Before you set up Group Policy for Folder Redirection, you need a properly configured file server. In my examples, I’ll be using Windows Server 2008 R2, but earlier versions will have the same settings, more or less.
The first decision you’ll need to make is on the share name. My preference is typically to use “Users” since we’ll be redirecting user folders. As an added step, you can make this a hidden share (by adding a $ to the end of the share name) if you think that is necessary for your file server. It is fairly easy for users to discover where their folders are being redirected. Personally, I’m not a big fan of hiding shares unless they are being used in DFS or there is another good reason to hide them; but, that is typically a personal (or organizational) preference.
Starting with the Sharing tab, you’ll want to share the folder by clicking the Advanced Sharing button. Click the “Share this folder” checkbox and the share name should fill in automatically. Caching should default to “Only the files and programs that users specify are available offline.” Click the Permissions tab. In Permissions, you can probably check the Full Control checkbox and click OK, but make sure that works for your environment. If you provision Guest accounts or have users that don’t need access to the Folder Redirection share, consider limiting the share to Domain Users or smaller groups of users.
Share permissions
The easiest method for provisioning new folders for users is to allow the logon process to create all of the folders automatically as they are redirected to the file server. To do this, you’ll need to set the file permissions so that users can create folders, but not access the folders of other users. This can all be done in the GUI, but I prefer using the icacls.exe utility to set the file permissions for something like this so I can be sure I don’t miss something. Here are the commands you’ll need:
icacls.exe C:\Shares\Users /inheritance:d
This removes inheritance on the folder and copies the existing permissions. We want to do this for two reasons: first, with inheritance left on, any permission changes to the volume or top-level folder would propagate down to your shared folder, which we don’t want. Second, the default file permissions will give “Users” access to read everything in the folder… we don’t want that either.
icacls.exe C:\Shares\Users /remove:g Users
Remove “Users” access to the folder so that users can’t get nosey and go through other users’ files.
icacls.exe C:\Shares\Users /grant Everyone:(x,ra,ad)
Give “Everyone” execute/traverse (x), read attributes (ra), and append data/add subdirectory (ad). After running the command, your permissions should look like this:
- Administrators (Full Control) – This folder, sub-folders, and files
- SYSTEM (Full Control) – This folder, sub-folders, and files
- CREATOR OWNER (Full Control) – Sub-folders, and files
- Everyone (Special – Traverse Folder/Execute File, Read Attributes, Create Folders/Append Data) – This folder only
File permissions
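As an added example (not part of the original article), the PowerShell function below audits a redirection root against the permission list above: inheritance disabled, no principals beyond the four listed, and Everyone limited to x, ra and ad on this folder only. The function name Test-RedirectionRootAcl is hypothetical, and principals are matched by well-known SID rather than by display name.

```powershell
# Added example: audit a Folder Redirection root against the article's ACL list.
# Test-RedirectionRootAcl is a hypothetical name; the default path is the
# article's C:\Shares\Users.
function Test-RedirectionRootAcl {
    param([string]$Path = 'C:\Shares\Users')

    $R = [System.Security.AccessControl.FileSystemRights]
    # Administrators, SYSTEM, CREATOR OWNER (well-known SIDs)
    $fullControl = @('S-1-5-32-544', 'S-1-5-18', 'S-1-3-0')
    $everyone    = 'S-1-1-0'
    # The most Everyone may hold: x, ra, ad (Synchronize may ride along on the ACE)
    $allowed = [int]($R::Traverse -bor $R::ReadAttributes -bor
                     $R::CreateDirectories -bor $R::Synchronize)

    $acl = Get-Acl -Path $Path
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is still enabled (/inheritance:d not applied)'
    }

    # Ask for SIDs so the check works on any Windows display language
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $seen = @()
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        $seen += $sid
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($sid -eq $everyone) {
            $extra = [int]$rule.FileSystemRights -band (-bnot $allowed)
            if ($extra -ne 0) {
                $findings += ('Everyone holds rights beyond x,ra,ad: 0x{0:X}' -f $extra)
            }
            if ($rule.InheritanceFlags -ne 'None') {
                $findings += 'Everyone ACE propagates to children; it must apply to this folder only'
            }
        }
        elseif ($fullControl -notcontains $sid) {
            $findings += "Unexpected principal on the root: $sid ($($rule.FileSystemRights))"
        }
    }
    foreach ($sid in @($fullControl + $everyone)) {
        if ($seen -notcontains $sid) { $findings += "Expected principal missing: $sid" }
    }
    return $findings
}

Test-RedirectionRootAcl -Path 'C:\Shares\Users'
```

An empty result means the root matches the list; a finding for S-1-5-32-545 (BUILTIN\Users) means the /remove:g step was skipped.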
In my next post I will discuss folder permissions.
Thanks so much Kyle for this excellent post. However, I would like to make sure about icacls.exe before testing it out.
In order to achieve all of the secure permissions that you have explained, basically, we have to execute these 3 command lines at the command prompt.
> icacls.exe C:\Shares\Users /inheritance:d
> icacls.exe C:\Shares\Users /remove:g Users
> icacls.exe C:\Shares\Users /grant Everyone:(x,ra,ad)
Is it right Kyle? Thanks so much.
I wrote this article several months ago… So, I’ll have to refer you (and anyone reading the comments) back to the content of the article for the exact commands. The commands and permissions listed are a good starting point for most people; but, the needs of your customers/organization may require some tweaks. You can always try out the commands on a test share to see if they fit your needs.
Thanks for the reply Kyle.
Just want to ask for your opinion about this scenario. Let’s say a shared folder called “FolderRedirect” has been created and already contains a bunch of users’ document redirection data. However, when checked, the permissions are somehow screwed up and do not follow the correct permissions.
If, let’s say, “FolderRedirect” is configured back according to the correct permissions, will it affect users’ access to their document data? Or can it be assumed to be working fine since it follows the correct settings? Perhaps you have experienced this kind of problem before in dealing with a client. Really appreciate your help. Thanks
If this is a production server customers are actually using, I would try to duplicate the setup in a test environment with test user accounts first. I don’t ever make changes like that in production… especially for something like a user’s redirected folders because you can potentially lock someone out of their files. You can use icacls to back up (and restore) permissions. I would just make sure to test it first, make yourself detailed instructions, and then make the change during a planned maintenance window in production.
Hi guys,
I followed all the steps but I am experiencing some problems.
Users cannot create new folders, only admins can.
These are the security settings of the Shared folder.
C:\Users\gacevski>icacls.exe E:\Korisnici
E:\Korisnici Everyone:(AD,X,RA)
CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
NLBNPF\NPF_ALL_USERS:(OI)(CI)(RX,AD)
NLBNPF\NPF_IT_USERS:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
Thanks,
Aleksandar
Just glancing at it, I’m not seeing anything obvious. But, it looks like you’re using a non-English version of Windows… so I’m not totally sure what a few of those groups are and I could be missing something. These instructions are based off a new setup with the default drive permissions in place. If you altered the permissions on the root of your E:\ drive, that could be your problem. Also check the permissions on your share to see that your users have Full Control on the share.
When you say they can’t create folders… how are they trying to create folders? You should be letting the Folder Redirection process create the folders, not the end user. End users will receive an access denied message if they try to enter the folder. However, they should be able to create folders from a command prompt.
Hi and thanks for your answer…
I created a test user and it is in the same OU as I am (the admin)
When I log on to my PC with that test user I can see that the Folder is not redirected.
After that I wanted to test the permissions that the test user has, like this:
md "\\server\e$\share\users\BLABLA" but it says Access is denied.
It is an ENG Win version.
Updated permissions…
C:\Users\gacevski>cacls.exe E:\Korisnici
E:\Korisnici Everyone:(special access:)
SYNCHRONIZE
FILE_READ_DATA
FILE_APPEND_DATA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
CREATOR OWNER:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
Share permissions….
Everyone FULL ACCESS…
Thanks again,
Aleksandar
\\server\e$ is an Administrative share; by default, standard users don’t have access to Administrative shares. Can the user create a folder on the Users share you created?
Hi,
It looks like I solved the problem… Still testing…
In the GPO, instead of \\server\E$\Korisnici I have now entered
\\server\Korisnici$
That’s it 🙂
Thanks
Thanks for your answer; that was exactly the problem.
Regards,
Aleksandar
Kyle,
Thanks for this nice post. So after the part 2 setup is over, would the below be the folder permissions?
E:\>icacls \UserHomes
\UserHomes BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
Do confirm.
Alex,
As this article is almost 3 years old, I don’t have the lab setup that was used when the article was written to confirm that setup. What I can say from performing this setup… a lot… is that if you follow the article series as it is written, you’ll be set up correctly. Just make sure to test everything before putting it into production.
Hey Alex,
Thanks for the revert. By this setup of permissions, folder redirection works almost perfectly. But still I’d request you to check with your lab & confirm.
Hello,
There is a discrepancy with “CREATOR OWNER”. In your article, you say they should have full access, however in the screenshot it clearly says “Special” by the item. Can you please explain?
Thanks.
Just a little FYI, the hidden share using the $ after the name is almost useless as any form of security. The only operating system that really doesn’t show it is Windows. Any Linux distro will happily show you all of the “hidden” shares.
Hello!
Thanks for this article! I just need one piece of info that I didn’t understand from reading it: is the user’s folder auto-created on the first login, or do I have to create it manually?
Bye
Tato
I have computers (W2012r2, W10Pro) and users organized with Organizational Units and applied the policy to the users’ OU, but it seems it doesn’t work.
I manually created the user folder in USERS, then forced the propagation from the GP Console with the command gpupdate /force and restarted the computer, but the redirection doesn’t work (Path is local).
What’s wrong?
Tks in advance
Tato
Can you differentiate folder redirection and drive mapping in terms of folder sharing?