Have a simple Work Folders setup in Windows Server 2012 R2

Follow these steps to have the easiest Work Folders setup possible and to make the feature an essential part of your enterprise.

Meet Work Folders, a sync option designed to bridge the gap between personally owned devices, such as Windows RT and Windows 8.1 devices, and corporate-owned data. No other Microsoft sync technology, such as OneDrive, currently works in this space.

In this two-part series, I'll show you how to set up the feature to get it working and discuss some obstacles you'll run into during your evaluation.

Installing the Work Folders feature

First off, you need to install the Work Folders role, which is an integrated part of Windows Server 2012 R2. Through PowerShell, a one-line command gets it done for you (what's not to love about PowerShell?):

Add-WindowsFeature FS-SyncShareService

When the command is finished running, you'll be prompted with a notification within the command line like this:

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Work Folders, IIS Hostable Web Core}

Set up the sync share

The sync share is key to the Work Folders feature, the central bit of how it all works together. The sync share is essentially how Windows Server 2012 R2 manages what files to sync for which users. You set up a sync share by establishing a folder locally accessible to a Windows Server 2012 R2 server and then pointing a wizard to that location. Within that shared folder, each user has a subfolder that contains the files that the Work Folders feature will host and sync. Here's how to do that:

1. Open Server Manager.

2. Navigate to File and Storage Services in the left section and Work Folders in the middle section.

3. From the Task drop-down menu, select the New Sync Share Wizard.

4. On the first screen, you can either choose an existing file share, which may be appropriate if you redirect user profiles and documents folders to a central file server, or you can enter a local path to create the share. Click Next.

5. The "Specify the structure for user folders" screen appears. Here you can choose how folders will be built under your sync share. Here are your choices:

a. the "user alias" method, which uses only the end users' login names to create a subfolder for each person under the sync share to host their folders, or

b. the "user alias@domain" structure if you are a larger organization that may have multiple domains and therefore an increased chance of collision between alias names.

The "Sync only the following subfolder" feature can also be enabled, which lets you choose one individual subfolder to sync, so you can avoid syncing music, pictures and videos for every user. You may wish to sync only the Documents folder, or you may wish to create a new subfolder called "Work Folders" and then train your end users to save documents they want synced into that folder. You can choose a subfolder name that does not exist, and the wizard will create it for each end user who has the Work Folders feature enabled (which happens later in the wizard). Click Next.

6. Enter a name for your sync share and click Next.

7. Choose which groups have access to this sync share. The best practice here is to put all users who should have access to this particular sync share into a specific security group, and then add that group here. If you want to let an administrator have access to documents within Work Folders, uncheck the "Disable inherited permissions and grant users exclusive access to their files" box. Then, click Next.

8. The Specify Device Policies screen appears. Here you can choose whether to instruct devices that sync to this sync share to encrypt the files within the Work Folders space and whether to require a PIN on these devices -- much like Exchange ActiveSync. Click Next.

9. A summary screen appears. Verify all of your selections and then click Finish.

Windows Server 2012 R2 will apply your settings and create the sync share.

PowerShell-ing Work Folders

Because I really like PowerShell, I'm fond of learning how to perform tasks with the language even if I ultimately decide to use the GUI to fully understand my options. In the case of Work Folders, one command does all the work.

Take the following example. Entering the command below creates a new sync share named SalesShareCA located at C:\SyncShare\SalesCA for the California_Sales security group and requires devices to honor both an encryption policy and a lock-and-password policy:

New-SyncShare SalesShareCA -Path C:\SyncShare\SalesCA -User DOMAIN\California_Sales -RequireEncryption $true -RequirePasswordAutoLock $true
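
The script below is an added example, not part of the original article: it creates the same share with the wizard's step 5, 7 and 8 choices spelled out as parameters, then audits every sync share on the server for missing device policies or inherited permissions. It assumes an elevated session on the Work Folders server and that the objects returned by Get-SyncShare expose properties named like the New-SyncShare parameters.

```powershell
# Added example, not from the original article. Run elevated on the Work Folders
# server. Share name, path and group are the article's example values.
$name  = 'SalesShareCA'
$path  = 'C:\SyncShare\SalesCA'
$group = 'DOMAIN\California_Sales'

if (-not (Get-SyncShare -Name $name -ErrorAction SilentlyContinue)) {
    # Make sure the local folder exists before pointing the share at it.
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Step 5: '[user]@[domain]' is the "user alias@domain" folder structure.
    # Step 7: -InheritParentFolderPermission is left off, so each user keeps
    #         exclusive access to their own folder.
    # Step 8: both device policies are switched on.
    New-SyncShare -Name $name -Path $path -User $group `
        -UserFolderName '[user]@[domain]' `
        -RequireEncryption $true -RequirePasswordAutoLock $true
}

# Audit every sync share on this server for weaker settings.
# Assumption: Get-SyncShare objects expose properties named like the
# New-SyncShare parameters used above.
$findings = foreach ($share in Get-SyncShare) {
    $issues = @()
    if (-not $share.RequireEncryption)        { $issues += 'encryption not required' }
    if (-not $share.RequirePasswordAutoLock)  { $issues += 'lock/password policy not required' }
    if ($share.InheritParentFolderPermission) { $issues += 'inherits parent folder permissions' }

    [pscustomobject]@{
        Name   = $share.Name
        Path   = $share.Path
        Groups = $share.User -join ', '
        Issues = $issues -join '; '
    }
}

# Show only the shares with at least one finding.
$findings | Where-Object Issues | Format-Table -AutoSize -Wrap
```

An empty table means every share requires encryption and a lock policy and grants users exclusive access to their folders.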

In part two, I cover more server side setup and then show you how to connect a client and administer the solution, as well as analyze where Work Folders makes sense today and in the near future.

About the author:
Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Microsoft Windows Small Business Server 2003 and Learning Windows Server 2003. Jonathan also speaks worldwide on topics ranging from networking and security to Windows administration. He is president of 82 Ventures LLC, based in North Carolina, and is currently an editor for Apress Media LLC, a publishing company that specializes in books for programmers and IT professionals.
