Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 2 of this series, I’ll discuss setting up the shared folder and permissions you’ll need on your file server.
Before you set up Group Policy for Folder Redirection, you need a properly configured file server. In my examples, I’ll be using Windows Server 2008 R2, but earlier versions will have the same settings, more or less.
The first decision you’ll need to make is on the share name. My preference is typically to use “Users” since we’ll be redirecting user folders. As an added step, you can make this a hidden share (by adding a $ to the end of the share name) if you think that is necessary for your file server. It is fairly easy for users to discover where their folders are being redirected. Personally, I’m not a big fan of hiding shares unless they are being used in DFS or there is another good reason to hide them; but, that is typically a personal (or organizational) preference.
Starting with the Sharing tab, you’ll want to share the folder by clicking the Advanced Sharing button. Click the “Share this folder” checkbox and the share name should fill in automatically. Caching should default to “Only the files and programs that users specify are available offline.” Click the Permissions tab. In Permissions, you can probably check the Full Control checkbox and click OK, but make sure that works for your environment. If you provision Guest accounts or have users that don’t need access to the Folder Redirection share, consider limiting the share to Domain Users or smaller groups of users.
The easiest method for provisioning new folders for users is to allow the logon process to create all of the folders automatically as they are redirected to the file server. To do this, you’ll need to set the file permissions so that users can create folders, but not access the folders of other users. This can all be done in the GUI, but I prefer using the icacls.exe utility to set the file permissions for something like this so I can be sure I don’t miss something. Here are the commands you’ll need:
icacls.exe C:\Shares\Users /inheritance:d
This removes inheritance on the folder and copies the existing permissions. We want to do this for two reasons. First, any permission changes to the volume or top-level folder would otherwise propagate down to your shared folder, which we don’t want. Second, the default file permissions give “Users” access to read everything in the folder, and we don’t want that either.
icacls.exe C:\Shares\Users /remove:g Users
Remove “Users” access to the folder so that users can’t get nosey and go through other users’ files.
icacls.exe C:\Shares\Users /grant Everyone:(x,ra,ad)
Give “Everyone” execute/traverse (x), read attributes (ra), and append data/add subdirectory (ad). After running the command, your permissions should look like this:
- Administrators (Full Control) – This folder, sub-folders, and files
- SYSTEM (Full Control) – This folder, sub-folders, and files
- CREATOR OWNER (Full Control) – Sub-folders, and files
- Everyone (Special – Traverse Folder/Execute File, Read Attributes, Create Folders/Append Data) – This folder only
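One way to confirm the result from PowerShell, as an added example that is not part of the original post: it reads the ACL on the article's example path and warns about anything that differs from the list above. The variable names and the use of well-known SIDs instead of account names are choices made for this example.

```powershell
# Added example: compare the share root's ACL with the state the article expects.
# C:\Shares\Users is the article's example path; change it for your server.
$Path = 'C:\Shares\Users'

# Well-known SIDs, so the check does not depend on localized account names.
$SidEveryone = 'S-1-1-0'        # Everyone
$SidUsers    = 'S-1-5-32-545'   # BUILTIN\Users

# Rights granted by (x,ra,ad). Synchronize may also be set on the ACE; ignore it.
$Rights   = [System.Security.AccessControl.FileSystemRights]
$expected = [int]($Rights::ExecuteFile -bor $Rights::ReadAttributes -bor $Rights::AppendData)
$syncMask = -bnot [int]($Rights::Synchronize)

$acl      = Get-Acl -LiteralPath $Path
$findings = @()

# /inheritance:d should leave the folder protected from parent ACL changes.
if (-not $acl.AreAccessRulesProtected) {
    $findings += 'Inheritance is still enabled on the share root.'
}

# Explicit and inherited rules, with identities translated to SIDs.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$everyoneSeen = $false
foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $sid = $rule.IdentityReference.Value

    # /remove:g Users should have left no allow ACE for BUILTIN\Users.
    if ($sid -eq $SidUsers) {
        $findings += "BUILTIN\Users still has access: $($rule.FileSystemRights)"
    }
    if ($sid -eq $SidEveryone) {
        $everyoneSeen = $true
        $actual = [int]$rule.FileSystemRights -band $syncMask
        if ($actual -ne $expected) {
            $findings += "Everyone has unexpected rights: $($rule.FileSystemRights)"
        }
        # The grant must apply to this folder only, not to sub-folders or files.
        if ($rule.InheritanceFlags -ne 'None') {
            $findings += 'Everyone ACE is inherited by child objects; expected this folder only.'
        }
    }
}
if (-not $everyoneSeen) { $findings += 'No allow ACE for Everyone was found.' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "$Path matches the expected permissions." }
```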
In my next post I will discuss folder permissions.