents of all folders except the Start Menu by selecting the Grant the user exclusive rights option on the Settings tab. The Start Menu folder is special in this respect, because Start Menu redirection is intended only for Terminal Server users, with all users sharing the same Start Menu folder. Therefore, the Start Menu folder does not offer the Grant the user exclusive rights option.
Policy removal considerations with regard to Folder Redirection
The following table summarizes what happens to redirected folders and their contents when the Group Policy object no longer applies.
Move the contents of the special folder to the new location setting | Policy Removal option | Results when policy is removed |
---|---|---|
Enabled | Redirect the folder back to the user profile location when policy is removed | The folder returns to its user profile location and its contents are copied back there. The contents are not deleted from the redirected location, so the user continues to see their files. |
Disabled | Redirect the folder back to the user profile location when policy is removed | The folder returns to its user profile location, but its contents are not copied or moved there. Caution: because the contents stay at the redirected location, the user can no longer see them in the folder. |
Either Enabled or Disabled | Leave the folder in the new location when policy is removed | The folder and its contents remain at the redirected location. The user continues to have access to the contents in the redirected folder. |
Important
- Changing the redirection option to Not Configured does not redirect the folder to the local profile. This option means that Folder Redirection no longer controls the location of the folder; if a folder was previously redirected, it continues to be redirected to the previous location. If an administrator wants to return the folder to the local user profile, they should use the Redirect to the local user profile setting.
Folder Redirection and Offline Files
The Offline Files technology applies to any mounted or mapped drive that contains documents or data that a user might want to use offline. Offline Files does not depend on Folder Redirection. It is set up and configured on shared network servers separately from the Folder Redirection snap-in. Offline Files enables the user to do useful work even when not connected to the network, for example, on a portable computer or in the event of router failure.
If you use redirected folders of any type, it is recommended that you set up Offline Files as described in the following table.
Special Folder | Offline File configuration |
---|---|
My Documents | Autocaching for documents (or manual caching for documents, if you want users to have to manually make files and folders available for offline use) |
My Pictures | Autocaching for documents (or manual caching for documents, if you want users to have to manually make files and folders available for offline use) |
Application Data | Autocaching for programs |
Desktop | Autocaching for programs if the desktop is Read Only |
Start Menu | Autocaching for programs |
Folder Redirection permissions
It is recommended to let Folder Redirection create folders for you. If you let Folder Redirection create folders for you, correct permissions are set automatically. Usually, knowledge of these permissions is not necessary. However, there are three reasons the permissions might be of interest:
An administrator must always secure the network file share used for keeping redirected folder data by setting correct share level (SMB) permissions and NTFS file system permissions.
Sometimes administrators create the redirected folders before Folder Redirection creates them. The directories created by administrators cannot be used together with the Grant the user exclusive rights option because Folder Redirection verifies ownership of the directories before allowing the folder to be redirected. The following table shows what permissions have to be set for Folder Redirection to work with the Grant the user exclusive rights option turned off.
Redirection of My Documents to the home directory provides more relaxed security than standard folder redirection. The following table shows what security is in effect in the standard case.
NTFS permissions required for the root folder
User account | Folder Redirection defaults | Minimum permissions needed |
---|---|---|
Creator Owner | Full Control, subfolders and files only | Full Control, subfolders and files only |
Administrators | No permissions | No permissions |
Everyone | No permissions | No permissions |
Local System | Full Control, this folder, subfolders, and files | Full Control, this folder, subfolders, and files |
Security group of users who need to put data on the shared network server | N/A | List Folder/Read Data, Create Folders/Append Data - This folder only |
Share-level (SMB) permissions required for the root folder
User Account | Folder Redirection defaults | Minimum permissions needed |
---|---|---|
Everyone | Full Control | No permissions (Use security group) |
Security group of users who need to put data on the shared network server | N/A | Full Control |
NTFS permissions required for each user's redirected folder
User account | Folder Redirection defaults | Minimum permissions needed |
---|---|---|
UserName | Full Control, owner of folder | Full Control, owner of folder |
Local System | Full Control | Full Control |
Administrators | No permissions | No permissions |
Everyone | No permissions | No permissions |
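The following PowerShell script is an added example for this page, not Microsoft's code. It puts the three permission tables above and the Offline Files table into practice: it pre-creates a redirection root with the minimum NTFS permissions listed for the root folder (inheritance broken, no Administrators or Everyone entries, CREATOR OWNER inherit-only, the users' group limited to List Folder and Create Folders on the root itself), publishes the share with share-level access limited to that group and the "autocaching for documents" mode, and then audits any per-user folders already under the root for the two conditions discussed under Granting exclusive rights to special folders: a folder owned by someone other than the user (which makes redirection fail) and ACEs for anyone except the user, Local System and CREATOR OWNER. The root path D:\Redirected, the share name Redirected$ and the group CONTOSO\FR-Users are assumptions, as is the "create a folder for each user" layout in which each folder is named after the user's account.

```powershell
# Added example for this page (not Microsoft's code). Pre-creates a Folder
# Redirection root with the minimum NTFS ACL from the permissions tables,
# publishes it with share permissions limited to the users' security group and
# the Offline Files mode recommended for My Documents, then audits any per-user
# folders already under the root for the two conditions that matter when
# "Grant the user exclusive rights" is on: a folder owned by someone other
# than the user, and ACEs for anyone but the user, SYSTEM and CREATOR OWNER.
# Root path, share name and group name are assumptions. Run elevated on the
# file server.
param(
    [string]$RootPath  = 'D:\Redirected',     # assumed local path of the share
    [string]$ShareName = 'Redirected$',       # assumed (hidden) share name
    [string]$UserGroup = 'CONTOSO\FR-Users'   # assumed group of redirected users
)

$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$RootRW  = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories'
$CiOi    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoInh   = [System.Security.AccessControl.InheritanceFlags]::None
$InhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-WellKnownSid([System.Security.Principal.WellKnownSidType]$Type) {
    # Locale-independent identity for CREATOR OWNER and SYSTEM.
    New-Object System.Security.Principal.SecurityIdentifier($Type, $null)
}

function New-Ace($Identity, $Rights, $Inherit, $Propagate) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $Allow
}

function New-RedirectionRoot([string]$Path, [string]$Group) {
    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the volume root without copying the inherited ACEs,
    # so Administrators, Users and Everyone end up with no permissions here.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
    }
    $rules = @(
        New-Ace (New-WellKnownSid CreatorOwnerSid) $Full $CiOi $InhOnly   # Full Control, subfolders and files only
        New-Ace (New-WellKnownSid LocalSystemSid)  $Full $CiOi $NoProp    # Full Control, this folder, subfolders and files
        New-Ace $Group $RootRW $NoInh $NoProp                             # List Folder + Create Folders, this folder only
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

function Publish-RedirectionShare([string]$Name, [string]$Path, [string]$Group) {
    # Share level: only the users' group, Full Control (no Everyone entry);
    # NTFS does the real enforcement. /CACHE:Documents is "autocaching for
    # documents" from the Offline Files table.
    net share "$Name=$Path" "/GRANT:$Group,FULL" /CACHE:Documents | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $Name" }
}

function Test-UserFolder([string]$Path) {
    # Returns findings; none means the folder can be redirected with exclusive
    # rights. Assumes the folder name is the user's account name (the "create a
    # folder for each user" layout).
    $user = Split-Path -Path $Path -Leaf
    $acl  = Get-Acl -Path $Path
    $findings = @()
    if (($acl.Owner -split '\\')[-1] -ne $user) {
        $findings += "owner is '$($acl.Owner)', not '$user': the ownership check fails"
    }
    foreach ($ace in $acl.Access) {
        $id  = $ace.IdentityReference
        $sid = $null
        try { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]) } catch { }
        $ok = (($id.Value -split '\\')[-1] -eq $user) -or
              ($sid -ne $null -and ($sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::LocalSystemSid) -or
                                    $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::CreatorOwnerSid)))
        if (-not $ok) {
            $findings += "extra ACE for $($id.Value): $($ace.AccessControlType) $($ace.FileSystemRights)"
        }
    }
    return $findings
}

New-RedirectionRoot -Path $RootPath -Group $UserGroup
Publish-RedirectionShare -Name $ShareName -Path $RootPath -Group $UserGroup
foreach ($dir in @(Get-ChildItem -Path $RootPath | Where-Object { $_.PSIsContainer })) {
    $findings = @(Test-UserFolder -Path $dir.FullName)
    if ($findings.Count -eq 0) { "OK   $($dir.Name)" }
    else { "FAIL $($dir.Name): " + ($findings -join '; ') }
}
```

Two design points are worth noting. The root ACL grants the users' group only List Folder/Read Data and Create Folders/Append Data on the root itself (no inheritance), so a user can create their own folder but cannot read other users' folders; CREATOR OWNER is inherit-only, which is what makes the creating user the Full Control owner of the subfolder Folder Redirection creates. The audit reports a folder created by an administrator (owner BUILTIN\Administrators) as a failure, because that is exactly the case in which Folder Redirection refuses to redirect when Grant the user exclusive rights is selected; such folders must either be recreated by Folder Redirection or be used with the option cleared, as described above.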
See Also
Concepts
Group Policy Object Editor Extensions
Group Policy Management Console Overview