Configuring Windows Profile Folder Redirections: Difference between revisions

From SambaWiki
(Split folder redirection content from the old profile page to a separate one)
 
(→‎Using Group Policy Folder Redirection: Added link to Microsoft support article addressing application log Event ID 502)
(5 intermediate revisions by one other user not shown)
Line 1: Line 1:
= Introduction =
__TOC__


Using the default settings, roaming Windows user profiles include folder that can contain a large amount of data, such as <code>Documents</code>, <code>Downloads</code>, and <code>Pictures</code>. When logging in, the data is transferred from the Server to the domain member and back when the user logs out. Folder redirection enables you to redirect paths of folders outside of the Windows user profile to reduce the size of the profile.
= Configure folder redirection in an AD environment =


Because the user profile can contain sensitive information, you should redirect the folder to a secured area that only the profile owner can access, such as the [[User Home Folders|user's home folder]].
To keep the following guide simple, we setup the policy in the „Default Domain Policy“. If you have different requirements, adapt it to your needs.


* Open the Group Policy Management console.


* Go to „Forest: your.domain“ / „Domains“ / „your.domain“


* Right-click „Default Domain Policy“ and choose „Edit“ to open the Group Policy Management Editor.
:[[Image:Edit_group_policy.png]]


* Navigate to „User Configuration“ / „Policies“ / „Windows Settings“ / „Folder Redirection“, right-click to „Documents“ and choose „Properties“.


= Setting Folder Redirections =
* Redirect the folder to your needs and adjust the values on the „Settings“ tab, too.
:[[Image:Folder_Redirection_Documents.png]]


== In an Active Directory ==
* In the „Folder redirection“ sub-tree you can redirect other folders, too.


Using group policies, you can assign settings to organizational units (OU) or to a domain. This enables you, for example, to automatically set folder redirections to all users in the OU or domain. If you move the account to a different OU or domain, the settings are removed or updated. Using this way, you do not have to set the redirection manually for each user account.
* Save the changes by closing the Group Policy Management Editor.






=== Using Group Policy Folder Redirection ===
== GPO work around for Samba "homes" directive ==


Using a group policy object (GPO) is the preferred way to set folder redirections.
The smb.conf [homes] directive creates an auto share \\SERVER\some_user for the user home directory.


{{Imbox
The Vanilla Windows Folder Redirection GPO insists on having the following share/folder structure for the location of user home folders on the server:
| type = note
| text = Windows does not support dynamically-generated user home folders provided by the Samba <code>[homes]</code> section. If you used this way to provide home folders, set up a group policy preference instead. See [[#Using_a_Group_Policy_Preference|Using a Group Policy Preference]].
}}


To create a group policy object (GPO) for the domain that automatically redirects profile folders to user's home folder:
\\SERVER\someshare\some_user


* Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain <code>Administrator</code> account.
The following steps provide a workaround. (Tested in a Windows 2012 Domain with Windows 7 and 2012 clients)


* Open the Group Policy Management Console
* Open the <code>Group Policy Management Console</code>. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see [[Installing RSAT|Installing RSAT]].


* Right-click to your AD domain and select <code>Create a GPO in this domain, and Link it here</code>.
* Completely disable the folder redirection GPO.


:[[Image:GPMC_Create_GPO.png]]
* Create a new GPO
Expand the folder heirarchy:


* Enter a name for the GPO, such as <code>Folder Redirections</code>. The new GPO is shown below the domain entry.
User Configuration
Preferences
Windows Settings
Registry


* Right-click to the newly-created GPO and select <code>Edit</code> to open the <code>Group Policy Management Editor</code>.


* Navigate to the <code>User Configuration</code> &rarr; <code>Policies</code> &rarr; <code>Windows Settings</code> &rarr; <code>Folder Redirection</code> entry.
Right click on "Registry" and select "New" then "Registry Item"


* Right-click to the folder to redirect, such as <code>Documents</code>, and select <code>Properties</code>.
* Action: Replace
* Hive: HKEY_CURRENT_USER
* Key path: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* Value name: Personal
* Value type: REG_EXPAND_SZ
* Value data: \\SERVER\%username%\My Documents


* Set the following:
Apply changes. Reboot Windows 7 clients.
:* On the <code>Target</code> tab:
::* Setting: <code>Basic - Redirect everyone's folder to the same location</code>
::* Target folder location: <code>Redirect to the user's home directory</code>
:* On the <code>Settings</code> tab:
::* Unselect <code>Grant the user exclusive rights.</code>
::* Unselect <code>Move the contents of Documents to the new location.</code>
::* Select <code>Also apply redirection to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.</code>
::* Select <code>Leave the folder in the new location when policy is removed.</code>
(If you choose to set these options differently and run into problems such as Event ID 502 in the application event log when a user logs in, see [https://support.microsoft.com/en-us/help/2493506/redirecting-the-user-s-documents-folder-to-their-home-directory-fails this Microsoft support article] which boils down to either setting both ''Grant user exclusive'' and ''Also apply to Windows 2000'' or neither of them.)


::[[Image:GPME_Folder_Redirection_Documents.png]]
Note that this does NOT work for XP clients unless they have the GPP extension installed (allegedly)


:* Click <code>OK</code>.
Screenshot:


* Optionally, redirect other folders in the same way.
[[File:Folder_redirection_via_reg_gpo.png]]


* Close the <code>Group Policy Management Editor</code>. The GPOs are automatically saved on the <code>Sysvol</code> share on the domain controller (DC).


* Close the <code>Group Policy Management Console</code>.


The policy is applied to users in domain at the next log in.


=== Using a Group Policy Preference ===


When you use the Samba <code>[homes]</code> section to dynamically generate user home folders, you must set registry keys using a group policy preference to redirect folders. If you provide home folders using a different share name, see [[#Using Group Policy Folder Redirection|Using Group Policy Folder Redirection]].
= In a NT4 domain =


To create a group policy preference for the domain that automatically redirects profile folders to user's home folder:
NT4 policies can only be applied to Windows NT4 up to XP machines. Newer Windows versions only support group policies.


* Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain <code>Administrator</code> account.
To keep this guide simple, we set the folder redirection in this example on the default user policy.


* Open the <code>Group Policy Management Console</code>. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see [[Installing RSAT|Installing RSAT]].
* Open the System Policy Editor (poledit.exe).
:You find PolEdit e.g. on your Windows Server CD-ROM or in the Ms Office 2000 Resource Kit (ORK). Please look here for more informations: [http://support.microsoft.com/kb/910203 KB-910203]


* Right-click to your AD domain and select <code>Create a GPO in this domain, and Link it here</code>.
* Go to „Options“ / „Policy Template“ and open an ADM file that contains policies for folder redirection (you may download such an ADM file from Novell's website: [http://www.novell.com/coolsolutions/tools/downloads/redirect.zip http://www.novell.com/coolsolutions/tools/downloads/redirect.zip])
:[[Image:Poledit_opening_adm.png]]


:[[Image:GPMC_Create_GPO.png]]
* Create a new policy or open an existing.


* Enter a name for the GPO, such as <code>Folder Redirections</code>. The new GPO is shown below the domain entry.
* Double-click on „Default User“.


* Right-click to the newly-created GPO and select <code>Edit</code> to open the <code>Group Policy Management Editor</code>.
* Follow the tree to the folder redirection (the way depends on the ADM file you use).
:[[Image:Poledit_folder_redirection.png]]


* Navigate to the <code>User Configuration</code> &rarr; <code>Preferences</code> &rarr; <code>Windows Settings</code> entry.
* Set a location where you want to redirect the folder to.


* Right-click to the <code>Registry</code> entry in the navigation and select <code>New</code> &rarr; <code>Registry Item</code>.
* Redirect other folders too, if necessary.


* Set the following:
* Close the „Default User Properties“ window.
:* Action: <code>Replace</code>
:* Hive: <code>HKEY_CURRENT_USER</code>
:* Key Path: <code>Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
:* Value name: For example, to redirect the <code>Documents</code> folder, enter: <code>Personal</code>
:: For a list of other registry keys of folders you can redirect, see the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code> entry in your local Windows registry.
:* Value type: <code>REG_EXPAND_SZ</code>
:* Value data: For example: <code>\\server\%USERNAME%\Documents</code>
:: Windows automatically replaces the <code>%USERNAME%</code> variable with the name of the current user when the policy is applied.


:[[Image:GPME_Folder_Redirection_GP_Preference_Documents.png]]
* Save the policy to \\PDC\NetLogon\ntconfig.pol (the file must be placed on your PDC's NetLogon share with the name „ntconfig.pol" and should be world-readable).

* Optionally, redirect other folders in the same way.

* Close the <code>Group Policy Management Editor</code>. The GPOs are automatically saved on the <code>Sysvol</code> share on the domain controller (DC).

* Close the <code>Group Policy Management Console</code>.

The policy is applied to users in domain at the next log in.







== In an NT4 Domain ==

NT4 policies are only supported by the following Windows versions:
* Windows NT 4.0 - Windows XP
* Windows NT Server 4.0 - Windows Server 2003 R2

To create a folder redirection for the <code>Default User Policy</code> entry:

* Log in to a computer using an account that is allowed you to edit NT4 policies, such as the NT4 domain <code>Administrator</code> account.

* Open the <code>System Policy Editor</code> (poledit.exe). This application is stored on the Windows Server CD-ROM and part of the MS Office 2000 Resource Kit. For further details, see [http://support.microsoft.com/kb/910203 KB910203].

* Select <code>Options</code> &rarr; <code>Policy Template</code> and open an <code>*.adm</code> file that contains policies for folder redirection.
:[[Image:Poledit_Opening_an_ADM_File.png]]

* Create a new policy or open an existing one.

* Double-click <code>Default User</code>.

* Navigate to the folder redirection. The location depents on the structure of the ADM file you use.

* Select the folder to redirect and enter the path to the destination. For example, to redirect the <code>Documents</code> folder to <code>H:\My Documents</code>:
:[[Image:Poledit_Folder_Redirection_Documents.png]]

* Optionally, redirect other folders in the same way.

* Click <code>OK</code>

* Save the policy in the <code>\\''PDC_name''\netlogon\ntconfig.pol</code> file. Note that all domain users must have permissions to read the file.

The policy is applied to users in domain at the next log in.





----
[[Category:Active Directory]]
[[Category:NT4 Domains]]
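Review bot: The Settings tab steps in the new "Using Group Policy Folder Redirection" section unselect "Grant the user exclusive rights", yet the introduction asks for a target "that only the profile owner can access", and nothing in the procedure says where that restriction then comes from. Add a sentence stating that the permissions on the user's home folder must already limit access to its owner before the GPO is linked, with a pointer to the User Home Folders page. In the new NT4 text, "depents" should read "depends", and "an account that is allowed you to edit" should read "an account that is allowed to edit".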

Revision as of 19:45, 3 May 2018

Introduction

Using the default settings, roaming Windows user profiles include folders that can contain a large amount of data, such as Documents, Downloads, and Pictures. When the user logs in, the data is transferred from the server to the domain member, and back again when the user logs out. Folder redirection enables you to redirect the paths of these folders to a location outside of the Windows user profile to reduce the size of the profile.

Because the user profile can contain sensitive information, you should redirect the folder to a secured area that only the profile owner can access, such as the user's home folder.



Setting Folder Redirections

In an Active Directory

Using group policies, you can assign settings to organizational units (OU) or to a domain. This enables you, for example, to automatically set folder redirections for all users in the OU or domain. If you move the account to a different OU or domain, the settings are removed or updated. This way, you do not have to set the redirection manually for each user account.


Using Group Policy Folder Redirection

Using a group policy object (GPO) is the preferred way to set folder redirections.

To create a group policy object (GPO) for the domain that automatically redirects profile folders to the user's home folder:

  • Log in to a computer using an account that is allowed to edit group policies, such as the AD domain Administrator account.
  • Open the Group Policy Management Console. If the Remote Server Administration Tools (RSAT) are not installed on this computer, see Installing RSAT.
  • Right-click your AD domain and select Create a GPO in this domain, and Link it here.
  • Enter a name for the GPO, such as Folder Redirections. The new GPO is shown below the domain entry.
  • Right-click the newly created GPO and select Edit to open the Group Policy Management Editor.
  • Navigate to the User Configuration → Policies → Windows Settings → Folder Redirection entry.
  • Right-click the folder to redirect, such as Documents, and select Properties.
  • Set the following:
      • On the Target tab:
          • Setting: Basic - Redirect everyone's folder to the same location
          • Target folder location: Redirect to the user's home directory
      • On the Settings tab:
          • Unselect Grant the user exclusive rights.
          • Unselect Move the contents of Documents to the new location.
          • Select Also apply redirection to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.
          • Select Leave the folder in the new location when policy is removed.

(If you choose to set these options differently and run into problems such as Event ID 502 in the application event log when a user logs in, see this Microsoft support article which boils down to either setting both Grant user exclusive and Also apply to Windows 2000 or neither of them.)

  • Click OK.
  • Optionally, redirect other folders in the same way.
  • Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
  • Close the Group Policy Management Console.

The policy is applied to users in the domain at the next login.

Using a Group Policy Preference

When you use the Samba [homes] section to dynamically generate user home folders, you must set registry keys using a group policy preference to redirect folders. If you provide home folders using a different share name, see Using Group Policy Folder Redirection.

To create a group policy preference for the domain that automatically redirects profile folders to the user's home folder:

  • Log in to a computer using an account that is allowed to edit group policies, such as the AD domain Administrator account.
  • Open the Group Policy Management Console. If the Remote Server Administration Tools (RSAT) are not installed on this computer, see Installing RSAT.
  • Right-click your AD domain and select Create a GPO in this domain, and Link it here.
  • Enter a name for the GPO, such as Folder Redirections. The new GPO is shown below the domain entry.
  • Right-click the newly created GPO and select Edit to open the Group Policy Management Editor.
  • Navigate to the User Configuration → Preferences → Windows Settings entry.
  • Right-click the Registry entry in the navigation and select New → Registry Item.
  • Set the following:
      • Action: Replace
      • Hive: HKEY_CURRENT_USER
      • Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
      • Value name: For example, to redirect the Documents folder, enter: Personal
        For a list of other registry values of folders you can redirect, see the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders entry in your local Windows registry.
      • Value type: REG_EXPAND_SZ
      • Value data: For example: \\server\%USERNAME%\Documents
        Windows automatically replaces the %USERNAME% variable with the name of the current user when the policy is applied.
  • Optionally, redirect other folders in the same way.
  • Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
  • Close the Group Policy Management Console.

The policy is applied to users in the domain at the next login.
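
To confirm on a domain member that the preference was applied, and that the redirected folder is limited to its owner, the registry value and the target's ACL can be inspected from the user's session. The following PowerShell is an added example, not part of the wiki page; the `$valueNames` selection and the `$allowed` identity list are assumptions to adapt to your domain.

```powershell
# Added example: run in the redirected user's own session after the next login.
# Assumption: only 'Personal' (Documents) was redirected; add further value
# names from the same key if you created more registry items.
$keyPath    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$valueNames = @('Personal')

# Assumption: identities expected on a home folder; anything else is reported.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$allowed = @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

$key = Get-Item -LiteralPath $keyPath
foreach ($name in $valueNames) {
    # Read the raw data so that %USERNAME% is visible before expansion.
    $raw = $key.GetValue($name, $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($null -eq $raw) { Write-Warning "$name is not set"; continue }

    $kind     = $key.GetValueKind($name)
    $path     = [Environment]::ExpandEnvironmentVariables($raw)
    $findings = @()

    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::ExpandString) {
        $findings += "value type is $kind, expected REG_EXPAND_SZ"
    }
    if ($path.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += 'target is still inside the local profile (not redirected)'
    }
    elseif (-not (Test-Path -LiteralPath $path)) {
        $findings += 'target does not exist or is not reachable'
    }
    else {
        # List every Allow entry that grants access to someone outside $allowed.
        $others = (Get-Acl -LiteralPath $path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $_.IdentityReference.Value
        }
        foreach ($ace in $others) {
            $findings += "also accessible by $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
        }
    }

    [pscustomobject]@{
        Folder   = $name
        Raw      = $raw
        Expanded = $path
        Findings = $findings -join '; '
    }
}
```

An empty Findings column means the value has the expected type, points outside the local profile, and the target grants access only to the listed identities.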




In an NT4 Domain

NT4 policies are only supported by the following Windows versions:

  • Windows NT 4.0 - Windows XP
  • Windows NT Server 4.0 - Windows Server 2003 R2

To create a folder redirection for the Default User Policy entry:

  • Log in to a computer using an account that is allowed to edit NT4 policies, such as the NT4 domain Administrator account.
  • Open the System Policy Editor (poledit.exe). This application is stored on the Windows Server CD-ROM and is part of the MS Office 2000 Resource Kit. For further details, see KB910203.
  • Select Options → Policy Template and open an *.adm file that contains policies for folder redirection.
  • Create a new policy or open an existing one.
  • Double-click Default User.
  • Navigate to the folder redirection. The location depends on the structure of the ADM file you use.
  • Select the folder to redirect and enter the path to the destination. For example, redirect the Documents folder to H:\My Documents.
  • Optionally, redirect other folders in the same way.
  • Click OK.
  • Save the policy in the \\PDC_name\netlogon\ntconfig.pol file. Note that all domain users must have permissions to read the file.

The policy is applied to users in the domain at the next login.