Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 3 of this series, I’ll discuss the folder permissions we set on the file server along with justifications for those settings and alternatives.

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Latest posts by Kyle Beckman (see all)

Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016

At this point, you may have noticed that we didn’t give our users very many permissions on the Users folder. First and foremost, we made sure that one user can’t see inside of another user’s folder. It’s also pretty obvious that we don’t want to give users the ability to do things like take ownership, delete files/folders, or change permissions, but a few of the other missing permissions take a little more explanation.

First off, you don’t want users to have Create files/write data permissions or they can save files into the root of the shared folder. Since we’re redirecting folders, we only want the users to be able to create folders in the root Users folder, but not individual files. Once the user creates a folder named %username%, the CREATOR OWNER permission will take over (since it is a sub-folder of Users) and will give the account full control over the %username% folder and everything inside of it.

Second, List folder/read data is also missing because we don’t want users to be able to enumerate folders in the share. Here’s what it will look like to the end user if they try to go to \\fileserver\Users:

User can't enumerate folders

However, if the user tries to go to \\fileserver\Users\%username%, he can see all of his folders:

User CAN see inside username folder

To the Administrator, you’ll still be able to see everything on the server:

Redirected folders on server

Why would you want to do it this way? The biggest reason is that we’re giving the user the ability to create folders in the Users share. That means that there is nothing to stop a user from creating a few hundred folders and then saving files into those folders inside of Users. By removing the ability to enumerate folders in the Users share, you eliminate the ability of the user to see what is in the folder. It doesn’t stop the user from being able to create other folders or copy data into them, but it makes is much more difficult to use should they decide to try.

The other big benefit you get is that users can’t see the other user account folders that are stored in the Users share. Can’t I do that with Access Based Enumeration? Yes… Access Based Enumeration will essentially hide any files/folders to a user that he/she doesn’t have permissions to see; but, it doesn’t solve the problem of the user being able to create new folders in your Users share. If you enable Access Based Enumeration and allow users to enumerate the contents of the share, they’ll just see their %username% folder and all of the other folders they’ve created there.

In the next post I will show you how to configure folder redirection in Group Policy.

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads and for free by becoming a member!

Articles in series