Windows OS Hub

February 27, 2023 | Active Directory, Group Policies, Windows 10, Windows Server 2019, Windows Server 2022

Configure User’s Folder Redirection with Group Policy

Folder Redirection enables you to store some user profile folders (special folders like Desktop, Documents, Pictures, Downloads, etc.) in a shared network folder on your file server. Redirected folders work similarly to mapped network drives (users access files in their profile over the network on a file server). In this article, we’ll look at how to use Group Policy to enable folder redirection on user computers in an Active Directory domain.

Advantages of using redirected folders:

  • You can configure centralized user data backup on your file server (instead of enabling backup on each workstation);
  • When a user logs on to any computer, they have access to their personal profile files;
  • You can manage allowed content in different files (using the FSRM role in Windows Server) or restrict the size of a user profile using NTFS disk quotas;
  • You may use redirected folders both for workstations and terminal servers (Remote Desktop Services/RDS farm);
  • You may use Folder Redirection in RDS together with roaming profiles (User Profile Disks or FSLogix profile containers). This can reduce the load on the network and speed up the loading of profiles because you do not have to copy the data from the redirected folders to an RDS host when you log in, and back again when you log out.

You can configure redirected folders in an Active Directory environment in two steps:

  1. Create a shared network folder on a file server and grant permissions;
  2. Configure Folder Redirection options with Group Policy.

Create a domain group of users you want to enable Folder Redirection for. You may create a new AD group and add users to it using PowerShell or the ADUC mmc snap-in:

New-ADGroup munFolderRedirection -Path 'OU=Groups,OU=Munich,DC=woshub,DC=com' -GroupScope Global -PassThru -Verbose
Add-ADGroupMember -Identity munFolderRedirection -Members user1,user2,user3

Create a shared folder on your file server to store the users' redirected folders.

It is better to use a high availability configuration with Windows Failover Cluster or DFS, and/or provide resiliency at the virtualization level (VMware HA, Hyper-V cluster, etc.) for a file server running Windows Server on which you will store personal user folders.

To store user folders, it is recommended to use a separate disk (other than the system drive C:). Create and share a network folder with Windows Explorer or using the New-SmbShare PowerShell cmdlet:

New-SmbShare -Name RedirFolder -Path D:\RedirFolder -Description "Target location for user's redirected folders"

Then you need to configure correct NTFS permissions on the folder so that each user can access only their own files.

Open the folder properties and navigate to the Security tab. Click Advanced, then click Disable Inheritance. When a warning appears, select Convert inherited permissions into explicit permissions on the object.

Remove Users/Authenticated Users from the list of NTFS permissions, and leave the following permissions:

  • Administrators (Full control, This folder, subfolders and files)
  • SYSTEM (Full control, This folder, subfolders and files)
  • CREATOR OWNER (Full control, Subfolders and files only)

Now add the munFolderRedirection security group and grant the following permissions on the root folder (Applies to -> This folder only):

  • Traverse Folder/Execute File
  • List Folder/Read Data
  • Read Attributes
  • Read Extended Attributes
  • Create Folder/Append Data
  • Read Permissions

Grant Full Control permissions for the Authenticated Users group in the network share properties (Sharing -> Advanced Sharing -> Permissions).

With such a configuration, users are allowed to create folders in the directory root, and only owners can access the contents of subfolders.
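
The NTFS and share permissions described above can also be applied and checked from PowerShell. This is an added example, not part of the original article: it builds the final ACL directly instead of converting inherited entries, assumes the NetBIOS domain name WOSHUB, and ends with an audit loop (also an addition) that lists unexpected ACEs on the per-user subfolders.

```powershell
# Added example. Assumptions: D:\RedirFolder and the RedirFolder share from the article,
# NetBIOS domain name WOSHUB (not stated on the page). Run elevated on the file server.
$path    = 'D:\RedirFolder'
$group   = [System.Security.Principal.NTAccount]'WOSHUB\munFolderRedirection'
$admins  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$system  = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM
$creator = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'       # CREATOR OWNER

function New-Ace([System.Security.Principal.IdentityReference]$Identity,
                 [string]$Rights, [string]$Inherit, [string]$Propagate) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$all = 'ContainerInherit, ObjectInherit'
# The six special permissions granted to the group on the root, this folder only
$groupRights = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
               'CreateDirectories, ReadPermissions'

$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)        # block inheritance, keep no inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }  # drop explicit ACEs
$acl.AddAccessRule((New-Ace $admins  'FullControl' $all 'None'))         # folder, subfolders, files
$acl.AddAccessRule((New-Ace $system  'FullControl' $all 'None'))
$acl.AddAccessRule((New-Ace $creator 'FullControl' $all 'InheritOnly'))  # subfolders and files only
$acl.AddAccessRule((New-Ace $group   $groupRights  'None' 'None'))       # this folder only
Set-Acl -Path $path -AclObject $acl

# Share permission from the article: Full Control for Authenticated Users
Grant-SmbShareAccess -Name RedirFolder -AccountName 'NT AUTHORITY\Authenticated Users' `
    -AccessRight Full -Force | Out-Null

# Audit: report Allow ACEs on each user subfolder that are not the owner,
# Administrators, SYSTEM or CREATOR OWNER. No output means nothing unexpected.
Get-ChildItem -Path $path -Directory | ForEach-Object {
    $dir = $_
    $sd  = Get-Acl -Path $dir.FullName
    $ok  = @($admins.Value, $system.Value, $creator.Value,
             $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value)
    $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $ok } |
        Select-Object @{ n = 'Folder'; e = { $dir.FullName } }, IdentityReference, FileSystemRights
}
```

Re-running the audit loop on a schedule catches subfolders whose permissions were widened after deployment.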

Then you can create a Folder Redirection Group Policy for users. Open the domain Group Policy Management console (gpmc.msc), create a new GPO, and link it to the Organizational Unit (OU) with target user accounts.

To apply the policy to specific users only, remove the Authenticated Users group from the Security Filtering and add munFolderRedirection and Domain Computers groups instead.

Edit your new GPO and expand User Configuration -> Policies -> Windows Settings -> Folder Redirection.

Here are options to redirect different user profile folders. In this example, I will configure redirection for the Documents folder only (you can enable folder redirection for other profile folders in the same way).

The redirection of the AppData (roaming) folder is rarely used.

Open the Documents folder properties and configure the following Folder Redirection options:

  • Setting: Basic – Redirect everyone’s folder to the same location
  • Target folder location: Create a folder for each user under the root path
  • Root path: \\mun-fs1\RedirFolder (specify a UNC path to the previously created shared folder)

The Settings tab has some options:

  • Grant the user exclusive rights to Documents – can be disabled, since we have already configured the correct NTFS permissions in advance;
  • Move the contents of Documents to the new location – whether existing files in the user’s documents should be moved to a redirected folder on the file server;
  • Redirect the folder back to the local user profile location when the policy is removed – this option enables offline access to the data (using Offline Files in Windows) and determines the behavior when the GPO is disabled.

Add your file server and/or domain to the trusted local intranet using the Site to Zone Assignment List GPO setting under Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.

In the policy settings, specify the list of trusted servers in the following format:

  • The server or domain name (in the format: file://hostname, \\hostname or its IP address)
  • A zone number (1 – for a local intranet)

If you do not configure this option, running shortcuts and executables from a redirected directory may result in Windows security warnings.

Log out and log back in on the user’s computer (this will update the Group Policy settings on the device).

Then open the Documents folder properties and make sure that the UNC path to your shared folder on a file server is shown as the Location.

You can create files and folders in the Documents folder and they will be available for a user on any computer in your domain.
