Folder Redirection with Group Policy in Server 2003
Author: Rob Golding
Email: rob@maxms.net
Published: 26th December 2007
Category: Windows Server
Sub-Category: Installation

One of the most useful things that can be done with Group Policy is to redirect users' folders to locations on a file server. The folders that can be redirected are My Documents, Desktop, Start Menu and Application Data (although I usually only bother with My Documents). This offers not only the possibility of users "roaming" around the network and keeping the same documents wherever they go, but also the ability to back up all users' documents just as you would any other file server data. Other benefits include the use of Previous Versions, which will be explained in a future article.

The process of redirecting the users' folders is quite simple in itself, but getting the permissions right on the share is essential for the redirection to succeed: if the user cannot create their folder under the root at first logon, the redirection silently fails and the documents stay on the local machine. This is the most difficult step in the operation, and will be explained in detail in this article.

Setting the Policy

The first step is to set the policy that defines the redirection. This is a relatively simple process, and involves first either creating a new policy and linking it to the relevant OU, or using an existing policy to define the redirection.

Note: For manipulating group policy objects, I recommend using the Group Policy Management Console (GPMC), which is a free download from Microsoft for Windows Server 2003.

Firstly, open the GPMC - located in Administrative Tools - and make a new policy in the OU in which your users reside. Note that this policy affects users and not computers, so it must be linked where it applies to your user objects. If you already have a policy in place, then open it for editing (right click, Edit).

The policy we are looking for resides in the User Configuration section, under Windows Settings->Folder Redirection.

[Image: GPMC]

Here, you can choose which folders to redirect. I will only be redirecting the My Documents folder, as I believe this is the most useful - and the most difficult - of them all. To do this, right click the My Documents folder and choose Properties. Under the Target tab, choose the "Basic - Redirect everyone's folder to the same location" setting from the drop-down menu. The target folder location should then be set to "Create a folder for each user under the root path". Then, specify a share on your file server where you want the users' data to be stored. Mine, for example, is called UserData, and the server is called Zeus - so the path is defined as \\zeus\UserData. Note that a folder named after each user's logon name will be created under that root, as displayed in the example below the setting.

[Image: Setting the Policy]

Note: An important step here is to move to the Settings tab and untick the "Grant the user exclusive rights to My Documents" checkbox. If left selected, the user's folder is created with an ACL that grants access only to that user and SYSTEM, which effectively locks everyone else - including Administrators - out of the folder. Most administrators wish to have access to the files stored on their servers (for backup, migration and support), so this is a setting I always clear. You can always change the permissions later if you change your mind, but note that changing the policy afterwards does not re-permission folders that have already been created; those must be fixed by hand. If the users already have a large number of documents, then leaving "Move the contents of My Documents to the new location" ticked will cause very long logons when the users first receive the policy, as this is when all the documents are copied across the network. You may wish to untick this and move the files manually instead.

Once this is complete, the permissions on the share's root folder must be configured.

Configuring the Permissions

To ensure that a user's redirected folder can be created when they first log on, the correct permissions must be granted to them on the root folder. The only permission needed, in theory, is Create Folders/Append Data, but I have found that without read access to the root share, some programs such as Microsoft Word 2003 may crash when saving documents. Granting this read access is not a meaningful security risk: the only thing it discloses is the list of folder names (that is, user names), which any domain user can already enumerate from Active Directory, and the users cannot enter any folder but their own. These permissions must be assigned to the root folder, and the root folder only ("This folder only"), which is achieved using the advanced permission editor, as shown below. Note that these are NTFS permissions set on the Security tab; the share permissions on the Sharing tab must also allow the users at least Change access, otherwise the NTFS grants never come into play.

[Image: Root Share ACLs]

To assign the permissions, right click the root folder of the share (in my case this is called UserData), choose Properties, and then choose the Security tab. Then, as shown in the image above, click the Advanced button. Next, select the Domain Users entry and click Edit... (if the entry is not present, add it using the Add button). Choose "This folder only" from the "Apply onto" drop-down menu, and then tick the required items - I recommend choosing List Folder/Read Data, Read Attributes, Read Extended Attributes, and of course Create Folders/Append Data.

Note: Be sure that only the Administrators, CREATOR OWNER and SYSTEM groups are present alongside the Domain Users group, to make sure that no-one has access to your users' data who shouldn't. CREATOR OWNER is what makes the scheme work: because it applies to subfolders and files, the user who creates their own folder at first logon becomes its owner and inherits control of it, without anyone else being granted a way in. You will notice that I have an extra group called Profile Admins - the administrators of the users' data on my network - who therefore require access to the UserData root folder. You may want to implement something similar in your installation.
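As an added worked example (this is not part of the original article), the PowerShell script below applies the ACL described above to the root folder and then audits it, so that the permissions can be checked rather than eyeballed in the advanced editor. It assumes the root folder is D:\UserData on the file server (shared as \\zeus\UserData), that the domain's NetBIOS name is CORP, and that an optional "Profile Admins" group exists; change those three values to suit. The rights given to SYSTEM, Administrators and CREATOR OWNER (Full Control, with CREATOR OWNER applied to subfolders and files only) are my assumption based on the usual layout for a redirection root, since the article names those groups but not their rights. The audit also checks that each existing per-user folder is owned by the user it is named after, which is what you expect when the user created it at first logon.

```powershell
# Added example (not from the original article): apply and audit the NTFS ACL on the
# folder-redirection root. Assumptions: root folder D:\UserData (shared as \\zeus\UserData),
# domain NetBIOS name CORP, optional "Profile Admins" group. Run elevated on the file server.
# Only Get-Acl, Set-Acl and the System.Security.AccessControl types are used, so it runs on
# PowerShell 1.0 (the version available for Server 2003) as well as later versions.

$Root             = 'D:\UserData'
$Domain           = 'CORP'
$ExtraAdminGroups = @("$Domain\Profile Admins")   # set to @() if you have no such group

# Build one Allow ACE. $Applies mirrors the "Apply onto" drop-down in the advanced editor.
function New-Ace {
    param([string]$Identity, [string]$Rights, [string]$Applies)
    switch ($Applies) {
        'ThisFolderOnly'         { $inherit = 'None';                             $prop = 'None' }
        'SubfoldersAndFilesOnly' { $inherit = 'ContainerInherit, ObjectInherit'; $prop = 'InheritOnly' }
        default                  { $inherit = 'ContainerInherit, ObjectInherit'; $prop = 'None' }
    }
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $inherit, $prop, 'Allow'
}

# 1. Replace whatever is on the root with exactly the ACEs we want. Inheritance from the
#    parent volume is cut so that a permissive ACE higher up cannot leak onto users' data.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in @($acl.Access)) {
    if (-not $old.IsInherited) { [void]$acl.RemoveAccessRule($old) }
}

$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'ThisFolderSubfoldersFiles'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'ThisFolderSubfoldersFiles'))
# CREATOR OWNER on subfolders and files only: the user who creates their folder owns it and
# gets Full Control of it, but gains nothing on the root or on anyone else's folder.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'SubfoldersAndFilesOnly'))
# Domain Users, this folder only: just enough to create their own folder and list the root.
# ListDirectory = List Folder/Read Data, CreateDirectories = Create Folders/Append Data.
$acl.AddAccessRule((New-Ace "$Domain\Domain Users" 'ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateDirectories' 'ThisFolderOnly'))
foreach ($group in $ExtraAdminGroups) {
    $acl.AddAccessRule((New-Ace $group 'FullControl' 'ThisFolderSubfoldersFiles'))
}
Set-Acl -Path $Root -AclObject $acl

# 2. Audit. Returns one line per problem; no output means the root matches the expected
#    identities and every per-user folder is owned by the user it is named after. A folder
#    owned by BUILTIN\Administrators usually means an administrative account was redirected,
#    which is worth knowing about.
function Test-UserDataAcl {
    param([string]$Path, [string]$Domain, [string[]]$AllowedRootIdentities)
    $findings = @()
    $rootAcl  = Get-Acl -Path $Path
    if (-not $rootAcl.AreAccessRulesProtected) {
        $findings += "$Path still inherits ACEs from its parent"
    }
    foreach ($ace in $rootAcl.Access) {
        if ($AllowedRootIdentities -notcontains $ace.IdentityReference.Value) {
            $findings += "$Path has an unexpected ACE for $($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
    foreach ($dir in (Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer })) {
        $owner = (Get-Acl -Path $dir.FullName).Owner
        if ($owner -ne "$Domain\$($dir.Name)") {
            $findings += "$($dir.FullName) is owned by $owner, not $Domain\$($dir.Name)"
        }
    }
    return $findings
}

$allowed  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', "$Domain\Domain Users") + $ExtraAdminGroups
$findings = @(Test-UserDataAcl -Path $Root -Domain $Domain -AllowedRootIdentities $allowed)
if ($findings.Count -eq 0) { "ACL on $Root matches the expected set" } else { $findings }
```

Run the audit part on its own from time to time (for example after a restore or a manual permissions change): an unexpected identity on the root, or a user folder owned by someone other than that user, is exactly the kind of drift that makes redirection fail for new users or exposes one user's documents to another.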

First Logon

Now that the policy and the permissions are set, you can log on as one of the users the policy applies to, and their folder should be created automatically in the root share (note that the logon may take slightly longer than normal). Any folders you have configured to redirect will be located in this folder. If nothing appears, check the Application event log on the client for Folder Redirection errors; an "Access is denied" message almost always means the root folder permissions above are wrong.
