Configuring Windows Profile Folder Redirections: Difference between revisions

From SambaWiki
(Rewrote documentation. Added more details and missing steps. The procedures are now clearer what to set.)
Line 1: Line 1:
= Introduction =
__TOC__


Using the default settings, roaming Windows user profiles include folder that can contain a large amount of data, such as <code>Documents</code>, <code>Downloads</code>, and <code>Pictures</code>. When logging in, the data is transferred from the Server to the domain member and back when the user logs out. Folder redirection enables you to redirect paths of folders outside of the Windows user profile to reduce the size of the profile.
= Configure folder redirection in an AD environment =


Because the user profile can contain sensitive information, you should redirect the folder to a secured area that only the profile owner can access, such as the [[User Home Folders|user's home folder]].
To keep the following guide simple, we setup the policy in the „Default Domain Policy“. If you have different requirements, adapt it to your needs.


* Open the Group Policy Management console.



* Right-click to your AD domain and select "Create a GPO in this domain, and Link it here".


= Setting Folder Redirections =

== In an Active Directory ==

Using group policies, you can assign settings to organizational units (OU) or to a domain. This enables you, for example, to automatically set folder redirections to all users in the OU or domain. If you move the account to a different OU or domain, the settings are removed or updated. Using this way, you do not have to set the redirection manually for each user account.



=== Using Group Policy Folder Redirection ===

Using a group policy object (GPO) is the preferred way to set folder redirections.

{{Imbox
| type = note
| text = Windows does not support dynamically-generated user home folders provided by the Samba <code>[homes]</code> section. If you used this way to provide home folders, set up a group policy preference instead. See [[#Using_a_Group_Policy_Preference|Using a Group Policy Preference]].
}}

To create a group policy object (GPO) for the domain that automatically redirects profile folders to user's home folder:

* Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain <code>Administrator</code> account.

* Open the <code>Group Policy Management Console</code>. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see [[Installing RSAT|Installing RSAT]].

* Right-click to your AD domain and select <code>Create a GPO in this domain, and Link it here</code>.


:[[Image:GPMC_Create_GPO.png]]
:[[Image:GPMC_Create_GPO.png]]


* Enter a name for the GPO, such as "Folder redirection". The new GPO is shown below the domain entry.
* Enter a name for the GPO, such as <code>Folder Redirections</code>. The new GPO is shown below the domain entry.


* Right-click to the newly-created GPO and select "Edit" to open the "Group Policy Management Editor".
* Right-click to the newly-created GPO and select <code>Edit</code> to open the <code>Group Policy Management Editor</code>.


* Navigate to the <code>User Configuration</code> &rarr; <code>Policies</code> &rarr; <code>Windows Settings</code> &rarr; <code>Folder Redirection</code> entry.
* Navigate to „User Configuration“ / „Policies“ / „Windows Settings“ / „Folder Redirection“, right-click to „Documents“ and choose „Properties“.


* Right-click to the folder to redirect, such as <code>Documents</code>, and select <code>Properties</code>.
* Redirect the folder to your needs and adjust the values on the „Settings“ tab, too.
:[[Image:Folder_Redirection_Documents.png]]


* Set the following:
* In the „Folder redirection“ sub-tree you can redirect other folders, too.
:* On the <code>Target</code> tab:
::* Setting: <code>Basic - Redirect everyone's folder to the same location</code>
::* Target folder location: <code>Redirect to the user's home directory</code>
:* On the <code>Settings</code> tab:
::* Unselect <code>Grant the user exclusive rights.</code>
::* Unselect <code>Move the contents of Documents to the new location.</code>
::* Select <code>Also apply redirection to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.</code>
::* Select <code>Leave the folder in the new location when policy is removed.</code>


::[[Image:GPME_Folder_Redirection_Documents.png]]
* Save the changes by closing the Group Policy Management Editor.


:* Click <code>OK</code>.


* Optionally, redirect other folders in the same way.


* Close the <code>Group Policy Management Editor</code>. The GPOs are automatically saved on the <code>Sysvol</code> share on the domain controller (DC).
== GPO work around for Samba "homes" directive ==


* Close the <code>Group Policy Management Console</code>.
The smb.conf [homes] directive creates an auto share \\SERVER\some_user for the user home directory.

The policy is applied to users in domain at the next log in.







=== Using a Group Policy Preference ===

When you use the Samba <code>[homes]</code> section to dynamically generate user home folders, you must set registry keys using a group policy preference to redirect folders. If you provide home folders using a different share name, see [[#Using Group Policy Folder Redirection|Using Group Policy Folder Redirection]].

To create a group policy preference for the domain that automatically redirects profile folders to user's home folder:

* Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain <code>Administrator</code> account.

* Open the <code>Group Policy Management Console</code>. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see [[Installing RSAT|Installing RSAT]].

* Right-click to your AD domain and select <code>Create a GPO in this domain, and Link it here</code>.

:[[Image:GPMC_Create_GPO.png]]


* Enter a name for the GPO, such as <code>Folder Redirections</code>. The new GPO is shown below the domain entry.
The Vanilla Windows Folder Redirection GPO insists on having the following share/folder structure for the location of user home folders on the server:


* Right-click to the newly-created GPO and select <code>Edit</code> to open the <code>Group Policy Management Editor</code>.
\\SERVER\someshare\some_user


* Navigate to the <code>User Configuration</code> &rarr; <code>Preferences</code> &rarr; <code>Windows Settings</code> entry.
The following steps provide a workaround. (Tested in a Windows 2012 Domain with Windows 7 and 2012 clients)


* Right-click to the <code>Registry</code> entry in the navigation and select <code>New</code> &rarr; <code>Registry Item</code>.
* Open the Group Policy Management Console


* Set the following:
* Completely disable the folder redirection GPO.
:* Action: <code>Replace</code>
:* Hive: <code>HKEY_CURRENT_USER</code>
:* Key Path: <code>Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
:* Value name: For example, to redirect the <code>Documents</code> folder, enter: <code>Personal</code>
:: For a list of other registry keys of folders you can redirect, see the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code> entry in your local Windows registry.
:* Value type: <code>REG_EXPAND_SZ</code>
:* Value data: For example: <code>\\server\%USERNAME%\Documents</code>
:: Windows automatically replaces the <code>%USERNAME%</code> variable with the name of the current user when the policy is applied.


:[[Image:GPME_Folder_Redirection_GP_Preference_Documents.png]]
* Create a new GPO
Expand the folder heirarchy:


* Optionally, redirect other folders in the same way.
User Configuration
Preferences
Windows Settings
Registry


* Close the <code>Group Policy Management Editor</code>. The GPOs are automatically saved on the <code>Sysvol</code> share on the domain controller (DC).


* Close the <code>Group Policy Management Console</code>.
Right click on "Registry" and select "New" then "Registry Item"


The policy is applied to users in domain at the next log in.
* Action: Replace
* Hive: HKEY_CURRENT_USER
* Key path: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* Value name: Personal
* Value type: REG_EXPAND_SZ
* Value data: \\SERVER\%username%\My Documents


Apply changes. Reboot Windows 7 clients.


Note that this does NOT work for XP clients unless they have the GPP extension installed (allegedly)


Screenshot:


[[File:Folder_redirection_via_reg_gpo.png]]






== In an NT4 Domain ==


NT4 policies are only supported by the following Windows versions:
* Windows NT 4.0 - Windows XP
* Windows NT Server 4.0 - Windows Server 2003 R2


To create a folder redirection for the <code>Default User Policy</code> entry:
= In a NT4 domain =


* Log in to a computer using an account that is allowed you to edit NT4 policies, such as the NT4 domain <code>Administrator</code> account.
NT4 policies can only be applied to Windows NT4 up to XP machines. Newer Windows versions only support group policies.


* Open the <code>System Policy Editor</code> (poledit.exe). This application is stored on the Windows Server CD-ROM and part of the MS Office 2000 Resource Kit. For further details, see [http://support.microsoft.com/kb/910203 KB910203].
To keep this guide simple, we set the folder redirection in this example on the default user policy.


* Select <code>Options</code> &rarr; <code>Policy Template</code> and open an <code>*.adm</code> file that contains policies for folder redirection.
* Open the System Policy Editor (poledit.exe).
:[[Image:Poledit_Opening_an_ADM_File.png]]
:You find PolEdit e.g. on your Windows Server CD-ROM or in the Ms Office 2000 Resource Kit (ORK). Please look here for more informations: [http://support.microsoft.com/kb/910203 KB-910203]


* Create a new policy or open an existing one.
* Go to „Options“ / „Policy Template“ and open an ADM file that contains policies for folder redirection (you may download such an ADM file from Novell's website: [http://www.novell.com/coolsolutions/tools/downloads/redirect.zip http://www.novell.com/coolsolutions/tools/downloads/redirect.zip])
:[[Image:Poledit_opening_adm.png]]


* Double-click <code>Default User</code>.
* Create a new policy or open an existing.


* Navigate to the folder redirection. The location depents on the structure of the ADM file you use.
* Double-click on „Default User“.


* Select the folder to redirect and enter the path to the destination. For example, to redirect the <code>Documents</code> folder to <code>H:\My Documents</code>:
* Follow the tree to the folder redirection (the way depends on the ADM file you use).
:[[Image:Poledit_folder_redirection.png]]
:[[Image:Poledit_Folder_Redirection_Documents.png]]


* Optionally, redirect other folders in the same way.
* Set a location where you want to redirect the folder to.


* Click <code>OK</code>
* Redirect other folders too, if necessary.


* Save the policy in the <code>\\''PDC_name''\netlogon\ntconfig.pol</code> file. Note that all domain users must have permissions to read the file.
* Close the „Default User Properties“ window.


The policy is applied to users in domain at the next log in.
* Save the policy to \\PDC\NetLogon\ntconfig.pol (the file must be placed on your PDC's NetLogon share with the name „ntconfig.pol" and should be world-readable).





Revision as of 03:01, 11 March 2017

Introduction

Using the default settings, roaming Windows user profiles include folder that can contain a large amount of data, such as Documents, Downloads, and Pictures. When logging in, the data is transferred from the Server to the domain member and back when the user logs out. Folder redirection enables you to redirect paths of folders outside of the Windows user profile to reduce the size of the profile.

Because the user profile can contain sensitive information, you should redirect the folder to a secured area that only the profile owner can access, such as the user's home folder.



Setting Folder Redirections

In an Active Directory

Using group policies, you can assign settings to organizational units (OU) or to a domain. This enables you, for example, to automatically set folder redirections to all users in the OU or domain. If you move the account to a different OU or domain, the settings are removed or updated. Using this way, you do not have to set the redirection manually for each user account.


Using Group Policy Folder Redirection

Using a group policy object (GPO) is the preferred way to set folder redirections.

To create a group policy object (GPO) for the domain that automatically redirects profile folders to user's home folder:

  • Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain Administrator account.
  • Open the Group Policy Management Console. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
  • Right-click to your AD domain and select Create a GPO in this domain, and Link it here.
GPMC Create GPO.png
  • Enter a name for the GPO, such as Folder Redirections. The new GPO is shown below the domain entry.
  • Right-click to the newly-created GPO and select Edit to open the Group Policy Management Editor.
  • Navigate to the User ConfigurationPoliciesWindows SettingsFolder Redirection entry.
  • Right-click to the folder to redirect, such as Documents, and select Properties.
  • Set the following:
  • On the Target tab:
  • Setting: Basic - Redirect everyone's folder to the same location
  • Target folder location: Redirect to the user's home directory
  • On the Settings tab:
  • Unselect Grant the user exclusive rights.
  • Unselect Move the contents of Documents to the new location.
  • Select Also apply redirection to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.
  • Select Leave the folder in the new location when policy is removed.
GPME Folder Redirection Documents.png
  • Click OK.
  • Optionally, redirect other folders in the same way.
  • Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
  • Close the Group Policy Management Console.

The policy is applied to users in domain at the next log in.




Using a Group Policy Preference

When you use the Samba [homes] section to dynamically generate user home folders, you must set registry keys using a group policy preference to redirect folders. If you provide home folders using a different share name, see Using Group Policy Folder Redirection.

To create a group policy preference for the domain that automatically redirects profile folders to user's home folder:

  • Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain Administrator account.
  • Open the Group Policy Management Console. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
  • Right-click to your AD domain and select Create a GPO in this domain, and Link it here.
GPMC Create GPO.png
  • Enter a name for the GPO, such as Folder Redirections. The new GPO is shown below the domain entry.
  • Right-click to the newly-created GPO and select Edit to open the Group Policy Management Editor.
  • Navigate to the User ConfigurationPreferencesWindows Settings entry.
  • Right-click to the Registry entry in the navigation and select NewRegistry Item.
  • Set the following:
  • Action: Replace
  • Hive: HKEY_CURRENT_USER
  • Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • Value name: For example, to redirect the Documents folder, enter: Personal
For a list of other registry keys of folders you can redirect, see the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders entry in your local Windows registry.
  • Value type: REG_EXPAND_SZ
  • Value data: For example: \\server\%USERNAME%\Documents
Windows automatically replaces the %USERNAME% variable with the name of the current user when the policy is applied.
GPME Folder Redirection GP Preference Documents.png
  • Optionally, redirect other folders in the same way.
  • Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
  • Close the Group Policy Management Console.

The policy is applied to users in domain at the next log in.




In an NT4 Domain

NT4 policies are only supported by the following Windows versions:

  • Windows NT 4.0 - Windows XP
  • Windows NT Server 4.0 - Windows Server 2003 R2

To create a folder redirection for the Default User Policy entry:

  • Log in to a computer using an account that is allowed you to edit NT4 policies, such as the NT4 domain Administrator account.
  • Open the System Policy Editor (poledit.exe). This application is stored on the Windows Server CD-ROM and part of the MS Office 2000 Resource Kit. For further details, see KB910203.
  • Select OptionsPolicy Template and open an *.adm file that contains policies for folder redirection.
Poledit Opening an ADM File.png
  • Create a new policy or open an existing one.
  • Double-click Default User.
  • Navigate to the folder redirection. The location depents on the structure of the ADM file you use.
  • Select the folder to redirect and enter the path to the destination. For example, to redirect the Documents folder to H:\My Documents:
Poledit Folder Redirection Documents.png
  • Optionally, redirect other folders in the same way.
  • Click OK
  • Save the policy in the \\PDC_name\netlogon\ntconfig.pol file. Note that all domain users must have permissions to read the file.

The policy is applied to users in domain at the next log in.