How To Configure Folder Redirection

by Patrick Rouse [Published on 22 Aug. 2007 / Last Updated on 22 Aug. 2007]

How to use Group Policy to redirect the "Desktop", "My Documents", "Start Menu" and "Application Data" folders.

Introduction

Folder redirection can limit the amount of data that is copied between the Roaming Profile Share and the Terminal Server at each logon and logoff.  This is accomplished by redirecting folders like Desktop, My Documents, and Application Data to a Network Share outside of the Roaming Profile Share, so it is not copied at each logon and logoff. 

Folder redirection can also provide locked down Desktop and Start Menu Folders by redirecting to Network Shares from which the end users can only read, or it can be set up so users' individual Start Menu and Desktop folders reside on a File Share instead of being copied back and forth with the rest of the roaming profile. This reduces the amount of data being transferred at each logon/logoff and provides a more stable environment for users that log on to multiple terminal server sessions at the same time. This is because there is no risk of data loss by one copy of the roaming profile’s Desktop Folder overwriting a previously saved copy, as they are always referring to the directory on the file share, not to a local profile folder.

Terminal Server Group Policy Best Practice

Before we dig into configuring Folder Redirection, let’s review how to configure Group Policies for use with Terminal Services. Best Practice for applying Settings to Users only when they log on to Terminal Servers would be to:

  1. Create an OU to contain a set of Terminal Servers
  2. Block Policy Inheritance on the OU (Properties -> Group Policy). This prevents settings from higher-up in AD from affecting your Terminal Servers.
  3. Move the Terminal Server Computer Objects into the OU. Do NOT place User Accounts in this OU.
  4. Create an Active Directory Security Group called “Terminal Servers” (or something similar that you’ll recognize) and add the Terminal Servers from this OU to this group.
  5. Create a GPO called “TS Machine Policy” linked to the OU
  6. Check “Disable User Configuration settings” on the GPO
  7. Enable Loopback Policy Processing in the GPO
  8. Edit the Security of the Policy so Apply Policy is set for “Authenticated Users” and the Security Group containing the Terminal Servers
  9. Create additional GPOs linked to this OU for each user population, i.e. “TS Users”, “TS Administrators”.
  10. Check “Disable Computer Configuration settings” on these GPO
  11. Edit the Security on these User Configuration GPOs so Apply Policy is enabled for the target user population, and Deny Apply Policy is enabled for user to which the policy should not apply.

With GPOs configured this way the Machine Policy applies to everyone that logs on to the Terminal Server (only the Computer Configuration Settings of the Machine Policy are processed) in addition to the appropriate User Configuration GPO (only the User Configuration portion of the GPO is processed) for the target user population.

Folder Redirection GPO Settings

Since Folder Redirection is in the User Configuration portion of a GPO, one can create multiple different policies and apply one to each distinct user population by filtering the security settings in the properties of the GPO. This allows administrators to redirect some users' folders to pre-configured directories, that the users do not have sufficient NTFS Permission to alter, and to redirect other users to folders that are self maintained.

Folder Redirection settings are located in User Configuration-> Windows Settings -> Folder Redirections.  In that node one will find:

To configure an item, right-click and select “Properties”.  This exposes the configuration UI for the specified folder.  In a single GPO one can either configure the folder to redirect to a specified location for all users to which the GPO applies, or one can configure the folder to redirect to a specified location based upon group membership.

NTFS and Share Permissions

For folder redirection to work properly, the destination shared folder NTFS and Share Permissions must be properly configured.  If redirecting a folder to a location that the end user should not change, i.e. the Start Menu or Locked Down Desktop the following permissions should be applied:

  • Share Permissions:
    • Everyone – Full Control
    • Administrators – Full Control
    • System – Full Control
  • NTFS Permissions:
    • Everyone – Read and Execute
    • Administrators – Full Control
    • System – Full Control

If Group Policy is configured to redirect to a location where the GPO will automatically create the destination folder, i.e. user’s individual Application Data, Desktop or My Documents folders the following permissions should be applied to the parent folder:

  • Share Permissions:
    • Everyone – Full Control
    • Administrators – Full Control
    • System – Full Control
  • NTFS Permissions:
    • Everyone - Create Folder/Append Data (This Folder Only)
    • Everyone - List Folder/Read Data (This Folder Only)
    • Everyone - Read Attributes (This Folder Only)
    • Everyone - Traverse Folder/Execute File (This Folder Only)
    • CREATOR OWNER - Full Control (Subfolders and Files Only)
    • System - Full Control (This Folder, Subfolders and Files)
    • Domain Admins - Full Control (This Folder, Subfolders and Files)

It’s important to note that when redirecting folders such as My Documents to a location that already exists, i.e. the User’s Home Folder there is another setting to consider, ownership. If the user is not the owner of the destination directory, folder redirection will fail with the default Folder Redirection settings. When this is the case, one must deselect “Grant the user exclusive rights to My Documents”

If this is not configured, folder redirection will fail and the following will be written to the Terminal Server’s Event Log:

Event ID: 101
User: username
Computer: computername
Description:
Failed to perform redirection of folder foldername. The new directories for the redirected folder could not be created. The folder is configured to be redirected to \\servername\sharename\%username%, the final expanded path was \\servername\sharename\username. The following error occurred:
Access is denied.

Notes:

  • User Configuration Settings in Group Policy take effect upon the first logon after the policy is saved and replicated to the user’s logon server.
  • Computer Configuration Settings in Group Policy take effect when the machine boots and logs on to Active Directory. With this in mind, one needs to reboot a terminal server before Computer Configuration setting changes will be applied.
  • Folder Redirection does not exist in Local Policy. If one wants to redirect folders without using Active Directory they should investigate redirecting folders by editing the registry at:
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
  • If redirecting the Start Menu, one should be aware that “by default” users right clicking on Start Button to Explore will explore starting at the redirected folder’s network location, even if you have restricted access to My Network Places. To avoid this, one can edit the following registry entry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\ddeexec]
    @="[ExploreFolder(\"DriveLetter:\\\", DriveLetter:\\, %S)]"

Summary

Folder Redirection is a powerful and fairly flexible set of configuration settings in group policy. As with anything in Group Policy, settings should be tested in a controlled environment, and piloted with a small set of users before deploying to a production environment.

References

How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000

Folder Redirection feature in Windows

Security Recommendations for Folder Redirection

Featured Links