
Folder Redirection – Part 2: Setting up your file server

Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 2 of this series, I’ll discuss setting up the shared folder and permissions you’ll need on your file server.

By Kyle Beckman - Wed, May 2, 2012 - 10 comments

Kyle Beckman works as a systems administrator in Higher Education in the Southeast United States. He is an MCSE and specializes in Group Policy, Windows Server, and client support.


Before you set up Group Policy for Folder Redirection, you need a properly configured file server. In my examples, I’ll be using Windows Server 2008 R2, but earlier versions will have the same settings, more or less.

The first decision you’ll need to make is on the share name. My preference is typically to use “Users” since we’ll be redirecting user folders. As an added step, you can make this a hidden share (by adding a $ to the end of the share name) if you think that is necessary for your file server. Keep in mind that it is fairly easy for users to discover where their folders are being redirected. Personally, I’m not a big fan of hiding shares unless they are being used in DFS or there is another good reason to hide them, but that is typically a personal (or organizational) preference.

Starting with the Sharing tab, you’ll want to share the folder by clicking the Advanced Sharing button. Click the “Share this folder” checkbox and the share name should fill in automatically. Caching should default to “Only the files and programs that users specify are available offline.” Click the Permissions tab. In Permissions, you can probably check the Full Control checkbox and click OK, but make sure that works for your environment. If you provision Guest accounts or have users that don’t need access to the Folder Redirection share, consider limiting the share to Domain Users or smaller groups of users.

[Screenshots: Folder Redirection share properties and share permissions]

The easiest method for provisioning new folders for users is to allow the logon process to create all of the folders automatically as they are redirected to the file server. To do this, you’ll need to set the file permissions so that users can create folders, but not access the folders of other users. This can all be done in the GUI, but I prefer using the icacls.exe utility to set the file permissions for something like this so I can be sure I don’t miss something. Here are the commands you’ll need:
icacls.exe C:\Shares\Users /inheritance:d
This removes inheritance on the folder and copies the existing permissions. We want to do this for two reasons. First, any permission changes to the volume or top-level folder would otherwise propagate down to your shared folder, which we don’t want. Second, the default file permissions give “Users” access to read everything in the folder, and we don’t want that either.
icacls.exe C:\Shares\Users /remove:g Users
This removes “Users” access to the folder so that users can’t get nosy and go through other users’ files.
icacls.exe C:\Shares\Users /grant Everyone:(x,ra,ad)

This gives “Everyone” execute/traverse (x), read attributes (ra), and append data/add subdirectory (ad). After running the command, your permissions should look like this:

  • Administrators (Full Control) – This folder, sub-folders, and files
  • SYSTEM (Full Control) – This folder, sub-folders, and files
  • CREATOR OWNER (Full Control) – Sub-folders, and files
  • Everyone (Special – Traverse Folder/Execute File, Read Attributes, Create Folders/Append Data) – This folder only

[Screenshot: Folder Redirection file permissions]
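
One way to check the result on the file server, as an added example that is not part of the original article. The function name `Test-RedirectionRootAcl` is hypothetical, and the script assumes the article's path `C:\Shares\Users` and an elevated PowerShell session. It goes slightly beyond the list above by flagging any non-administrative entry that inherits into users' folders or carries rights other than x, ra and ad.

```powershell
# Added example (not from the article): audit the redirection root's ACL.
function Test-RedirectionRootAcl {              # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)

    # Well-known SIDs, so the check does not depend on localized account names.
    $trusted = @{
        'S-1-5-32-544' = 'BUILTIN\Administrators'
        'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
        'S-1-3-0'      = 'CREATOR OWNER'
    }
    # The article's x, ra, ad. Synchronize is tolerated too (assumption:
    # it grants no access to data on its own).
    $allowed = [int][System.Security.AccessControl.FileSystemRights]'ExecuteFile, ReadAttributes, AppendData, Synchronize'

    $acl = Get-Acl -Path $Path
    $findings = @()

    # /inheritance:d should have protected the ACL from the parent folder.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is enabled: parent ACL changes propagate to this folder.'
    }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted.ContainsKey($sid)) { continue }

        # Anything inheritable here also applies inside every user's folder.
        if ($ace.InheritanceFlags -ne 'None') {
            $findings += "$sid : inheritable ACE ($($ace.FileSystemRights)), expected 'This folder only'."
        }
        # Rights beyond traverse / read attributes / create folders.
        $extra = [int]$ace.FileSystemRights -band (-bnot $allowed)
        if ($extra -ne 0) {
            $findings += ('{0} : unexpected rights, mask 0x{1:X8}.' -f $sid, $extra)
        }
    }
    $findings
}

$result = @(Test-RedirectionRootAcl -Path 'C:\Shares\Users')
if ($result.Count -gt 0) { $result } else { 'No excess permissions found on the root folder.' }
```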

In my next post I will discuss folder permissions.


10 Comments

  1. wale89 says:

    Thanks so much Kyle for this excellent post. However, I would like to make sure about icacls.exe before I test it out.

    In order to achieve all of the secure permissions that you have explained, basically, we have to execute these 3 command lines at the command prompt.

    > icacls.exe C:\Shares\Users /inheritance:d
    > icacls.exe C:\Shares\Users /remove:g Users
    > icacls.exe C:\Shares\Users /grant Everyone:(x,ra,ad)

    Is it right Kyle? Thanks so much.

  2. Kyle says:

    I wrote this article several months ago… So, I’ll have to refer you (and anyone reading the comments) back to the content of the article for the exact commands. The commands and permissions listed are a good starting point for most people; but, the needs of your customers/organization may require some tweaks. You can always try out the commands on a test share to see if they fit your needs.

  3. wale89 says:

    Thanks for the reply Kyle.
    Just want to ask for your opinion about this scenario. Let’s say a shared folder called “FolderRedirect” has been created and already contains a bunch of users' document redirection data. However, when checked, the permissions are somehow screwed up and do not follow the correct permissions.
    If, let's say, “FolderRedirect” is configured back according to the correct permissions, will it affect users' access to their document data? Or can it be assumed to be working fine since it follows the correct settings? Perhaps you have experienced this kind of problem before in dealing with clients. Really appreciate your help. Thanks

  4. Kyle Beckman says:

    If this is a production server customers are actually using, I would try to duplicate the setup in a test environment with test user accounts first. I don’t ever make changes like that in production… especially for something like a user’s redirected folders because you can potentially lock someone out of their files. You can use icacls to back up (and restore) permissions. I would just make sure to test it first, make yourself detailed instructions, and then make the change during a planned maintenance window in production.

  5. Aleksandar says:

    Hi guys,

    I followed all the steps but I am experiencing some problems.
    Users cannot create new folder, only admins can.
    These are the security settings of the Shared folder.

    C:\Users\gacevski>icacls.exe E:\Korisnici
    E:\Korisnici Everyone:(AD,X,RA)
    CREATOR OWNER:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    NLBNPF\NPF_ALL_USERS:(OI)(CI)(RX,AD)
    NLBNPF\NPF_IT_USERS:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    Thanks,
    Aleksandar

  6. Kyle Beckman says:

    Just glancing at it, I’m not seeing anything obvious. But, it looks like you’re using a non-English version of Windows… so I’m not totally sure what a few of those groups are and I could be missing something. These instructions are based off a new setup with the default drive permissions in place. If you altered the permissions on the root of your E:\ drive, that could be your problem. Also check the permissions on your share to see that your users have Full Control on the share.

    When you say they can’t create folders… how are they trying to create folders? You should be letting the Folder Redirection process create the folders, not the end user. End users will receive an access denied message if they try to enter the folder. However, they should be able to create folders from a command prompt.

  7. Aleksandar says:

    Hi and thanks for your answer…
    I created a test user and it is in the same OU as I am (the admin).
    When I log on to my PC with that test user I can see that the folder is not redirected.
    After that I wanted to test the permissions that the test user has like this:
    md "\\server\e$\share\users\BLABLA" but it says Access is denied.
    It is ENG Win version.
    Updated permissions…

    C:\Users\gacevski>cacls.exe E:\Korisnici
    E:\Korisnici Everyone:(special access:)
    SYNCHRONIZE
    FILE_READ_DATA
    FILE_APPEND_DATA
    FILE_EXECUTE
    FILE_READ_ATTRIBUTES

    CREATOR OWNER:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F

    Share permissions….
    Everyone FULL ACCESS…

    Thanks again,
    Aleksandar

  8. Kyle Beckman says:

    \\server\e$ is an Administrative share; by default, standard users don’t have access to Administrative shares. Can the user create a folder on the Users share you created?

  9. Aleksandar says:

    Hi,

    It looks like I solved the problem… Still testing…
    In the GPO, instead of \\server\E$\Korisnici, I now entered
    \\server\Korisnici$

    That's it :)
    Thanks

  10. Aleksandar says:

    Thanks for your answer that was exactly the problem.

    Regards,
    Aleksandar
