Windows 7 / Security and Privacy

Managing User Data

It is important that users have access to the business data, software code, or accounting data on the network. They need access to the data to get their work done, and the organization needs to be operational 24 hours a day, seven days a week. Managing user data using folder redirection, group policy, offline files, and synchronization can help increase the network reliability and the availability of data. It can also reduce the time it takes to restore data in the event of hardware or software failures.

You want to make access to the data that each user and group requires invisible and seamless, and at the same time provide the most efficient process for restoring the data in case of a failure. Managing user data for fault tolerance and to reduce the amount of administrative load is accomplished using the IntelliMirror technology. This technology allows users to have their data available to them regardless of which operating system and computer they log on to. Using a combination of folder redirection, offline files, group policy, and synchronization, user data can be made available efficiently and reliably.

Using Folder Redirection

One useful approach to managing user data is folder redirection. In this process, the administrator uses group policy to configure where on the network the user's data, for example the Documents folder, is saved. This data is synchronized between the network storage site and the local copies in the background. This allows the user to change machines or to work offline and always have the same data available.

Using Group Policy, the ways in which you can redirect folders depend on the operating system. For Windows Server 2003, Windows XP Professional, and earlier releases of Windows, the special folders you can centrally manage are Application Data, Start Menu, Desktop, My Documents, and My Pictures. For Windows Vista and Windows Server 2008, the special folders you can manage are AppData(Roaming), Desktop, Start Menu, Documents, Pictures, Music, Videos, Favorites, Contacts, Downloads, Links, Searches, and Saved Games.

Before configuring the policy, however, you must first create a share to hold the user data. Create the share on a file server and configure the share so that the special group Everyone has the List Contents, Read, and Write permissions to it. After you do this, you can configure Group Policy settings in order to implement folder redirection.

Note:
Are you wondering what happens if the user's computer fails and folder redirection is in effect? Because the data is stored on the network server, if the user's local computer has a disk failure, the network-stored data will not be lost. This data can be accessed from a different machine or from the original machine after it is rebuilt.

Folder redirection for domain users can be set in the domain policy or at an OU level. In the GPMC, right-click the GPO for the site, domain, or organizational unit you want to work with and then select Edit. This opens the Group Policy Management Editor for the GPO. In the policy editor, expand the following nodes: User Configuration, Windows Settings, and then select Folder Redirection. The folders that can be redirected are listed separately. This allows you to configure redirection of each folder separately.

In the Group Policy Management Editor, right-click the folder you want to redirect, and then select Properties. The default tab for the Properties dialog box is the Target tab. The Setting option of this tab provides three choices for configuring how folder redirection behaves. You can select from the following choices:

  • Not Configured: Use this setting to disable redirection of the selected folder.
  • Basic-Redirect Everyone's Folder To The Same Location: Use this setting to designate one location where all the related folders for users will be redirected. This would normally be a share on a server that is part of the daily backup schedule. The redirected folder data would then be available in the event of a disk crash. In most cases, the individual user folders will then be a subfolder of the designated folder. For example, if you wanted the Documents folders for all users to be redirected to \\CorpSvr15\UserData, this folder would contain subfolders for each domain user, and the user's Documents data would be stored in the appropriate subfolder.
  • Advanced-Specify Locations For Various User Groups: Use this setting if you want to set different user data locations for various groups. If you select this option, you can set an alternative target folder location for each group. Depending on the size of your network and domain, and its business model, this may be beneficial. You could, for example, set different folders for the Sales, Engineering, and Customer Service groups.

Note:
Remember, the group policy you are working with applies only to user accounts that are in the container for which you are configuring Group Policy. So if you set a redirection policy for a user account that isn't defined in the domain or OU you are working with, the user's data will not be redirected.

If you choose Basic redirection, the Target tab is updated and you have the following options:

  • Redirect To The User's Home Directory: This setting applies only to redirection of a user's Documents folder. If you have configured the user's home folder in their account properties, you can use this setting to redirect the Documents folder to the home folder. Use this setting only if the home folder has already been created.
  • Create A Folder For Each User Under The Root Path: This is a common setting. It appends the user's name to the file share created on a file server, allowing a folder to be created automatically under the file share root path for each user. The folder name is based on the %UserName% variable. This option is not available with redirection of the Start Menu folder.
  • Redirect To The Following Location: This setting allows you to specify a root path to a file share and folder location for each user. If you add %UserName% to the path, you can create individual folders for each user as in the previous option. If you do not include a user-specific environment variable, all the users are redirected to the same folder.
  • Redirect To The Local User Profile Location: This setting causes the default location of the user's profile to be used as the location for the user data. This is the default configuration if no redirection policies are enabled. If you use this option, the folders are not redirected to a network share and you essentially undo folder redirection. This option is not available with redirection of the Start Menu folder.
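
The share described earlier grants Everyone write access at its root, so it is worth confirming that the per-user subfolders created under it (for example under \\CorpSvr15\UserData) are not themselves open to broad groups. The following PowerShell audit is an added example, not part of the original text; it assumes that root path, a hypothetical helper named Get-BroadAccessEntry, and that Everyone, Authenticated Users, and BUILTIN\Users are the groups to flag.

```powershell
# Added example: list per-user subfolders of a folder redirection root that
# grant access to broad groups. The root path is the example share from the
# text; change it for your environment.
param(
    [string]$RootPath = '\\CorpSvr15\UserData'
)

# Well-known SIDs (assumed set of "broad" groups to flag):
# Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Hypothetical helper: returns one object per Allow ACE held by a broad group.
function Get-BroadAccessEntry {
    param([string]$Path)

    $acl = Get-Acl -Path $Path
    # Ask for SIDs rather than names so localized group names do not matter.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $ace.IdentityReference.Value) {
            New-Object PSObject -Property @{
                Folder    = $Path
                Principal = $ace.IdentityReference.Translate(
                                [System.Security.Principal.NTAccount]).Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Each immediate subfolder of the root corresponds to one redirected user.
Get-ChildItem -LiteralPath $RootPath |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-BroadAccessEntry -Path $_.FullName } |
    Sort-Object Folder |
    Format-Table Folder, Principal, Rights, Inherited -AutoSize
```

Run it from an account that can read the ACL of every subfolder. Rows with Inherited set to True trace back to the permissions on the share root rather than to the subfolder itself.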

If you choose Advanced redirection, the Target tab is updated so that you can define different redirection settings for different groups of users. Click Add to display the Specify Group And Location dialog box.

In the Specify Group And Location dialog box, click Browse to display the Select Group dialog box. Type the name of a group account in the selected container, and then click Check Names. When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined. When you click OK, the group is added to the Security Group Membership list in the Specify Group And Location dialog box. You now have the same options for setting the Target Folder Location and the Root Path as you have with Basic redirection. When you are finished configuring these options, click OK. You can then repeat this process to configure the redirection of the selected folder for other groups.
