Folder redirection tips and tricks
By Jason Rush, Technical Writer, Microsoft Corp.
The Folder Redirection extension to Group Policy is used to redirect such user-specific folders as My Documents from the client to a server to facilitate administrative management of user data.
- Let the system create folders for each user
To ensure that folder redirection works as well as possible, create the root share only on the server, and let the system create the folders for each user. Set the share permissions to Full Control for the security groups you're redirecting, and set the NTFS permissions for Everyone to Full Control, this folder, subfolders and files.
If you must create folders for the users, ensure that you have the correct permissions set. The tables below show the default and minimum permissions required for folder redirection:

| User Account | Folder Redirection Defaults | Minimum permissions needed |
| --- | --- | --- |
| Creator/owner | Full Control, this folder, subfolders and files | Full Control, this folder, subfolders and files |
| Local Administrator | Full Control, this folder, subfolders and files | Full Control, this folder, subfolders and files |
| Everyone | Full Control, this folder, subfolders and files | List Folder/Read data, Create Files/Write Data, Create Folders/Append Data - This Folder only |
| Local System | Full Control, this folder, subfolders and files | Full Control, this folder, subfolders and files |

NTFS Permissions required for root folder

| User Account | Folder Redirection Defaults | Minimum permissions needed |
| --- | --- | --- |
| Everyone | Full Control | Use security group that matches the users who will need to put data on share |

Share level (SMB) Permissions required for root folder

| User Account | Folder Redirection Defaults | Minimum permissions needed |
| --- | --- | --- |
| %username% | Full Control, owner of folder | Full Control, owner of folder |
| Local System | Full Control | Full Control |
| Everyone | Traverse Folder, Read Attributes, Read Extended Attributes and Read Permissions | Everyone - no permissions |

NTFS Permissions required for each user's redirected folder
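
The following PowerShell sketch applies the "Minimum permissions needed" columns of the two root-folder tables above to a new root share. It is an added example, not part of the original article: the path, share name and group are hypothetical, it assumes a Windows Server version that ships the SmbShare module, and it maps the table's "Local Administrator" row to the built-in Administrators group.

```powershell
# Added example. All three names below are hypothetical; change them before use.
$Root  = 'D:\Redirected'        # root folder on the file server
$Share = 'Redirected$'          # share name for the root folder
$Group = 'CONTOSO\FR-Users'     # security group whose folders are redirected

New-Item -Path $Root -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $Root
# Stop inheriting from the parent and discard the inherited entries,
# then clear any explicit entries so only the table's rows remain.
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

$all  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$this = [System.Security.AccessControl.InheritanceFlags]::None   # this folder only
$prop = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Well-known SIDs are used so the script does not depend on localized names.
# CREATOR OWNER entries take effect on objects created below the folder.
$rows = @(
    @{ Sid = 'S-1-3-0';      Rights = 'FullControl'; Inherit = $all  }  # Creator/owner
    @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl'; Inherit = $all  }  # Administrators (assumed mapping)
    @{ Sid = 'S-1-5-18';     Rights = 'FullControl'; Inherit = $all  }  # Local System
    # Everyone: List Folder/Read Data, Create Files/Write Data,
    # Create Folders/Append Data, this folder only.
    @{ Sid = 'S-1-1-0'; Rights = 'ListDirectory, CreateFiles, CreateDirectories'; Inherit = $this }
)

foreach ($row in $rows) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($row.Sid)
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, [System.Security.AccessControl.FileSystemRights]$row.Rights,
        $row.Inherit, $prop, $allow)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Root -AclObject $acl

# Share-level (SMB) permission: Full Control for the redirected group, not Everyone.
New-SmbShare -Name $Share -Path $Root -FullAccess $Group | Out-Null

# Review the result against the tables.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
Get-SmbShareAccess -Name $Share
```
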
- Use offline folder settings on the server share where the user's info is stored.
This is especially important for users with laptops. Redirected folders of any type should be coupled with offline files. The recommended configuration for offline files to use is:
MyDocs: Autocaching for Documents or Manual Caching for documents (if you want users to have to "pin" files)
AppData: Autocaching for Programs
Desktop: Autocaching for Programs if the desktop is read-only
StartMenu: Autocaching for Programs
For more info: User Data and User Settings Step-by-Step Guide, to be posted soon on TechNet.
- Incorporate %username% into fully qualified universal naming convention (UNC) paths
This allows the system to easily create folders for users based on their username. For example, \\server\share\%username%\My Documents
- Have My Pictures follow My Documents
This is advisable unless there is a compelling reason not to, such as file share scalability.
- Policy removal considerations
Keep in mind the behavior your folder redirection policies will have upon policy removal. The Folder Redirection section of the online help gives details.
- Accept defaults
In general, accept the default folder redirection settings.
- Don't store roaming profiles on the same server as redirected folders that are enabled for offline use
When a share is unavailable, offline folders considers the whole server to be unavailable until the offline cache is manually synchronized. Roaming profiles will not be synchronized with the server while offline folders considers the server to be unavailable. If you are using offline folders in conjunction with folder redirection and roaming user profiles, you should ensure that the folder redirection share and the profiles share are located on different servers.