Friday, July 13, 2012

Configuring Folder Redirection

On some environment (Terminal Servers or Virtual Desktop Infrastructure), administrators may need to configure the folder redirection for users, because users may log on to different terminal servers or virtual machines.

Using folder redirection, administrators also can create quotas to limit the space of the users' folder.

Lab environment
  • 1 domain controller named DC01 with file server role  is installed Windows Server 2008 R2 for
  • 2 workstations named W701 and W702 are installed Windows 7 ultimate joined
  • 1 workstation named XP01 is installed Windows XP professional joined
  • Create a OU named People in
  • Create 2 users named Peter and Mary under People OU
Configuring and testing folder redirection.

Configuring the folder permission for Folder Redirection
1. On DC01, log in as Domain Administrator.
2. Launch "Windows Explorer".
3. Navigate to C Drive, create a new folder named "Redirect".

4. Right-click "Redirect", select "Properties".
5. Select "Sharing" tab, click "Advanced Sharing".

6. Check "Share this folder".
7. Click "Permissions".
8. Check "Allow - Full Control" for "Everyone".

Remark: To enhance security, we need to create a new domain group for folder redirection users to assign "Allow - Full Control" permissions. On testing environment, I still use "Everyone" group.

9. Click "OK".
10. Under "Share name", add "$" at the end of "Redirect".

11. Click "OK".
12. Select "Security" tab.
13. Click "Advanced".

14. Click "Change Permissions".
15. Clear "Include inheritable permissions from this object's parent", and the click "Add".

To enhance security, we need to modify the permission on this folder.

16. Remove one of the Users in the Advanced Security Settings for Redirect.
17. Select the Users, click "Edit".
18. Next to "Apply to", select "This folder only".
19. Check "Allow - List folder / read data" and "Allow - Create folders /append data".

20. Click "OK".

21. Click "OK" twice.
22. Click "Close".

For more information to configure the permission on Folder Redirection:

Which minimum Share & NTFS permissions do you need for the use of Offline Files and Folder Redirection in Windows 2008 / 2008 R2

23. Launch "Share and Storage Management".
24. Right-click "Redirect", select "Properties".

25. Click "Advanced".
26. Check "Enable access-based enumeration".

27. Click "OK" twice.
28. Close "Share and Storage Management".

Remark: After configuring Access Based Enumerating, users only can see the folders or files which can be accessed. 

For more information:
Access-based Enumeration

Windows 2008: Access Based Enumeration (ABE)

Configure Folder Redirection on Group Policy
1. On DC01, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Expand "Forest: > Domains > > People".

4. Right-click "People", select "Create a GPO in this domain, and Link it here...".
5. Under "Name", type "Folder Redirection - GPO".

6. Click "OK".
7. Right-click "Folder Redirection - GPO", select "Edit".
8. Expand "User Configuration > Policies > Windows Settings > Folder Redirection".

Remark: Some settings under Folder Redirection cannot apply to Windows 2000, Windows 2000 Server, Windows XP and Windows Server 2003 operating systems.

For more information:
Folder Redirection Overview
I will configure the Documents to redirect.
9. Right-click "Documents", select "Properties".
10. Next to "Settings", select "Basic - Redirect everyone's folder to the same location".
11. Under "Target folder location", select "Create a folder for each user under the root path".
12. Under "Root Path", type "\\DC01\Redirect".

Remark: You can configure "Advanced - Specify location for various user groups" to assign different group to different path.

13. Select "Settings" tab.
14. Check "Grant the user exclusive rights to Documents".
15. Check "Move the contents of Documents to the new location".
16. Check "Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems".
17. Next to "Policy Removal", select "Redirect the folder back to the local userprofile location when policy is removed".

Remark: After checked "Grant the user exclusive rights to Documents", administrators and other users don't have permission to access.

18. Click "OK".
19. Click "Yes".
20. Close "Group Policy Management Editor" and "Group Policy Management Console".

Test result
1. On W701, log in as Mary.
2. Click "Start" button, right-click "Documents", select "Properties".

3. Click "Cancel".
4. On W702, log in as Peter.
5. Click "Start" button, right-click "Documents", select "Properties".

Folder Redirection is functioning.

6. Click "Cancel".
7. Click "Start" button, enter "\\DC01\Redirect$".

Peter only can see the Peter's folder because Access Based Enumerating is enabled.

8. Log off Peter.
9. Back to W701, navigate to "Documents".
10. Create a document named "Mary's document".

11. Log off Mary.
12. Go to XP01, log in as Mary.
13. Click "Start > My Documents".

Folder Redirection is working on Windows XP and Windows 7 computers.

14. Create a document named "Company document".
15. Log off Mary.
16. Go to W701, log in as Mary.
17. Navigate to "Documents".

18. Go to DC01, log in as Domain Administrator.
19. Launch "Group Policy Management Console".
20. Expand "Forest: > Domains > > People".
21. Right-click "Folder Redirection - GPO", clear "Link Enabled".

22. Back to W701, launch "Command Prompt".
23. Perform "gpupdate".

24. Log off and log on Mary.
25. Click "Start" button, right-click "Documents", select "Properties".

26. Click "Cancel".
27. Navigate to "Documents".

All documents which are created moved to the local user document because "Redirect the folder back to the local userprofile location when policy is removed" is selected.

As a result, the settings of Folder Redirection is functioning.

This posting is provided “AS IS” with no warranties, and confers no rights!