Folder redirection

Folder redirection enables files to be centrally secured and audited on the server, eliminating the need to worry about local folders on a client's computer. This excerpt from The Definitive Guide to Securing Windows in the Enterprise explains how to redirect folders using various techniques and tools, including Group Policy, Windows Distributed File System (DFS) and ScriptLogic Desktop Authority.

The following excerpt series from Chapter 2 of the free eBook "The Definitive Guide to Securing Windows in the Enterprise" (Realtimepublishers) is written by Don Jones. To obtain all eBook chapters from this guide, go to

Folder redirection

The idea behind folder redirection is simple, and is illustrated in Figure 2.12. Users access what appears to be a local folder, but that access is redirected to a server-based folder. Users typically never realize that the files are located on a server rather than their local computers. The benefit is that files can be centrally secured and audited on the server, eliminating the need to worry about consistent security on the client. The client doesn't actually contain the files, and therefore doesn't need special security considerations. Files can also be more easily backed up and restored on the server than on a client.

Figure 2.13: Using DFS along with folder redirection.

There is a downside to folder redirection for portable computers because users think they have all the files locally and don't realize folder redirection is in effect. When they disconnect from the network, their files "vanish." Using Windows' Offline Files feature can help mitigate this problem.

Folder redirection for certain special folders -- most commonly, users' profile folder, which contains the My Documents folder -- can be accomplished through Group Policy. Larger organizations often need to redirect folders based on the user so that different users' redirected folders can be housed on various file servers, providing sufficient storage for everyone. Group Policy accomplishes this task most easily if you can have file servers that correspond with AD OUs. In this case, you create a unique GPO for each OU and redirect that OU's users (or rather, those users' folders) to a particular server. Otherwise, you might need to use a technology such as Windows Distributed File System (DFS), which can provide a non-server-centric view of the network, allowing users' folders to be redirected to an arbitrary server, as Figure 2.13 illustrates.

Figure 2.14: Redirecting the My Documents folder.

Another technique is to use a desktop configuration tool such as ScriptLogic Desktop Authority. As Figure 2.14 shows, this tool can redirect many different shell folders to an arbitrary location. It can also copy any files that already exist locally in the to-be-redirected folder to the new location, ensuring a transparent cutover to the redirection scheme. Desktop Authority 6.05 can redirect the following folders:

  • Start menu folder

  • Programs folder

  • Startup folder

  • Desktop folder

  • Favorites (Internet Explorer bookmarks) folder

  • Personal (My Documents) folder

  • My Pictures folder

  • Cookies folder

  • History folder

  • Recent folder

  • Send To folder

  • Temporary Internet Files folder

Desktop Authority also provides for more granular application of settings than Group Policy offers. For example, this setting might be applied to all desktop computers, but not to portable computers (for which redirection can be problematic because the computer isn't always on the network).

A single Desktop Authority profile -- roughly analogous to a GPO -- can contain multiple elements; each element can, for example, redirect a single shell folder. Desktop Authority can also redirect the so-called common folders -- including common Application Data -- that are shared by all users of a computer.

Folder redirection is a crucial security tactic, allowing you to maintain ease-of-use for your users while consolidating files onto more easily secured and easily audited file servers. Folder redirection can also help enforce system configurations. For example, if all users' desktop folders are redirected to a single shared location, and users are not given write permissions to that location, then all users will have a consistent, locked desktop configuration. Such a configuration can make it more difficult for users to introduce external software -- such as viruses -- by locking down some portion of the file system where Web browsers and other applications try to save files.
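One way to verify that redirection is actually in effect for the shell folders listed above, as an added example (not from the eBook and not part of Desktop Authority). It reads the current user's "User Shell Folders" registry values and assumes redirected folders point at UNC paths (a file server or a DFS namespace), so a folder redirected to a mapped drive letter would be reported as local.

```powershell
# Added example: audit which per-user shell folders are redirected to a server.
# Keys are the registry value names Windows uses under "User Shell Folders";
# the labels on the right follow the folder list in the article.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$folders = [ordered]@{
    'Start Menu'  = 'Start menu'
    'Programs'    = 'Programs'
    'Startup'     = 'Startup'
    'Desktop'     = 'Desktop'
    'Favorites'   = 'Favorites'
    'Personal'    = 'Personal (My Documents)'
    'My Pictures' = 'My Pictures'
    'Cookies'     = 'Cookies'
    'History'     = 'History'
    'Recent'      = 'Recent'
    'SendTo'      = 'Send To'
    'Cache'       = 'Temporary Internet Files'
}

$regKey = Get-Item -Path $key
$report = foreach ($name in $folders.Keys) {
    # Read the raw value, then expand %USERPROFILE% and similar ourselves.
    $raw = $regKey.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    $path = $null
    if ($null -eq $raw) {
        $state = 'NotSet'
    } else {
        $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
        if ($path.StartsWith('\\')) {
            # Assumption: a UNC target means the folder is redirected.
            # An unreachable target is the "vanished files" case on a
            # disconnected portable computer.
            $state = if (Test-Path -LiteralPath $path) { 'Redirected' }
                     else { 'RedirectedUnreachable' }
        } else {
            # Still on the client: not centrally secured or audited.
            $state = 'Local'
        }
    }
    [pscustomobject]@{ Folder = $folders[$name]; State = $state; Path = $path }
}

# Full report, then only the folders that need attention.
$report | Format-Table -AutoSize
$report | Where-Object { $_.State -ne 'Redirected' } | Format-Table -AutoSize
```

Run it in the user's logon session, since the values live in that user's HKCU hive.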
