Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 2 of this series, I’ll discuss setting up the shared folder and permissions you’ll need on your file server.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Before you set up Group Policy for Folder Redirection, you need a properly configured file server. In my examples, I’ll be using Windows Server 2008 R2, but earlier versions will have the same settings, more or less.

The first decision you’ll need to make is on the share name. My preference is typically to use “Users” since we’ll be redirecting user folders. As an added step, you can make this a hidden share (by adding a $ to the end of the share name) if you think that is necessary for your file server. It is fairly easy for users to discover where their folders are being redirected. Personally, I’m not a big fan of hiding shares unless they are being used in DFS or there is another good reason to hide them; but, that is typically a personal (or organizational) preference.

Starting with the Sharing tab, you’ll want to share the folder by clicking the Advanced Sharing button. Click the “Share this folder” checkbox and the share name should fill in automatically. Caching should default to “Only the files and programs that users specify are available offline.” Click the Permissions tab. In Permissions, you can probably check the Full Control checkbox and OK, but make sure that works for your environment. If you provision Guest accounts or have users that don’t need access to the Folder Redirection share, consider limiting the share to Domain Users or smaller groups of users.

Folder Redirection - Share PropertiesFolder Redirection - Share Permissions

Share permissions

The easiest method for provisioning new folders for users is to allow the logon process to create all of the folders automatically as they are redirected to the file server. To do this, you’ll need to set the file permissions so that users can create folders, but not access the folders of other users. This can all be done in the GUI, but I prefer using the icacls.exe utility to set the file permissions for something like this so I can be sure I don’t miss something. Here are the commands you’ll need:

This removes inheritance on the folder and copies the existing permissions. We want to do this for two reasons: first off, any permission changes to the volume or top-level folder will propagate down to your shared folder which we don’t want. Second, the default file permissions will give “Users” access to read everything in the folder… we don’t want that either.

Remove “Users” access to the folder so that users can’t get nosey and go through other users’ files.

  • Give “Everyone” execute/traverse (x), read attributes (ra), and append data/add subdirectory (ad). After running the command, your permissions should look like this:
  • Administrators (Full Control) – This folder, sub-folders, and files
  • SYSTEM (Full Control) – This folder, sub-folders, and files
  • CREATOR OWNER (Full Control) – Sub-folders, and files
  • Everyone (Special – Traverse Folder/Execute File, Read Attributes, Create Folders/Append Data) – This folder only

Folder Redirection - File Permissions

File permissions

In my next post I will discuss folder permissions.

Win the monthly 4sysops member prize for IT pros

Share
0

17 Comments
  1. wale89 5 years ago

    Thanks so much Kyle for this excellent post. However, I would like make sure about the icacls.exe before test it out.

    In order to achieve all of the secure permissions that you have explained..basically, we have to execute these 3 command line at command prompt.

    > icacls.exe C:\Shares\Users /inheritance:d
    > icacls.exe C:\Shares\Users /remove:g Users
    > icacls.exe C:\Shares\Users /grant Everyone:(x,ra,ad)

    Is it right Kyle? Thanks so much.

    0

  2. Kyle 5 years ago

    I wrote this article several months ago... So, I'll have to refer you (and anyone reading the comments) back to the content of the article for the exact commands. The commands and permissions listed are a good starting point for most people; but, the needs of your customers/organization may require some tweaks. You can always try out the commands on a test share to see if they fit your needs.

    0

  3. wale89 5 years ago

    Thanks for the reply Kyle.
    Just want to ask for some of your opinion about this scenario. Let's say a shared folder called "FolderRedirect" have been created and already contained bunch of users document redirection data. However, if checked up, the permission is somehow screw up and not follow to the correct permission.
    If lets say "FolderRedirect' is configured back according to the correct permission, will it affect users access on their document's data? Or it can be assumed to be working fine since it followed the correct settings? Perhaps you have experienced this kind of problem before in dealing with the client. Really appreciate your help. Thanks

    0

  4. Kyle Beckman 5 years ago

    If this is a production server customers are actually using, I would try to duplicate the setup in a test environment with test user accounts first. I don't ever make changes like that in production... especially for something like a user's redirected folders because you can potentially lock someone our of their files. You can use icacls to backup (and restore) permissions. I would just make sure to test it first, make yourself detailed instructions, and then make the change during a planned maintenance window in production.

    0

  5. Aleksandar 5 years ago

    Hi guys,

    I followed all the steps but I am experiencing some problems.
    Users cannot create new folder, only admins can.
    These are the security settings of the Shared folder.

    C:\Users\gacevski>icacls.exe E:\Korisnici
    E:\Korisnici Everyone:(AD,X,RA)
    CREATOR OWNER:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    NLBNPF\NPF_ALL_USERS:(OI)(CI)(RX,AD)
    NLBNPF\NPF_IT_USERS:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    Thanks,
    Aleksandar

    0

  6. Kyle Beckman 5 years ago

    Just glancing at it, I'm not seeing anything obvious. But, it looks like you're using a non-English version of Windows... so I'm not totally sure what a few of those groups are and I could be missing something. These instructions are based of a new setup with the default drive permissions in place. If you altered the permissions on the root of your E:\ drive, that could be your problem. Also check the permissions on your share to see that your users have Full Control on the share.

    When you say they can't create folders... how are they trying to create folders? You should be letting the Folder Redirection process create the folders, not the end user. End users will receive an access denied message if they try to enter the folder. However, they should be able to create folders from a command prompt.

    0

  7. Aleksandar 5 years ago

    Hi and thanks for your answer...
    I created a test user and it is in the same OU as I am (the admin)
    When I log on to my PC with that test user I can see that the Folder is not redirected.
    After that I wanted to test the permission that test user have like this:
    md "\\server\e$\share\users\BLABLA" but it says Access is denied.
    It is ENG Win version.
    Updated permissions...

    C:\Users\gacevski>cacls.exe E:\Korisnici
    E:\Korisnici Everyone:(special access:)
    SYNCHRONIZE
    FILE_READ_DATA
    FILE_APPEND_DATA
    FILE_EXECUTE
    FILE_READ_ATTRIBUTES

    CREATOR OWNER:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F

    Share permissions....
    Everyone FULL ACCESS...

    Thanks again,
    Aleksandar

    0

  8. Kyle Beckman 5 years ago

    \\server\e$ is an Administrative share; by default, standard users don't have access to Administrative shares. Can the user create a folder on the Users share you created?

    0

  9. Aleksandar 5 years ago

    Hi,

    It looks like I solved the problem...Still testing...
    In GPO Instead of \\server\E$\Korisnici now I entered
    \\server\Korisnici$

    Thats it 🙂
    Thanks

    0

  10. Aleksandar 5 years ago

    Thanks for your answer that was exactly the problem.

    Regards,
    Aleksandar

    0

  11. Alan Jebakumar 3 years ago

    Kyle,

    Thanks for this nice post. So after the part 2 setup get over, Would the below be the folder permissions?

    E:\>icacls \UserHomes
    \UserHomes BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    CREATOR OWNER:(OI)(CI)(IO)(F)

    Do confirm.

    0

  12. Kyle Beckman 3 years ago

    Alex,

    As this article is almost 3 years old, I don't have the lab setup that was used when the article was written to confirm that setup. I can say from performing this setup... a lot... is that if you follow the article series as it is written, you'll bet set up correctly. Just make sure to test everything before putting it into production.

    0

  13. Alan Jebakumar 3 years ago

    Hey Alex,

    Thanks for the revert. By this setup of permissions, folder redirection works almost perfectly. But still i'd request you to have a check with you lab & confirm.

    0

  14. Wayne 2 years ago

    Hello,

    There is a discrepancy with "CREATOR OWNER". In your article, you say they should have full access, however in the screen shot it clearly says "Special" by the item. Can you please explain?

    Thanks.

    0

  15. Jeremy Hauger 1 year ago

    Just a little FYI, the hidden share using the $ after the name is almost useless as any form of security.  The only operating system that really doesn't show it is Windows.  Any Linux distro will happily show you all of the "hidden" shares.

    0

  16. Tato 8 months ago

    Hello!

    Thanks for this article! I need just an info that I didn't understand reading it: user's folder is auto-create on the first login or I have to create manually?

    Bye

    Tato

    0

    • Tato 8 months ago

      I have computers (W2012r2, W10Pro) and users organized with Organization Unit and applied the policy to the user's OU but it seems doesn't work.

      Manual created the user folder in USERS, then forced the propagation from GP Console, with command gpupdate /force and computer restarted but the redirection doesn't work (Path is local).

      What's wrong?

      Tks in advance

      Tato

      0

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2017

Log in with your credentials

or    

Forgot your details?

Create Account