Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  

Folder Redirection
 

Point users in the right direction

Most administrators know that no matter how stern your company's policies and warnings, believing that users will back up their document files is tantamount to believing in Santa Claus. Windows 2000's new folder redirection feature lets you move special user folders—the Application Data, Desktop, My Documents, and Start Menu subfolders under the user's Documents and Settings folder—from local computers to servers, thereby ensuring regular backup of user files.

Backup insurance isn't the only advantage you gain from folder redirection. When you implement redirection, roaming users no longer need to download their documents during logon and upload the files during logoff. Instead, Win2K sends the pointer to the server-based folder during the logon, thereby speeding the logon and logoff processes. (See the sidebar "Folder Redirection vs. Offline Folders," page 144, for an explanation of how this feature differs from offline folders.) Additionally, you can impose disk quotas against the server that holds user documents, thus "encouraging" users to clean out their My Documents folders occasionally.

The downside of folder redirection is that it requires a lot of disk space on the server. Also, users can't get to documents when the server is unavailable. Because redirection is server-configured, however, you can easily move the pointers to another server (or even back to users' local computers) when the original server is scheduled for maintenance. If a server goes down unexpectedly, you can restore its backup to another server and change the pointers. This option lets users get back to work in a reasonably short time.

Best Practices
The best practice is to redirect only the My Documents subfolder. You shouldn't, however, redirect My Pictures, which resides under My Documents: The size of the graphics files in My Pictures can overwhelm your server's disk-space capacity. I can't think of any good reasons to redirect the other available subfolders, and doing so might prevent users from employing local applications when the server is down. To protect user documents, you must redirect folders to servers that use NTFS.

Setting Up Folder Redirection for My Documents
Folder redirection is a Group Policy feature, so Win2K implements redirection through Active Directory (AD). Before you start the policy configuration process, create a parent folder on each server that will hold redirected folders, and share that folder. By default, the new folder will provide Full Control for the Everyone group; you can keep this default because individual user folders will maintain individual permission schemes. If you have some reason to deny Full Control, you must provide at least Modify permissions for the Everyone group.

If you're redirecting folders for users in a domain or organizational unit (OU), open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. You can use the MMC Active Directory Sites and Services snap-in to apply Group Policy at the site level. However, common practice is to establish a basic set of policies on a domainwide basis, then establish policies that apply to individual OUs. Another reason to start at the domain level is that the domain's Default Domain Policy provides one place to view or edit policies. (Sites don't have a Default Site Policy.) However, if you've created a site-based architecture for your enterprise, applying policies on a site-by-site basis might make sense.

In the console pane of the appropriate MMC, right-click the domain, OU, or site container that contains the user accounts for which you want to redirect folders. Choose Properties from the shortcut menu to open the container's Properties dialog box.

Move to the Group Policy tab. From this tab, you can add the folder redirection policy to an existing policy or create a new policy, depending on the way you like to organize your AD. (You might prefer to put all policies in one policy object or keep similar policies in individual policy objects.) Select the new or existing policy object and click Edit to open the Group Policy Editor (GPE) snap-in. Expand the User Configuration object in the GPE's console pane, expand Windows Settings, and select the Folder Redirection node.

Separate My Pictures from My Documents
To eliminate My Pictures from the redirected folder settings, you must first separate the My Pictures subfolder from the My Documents folder. Otherwise, these folders behave as one unit.

Expand My Documents in the console pane and right-click My Pictures. Choose Properties to open the My Pictures Properties dialog box. The Target tab shows the current location for My Pictures; by default, the setting is Follow the My Documents folder. Click the arrow at the right of the Setting box and select No administrative policy specified. Click OK to separate My Pictures' policies and My Documents' policies.



Redirect My Documents
Right-click My Documents in the GPE's console pane, select Properties, and move to the Target tab. My Documents' default Target setting is No administrative policy specified. Click the arrow at the right of the Setting box to display the following redirection choices:

  • Basic—Redirect everyone's folder to the same location. Choose this option to redirect My Documents for all users in the selected container (e.g., the domain, the OU) and to use the same server for all redirected folders.
  • Advanced—Specify locations for various user groups. Choose this option to redirect My Documents for only members of particular groups or to specify different servers for different groups' folders.

The Basic redirection option is straightforward; all you need to do is establish the target folder on the server. The Advanced redirection option lets you be selective about the target users and target folders. You can use this option to redirect folders for specific users according to their group memberships. For example, if you've created a security group for mobile users, this option provides a way to exclude those users from the redirected folders policy. (If you haven't created a security group for mobile users, you should create one or more OUs for them and apply the redirected folders policy at the OU level.) The Advanced option requires more steps, so I'll describe the process for configuring this option. If you choose the Basic option, simply follow the step for specifying the target folder.

When you select the Advanced option, a Security Group Membership section appears on the Target tab. To add a group to the list, click Add. This action opens the Specify Group and Location dialog box, which you use to select groups and to specify the location of each group's redirected folders.

Click Browse in the Security Group Membership section to open the Select Group dialog box. Select the security group to which you want to apply folder redirection and click OK. The group's name appears in the Security Group Membership section's text box.

In the Target Folder Location section's text box, type the Uniform Naming Convention (UNC) path to the server share you created to hold the redirected folders. To this path, add the variable %username%. If you don't remember the UNC path, you can click Browse and select the folder, but the Target Folder Location box then displays the folder's path with a drive letter instead of a UNC path. Delete the drive letter and use the UNC path format instead. Figure 1, page 144, shows the specifications to redirect folders for my domain's accounting department (i.e., members of the Accntg group in the WESTERN domain) to a parent folder (i.e., the Userdocs folder on the server west).

Repeat these steps to continue adding groups. You can place each group's redirected folders on different servers or in different parent shares, or you can put all the redirected folders into the same share on the same server. When you've added all the groups you want to target, move to the Properties dialog box's Settings tab to configure the redirection settings for the policy. Figure 2, page 144, shows the recommended options.

If you didn't previously separate My Pictures and My Documents, the options in the Settings tab's My Pictures Preferences section are inaccessible. Wherever you redirect My Documents, My Pictures comes along for the ride.

Automatically Creating User Subfolders
The next time an affected user logs on, the system automatically creates the \%username% subfolder on the server and copies all existing user documents to that subfolder. As the user saves and opens documents, the user's system transparently accesses the server-based folder.

If you want to verify the creation of a user's folder, you (or the user) can right-click the My Documents folder on the client desktop and select Properties. The Target box under the Folder Location section should display the UNC path for the server-based folder (instead of the user's subfolder under the local Documents and Settings folder). You can also check the server to make sure the folder you created adds a \%username% subfolder as each affected user logs on.

Protecting User Privacy
As I mentioned earlier, the folder redirection feature provides safeguards for user privacy: The redirected documents are available only to the user. (Even an administrator who tries to open a user's subfolder on the server receives an error message stating that access is denied.) Each \%username% subfolder has the following default permissions:

  • %username% (i.e., the user)—Full Control
  • Everyone—No Access
  • System—Full Control
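
One way to check the default permission scheme listed above across every subfolder of the share, as an added PowerShell example that is not part of the original article. It assumes the article's sample share \\west\Userdocs and WESTERN domain and a PowerShell 3.0 or later host; the function name is hypothetical.

```powershell
# Added example (not from the article). \\west\Userdocs and WESTERN are the
# article's sample share and domain; the function name is hypothetical.
function Get-RedirectedFolderAclReport {
    param(
        [string]$Root   = '\\west\Userdocs',
        [string]$Domain = 'WESTERN'
    )
    $full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    $system = 'NT AUTHORITY\SYSTEM'

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $user = "$Domain\$($dir.Name)"   # each subfolder is named %username%
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        }
        catch {
            # The article says even an administrator is denied access to a
            # user's subfolder, so an unreadable ACL is reported, not fatal.
            [pscustomobject]@{
                Folder = $dir.FullName; Status = 'Unreadable'
                Detail = $_.Exception.Message
            }
            continue
        }

        # Explicit and inherited Allow entries on the subfolder.
        $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })

        # Principals whose entry includes every Full Control bit.
        $fullNames = @($allow |
            Where-Object { ($_.FileSystemRights -band $full) -eq $full } |
            ForEach-Object { $_.IdentityReference.Value })

        # Anyone allowed in besides the user and SYSTEM breaks the default scheme.
        $unexpected = @($allow |
            ForEach-Object { $_.IdentityReference.Value } |
            Where-Object { $_ -notin @($user, $system) } |
            Select-Object -Unique)

        $ok = ($fullNames -contains $user) -and
              ($fullNames -contains $system) -and
              ($unexpected.Count -eq 0)
        $status = if ($ok) { 'Default' } else { 'Review' }

        [pscustomobject]@{
            Folder = $dir.FullName; Status = $status
            Detail = $unexpected -join ', '
        }
    }
}

# List only the subfolders that need attention.
Get-RedirectedFolderAclReport | Where-Object { $_.Status -ne 'Default' }
```

A row marked Review with an empty Detail column means the user or SYSTEM entry lacks Full Control rather than that an extra principal was granted access.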

Everyone Wins
I use folder redirection because it's the only surefire scheme for backing up user-created documents. The additional advantages of freeing up disk space on client computers and giving roaming users the ability to quickly get to their documents make redirection a worthwhile feature that every administrator should investigate.







Reader Comments

I want to set up folder redirection to speed up the log on process for my roaming users. They have folders all over their desktops, not just in My Documents. Is there some reason I shouldn't redirect the desktop? I have plenty of space on my server. SMG

Sister -May 19, 2003

I am running folder redirection policies for the start menu which is centrally managed from a server. A problem I am having is that users can double click "Programs" and when the programs window loads, they can go up a level to open the next window, up a level again, and finally hit the LAN where they can browse freely among all workstations and compromise any un-secured shares. Is there any way of setting the share from which the start menu is located as a root? We have managed to crack a similar problem with a shortcut to the home area on the start menu using explorer.exe with the /root switch, among others. However there does not seem to be a way of setting this in group policy, can you help?

Richard -November 21, 2003

I have followed those steps and folder redirection is not working. I have placed a user miketest in a yes ou and set a group policy for that ou. What could I be doing wrong?

Michael DePouw -March 09, 2004

I'm having the same problems as Richard. Has anyone cured this yet? Need help please.

adi oneill -April 08, 2004

I have followed all the steps mentioned, but no user folder is created and no transfer of documents occurs. When I create a user I do not specify a profile location. What am I doing wrong?

John -April 18, 2004

I have implemented folder redirection, and it works beautifully. One thing I do not like is the fact of a locally cached version of all the documents. Is there any way I can structure folder redirection so that the documents are only stored on the server, and *not* the local machine? We are using a Win2K server for a folder redirection target, and most of our clients are XP, with a few 2K thrown in.

Jenn -May 24, 2004

Jenn, you can fix this by using group policy. The setting you are looking for is: User Configuration->Administrative Templates->Network->Offline Files->Do not automatically make redirected folders available offline

Chris -June 02, 2004

Start Menu Redirection Policy Opens BackDoor to My Network Places. My name is Richard, I may even be the same Richard who posted in November 2003. This is a real security flaw and I have emailed Microsoft about it. I will post on here when I have some answers. If anyone knows a patch or updated Group Policy that can be implemented NOW to patch this - what I would term GAPING hole in the system, I would be much obliged.

Richard Forth -June 15, 2004

I have now filed a Vulnerability Report at Microsoft.Com regarding the start menu redirection flaw and expect a reply with some information on the flaw in the next few days....

Richard -June 15, 2004

Well - I thought I might let you all know - the start menu redirection hole is fixable. I did it with Microsoft's help; unfortunately they charged me £185.00 plus VAT UK Sterling Pounds for the privilege of finding out how to do it, so if you want me to help you, you can email me and I will tell you how it's done, but it will cost you around $150 US dollars or £85.00 UK Sterling to find out. I have to charge this to make the money back that I paid Microsoft. Nochex only.

Richard -July 01, 2004

Pre-Orders are now being accepted for a CDROM based Ebook I am writing to explain how to patch the Start Menu Redirection Vulnerability. Paypal and credit / debit card payments accepted.

RichardForth -July 12, 2004

Sorry I also forgot to give the URL. It's http://www.richardforth.co.uk, scroll to the bottom to see the payment link. The e-book should be ready for sale by the end of July. On CDROM only.

RichardForth -July 12, 2004

The following registry hack will prevent a user from being able to double click on Programs to launch explorer. Not as good as a GPO, but seems to be pretty effective.

REGEDIT4

[HKEY_CURRENT_USER\Software\Classes\Folder\shell\open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012

[HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command]
@=hex(2):00,00

[HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\ddeexec]
@="[ViewFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""

[HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\ddeexec\application]
@="explorer.exe"

[HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\ddeexec\ifexec]
@="[]"

[HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\ddeexec\topic]
@="AppProperties"

ms_user -July 29, 2004

I just started using Folder Redirection and it works great. However, is there a way to synchronize only those documents that have been modified?

mthao -October 14, 2004

I'm having the same problems as Richard. Has anyone cured this yet? Need help please. Danish Miyan

Anonymous User -November 09, 2004

We had an issue where Folder Redirection was accidentally enabled for a group of users that previously had Roaming Profiles. When the GPO that contained the Folder Redirection was removed, the redirection remained for those users - it was not reversed. This was probably due to the setting in the Folder Redirection object in the GPO for 'Leave Folder in New Location When Policy is Removed' still being selected. Local registry settings had to be altered manually to correct this.

Anonymous User -November 19, 2004

I am using GPO @ an OU level to implement \\My Documents folder redirection. Using the "basic" setting I've inputted the following values \\servername\home directory share\%username% in attempts to redirect the \My Documents folder & its contents to the users home directory. This setting only redirects the contents to the home dir and NOT the My Documents folder itself. To make it easier for the user I want them to be able to see the \My Documents folder structure when going to their home directory. I would also like to have this same folder synchronized when the mobile user logs on/off. I have looked through the entire GPO and have not found a well defined setting to make this happen. Pls let me know if anyone has the perfect setting I am looking for. Thanks

pderonvil -November 20, 2004

pederonvil - There's no GPO setting (as you've found) to do this. What you can do to easily recreate this effect is to make a "My Documents" subfolder within each user's home directory (you can easily do this with a command script or batch file). Then, modify the redirection policy to point to "\\servername\home directory share\%username%\My Documents."

Anonymous User -March 04, 2005

Man, I find it lame that Richard needs to charge money to explain the problem he solved. What kind of a community would we have if everyone were Richards? All those forums where we all help each other solve problems...... Visa, mastercard and paypal?? Man oh man, that's lame lame lame.

Anonymous User -April 27, 2005

Right on. The setting you are looking for is: User Configuration->Administrative Templates->Network->Offline Files->Do not automatically make redirected folders available offline. Cheers for this too :)

Anonymous User -May 25, 2005

This is all well and good, but the My Music folder that resides under My documents is a far greater problem than My Pictures. There needs to be a way to stop folder redirection on ANY subfolder that exists under My documents.

Anonymous User -June 08, 2005

test

anon1mouse -June 27, 2007

I am having the same issue as the anonymous post-er above. I have SBS 2003 and my documents re-direction is turned on but our owner has a huge My Music folder so I moved it into the root of C: and next time he logged on the folder re-direction moved the whole thing back into my documents. I DO NOT want 30GB of music sitting on our server. Help?

pooreugene -July 10, 2007

pooreugene, explain to your owner that unless he saves his mp3's in a different folder, they will be removed. Be nice though. :)

mahaderway -August 09, 2007
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement