
Implementing Folder Redirection

You can use Group Policy to implement Folder Redirection in enterprise environments. The policy settings for configuring Folder Redirection of known folders are found under User Configuration\Policies\Windows Settings\Folder Redirection.

To implement Folder Redirection in an AD DS environment, follow these steps:

  1. Create a share on the file server where you will be storing redirected folders and assign suitable permissions to this share. (See the sidebar titled "Direct from the Source: Securing Redirected Folders" later in this tutorial for information on the permissions needed for this share.)
  2. Create a Folder Redirection Group Policy object (GPO) or use an existing GPO and link it to the organizational unit (OU) that contains the users whose folders you want to redirect.
  3. Open the Folder Redirection GPO in the Group Policy Object Editor and navigate to User Configuration\Policies\Windows Settings\Folder Redirection. Configure each Folder Redirection policy as desired.

Note: Group Policy may take up to two processing cycles to apply GPOs that contain Folder Redirection settings successfully. This occurs because Windows XP and later versions have Fast Logon Optimization, which basically applies Group Policy in the background asynchronously. Some parts of Group Policy, such as Software Installation and Folder Redirection, require Group Policy to apply synchronously, however. This means that on first policy application, Folder Redirection policy is recognized, but because Group Policy is being applied asynchronously at that point, the Folder Redirection policy cannot be processed immediately. Therefore, Group Policy flags synchronous application to occur on the next logon.

Securing Redirected Folders

The following recommendations for secure Folder Redirection permissions are based on Microsoft Knowledge Base article 274443.

When using Basic Redirection, follow these steps to make sure that only the user and the domain administrators have permissions to open a particular redirected folder:

  1. Select a central location in your environment where you want to store Folder Redirection and then share this folder. This example uses FLDREDIR.
  2. Set Share Permissions for the Authenticated Users group to Full Control.
  3. Use the following settings for NTFS Permissions:
    • CREATOR OWNER - Full Control (Apply to: Subfolders And Files Only)
    • System - Full Control (Apply to: This Folder, Subfolders, And Files)
    • Domain Admins - Full Control (Apply to: This Folder, Subfolders, And Files) (This is optional and is needed only if you require that administrators have full control.)
    • Authenticated Users - Create Folder/Append Data (Apply to: This Folder Only)
    • Authenticated Users - List Folder/Read Data (Apply to: This Folder Only)
    • Authenticated Users - Read Attributes (Apply to: This Folder Only)
    • Authenticated Users - Traverse Folder/Execute File (Apply to: This Folder Only)
  4. Use the option Create A Folder For Each User under the redirection path or the option Redirect To The Following Location and use a path similar to \\Server\FLDREDIR\%Username% to create a folder under the shared folder, FLDREDIR.

When using Advanced Redirection, follow these steps:

  1. Select a central location in your environment where you want to store Folder Redirection and then share this folder. This example uses FLDREDIR.
  2. Set Share Permissions for the Authenticated Users group to Full Control.
  3. Use the following settings for NTFS Permissions:
    • CREATOR OWNER - Full Control (Apply to: Subfolders And Files Only)
    • System - Full Control (Apply to: This Folder, Subfolders, And Files)
    • Domain Admins - Full Control (Apply to: This Folder, Subfolders, And Files) (This option is required only if you want administrators to have full control.)
    • <each group listed in policy> - Create Folder/Append Data (Apply to: This Folder Only)
    • <each group listed in policy> - List Folder/Read Data (Apply to: This Folder Only)
    • <each group listed in policy> - Read Attributes (Apply to: This Folder Only)
    • <each group listed in policy> - Traverse Folder/Execute File (Apply to: This Folder Only)
  4. Use the option Create A Folder For Each User under the redirection path or use the option Redirect To The Following Location and use a path similar to \\Server\FLDREDIR\%Username% to create a folder under the shared folder, FLDREDIR.

When using advanced Folder Redirection policies, you must complete the last four steps in the preceding list for each group listed in the policy. Most likely, the user will belong to only one of these groups, but for the user folder to be created properly, the access control lists (ACLs) on the resource must account for all the groups listed in the Folder Redirection settings. Additionally, one hopes that the administrator will use Group Policy filtering to ensure that only the users listed in the Folder Redirection policy settings actually apply the policy. Otherwise, it's just a waste of time because the user will try to apply the policy, but Folder Redirection will fail because the user is not a member of any of the groups within the policy. This creates a false error condition in the event log, but it's actually a configuration issue.
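
The NTFS permissions from step 3 of both lists, applied to the root folder with PowerShell and then checked. This is an added example, not part of the original tutorial or the Knowledge Base article. The path D:\FLDREDIR, the domain name EXAMPLE and the group names in the comments are assumed placeholders, and the folder is assumed to be newly created, so that all of its existing entries are inherited.

```powershell
# Added example; $Root, $Domain and $Principals are assumed values.
# Run elevated on the file server, as the administrator who created the folder.
$Root       = 'D:\FLDREDIR'     # local path behind the FLDREDIR share (assumed)
$Domain     = 'EXAMPLE'         # placeholder NetBIOS domain name
# Basic Redirection: Authenticated Users. Advanced Redirection: list every
# group named in the policy instead, e.g. 'EXAMPLE\Sales', 'EXAMPLE\Finance'.
$Principals = @('NT AUTHORITY\Authenticated Users')

function New-Rule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $Root
# Stop inheriting from the parent folder and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

$all = 'ContainerInherit,ObjectInherit'
# CREATOR OWNER: Subfolders And Files Only (inherit-only entry).
$acl.AddAccessRule((New-Rule 'CREATOR OWNER' 'FullControl' $all 'InheritOnly'))
# System and (optional) Domain Admins: This Folder, Subfolders, And Files.
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' $all 'None'))
$acl.AddAccessRule((New-Rule "$Domain\Domain Admins" 'FullControl' $all 'None'))
# The four "This Folder Only" rights, combined into one entry per principal:
# Create Folder/Append Data, List Folder/Read Data, Read Attributes,
# Traverse Folder/Execute File.
$rootOnly = 'AppendData,ListDirectory,ReadAttributes,Traverse'
foreach ($p in $Principals) {
    $acl.AddAccessRule((New-Rule $p $rootOnly 'None' 'None'))
}
Set-Acl -Path $Root -AclObject $acl

# Check: only CREATOR OWNER, SYSTEM and Domain Admins may have entries that
# flow down to the per-user subfolders. Any other inheritable entry would give
# that principal access inside every user's redirected folder.
$allowed = 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM', "$Domain\Domain Admins"
$leaks = (Get-Acl -Path $Root).Access | Where-Object {
    $_.InheritanceFlags -ne 'None' -and $allowed -notcontains $_.IdentityReference.Value
}
if ($leaks) {
    $leaks | Format-Table IdentityReference, FileSystemRights, InheritanceFlags
} else {
    "No unexpected inheritable entries on $Root"
}
```

Remove the Domain Admins line if administrators should not have full control; the check then reports any Domain Admins entry that is still present.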
