Wednesday, January 30, 2013

Folder Redirection with Group Policy



Folder Redirection


Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server.


Part 1: Introduction



If you’re like me, you’ve probably gotten a frantic call from a customer because they have a computer that won’t boot and they have irreplaceable files on their local hard drive. Now add clicking or grinding sounds coming from that computer, and no recent backup. Sound familiar? That combination adds up to a very upset customer and possibly a very expensive bill if you have to get data recovered from that failed hard drive.


The good news is that there is something you can start doing today to combat that problem: Folder Redirection in Group Policy. To get started, you’ll need to be running Active Directory (any functional level), have an available file server, and a management station running the Group Policy Management Console (GPMC). As with most Group Policy work, the latest version of the GPMC is preferred, but most of these settings are available in older versions.


So what exactly does Folder Redirection do? It takes common user profile folders from C:\Users (or C:\Documents and Settings\ in Windows XP), like the Desktop or Documents, and points them at a UNC path on a file server instead of the local hard drive of the computer.


In addition to the immediate benefit of having that data on a file server that is much easier to keep backed up, the user also gets the benefit of being able to go to multiple computers in your organization and still have access to their data. Using the default Windows settings and the default share settings on your file server, these redirected folders will even be made available offline automatically for your users. (Don’t worry, this can be controlled separately in Group Policy, which we’ll cover in a later article.)





Documents Redirected in Windows 7


In the GPMC, the Folder Redirection settings can be found in User Configuration > Policies > Windows Settings > Folder Redirection. If you’re using the GPMC in Windows XP, you can redirect Application Data, Desktop, My Documents, and the Start Menu. In addition, folders in Windows XP that are inside the My Documents folder like My Music and My Pictures will follow My Documents when it is redirected.





GPMC in Windows XP Showing Folder Redirection


If you’re using the GPMC in either Windows 7 or Windows Server 2008 R2, you’ll see that the list of folders that can be redirected is much longer. AppData (Roaming), Desktop, Start Menu, Documents, Pictures, Music, Videos, Favorites, Contacts, Downloads, Links, Searches, and Saved Games can all be redirected in Vista, 7, Server 2008, and Server 2008 R2.





GPMC in Windows 7 Showing Folder Redirection

 PART 2: SETTING UP YOUR FILE SERVER



Before you set up Group Policy for Folder Redirection, you need a properly configured file server. In my examples, I’ll be using Windows Server 2008 R2, but earlier versions will have the same settings, more or less.


The first decision you’ll need to make is the share name. My preference is typically to use “Users” since we’ll be redirecting user folders. As an added step, you can make this a hidden share (by adding a $ to the end of the share name) if you think that is necessary for your file server. Keep in mind that a hidden share is not a security control: the $ only keeps it out of browse lists, anyone who knows or guesses the name can still connect, and it is fairly easy for users to discover where their folders are being redirected (the path is right there in the folder’s properties). Personally, I’m not a big fan of hiding shares unless they are being used in DFS or there is another good reason to hide them; but, that is typically a personal (or organizational) preference.


Starting with the Sharing tab, you’ll want to share the folder by clicking the Advanced Sharing button. Click the “Share this folder” checkbox and the share name should fill in automatically. Caching should default to “Only the files and programs that users specify are available offline.” Click the Permissions tab. The share permissions are only the outer gate; the NTFS permissions we set next do the real access control, so the share just needs to be at least as permissive as they are. Granting Full Control here will usually do, but make sure that works for your environment: prefer Authenticated Users over Everyone, and if you provision Guest accounts or have users that don’t need access to the Folder Redirection share, consider limiting the share to Domain Users or smaller groups of users.





Share permissions


The easiest method for provisioning new folders for users is to allow the logon process to create all of the folders automatically as they are redirected to the file server. To do this, you’ll need to set the file permissions so that users can create folders, but not access the folders of other users. This can all be done in the GUI, but I prefer using the icacls.exe utility to set the file permissions for something like this so I can be sure I don’t miss something. Here are the commands you’ll need:


icacls.exe C:\Shares\Users /inheritance:d


This disables inheritance on the folder and copies the existing (inherited) permissions onto it as explicit ones. We want to do this for two reasons: first, any permission changes to the volume or a top-level folder would otherwise propagate down to your shared folder, which we don’t want. Second, the default permissions give “Users” read access to everything in the folder… we don’t want that either.


icacls.exe C:\Shares\Users /remove:g Users


Remove “Users” access to the folder so that users can’t get nosy and go through other users’ files.


icacls.exe C:\Shares\Users /grant Everyone:(x,ra,ad)
Give “Everyone” execute/traverse (x), read attributes (ra), and append data/add subdirectory (ad) on this folder only (no inheritance flags, so nothing propagates into the user folders). After running these commands, your permissions should look like this:
Administrators (Full Control) – This folder, sub-folders, and files
SYSTEM (Full Control) – This folder, sub-folders, and files
CREATOR OWNER (Full Control) – Sub-folders, and files
Everyone (Special – Traverse Folder/Execute File, Read Attributes, Create Folders/Append Data) – This folder only





File permissions
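Here is the whole Part 2 setup as a script, an example I’m adding here rather than something from the original post. It runs the same icacls commands, adds a couple of checks I would want before handing the share to users (CREATOR OWNER really present, leftover Authenticated Users entries from the volume root removed), creates the share with net.exe, and then verifies the resulting ACL. It assumes the C:\Shares\Users root and Users share name used above; everything else it does is spelled out in the comments.

```powershell
# Added example, not from the original post: provision the Folder Redirection
# root as Part 2 describes, then verify the resulting ACL before any user is
# pointed at it. Assumes the post's C:\Shares\Users root and "Users" share name.
# Run elevated on the file server (Server 2008 R2 or later; net.exe is used
# instead of New-SmbShare, which only exists from Server 2012).
$Root      = 'C:\Shares\Users'
$ShareName = 'Users'

if (-not (Test-Path -LiteralPath $Root)) {
    New-Item -ItemType Directory -Path $Root | Out-Null
}

# 1. Stop inheriting from the volume/parent, keeping a copy of the current ACEs.
icacls.exe $Root /inheritance:d | Out-Null
# 2. Drop the copied BUILTIN\Users ACEs, and the Authenticated Users ACEs that
#    Windows 7 / 2008 R2 volume roots hand down, so users cannot read the root.
#    (/remove:g is harmless if the principal has no ACE.)
icacls.exe $Root /remove:g 'Users' | Out-Null
icacls.exe $Root /remove:g 'Authenticated Users' | Out-Null
# 3. Make sure the CREATOR OWNER ACE the post relies on is present: inherit-only,
#    Full Control, so whoever creates %username% owns and controls it.
icacls.exe $Root /grant 'CREATOR OWNER:(OI)(CI)(IO)(F)' | Out-Null
# 4. Traverse + Read attributes + Create folders on this folder only (no inherit
#    flags). Deliberately no RD (list folder) and no WD (create files), as Part 3
#    explains.
icacls.exe $Root /grant 'Everyone:(X,RA,AD)' | Out-Null

# Share permissions are only the outer gate; NTFS does the real work. Grant the
# share to Authenticated Users rather than Everyone so guest/anonymous sessions
# never get past it, and keep the default manual caching the post describes.
if (-not (Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'")) {
    net share "$ShareName=$Root" "/GRANT:Authenticated Users,FULL" /CACHE:Manual | Out-Null
}

# 5. Verify. Anything not in the expected set is a finding to fix before go-live.
$acl = Get-Acl -LiteralPath $Root
$findings = @()
if (-not $acl.AreAccessRulesProtected) { $findings += 'inheritance is still enabled on the root' }

# icacls may add SYNCHRONIZE to allow ACEs; mask it out before comparing.
$sync           = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
$everyoneWanted = [int][System.Security.AccessControl.FileSystemRights]'Traverse, ReadAttributes, AppendData'

foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value
    if ($ace.AccessControlType -ne 'Allow') { $findings += "deny ACE for $id"; continue }
    switch -Regex ($id) {
        '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM)$' {
            if ($ace.FileSystemRights -ne 'FullControl') { $findings += "$id lacks Full Control" }
        }
        '^CREATOR OWNER$' {
            if ($ace.PropagationFlags -ne 'InheritOnly' -or $ace.FileSystemRights -ne 'FullControl') {
                $findings += 'CREATOR OWNER must be inherit-only Full Control'
            }
        }
        '^Everyone$' {
            $rights = ([int]$ace.FileSystemRights) -band (-bnot $sync)
            if ($rights -ne $everyoneWanted -or $ace.InheritanceFlags -ne 'None') {
                $findings += "Everyone has $($ace.FileSystemRights) (inherit: $($ace.InheritanceFlags)); want X,RA,AD on this folder only"
            }
        }
        default { $findings += "unexpected ACE: $id ($($ace.FileSystemRights))" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "ACL on $Root matches the Part 2 layout." }
```

Run it elevated on the file server before pointing any GPO at the share. If the verification step warns about an unexpected ACE, fix the root ACL first; Folder Redirection will happily create user folders under whatever permissions it finds there.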

PART 3: EXPLANATION OF FOLDER PERMISSIONS



At this point, you may have noticed that we didn’t give our users very many permissions on the Users folder. First and foremost, we made sure that one user can’t see inside of another user’s folder. It’s also pretty obvious that we don’t want to give users the ability to do things like take ownership, delete files/folders, or change permissions, but a few of the other missing permissions take a little more explanation.


First off, you don’t want users to have Create files/write data permissions or they can save files into the root of the shared folder. Since we’re redirecting folders, we only want the users to be able to create folders in the root Users folder, but not individual files. Once the user creates a folder named %username%, the CREATOR OWNER permission will take over (since it is a sub-folder of Users) and will give the account full control over the %username% folder and everything inside of it.


Second, List folder/read data is also missing because we don’t want users to be able to enumerate folders in the share. Here’s what it will look like to the end user if they try to go to \\fileserver\Users:





User can’t enumerate folders


However, if the user tries to go to \\fileserver\Users\%username%, he can see all of his folders:





User CAN see inside username folder


To the Administrator, you’ll still be able to see everything on the server:





Redirected folders on server


Why would you want to do it this way? The biggest reason is that we’re giving the user the ability to create folders in the Users share. That means that there is nothing to stop a user from creating a few hundred folders and then saving files into those folders inside of Users. By removing the ability to enumerate folders in the Users share, you take away the user’s ability to see what is in the folder. It doesn’t stop the user from creating other folders or copying data into them, but it makes them much more difficult to use should they decide to try. Note that the same right also lets a user create a folder named after another user who hasn’t logged on yet, and CREATOR OWNER will then hand the creator Full Control of it. Pre-creating folders for new accounts, or periodically checking that every folder under Users is owned by the account it is named after, closes that gap.


The other big benefit you get is that users can’t see the other user account folders that are stored in the Users share. Can’t I do that with Access Based Enumeration? Yes… Access Based Enumeration will essentially hide any files/folders to a user that he/she doesn’t have permissions to see; but, it doesn’t solve the problem of the user being able to create new folders in your Users share. If you enable Access Based Enumeration and allow users to enumerate the contents of the share, they’ll just see their %username% folder and all of the other folders they’ve created there.
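Because the permissions above deliberately let users create arbitrary folders, it is worth checking the share periodically. The following audit script is an added example (not from the original post); it assumes the C:\Shares\Users root and a NetBIOS domain name of CORP, and reports folders whose owner doesn’t match their name, permissions a user has added by hand, and anything else that shouldn’t be under the root.

```powershell
# Added example, not from the original post: audit the Folder Redirection root
# laid out in Parts 2 and 3. The permissions there let any user create any folder
# name under the root, and CREATOR OWNER then gives the creator Full Control, so
# a folder named for another user, an orphaned folder, or permissions a user has
# granted to colleagues all need to be caught. Assumes the post's C:\Shares\Users
# root and a NetBIOS domain name of CORP (an assumption for the example).
# Run as an administrator on the file server.
$Root   = 'C:\Shares\Users'
$Domain = 'CORP'
$adminPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

$findings = @()
foreach ($item in Get-ChildItem -LiteralPath $Root -Force) {
    if (-not $item.PSIsContainer) {
        # Users have no Create files/Write data on the root, so a file here was
        # put there by an administrator or by permission drift worth explaining.
        $findings += "$($item.FullName): file in the share root"
        continue
    }

    $acl           = Get-Acl -LiteralPath $item.FullName
    $owner         = $acl.Owner
    $expectedOwner = "$Domain\$($item.Name)"

    # Deleted accounts show up as a raw SID (S-1-5-21-...): an orphaned folder.
    # A resolvable name that does not match the folder is someone else's folder,
    # possibly pre-staged before the real user ever logged on.
    if ($owner -ne $expectedOwner) {
        $findings += "$($item.FullName): owned by '$owner', expected '$expectedOwner'"
    }

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if (-not $ace.IsInherited) {
            # Nothing explicit should exist here: Full Control lets a user hand
            # colleagues access to their redirected data, or lock admins out.
            $findings += "$($item.FullName): explicit ACE for $id ($($ace.FileSystemRights))"
        }
        elseif ($adminPrincipals -notcontains $id -and $id -ne $owner -and $id -ne 'CREATOR OWNER') {
            # Inherited ACEs should only be the admin entries from the root plus
            # the owner's own (materialised from CREATOR OWNER). Anything else
            # means the root ACL has drifted from the Part 2 layout.
            $findings += "$($item.FullName): inherited ACE for $id ($($ace.FileSystemRights))"
        }
    }
}

if ($findings.Count -eq 0) { "No findings under $Root." } else { $findings }
```

Schedule it and keep the output; a folder owned by the wrong account on the day after a new hire’s first logon is the pre-staging case described above, and an explicit ACE on a user folder tells you someone has been sharing their redirected data outside the design.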

  PART 4: GROUP POLICY CONFIGURATION


Now that we have a server with a share configured, we’re ready to set up Folder Redirection in Group Policy. Folder Redirection is a User Configuration setting, so you’ll need to either create a new Group Policy Object (GPO) or edit an existing GPO that is linked to an OU containing your users.

 Go to User Configuration > Policies > Windows Settings > Folder Redirection.





GPMC in Windows 7 Showing Folder Redirection


Right-click on one of the folder names and click Properties. In my example, I’ll be using Documents. The first thing you’ll want to set in the Target tab is how you want to redirect folders: Basic or Advanced. If you’re planning on redirecting every user to your new Users share, then Basic will probably do for you. If you have multiple shares for Folder Redirection (possibly for departments or geographical locations), you can choose Advanced and assign specific paths to security groups.





Folder Redirection Properties


Next, you’ll need to determine where you want to redirect the user folders. In most circumstances, you’ll probably want to use “Create a folder for each user under the root path.” However, you can also use a user’s home directory (if you have that attribute configured in AD), a specific path (for labs or common area computers where every user should share certain folders), and the local user profile (useful if you don’t want users reconfiguring folder locations).





Target folder location


Type in the name of your server and the path to your Users share. If you used the option to create a folder for each user under the root path, your folder structure will be in the format \\fileserver\Users\%username%\redirectedfoldername for each Folder Redirection you configure.





Root Path setting


Go to the Settings tab. Uncheck “Grant the user exclusive rights to Documents.” If you leave this checked, the user’s folder is created with permissions that give only that user and SYSTEM access, and even Administrators won’t be able to get at the files without taking ownership and changing the folder permissions. Unchecked, the folder simply inherits the permissions you set on the Users share in Part 2, which already keep other users out while letting administrators (and backups) in.





Settings Tab


Choose the settings for the remaining options that work for your environment and click OK.


That’s it! All you need to do is go to your test system, refresh Group Policy, log off, and log back in. Just be aware that when you run gpupdate, you’ll get a reminder that you need to log out and back in for the changes to take place.
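A quick way to confirm on the test system that the redirection actually took effect, added here as an example rather than taken from the original post. It reads the User Shell Folders key Explorer uses, shows which folders now point at \\fileserver\Users\%username% (the target assumed from the example above), and pulls the Folder Redirection client’s own success/failure events.

```powershell
# Added example, not from the original post: on the test system, after gpupdate
# and a fresh logon, check what the Folder Redirection client actually did rather
# than trusting the GPO. Assumes the post's \\fileserver\Users target; run as the
# test user on Vista / Windows 7 or later.
$Target = "\\fileserver\Users\$env:USERNAME"

# Explorer resolves the known folders from this key; a redirected folder holds a
# UNC path here, a local one still points under %USERPROFILE%.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$knownFolders = @{
    'Personal'    = 'Documents'
    'Desktop'     = 'Desktop'
    'My Pictures' = 'Pictures'
    'My Music'    = 'Music'
    'My Video'    = 'Videos'
    'Favorites'   = 'Favorites'
    'AppData'     = 'AppData (Roaming)'
    '{374DE290-123F-4565-9164-39C4925E467B}' = 'Downloads'   # FOLDERID_Downloads
}

$values = Get-ItemProperty -Path $key
$report = foreach ($valueName in $knownFolders.Keys) {
    $raw = $values.$valueName
    if ($null -eq $raw) { continue }      # folder not present on this OS/profile
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    New-Object PSObject -Property @{
        Folder     = $knownFolders[$valueName]
        Redirected = $path.StartsWith('\\')
        OnTarget   = $path.StartsWith($Target, [StringComparison]::OrdinalIgnoreCase)
        Reachable  = (Test-Path -LiteralPath $path)
        Path       = $path
    }
}
$report | Sort-Object Folder | Format-Table Folder, Redirected, OnTarget, Reachable, Path -AutoSize

# The client logs one event per folder: 501 = redirected successfully,
# 502 = failed (access denied on the share, ownership problems, and so on).
Get-WinEvent -LogName 'Microsoft-Windows-Folder Redirection/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { 501, 502 -contains $_.Id } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

A folder that shows Redirected but not Reachable usually means the share or NTFS permissions from Part 2 are wrong for that user, and the matching 502 event will say so in plain language.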


  PART 5: BEST PRACTICES


After implementing this in several organizations, I’ve discovered several issues that may be of interest if you’re planning on implementing Folder Redirection.
TEST, TEST, TEST


If you’ve read other Group Policy articles I’ve written, you know I harp on testing. Sorry, but way too many people make a change in a production environment before trying it out on test systems first.
COMMUNICATE TO END USERS


If Folder Redirection is new for your users, make sure they know the change is coming. Most users will never notice until they accidentally delete a file or have a machine die and you become their hero.
SLOW LOGONS AFTER IMPLEMENTATION


One of the things you’ll need to communicate to users if you have pre-Windows 7 computers is that they may see slow logons the first time they log into their computers after Folder Redirection is implemented. Not only are everyone’s files being copied to the file server, but the server’s NIC and the network will probably be saturated with file transfer traffic. (Microsoft improved this in Windows 7 with Fast First Logon.)


 BROKEN SHORTCUTS AND RECENT DOCUMENTS


If users have created shortcuts to documents or folders inside of folders that you’re redirecting, they may end up with broken shortcuts. The same is true for the Recent Documents feature in applications like Word and Excel.

 WHICH FOLDERS TO REDIRECT


Decide beforehand what you want to redirect vs. what you really need to redirect. Is it really important to redirect Downloads? How about Saved Games? Everything you redirect is going to have an impact on how much storage you need.


 PLANNING STORAGE


For your shared folder, you’ll want to make sure that the share is on a volume that is large enough to handle the amount of data that your users will be storing. There are a few ways to accomplish this, but most of them depend on your server environment. If your file server is a virtual machine, you can always expand your virtual disk and then expand the volume in Windows if you start to run low on disk space later. In the event you’re using a physical server connected to some kind of Fibre Channel or iSCSI SAN, you can do pretty much the same thing: expand the LUN on the SAN and then expand the volume in Windows.


The amount of storage you’ll need can vary widely depending on the types of users you’re supporting. I’ve seen administrative users (accountants, HR, etc.) use as little as a few hundred megabytes and engineers use hundreds of gigs. Plan accordingly!


 FILE SERVER CONFIGURATION


File server configuration can have an impact on Folder Redirection. Be aware that things like antivirus or an IDS application scanning the share can affect your users’ access. Also be aware of whether File Screening is being used to block file types on your file server, since redirected folders will be subject to those screens too.

 CONSIDER USING DFS


If you’re already using DFS, seriously consider using DFS for your folder redirections. In the event you need to change servers or create a more redundant file server, everything you need is already built in to DFS.

 STOPPING FOLDER REDIRECTION FOR LABS AND KIOSKS


If you have training facilities, kiosks, or other computers where you don’t want user folders being redirected, you’ll need to use loopback processing (Computer Configuration > Policies > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode). In most cases, Replace will be the easiest since it ignores the User Configuration from the user’s own OU and applies only the user settings from the GPOs linked to the computer. In the event you do decide to use Merge, make sure you set a User policy in the computer-side GPO that redirects all of the folders back to the local user profile, since Merge applies the user’s normal policy first and then the computer’s on top of it.

 OFFLINE FILES


In most circumstances, the default settings for Offline files will probably be adequate. In the event you need to change those settings, Offline Files can be configured for the entire computer in the GPMC at Computer Configuration > Policies > Administrative Templates > Network > Offline Files. On the user side, it is located in User Configuration > Policies > Administrative Templates > Network > Offline Files. By default, Redirected Folders will be made available offline. On both sides, you can disable Offline Files by setting “Prevent use of Offline Files” to Enabled.





Folder Redirection – Prevent use of Offline Files
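The two companion GPOs from the previous sections, loopback Replace for kiosks and Offline Files disabled for machines that must not cache redirected data, can be created with the GroupPolicy PowerShell module. This is an added example, not something from the original post; the GPO names and OU paths are made up for it, and the Folder Redirection targets themselves still have to be configured in GPMC as shown in Part 4.

```powershell
# Added example, not from the original post: build the two companion GPOs that
# Part 5 recommends with the GroupPolicy module (Server 2008 R2 / RSAT or later):
#  - a kiosk/lab GPO with loopback processing set to Replace, so the user-side
#    Folder Redirection policy is ignored on those computers, and
#  - a GPO that disallows Offline Files for computers that must not keep a cached
#    copy of redirected data.
# GPO names and OU distinguished names are assumptions for the example. The
# Folder Redirection targets themselves live in the GPO's fdeploy*.ini files in
# SYSVOL, not in the registry, and still have to be set in GPMC as Part 4 shows.
Import-Module GroupPolicy

function Ensure-GpoLinkedTo {
    param([string]$Name, [string]$OrgUnit)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    # Link only if the OU does not already carry a link to this GPO.
    $links = (Get-GPInheritance -Target $OrgUnit).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $Name })) {
        New-GPLink -Name $Name -Target $OrgUnit | Out-Null
    }
    $gpo
}

# Kiosks: Computer Configuration > Policies > Administrative Templates > System >
# Group Policy > "User Group Policy loopback processing mode" (1 = Merge, 2 = Replace)
$kioskGpo = 'Kiosks - Loopback Replace'
Ensure-GpoLinkedTo -Name $kioskGpo -OrgUnit 'OU=Kiosks,OU=Workstations,DC=corp,DC=example' | Out-Null
Set-GPRegistryValue -Name $kioskGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# No cached copies: Computer Configuration > Policies > Administrative Templates >
# Network > Offline Files > "Allow or Disallow use of the Offline Files feature" = Disabled
$noCacheGpo = 'Offline Files - Disallowed'
Ensure-GpoLinkedTo -Name $noCacheGpo -OrgUnit 'OU=Secure,OU=Workstations,DC=corp,DC=example' | Out-Null
Set-GPRegistryValue -Name $noCacheGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\NetCache' `
    -ValueName 'Enabled' -Type DWord -Value 0 | Out-Null

# Read back what was written so the change can be checked before gpupdate on a test machine.
Get-GPRegistryValue -Name $kioskGpo   -Key 'HKLM\Software\Policies\Microsoft\Windows\System'   -ValueName 'UserPolicyMode'
Get-GPRegistryValue -Name $noCacheGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\NetCache' -ValueName 'Enabled'
```

Both GPOs are computer-side, so they belong on the OUs that hold the kiosk or high-security computers, not on the user OUs where the Folder Redirection GPO is linked. Remember the availability trade-off described next: with Offline Files disallowed, a file server outage means the redirected folders disappear for those users until it is back.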

 DISABLED OFFLINE FILES AND SERVER AVAILABILITY


In the event you need to disable Offline Files for security reasons, you’ll want to make sure that your file server is as highly available as possible. If your file server does need to go offline or reboot, just be aware that any logged-on users will immediately lose access to their files until the file server becomes available again.

