title | description | ms.custom | ms.date | ms.prod | ms.reviewer | ms.suite | ms.tgt_pltfrm | ms.topic | ms.assetid | author | ms.author | manager |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Configure folder redirection on the Windows Server Essentials Destination Server | na | windows-server-2016-essentials | na | article | nnamuhcs | dongill |
Applies To: Windows Server 2016 Essentials, Windows Server 2012 R2 Essentials, Windows Server 2012 Essentials
Perform this task if folder redirection is enabled on the Source Server.
First, delete the old Folder Redirection Group Policy setting. Then use the Windows Server Essentials Dashboard to enable folder redirection on the Destination Server.
To delete the old Folder Redirection Group Policy setting
- On the Destination Server, open the Group Policy Management administrative tool.
- In Group Policy Management, expand Forest:YourNetworkDomainName, expand Domains, expand YourNetworkDomainName, and then expand Group Policy Objects.
- Right-click SBS Group Policy Folder Redirection, and then click Delete.
- Right-click SBS Group Policy Security Templates, and then click Delete.
- Read the warning, and then click Yes.
- Close Group Policy Management.
To enable folder redirection on the Destination Server
- On the Destination Server, open the Windows Server Essentials Dashboard.
- In the navigation bar, click Devices.
- In the Devices Tasks pane, click Implement Group Policy.
- On the Enable Folder Redirection Group Policy page, select the folders to be redirected, and then click Next.
- On the Enable Security Policy Settings page, click Finish.
To apply the change to folder redirection, network users must log off their computer, and then log back on. This ensures the transfer of all redirected folders to the Destination Server.
In an earlier post, we saw why we need 'Roaming Profile' and how to configure 'Roaming Profile' (http://www.adshotgyan.com/2011/07/how-to-configure-roaming-profiles.html). A User Profile contains data (documents, files, folders) but can also contain movies, songs, etc. (even though we as administrators can restrict them), so the bottom line is that the profile size can be anywhere from a few MBs to a few GBs.
Now think about a situation where Mr. Gappu has a Roaming Profile and the size of his Roaming Profile is 3 GB. Now you will ask: what's the big deal? What's the problem in that? Think again.
The problem lies in the working and design of Roaming Profiles. Roaming Profiles download 'ALL' the data from the network location when you log on to a machine where you have not logged in before. So assuming Mr. Gappu uses a new machine every day to log on, then every day 3 GB of data is copied from the server to his local machine.
That uses a lot of network bandwidth, and on top of that it might take a few minutes (5-30 or even more, depending upon the network speed) before Mr. Gappu gets the desktop and starts working. So till that time he has an 'official' reason to roam around and chat, thereby wasting the company's time. (Now stop thinking about whether you could have a huge roaming profile, because you have a local profile, so stop dreaming and start working.)
Folder Redirection Vs Roaming Profiles
The solution to this is to implement 'Folder Redirection'. Folder Redirection also saves your data on the network, BUT it does not sync with your local machine every time you log on (even though you can make it do so). The point to stress here is that by default it will not copy the data from the server to your local machine every time you log on, be it a new machine or an old machine. It will simply NOT COPY the data. You will get your data directly from the server (real time).
Now let's see how we can implement Folder Redirection.
Before we implement Folder Redirection, I would like you to have a look in the registry to confirm the location of the user's data:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Note that the path for My Documents, My Pictures, Desktop, etc. is all local.
Now let's configure the Group Policy for Folder Redirection.
Basic - Redirect everyone’s folder to the same location
In the majority of cases, you will choose this option.
Advanced - Specify locations for various user groups
You will use this option when you want to redirect folders depending upon the group membership of the user.
Once you choose the option 'Basic - Redirect everyone’s folder to the same location', you then have the following options:
1. Create a folder for each user under the root path
2. Redirect to the following location
3. Redirect to the local user profile location
For this lab, we will choose the option 'Create a folder for each user under the root path'
Let's create a folder in the file system of the server where the data will be stored. Make sure you assign appropriate permissions on the folder for the users.
Give the network location of the folder which you just created. Make sure you do NOT specify the %UserName% variable here as we did in the case of Roaming Profiles.
Run gpupdate /force and you will get the following message stating that the Folder Redirection will apply on next reboot.
An event is logged as well, stating that Folder Redirection will apply at next reboot because of 'Logon Optimization'.
Also, note that the folder got created for that User on the network Location that was specified in the Folder Redirection Group Policy
Like Roaming Profiles, you as an administrator do not have permissions on the user folders. But unlike Roaming profile, where you could take the ownership of the folder and can view the data, in case of Folder Redirection it is not so easy. And I do not recommend you to play around with the permissions here..
On the client machine, you will get the Event ID 501 stating that the Folder redirection has been successfully applied..
Go into the properties of any folder on the client desktop which is being redirected and you will notice that it points to the network location instead of the local path. That means that the data is being redirected to the network location.
The important thing that needs to be noticed is that if now you check the Profile of the User, you will not find the 'Desktop' folder which was earlier present.. This happens because the 'Desktop' is getting redirected and the folder will be 'CUT' from the Profile Share and will be PASTED into the Redirected Folder..
Be it Local profile (Cache Copy of the Roaming Profile in this Case)
Again, not recommended, but since I took the ownership of the user folder which was getting redirected, I am now able to view all the contents. (The ownership was taken just to show that the data is getting redirected. Taking the ownership can lead to the data becoming inaccessible to the user.)
Just a quick look in the registry again. This time you will notice that the path for Desktop has changed from Local -> Network:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
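The registry check described above can be scripted for the signed-in user. This is an added example, not code from the original post; `$ExpectedRoot` is an assumed value (the sample root path used elsewhere on this page) and should be set to the root path in your own GPO.

```powershell
# Added example: list the current user's shell folders and flag redirected ones.
# $ExpectedRoot is an assumption; set it to the root path configured in your GPO.
$ExpectedRoot = '\\fs1.corp.contoso.com\users$'
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

(Get-ItemProperty -Path $key).PSObject.Properties |
    Where-Object { $_.Name -notin $skip } |          # drop provider metadata properties
    ForEach-Object {
        # Values are REG_EXPAND_SZ; expanding again is harmless if already expanded.
        $path = [Environment]::ExpandEnvironmentVariables([string]$_.Value)

        $state = if (-not $path.StartsWith('\\')) {
            'Local'
        }
        elseif ($path.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)) {
            'Redirected'
        }
        else {
            # A UNC path outside the expected share deserves a second look.
            'Redirected (unexpected server)'
        }

        [pscustomobject]@{ Folder = $_.Name; State = $state; Path = $path }
    } |
    Sort-Object State, Folder |
    Format-Table -AutoSize
```

Run it once before the policy applies and once after the next logon; redirected folders move from `Local` to `Redirected`.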
title | description | ms.prod | ms.topic | author | ms.author | ms.technology | ms.date | ms.localizationpriority |
---|---|---|---|---|---|---|---|---|
How to use Windows Server to deploy Folder Redirection with Offline Files to Windows client computers. | article | jgerend | 06/06/2019 |
Applies to: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Vista, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 R2, Windows Server (Semi-annual Channel)
This topic describes how to use Windows Server to deploy Folder Redirection with Offline Files to Windows client computers.
For a list of recent changes to this topic, see Change history.
[!IMPORTANT] Due to the security changes made in MS16-072, we updated Step 3: Create a GPO for Folder Redirection of this topic so that Windows can properly apply the Folder Redirection policy (and not revert redirected folders on affected PCs).
Prerequisites
Hardware requirements
Folder Redirection requires an x64-based or x86-based computer; it is not supported by Windows® RT.
Software requirements
Folder Redirection has the following software requirements:
- To administer Folder Redirection, you must be signed in as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
- Client computers must run Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server (Semi-annual Channel), Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.
- Client computers must be joined to the Active Directory Domain Services (AD DS) that you are managing.
- A computer must be available with Group Policy Management and Active Directory Administration Center installed.
- A file server must be available to host redirected folders.
- If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
- If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
- When using a clustered file share, disable continuous availability on the file share to avoid performance issues with Folder Redirection and Offline Files. Additionally, Offline Files might not transition to offline mode for 3-6 minutes after a user loses access to a continuously available file share, which could frustrate users who aren’t yet using the Always Offline mode of Offline Files.
[!NOTE] Some newer features in Folder Redirection have additional client computer and Active Directory schema requirements. For more info, see Deploy primary computers, Disable Offline Files on folders, Enable Always Offline mode, and Enable optimized folder moving.
Step 1: Create a folder redirection security group
If your environment is not already set up with Folder Redirection, the first step is to create a security group that contains all users to which you want to apply Folder Redirection policy settings.
Here's how to create a security group for Folder Redirection:
- Open Server Manager on a computer with Active Directory Administration Center installed.
- On the Tools menu, select Active Directory Administration Center. Active Directory Administration Center appears.
- Right-click the appropriate domain or OU, select New, and then select Group.
- In the Create Group window, in the Group section, specify the following settings:
- In Group name, type the name of the security group, for example: Folder Redirection Users.
- In Group scope, select Security, and then select Global.
- In the Members section, select Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.
- Type the names of the users or groups to which you want to deploy Folder Redirection, select OK, and then select OK again.
Step 2: Create a file share for redirected folders
If you do not already have a file share for redirected folders, use the following procedure to create a file share on a server running Windows Server 2012.
[!NOTE] Some functionality might differ or be unavailable if you create the file share on a server running another version of Windows Server.
Here's how to create a file share on Windows Server 2019, Windows Server 2016, and Windows Server 2012:
- In the Server Manager navigation pane, select File and Storage Services, and then select Shares to display the Shares page.
- In the Shares tile, select Tasks, and then select New Share. The New Share Wizard appears.
- On the Select Profile page, select SMB Share – Quick. If you have File Server Resource Manager installed and are using folder management properties, instead select SMB Share - Advanced.
- On the Share Location page, select the server and volume on which you want to create the share.
- On the Share Name page, type a name for the share (for example, Users$) in the Share name box.
[!TIP] When creating the share, hide the share by putting a $ after the share name. This will hide the share from casual browsers.
- On the Other Settings page, clear the Enable continuous availability checkbox, if present, and optionally select the Enable access-based enumeration and Encrypt data access checkboxes.
- On the Permissions page, select Customize permissions…. The Advanced Security Settings dialog box appears.
- Select Disable inheritance, and then select Convert inherited permissions into explicit permission on this object.
- Set the permissions as described in Table 1 and shown in Figure 1, removing permissions for unlisted groups and accounts, and adding special permissions to the Folder Redirection Users group that you created in Step 1.
Figure 1 Setting the permissions for the redirected folders share
- If you chose the SMB Share - Advanced profile, on the Management Properties page, select the User Files Folder Usage value.
- If you chose the SMB Share - Advanced profile, on the Quota page, optionally select a quota to apply to users of the share.
- On the Confirmation page, select Create.
Table 1 Required permissions for the file share hosting redirected folders
User Account | Access | Applies to |
---|---|---|
System | Full control | This folder, subfolders and files |
Administrators | Full Control | This folder only |
Creator/Owner | Full Control | Subfolders and files only |
Security group of users needing to put data on share (Folder Redirection Users) | List folder / read data (Advanced permissions); Create folders / append data (Advanced permissions); Read attributes (Advanced permissions); Read extended attributes (Advanced permissions); Read permissions (Advanced permissions) | This folder only |
Other groups and accounts | None (remove) | |
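The share settings from Step 2 and the NTFS permissions in Table 1 can also be applied and checked from PowerShell. This is an added example, not part of the original topic; the local path `D:\Shares\Users`, the domain name `CORP`, and the share-level access list are assumptions (the topic only specifies the NTFS permissions).

```powershell
# Added example. Assumed values: local path and the CORP domain name.
$Path  = 'D:\Shares\Users'
$Group = 'CORP\Folder Redirection Users'

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Hidden share (trailing $), access-based enumeration and SMB encryption on,
# continuous availability off. Share-level access is an assumption: it is kept
# broad for the two principals so that the NTFS ACL below does the restricting.
New-SmbShare -Name 'Users$' -Path $Path `
    -FullAccess 'BUILTIN\Administrators', $Group `
    -FolderEnumerationMode AccessBased -EncryptData $true `
    -ContinuouslyAvailable $false | Out-Null

# NTFS permissions from Table 1:
#   /inheritance:r   remove inherited ACEs (unlisted groups disappear)
#   (OI)(CI)         this folder, subfolders and files
#   (OI)(CI)(IO)     subfolders and files only
#   no flags         this folder only
#   RD,AD,RA,REA,RC  list folder/read data, create folders/append data,
#                    read attributes, read extended attributes, read permissions
icacls $Path /inheritance:r /grant:r `
    'SYSTEM:(OI)(CI)F' `
    'Administrators:F' `
    'CREATOR OWNER:(OI)(CI)(IO)F' `
    "${Group}:(RD,AD,RA,REA,RC)"

# Verify: nothing inherited, and no principal outside the four in Table 1
# (for example Everyone or Authenticated Users) holds an ACE on the root.
$allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', $Group
$extra = (Get-Acl -Path $Path).Access | Where-Object {
    $_.IsInherited -or $_.IdentityReference.Value -notin $allowed
}

if ($extra) {
    Write-Warning "Unexpected ACEs on ${Path}:"
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
else {
    Write-Output "ACL on $Path contains only the principals listed in Table 1."
}
```

Because the group's ACE applies to the root folder only, each user can create a folder there but cannot list or read the contents of other users' folders.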
Step 3: Create a GPO for Folder Redirection
If you do not already have a GPO created for Folder Redirection settings, use the following procedure to create one.
Here's how to create a GPO for Folder Redirection:
- Open Server Manager on a computer with Group Policy Management installed.
- From the Tools menu, select Group Policy Management.
- Right-click the domain or OU in which you want to set up Folder Redirection, then select Create a GPO in this domain, and Link it here.
- In the New GPO dialog box, type a name for the GPO (for example, Folder Redirection Settings), and then select OK.
- Right-click the newly created GPO and then clear the Link Enabled checkbox. This prevents the GPO from being applied until you finish configuring it.
- Select the GPO. In the Security Filtering section of the Scope tab, select Authenticated Users, and then select Remove to prevent the GPO from being applied to everyone.
- In the Security Filtering section, select Add.
- In the Select User, Computer, or Group dialog box, type the name of the security group you created in Step 1 (for example, Folder Redirection Users), and then select OK.
- Select the Delegation tab, select Add, type Authenticated Users, select OK, and then select OK again to accept the default Read permissions. This step is necessary due to security changes made in MS16-072.
[!IMPORTANT] Due to the security changes made in MS16-072, you now must give the Authenticated Users group delegated Read permissions to the Folder Redirection GPO - otherwise the GPO won't get applied to users, or if it's already applied, the GPO is removed, redirecting folders back to the local PC. For more info, see Deploying Group Policy Security Update MS16-072.
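The security filtering and delegation steps above can be done with the GroupPolicy PowerShell module, and the same module can find other GPOs that lack the Read entry. This is an added example, not part of the original topic; it assumes the GPO and group names used as examples in this topic and a computer with Group Policy Management installed.

```powershell
# Added example. Names below are the examples used in this topic.
Import-Module GroupPolicy

$GpoName = 'Folder Redirection Settings'
$Group   = 'Folder Redirection Users'

# Authenticated Users: Read only. -Replace removes the existing entry first,
# so the default "Read + Apply" is lowered to Read instead of being kept.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# The Folder Redirection security group: Read + Apply (security filtering).
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Show the resulting delegation on this GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

# Audit: list every GPO in the domain where Authenticated Users has no
# permission entry at all. Per the note above, user settings in such a GPO
# are not applied after MS16-072 unless Read is delegated.
Get-GPO -All | ForEach-Object {
    $entry = Get-GPPermission -Guid $_.Id -TargetName 'Authenticated Users' `
        -TargetType Group -ErrorAction SilentlyContinue
    if (-not $entry) {
        [pscustomobject]@{ Gpo = $_.DisplayName; Id = $_.Id }
    }
} | Format-Table -AutoSize
```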
Step 4: Configure folder redirection with Offline Files
After creating a GPO for Folder Redirection settings, edit the Group Policy settings to enable and configure Folder Redirection, as discussed in the following procedure.
[!NOTE] Offline Files is enabled by default for redirected folders on Windows client computers, and disabled on computers running Windows Server, unless changed by the user. To use Group Policy to control whether Offline Files is enabled, use the Allow or disallow use of the Offline Files feature policy setting. For information about some of the other Offline Files Group Policy settings, see Enable Advanced Offline Files Functionality, and Configuring Group Policy for Offline Files.
Here's how to configure Folder Redirection in Group Policy:
- In Group Policy Management, right-click the GPO you created (for example, Folder Redirection Settings), and then select Edit.
- In the Group Policy Management Editor window, navigate to User Configuration, then Policies, then Windows Settings, and then Folder Redirection.
- Right-click a folder that you want to redirect (for example, Documents), and then select Properties.
- In the Properties dialog box, from the Setting box, select Basic - Redirect everyone’s folder to the same location.
[!NOTE] To apply Folder Redirection to client computers running Windows XP or Windows Server 2003, select the Settings tab and select the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems checkbox.
- In the Target folder location section, select Create a folder for each user under the root path and then in the Root Path box, type the path to the file share storing redirected folders, for example: \\fs1.corp.contoso.com\users$
- Select the Settings tab, and in the Policy Removal section, optionally select Redirect the folder back to the local userprofile location when the policy is removed (this setting can help make Folder Redirection behave more predictably for administrators and users).
- Select OK, and then select Yes in the Warning dialog box.
Step 5: Enable the Folder Redirection GPO
Once you have completed configuring the Folder Redirection Group Policy settings, the next step is to enable the GPO, permitting it to be applied to affected users.
[!TIP]If you plan to implement primary computer support or other policy settings, do so now, before you enable the GPO. This prevents user data from being copied to non-primary computers before primary computer support is enabled.
Here's how to enable the Folder Redirection GPO:
- Open Group Policy Management.
- Right-click the GPO that you created, and then select Link Enabled. A checkbox will appear next to the menu item.
Step 6: Test Folder Redirection
To test Folder Redirection, sign in to a computer with a user account configured for Folder Redirection. Then confirm that the folders and profiles are redirected.
Here's how to test Folder Redirection:
- Sign in to a primary computer (if you enabled primary computer support) with a user account for which you have enabled Folder Redirection.
- If the user has previously signed in to the computer, open an elevated command prompt, and then type the following command to ensure that the latest Group Policy settings are applied to the client computer:
- Open File Explorer.
- Right-click a redirected folder (for example, the My Documents folder in the Documents library), and then select Properties.
- Select the Location tab, and confirm that the path displays the file share you specified instead of a local path.
Appendix A: Checklist for deploying Folder Redirection
Status | Action |
---|---|
☐ ☐ ☐ | 1. Prepare domain - Join computers to domain - Create user accounts |
☐ | 2. Create security group for Folder Redirection - Group name: - Members: |
☐ | 3. Create a file share for redirected folders - File share name: |
☐ | 4. Create a GPO for Folder Redirection - GPO name: |
☐ ☐ ☐ ☐ ☐ ☐ | 5. Configure Folder Redirection and Offline Files policy settings - Redirected folders: - Windows 2000, Windows XP, and Windows Server 2003 support enabled? - Offline Files enabled? (enabled by default on Windows client computers) - Always Offline Mode enabled? - Background file synchronization enabled? - Optimized Move of redirected folders enabled? |
☐ ☐ ☐ ☐ | 6. (Optional) Enable primary computer support - Computer-based or User-based? - Designate primary computers for users - Location of user and primary computer mappings: - (Optional) Enable primary computer support for Folder Redirection - (Optional) Enable primary computer support for Roaming User Profiles |
☐ | 7. Enable the Folder Redirection GPO |
☐ | 8. Test Folder Redirection |
Change history
The following table summarizes some of the most important changes to this topic.
Date | Description | Reason |
---|---|---|
January 18, 2017 | Added a step to Step 3: Create a GPO for Folder Redirection to delegate Read permissions to Authenticated Users, which is now required because of a Group Policy security update. | Customer feedback |
In this article, I’ll show you how I configure Folder Redirection using Group Policy and store user data (Desktop, App Data, Documents, Downloads, etc.) on Windows Nano Server 2016.
Configuring Folder Redirection is a two-step process: first we need to configure the file server permissions, and second we deploy a Group Policy that will store the data on the file server.
Folder Redirection is a great technology that allows us to store user data in a central location that follows the user to every computer he logs on to.
Windows Nano Server 2016 File Server is the perfect candidate for Folder Redirection, because of its lightweight footprint, secure platform, and low-maintenance service model.
To get started, I’ve installed the File Server role on my Nano Server.
Once the File Server role is installed, I’ll use the Computer Management console from my management server to connect to my Nano Server.
Next, I’ll create a new shared folder.
Enter the share name, description, etc. and click Next.
Click Next (later I’ll change the share permission to Full Access for everyone).
Next, Open the properties of the share and set the Share Permissions to:
Everyone – Full Control
When done, I’ll open the properties of the share and use the Security tab -> Advanced menu to configure the security permissions.
In the Advanced menu I’ll do the following:
- Disable Inheritance on the Folder – Very Important
- CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
- System – Full Control (Apply onto: This Folder, Subfolders and Files)
- Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files)
- Everyone – Create Folder/Append Data (Apply onto: This Folder Only)
- Everyone – List Folder/Read Data (Apply onto: This Folder Only)
- Everyone – Read Attributes (Apply onto: This Folder Only)
- Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only)
Next, I’ll edit my Group Policy by opening User Configuration -> Windows Settings -> Folder Redirection.
In each one I’ll set the settings as shown below.
Important – In the AppData Settings tab, untick Grant user…
Next time I log on to any server that is joined to the domain, the Folder Redirection policy will apply.
When I right-click on my Desktop settings, the location is set to the file server.
[Voiceover] One of the challenges that our users actually face when working in large enterprise environments is that they sit down at the computer and they do things at that local computer to make their environment comfortable for themselves. And then they have to move to another computer, and everything that they did to customize and make it comfortable for themselves goes away. And the reason why is that by default, user profiles are stored locally. Now in the old days, we would solve this through the use of something called roaming user profiles.
But roaming user profiles come with some significant challenges of their own, primarily surrounding network bandwidth in that the entire profile needs to be downloaded to an individual computer when a user logs in and uploaded when the user logs off. So the way we resolve this problem in Windows Server 2012 is through something called folder redirection. So here we are, I'm already on DC01 and I'm looking at the Group Policy Management tool. And in order to demonstrate folder redirection,…