Without Folder Redirection, users will save data in the local profile on their computer. If they accidentally delete such a file, you don’t have a backup of it (unless you take backups of workstations, which I doubt…).
Configuring Folder Redirection is fairly easy, but you should get it configured correctly.
In this step-by-step I will just use a domain controller (DC) to store the user folders. I always strive to keep DCs dedicated and not mix other roles onto them, but if you don’t have the hardware or budget I guess you don’t have a choice.
Open up the “Share and Storage Manager” (that came along with Win2008, which in fact is a great tool).
In the Action frame, choose “Provision Share”:
Click “Browse” and “Make new folder”. Give it a meaningful name like “FolderRedir” or similar:
Edit the NTFS permissions:
Remove the inheritance so it doesn’t get permissions from its parent folder:
Administrators: Full Control, “This folder, subfolders and files”
System: Full Control, “This folder, subfolders and files”
Users (or a group containing the domain users): Read & Execute + “Create folders / Append data”, “This folder only”
Creator Owner: Full Control, “Subfolders and files only“
Give it a share name and make it administrative (add a $ at the end of the share name):
Enable “Access-based enumeration” (optional). This feature will only list folders the user has access to when browsing:
Set the share permissions:
Domain admins: Full Control
Users (or a group containing the domain users): Full Control
If you use DFS, you should consider placing the folder redirection on the DFS for redundancy. If you don’t have it, just click Next:
Hit Next and Create the good stuff.
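The NTFS permissions listed above can also be applied and read back from an elevated PowerShell prompt. This is an added example, not part of the original walkthrough; the path D:\FolderRedir and the group "Domain Users" are assumptions, and it covers only the NTFS ACL on the root folder, not the share itself.

```powershell
# Added example: root-folder NTFS ACL from the list above, then a read-back check.
# Assumed values (not from the article): $Root and $UserGroup.
$Root      = 'D:\FolderRedir'
$UserGroup = "$env:USERDOMAIN\Domain Users"

# identity, rights, inheritance flags, propagation flags
$entries = @(
    # "This folder, subfolders and files"
    @('BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None'),
    @('NT AUTHORITY\SYSTEM',    'FullControl', 'ContainerInherit, ObjectInherit', 'None'),
    # "This folder only": users can create their own folder but the ACE is not inherited
    @($UserGroup, 'ReadAndExecute, AppendData', 'None', 'None'),
    # "Subfolders and files only": whoever creates a folder gets Full Control inside it
    @('CREATOR OWNER', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly')
)

New-Item -ItemType Directory -Path $Root -Force | Out-Null

$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, keep no inherited ACEs
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e[0], $e[1], $e[2], $e[3], 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Root -AclObject $acl

# Read the ACL back and flag anything that would let users into each other's folders.
$problems = @()
$check    = Get-Acl -Path $Root
$allowed  = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, AppendData, Synchronize'
if (-not $check.AreAccessRulesProtected) {
    $problems += 'Inheritance from the parent folder is still enabled'
}
foreach ($ace in $check.Access) {
    if ($ace.IdentityReference.Value -ne $UserGroup) { continue }
    if ($ace.InheritanceFlags -ne 'None') {
        $problems += "$UserGroup ACE is inherited by subfolders: $($ace.InheritanceFlags)"
    }
    if (([int]$ace.FileSystemRights -band (-bnot $allowed)) -ne 0) {
        $problems += "$UserGroup has more than Read & Execute + Append: $($ace.FileSystemRights)"
    }
}
if ($problems.Count -eq 0) { 'Root ACL matches the intended layout' } else { $problems }
```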
With the share and NTFS permissions in place, you have to create a Group Policy Object (GPO):
Open the Group Policy Management Console:
Create a new GPO, and give it an informative name, e.g. “GPO_FolderRedir”.
Navigate to “User Configuration – Windows Settings – Folder Redirection”. You now have to decide what you want to redirect. You can redirect all folders, or just a few. “Documents”, “Desktop” and “Favorites” are handy ones to pick if you don’t pick all.
If all your users should be on the same share, you should use the “Basic” setting. If you have different shares for different domain groups you can use the “Advanced” setting.
Set “Root Path” = the share path you created earlier.
On the Settings tab, untick “Grant the users exclusive rights to Documents” if you want domain admins to have access to the redirected folders. If you leave it ticked and the folders have already been created, unticking it later will not give domain admins access to those existing folders. You would have to take ownership of a folder to gain access, and then redirection will not work when the user logs on, because the user has to be the owner.
Now you can link the GPO to an OU (not a Container like “Users”) where the users reside.
When the users log on, the folders are created automatically and the permissions are set correctly. If a user saves, e.g., a Word document to My Documents, it’s saved on the file server.
If you have terminal server users, folder redirection in conjunction with Roaming Profiles is a m.u.s.t!
(even though Manchester City bought a Champions League place)