1. Folder Redirection
You
redirect users’ folders to provide a centralized location for key
Microsoft Windows XP Professional folders on a server or servers. This
centralized location, called a sharepoint,
provides users with an access point for storing and finding
information, and it provides administrators with an access point for
managing information. The Folder Redirection
node in the Group Policy Object Editor console enables you to redirect
certain special folders to network locations, including file shares in
other forests in which two-way forests trusts have been established.
The Folder Redirection node is located under User Configuration\Windows
Settings in the Group Policy Object Editor console. Special folders are
folders such as My Documents and My Pictures, which are located in a
user’s profile.
Note The default storage location for a user profile is %systemdrive%\Documents and Settings\username, where username
is the user logon name. If the computer was upgraded from Windows NT
4.0, Windows 95, Windows 98, or Windows Millennium Edition (Me), the
profile will be in %systemroot%\Profiles\username. |
Windows Server 2003 allows the following special folders to be redirected:
Application Data Desktop My Documents My Pictures Start Menu
Advantages of Redirecting Folders
The
following benefits pertain to redirecting any folder, but redirecting
My Documents can be particularly advantageous because this folder tends
to become large over time.
Even if a user logs on to various computers on the network, his or her documents are always available. When
roaming user profiles are used, only the network path to the My
Documents folder is part of the roaming user profile, not the My
Documents folder itself. Therefore, its contents do not have to be
copied back and forth between the client computer and the server each
time the user logs on or off, and the process of logging on or off can
be much faster than it was in Microsoft Windows NT 4.0. Offline
File technology provides users with access to My Documents even when
they are not connected to the network and is particularly useful for
people who use portable computers. Data
stored on a shared network server can be backed up as part of routine
system administration. This approach is safer because it requires no
action on the part of the user. The
system administrator can use Group Policy to set disk quotas, limiting
the amount of space taken up by users’ special folders. Data
specific to a user can be redirected to a different hard disk on the
user’s local computer from the hard disk holding the operating system
files. This capability makes the user’s data safer if the operating
system needs to be reinstalled.
Redirecting My Documents to Home Folders
In Windows Server 2003 operating systems, a new feature enables you to redirect My Documents to a user’s home folder.
This option is intended only for organizations that have already
deployed home folders and want to maintain compatibility with their
existing home folder environment. The ability to redirect My Documents
to a user’s home folder requires a Windows XP Professional client and
does not function for Microsoft Windows XP Home Edition, Microsoft
Windows 2000, or Windows NT clients.
When
you redirect My Documents to a user’s home folder, the system assumes
that the administrator has set the following items correctly:
Security Security is not checked and permissions are not changed when you redirect My Documents to a user’s home folder. Ownership
No ownership checks are made when you redirect My Documents to a user’s
home folder. Normally, folder redirection fails if a user is not the
owner of the folder to which he or she is being redirected. Home directory property on the user object
When you redirect My Documents to a user’s home folder, the client
computer finds the path for the user’s home directory from the user
object in Active Directory at logon time. If this path is not set
correctly for the affected users, folder redirection fails.
This
relaxed security environment is why redirecting My Documents to a
user’s home folder is recommended only for organizations that have
already deployed home folders and want to provide backward
compatibility.
Note Do
not redirect My Documents to a home directory location that is subject
to encryption by the Encrypting File System (EFS) because only you or a
domain administrator will be able to decrypt it. The user whose My
Documents folder is redirected there will not be able to decrypt it. |
2. Setting Up Folder Redirection
There are two ways to set up folder redirection:
Redirect special folders to one location for everyone in a site, domain, or OU. Redirect special folders to a location according to security group membership.
To redirect special folders to one location for everyone in the site, domain, or OU, complete the following steps:
1. | Open
a group policy object (GPO) linked to the site, domain, or OU
containing the users whose special folders you want to redirect to a
network location.
| 2. | In
User Configuration, open Windows Settings, and then double-click the
Folder Redirection node to view the folder you want to redirect.
| 3. | Right-click the folder you want to redirect (Application Data, Desktop, My Documents, or Start Menu), and then click Properties.
| 4. | In the Target tab in the Properties dialog box for the redirected folder (shown in Figure 1), in the Setting list, select Basic–Redirect Everyone’s Folder To The Same Location.
Off the Record Windows
Server 2003 has more options for redirecting folders than Windows 2000
Server. In Windows 2000 Server, there are no selectable options for
folder redirection in the target folder location section. Instead,
there is only a text box where you can enter the location of the target
folder. While Windows Server 2003 still offers the same features, in
Windows 2000 you would have to use environment variables such as %username% or %userprofile%
instead of being able to select from a drop-down list. Keep this in
mind if you come across troubleshooting documents written for Windows
2000 folder redirection. |
| 5. | In the Target Folder Location list, select the redirect location you want for this GPO from one of the following options:
Create
A Folder For Each User Under The Root Path (not available for the Start
Menu folder), which creates a folder with the user’s name in the root
path. A new feature for Windows Server 2003 operating systems, folder
redirection automatically appends the user name and the folder name
when the policy is applied. Redirect To
The Following Location, which enables you to redirect the folder to a
location represented by the Uniform Naming Convention (UNC) path in the
form \\servername\sharename or a valid path on the user’s local
computer. Redirect
To The Local Userprofile Location, which enables you to redirect the
folder to the default folder location in the absence of redirection by
an administrator. Redirect To The User’s
Home Directory (available for the My Documents folder only), which
enables you to redirect the user’s My Documents folder to the user’s
home directory.
Note Use
the Redirect To The User’s Home Directory option only if you have
already deployed home directories in your organization. This option is
intended only for organizations that want to maintain compatibility
with their existing home directory environment. |
| 6. | If
you have selected the Create A Folder For Each User Under The Root Path
or Redirect To The Following Location option, enter the path to which
the folder should be redirected, either the UNC path in the form
\\servername\sharename or a valid path on the user’s local computer.
| 7. | Click the Settings tab (shown in Figure 2), and then set each of the following options (keeping in mind that the default settings are recommended):
Grant
The User Exclusive Rights To Special Folder Type (in this example, My
Documents), which allows the user and the local system full rights to
the folder—no one else, not even administrators, will have any rights.
If this setting is disabled, no changes are made to the permissions on
the folder. The permissions that apply by default remain in effect.
This option is enabled by default. Note If
you redirect My Documents to the home folder, domain administrators
have Full Control permission over the user’s My Documents folder, even
if you enable the Grant The User Exclusive Rights To My Documents
option. |
Move
The Contents Of User’s Current Special Folder Type (in this example, My
Documents) To The New Location, which redirects the contents of the
folder to the new location. This option is enabled by default.
Off the Record Errors
concerning Folder Redirection appear in the Application Log in the
Event Viewer on the affected computers. For example, if you attempt to
redirect a user’s desktop and select the option Move The Contents Of
Desktop To The New Location, but you fail to give the user permission
to write to that folder, the user’s desktop will not be redirected. If
that happens, you can find errors in the Event Viewer where the user
logged on indicating that the user didn’t have permission to access the
folder. To solve the issue, either give the user Write permission to
the desktop or clear the Move The Contents Of Desktop To The New
Location check box. |
| 8. | Choose one of the following options in the Policy Removal area (keeping in mind that the default setting is recommended):
Leave
The Folder In The New Location When Policy Is Removed, which leaves the
folder in its new location even when the GPO no longer applies. This
option is enabled by default. Redirect
The Folder Back To The Local Userprofile Location When Policy Is
Removed, which moves the folder back to its local user profile location
when the GPO no longer applies.
| 9. | Choose one of the following options (available for the My Documents folder only) in the My Pictures Preferences area:
Make
My Pictures A Subfolder Of My Documents, which redirects My Pictures
automatically to remain a subfolder of My Documents. This option is
enabled by default and is recommended. Do
Not Specify Administrative Policy For My Pictures, which removes My
Pictures as a subfolder of My Documents and has the user profile
determine the location of My Pictures. With this option, the location
of My Pictures is not dictated by Group Policy and a shortcut takes the
place of the My Pictures folder in My Documents.
| 10. | |
To redirect special folders to a location according to security group membership, complete the following steps:
1. | Open
a GPO linked to the site, domain, or OU containing the users whose
special folders you want to redirect to a network location.
| 2. | In
User Configuration, open Windows Settings, and then double-click the
Folder Redirection node to view the folder you want to redirect.
| 3. | Right-click the folder you want (Application Data, Desktop, My Documents, or Start Menu), and then click Properties.
| 4. | In the Target tab in the Properties dialog box for the folder (shown in Figure 1), in the Setting list, select Advanced–Specify Locations For Various User Groups and then click Add.
| 5. | In the Specify Group And Location dialog box (shown in Figure 3), in the Security Group Membership box, click Browse.
| 6. | In the Select Group dialog box, type the name of the security group for which you want to redirect the folder and then click OK.
| 7. | In
the Specify Group And Location dialog box, in the Target Folder
Location list, select the redirect location you want for this GPO from
one of the following options:
Create
A Folder For Each User Under The Root Path (not available for the Start
Menu folder), which creates a folder with the user’s name in the root
path. A new feature for Windows Server 2003 operating systems, folder
redirection automatically appends the user name and the folder name
when the policy is applied. Redirect To
The Following Location, which enables you to redirect the folder to a
location represented by the UNC path in the form \\servername\sharename
or a valid path on the user’s local computer. Redirect
To The Local Userprofile Location, which enables you to redirect the
folder to the default folder location in the absence of redirection by
an administrator. Redirect To The User’s
Home Directory (available for the My Documents folder only), which
enables you to redirect the user’s My Documents folder to the user’s
home directory.
Note Use
the Redirect To The User’s Home Directory option only if you have
already deployed home directories in your organization. This option is
intended only for organizations that want to maintain compatibility
with their existing home directory environment. |
| 8. | If
you have selected the Create A Folder For Each User Under The Root Path
or Redirect To The Following Location option, enter the path to which
the folder should be redirected, either the UNC path in the form
\\servername\sharename or a valid path on the user’s local computer.
| 9. | In the Specify Group And Location dialog box, click OK.
| 10. | If
you want to redirect folders for members of other security groups,
repeat steps 4 through 9 until all the groups have been entered.
| 11. | Click the Settings tab (shown in Figure 2), and then set each of the following options (keeping in mind that the default settings are recommended):
Grant
The User Exclusive Rights To Special Folder Type, which allows the user
and the local system full rights to the folder—no one else, not even
administrators, will have any rights. If this setting is disabled, no
changes are made to the permissions on the folder. The permissions that
apply by default remain in effect. This option is enabled by default. Note If
you redirect My Documents to the home folder, domain administrators
have Full Control permission over the user’s My Documents folder, even
if you enable the Grant The User Exclusive Rights To My Documents
option. |
Move
The Contents Of User’s Current Special Folder To The New Location,
which redirects the contents of the folder to the new location. This
option is enabled by default.
| 12. | Choose one of the following options in the Policy Removal area (keeping in mind that the default setting is recommended):
Leave
The Folder In The New Location When Policy Is Removed, which leaves the
folder in its new location even when the GPO no longer applies. This
option is enabled by default. Redirect
The Folder Back To The Local Userprofile Location When Policy Is
Removed, which moves the folder back to its local user profile location
when the GPO no longer applies.
| 13. | Choose one of the following options (available for the My Documents folder only) in the My Pictures Preferences area:
Make
My Pictures A Subfolder Of My Documents, which redirects My Pictures
automatically to remain a subfolder of My Documents. This option is
enabled by default and is recommended. Do
Not Specify Administrative Policy For My Pictures, which removes My
Pictures as a subfolder of My Documents and has the user profile
determine the location of My Pictures. With this option, the location
of My Pictures is not dictated by Group Policy and a shortcut takes the
place of the My Pictures folder in My Documents.
| 14. | Click OK.
|
Off the Record If
you redirect a user’s Application Data and the user encrypts files or
folders using the Encrypting File System (EFS), the user might not be
able to decrypt his or her EFS encrypted folders when he or she is not
connected to the network. This occurs because the user’s encryption
keys are stored in the Application Data folder structure. For Windows
2000 Professional systems, network connectivity isn’t an immediate
issue because the encryption keys are stored in memory. However, if the
user restarts, network connectivity can become an issue if it is still
not available. For Windows XP Professional systems, loss of network
connectivity could become an immediate issue for users trying to
decrypt EFS encrypted files because the user’s encryption keys are not
stored in memory. |
|
