Configuring Windows Profile Folder Redirections: Difference between revisions
Mmuehlfeld (talk | contribs) (Slitted folder redirection content from the old profile page to a separate one) |
RenegadeTech (talk | contribs) (→Using Group Policy Folder Redirection: Added link to Microsoft support article addressing application log Event ID 502) |
||
(5 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
= Introduction = |
|||
__TOC__ |
|||
Using the default settings, roaming Windows user profiles include folder that can contain a large amount of data, such as <code>Documents</code>, <code>Downloads</code>, and <code>Pictures</code>. When logging in, the data is transferred from the Server to the domain member and back when the user logs out. Folder redirection enables you to redirect paths of folders outside of the Windows user profile to reduce the size of the profile. |
|||
= Configure folder redirection in an AD environment = |
|||
Because the user profile can contain sensitive information, you should redirect the folder to a secured area that only the profile owner can access, such as the [[User Home Folders|user's home folder]]. |
|||
To keep the following guide simple, we setup the policy in the „Default Domain Policy“. If you have different requirements, adapt it to your needs. |
|||
* Open the Group Policy Management console. |
|||
* Go to „Forest: your.domain“ / „Domains“ / „your.domain“ |
|||
* Right-click „Default Domain Policy“ and choose „Edit“ to open the Group Policy Management Editor. |
|||
:[[Image:Edit_group_policy.png]] |
|||
* Navigate to „User Configuration“ / „Policies“ / „Windows Settings“ / „Folder Redirection“, right-click to „Documents“ and choose „Properties“. |
|||
= Setting Folder Redirections = |
|||
* Redirect the folder to your needs and adjust the values on the „Settings“ tab, too. |
|||
:[[Image:Folder_Redirection_Documents.png]] |
|||
== In an Active Directory == |
|||
* In the „Folder redirection“ sub-tree you can redirect other folders, too. |
|||
Using group policies, you can assign settings to organizational units (OU) or to a domain. This enables you, for example, to automatically set folder redirections to all users in the OU or domain. If you move the account to a different OU or domain, the settings are removed or updated. Using this way, you do not have to set the redirection manually for each user account. |
|||
* Save the changes by closing the Group Policy Management Editor. |
|||
=== Using Group Policy Folder Redirection === |
|||
== GPO work around for Samba "homes" directive == |
|||
Using a group policy object (GPO) is the preferred way to set folder redirections. |
|||
The smb.conf [homes] directive creates an auto share \\SERVER\some_user for the user home directory. |
|||
{{Imbox |
|||
The Vanilla Windows Folder Redirection GPO insists on having the following share/folder structure for the location of user home folders on the server: |
|||
| type = note |
|||
| text = Windows does not support dynamically-generated user home folders provided by the Samba <code>[homes]</code> section. If you used this way to provide home folders, set up a group policy preference instead. See [[#Using_a_Group_Policy_Preference|Using a Group Policy Preference]]. |
|||
}} |
|||
To create a group policy object (GPO) for the domain that automatically redirects profile folders to user's home folder: |
|||
\\SERVER\someshare\some_user |
|||
* Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain <code>Administrator</code> account. |
|||
The following steps provide a workaround. (Tested in a Windows 2012 Domain with Windows 7 and 2012 clients) |
|||
* Open the Group Policy Management Console |
* Open the <code>Group Policy Management Console</code>. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see [[Installing RSAT|Installing RSAT]]. |
||
* Right-click to your AD domain and select <code>Create a GPO in this domain, and Link it here</code>. |
|||
* Completely disable the folder redirection GPO. |
|||
:[[Image:GPMC_Create_GPO.png]] |
|||
* Create a new GPO |
|||
Expand the folder heirarchy: |
|||
* Enter a name for the GPO, such as <code>Folder Redirections</code>. The new GPO is shown below the domain entry. |
|||
User Configuration |
|||
Preferences |
|||
Windows Settings |
|||
Registry |
|||
* Right-click to the newly-created GPO and select <code>Edit</code> to open the <code>Group Policy Management Editor</code>. |
|||
* Navigate to the <code>User Configuration</code> → <code>Policies</code> → <code>Windows Settings</code> → <code>Folder Redirection</code> entry. |
|||
Right click on "Registry" and select "New" then "Registry Item" |
|||
* Right-click to the folder to redirect, such as <code>Documents</code>, and select <code>Properties</code>. |
|||
* Action: Replace |
|||
* Hive: HKEY_CURRENT_USER |
|||
* Key path: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
|||
* Value name: Personal |
|||
* Value type: REG_EXPAND_SZ |
|||
* Value data: \\SERVER\%username%\My Documents |
|||
* Set the following: |
|||
Apply changes. Reboot Windows 7 clients. |
|||
:* On the <code>Target</code> tab: |
|||
::* Setting: <code>Basic - Redirect everyone's folder to the same location</code> |
|||
::* Target folder location: <code>Redirect to the user's home directory</code> |
|||
:* On the <code>Settings</code> tab: |
|||
::* Unselect <code>Grant the user exclusive rights.</code> |
|||
::* Unselect <code>Move the contents of Documents to the new location.</code> |
|||
::* Select <code>Also apply redirection to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.</code> |
|||
::* Select <code>Leave the folder in the new location when policy is removed.</code> |
|||
(If you choose to set these options differently and run into problems such as Event ID 502 in the application event log when a user logs in, see [https://support.microsoft.com/en-us/help/2493506/redirecting-the-user-s-documents-folder-to-their-home-directory-fails this Microsoft support article] which boils down to either setting both ''Grant user exclusive'' and ''Also apply to Windows 2000'' or neither of them.) |
|||
::[[Image:GPME_Folder_Redirection_Documents.png]] |
|||
Note that this does NOT work for XP clients unless they have the GPP extension installed (allegedly) |
|||
:* Click <code>OK</code>. |
|||
Screenshot: |
|||
* Optionally, redirect other folders in the same way. |
|||
[[File:Folder_redirection_via_reg_gpo.png]] |
|||
* Close the <code>Group Policy Management Editor</code>. The GPOs are automatically saved on the <code>Sysvol</code> share on the domain controller (DC). |
|||
* Close the <code>Group Policy Management Console</code>. |
|||
The policy is applied to users in domain at the next log in. |
|||
=== Using a Group Policy Preference === |
|||
When you use the Samba <code>[homes]</code> section to dynamically generate user home folders, you must set registry keys using a group policy preference to redirect folders. If you provide home folders using a different share name, see [[#Using Group Policy Folder Redirection|Using Group Policy Folder Redirection]]. |
|||
= In a NT4 domain = |
|||
To create a group policy preference for the domain that automatically redirects profile folders to user's home folder: |
|||
NT4 policies can only be applied to Windows NT4 up to XP machines. Newer Windows versions only support group policies. |
|||
* Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain <code>Administrator</code> account. |
|||
To keep this guide simple, we set the folder redirection in this example on the default user policy. |
|||
* Open the <code>Group Policy Management Console</code>. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see [[Installing RSAT|Installing RSAT]]. |
|||
* Open the System Policy Editor (poledit.exe). |
|||
:You find PolEdit e.g. on your Windows Server CD-ROM or in the Ms Office 2000 Resource Kit (ORK). Please look here for more informations: [http://support.microsoft.com/kb/910203 KB-910203] |
|||
* Right-click to your AD domain and select <code>Create a GPO in this domain, and Link it here</code>. |
|||
* Go to „Options“ / „Policy Template“ and open an ADM file that contains policies for folder redirection (you may download such an ADM file from Novell's website: [http://www.novell.com/coolsolutions/tools/downloads/redirect.zip http://www.novell.com/coolsolutions/tools/downloads/redirect.zip]) |
|||
:[[Image:Poledit_opening_adm.png]] |
|||
:[[Image:GPMC_Create_GPO.png]] |
|||
* Create a new policy or open an existing. |
|||
* Enter a name for the GPO, such as <code>Folder Redirections</code>. The new GPO is shown below the domain entry. |
|||
* Double-click on „Default User“. |
|||
* Right-click to the newly-created GPO and select <code>Edit</code> to open the <code>Group Policy Management Editor</code>. |
|||
* Follow the tree to the folder redirection (the way depends on the ADM file you use). |
|||
:[[Image:Poledit_folder_redirection.png]] |
|||
* Navigate to the <code>User Configuration</code> → <code>Preferences</code> → <code>Windows Settings</code> entry. |
|||
* Set a location where you want to redirect the folder to. |
|||
* Right-click to the <code>Registry</code> entry in the navigation and select <code>New</code> → <code>Registry Item</code>. |
|||
* Redirect other folders too, if necessary. |
|||
* Set the following: |
|||
* Close the „Default User Properties“ window. |
|||
:* Action: <code>Replace</code> |
|||
:* Hive: <code>HKEY_CURRENT_USER</code> |
|||
:* Key Path: <code>Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code> |
|||
:* Value name: For example, to redirect the <code>Documents</code> folder, enter: <code>Personal</code> |
|||
:: For a list of other registry keys of folders you can redirect, see the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code> entry in your local Windows registry. |
|||
:* Value type: <code>REG_EXPAND_SZ</code> |
|||
:* Value data: For example: <code>\\server\%USERNAME%\Documents</code> |
|||
:: Windows automatically replaces the <code>%USERNAME%</code> variable with the name of the current user when the policy is applied. |
|||
:[[Image:GPME_Folder_Redirection_GP_Preference_Documents.png]] |
|||
* Save the policy to \\PDC\NetLogon\ntconfig.pol (the file must be placed on your PDC's NetLogon share with the name „ntconfig.pol" and should be world-readable). |
|||
* Optionally, redirect other folders in the same way. |
|||
* Close the <code>Group Policy Management Editor</code>. The GPOs are automatically saved on the <code>Sysvol</code> share on the domain controller (DC). |
|||
* Close the <code>Group Policy Management Console</code>. |
|||
The policy is applied to users in domain at the next log in. |
|||
== In an NT4 Domain == |
|||
NT4 policies are only supported by the following Windows versions: |
|||
* Windows NT 4.0 - Windows XP |
|||
* Windows NT Server 4.0 - Windows Server 2003 R2 |
|||
To create a folder redirection for the <code>Default User Policy</code> entry: |
|||
* Log in to a computer using an account that is allowed you to edit NT4 policies, such as the NT4 domain <code>Administrator</code> account. |
|||
* Open the <code>System Policy Editor</code> (poledit.exe). This application is stored on the Windows Server CD-ROM and part of the MS Office 2000 Resource Kit. For further details, see [http://support.microsoft.com/kb/910203 KB910203]. |
|||
* Select <code>Options</code> → <code>Policy Template</code> and open an <code>*.adm</code> file that contains policies for folder redirection. |
|||
:[[Image:Poledit_Opening_an_ADM_File.png]] |
|||
* Create a new policy or open an existing one. |
|||
* Double-click <code>Default User</code>. |
|||
* Navigate to the folder redirection. The location depents on the structure of the ADM file you use. |
|||
* Select the folder to redirect and enter the path to the destination. For example, to redirect the <code>Documents</code> folder to <code>H:\My Documents</code>: |
|||
:[[Image:Poledit_Folder_Redirection_Documents.png]] |
|||
* Optionally, redirect other folders in the same way. |
|||
* Click <code>OK</code> |
|||
* Save the policy in the <code>\\''PDC_name''\netlogon\ntconfig.pol</code> file. Note that all domain users must have permissions to read the file. |
|||
The policy is applied to users in domain at the next log in. |
|||
---- |
|||
[[Category:Active Directory]] |
|||
[[Category:NT4 Domains]] |
Revision as of 19:45, 3 May 2018
Introduction
Using the default settings, roaming Windows user profiles include folder that can contain a large amount of data, such as Documents
, Downloads
, and Pictures
. When logging in, the data is transferred from the Server to the domain member and back when the user logs out. Folder redirection enables you to redirect paths of folders outside of the Windows user profile to reduce the size of the profile.
Because the user profile can contain sensitive information, you should redirect the folder to a secured area that only the profile owner can access, such as the user's home folder.
Setting Folder Redirections
In an Active Directory
Using group policies, you can assign settings to organizational units (OU) or to a domain. This enables you, for example, to automatically set folder redirections to all users in the OU or domain. If you move the account to a different OU or domain, the settings are removed or updated. Using this way, you do not have to set the redirection manually for each user account.
Using Group Policy Folder Redirection
Using a group policy object (GPO) is the preferred way to set folder redirections.
Windows does not support dynamically-generated user home folders provided by the Samba [homes] section. If you used this way to provide home folders, set up a group policy preference instead. See Using a Group Policy Preference. |
To create a group policy object (GPO) for the domain that automatically redirects profile folders to user's home folder:
- Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain
Administrator
account.
- Open the
Group Policy Management Console
. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
- Right-click to your AD domain and select
Create a GPO in this domain, and Link it here
.
- Enter a name for the GPO, such as
Folder Redirections
. The new GPO is shown below the domain entry.
- Right-click to the newly-created GPO and select
Edit
to open theGroup Policy Management Editor
.
- Navigate to the
User Configuration
→Policies
→Windows Settings
→Folder Redirection
entry.
- Right-click to the folder to redirect, such as
Documents
, and selectProperties
.
- Set the following:
- On the
Target
tab:
- Setting:
Basic - Redirect everyone's folder to the same location
- Target folder location:
Redirect to the user's home directory
- Setting:
- On the
Settings
tab:
- Unselect
Grant the user exclusive rights.
- Unselect
Move the contents of Documents to the new location.
- Select
Also apply redirection to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.
- Select
Leave the folder in the new location when policy is removed.
- Unselect
- On the
(If you choose to set these options differently and run into problems such as Event ID 502 in the application event log when a user logs in, see this Microsoft support article which boils down to either setting both Grant user exclusive and Also apply to Windows 2000 or neither of them.)
- Click
OK
.
- Click
- Optionally, redirect other folders in the same way.
- Close the
Group Policy Management Editor
. The GPOs are automatically saved on theSysvol
share on the domain controller (DC).
- Close the
Group Policy Management Console
.
The policy is applied to users in domain at the next log in.
Using a Group Policy Preference
When you use the Samba [homes]
section to dynamically generate user home folders, you must set registry keys using a group policy preference to redirect folders. If you provide home folders using a different share name, see Using Group Policy Folder Redirection.
To create a group policy preference for the domain that automatically redirects profile folders to user's home folder:
- Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain
Administrator
account.
- Open the
Group Policy Management Console
. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
- Right-click to your AD domain and select
Create a GPO in this domain, and Link it here
.
- Enter a name for the GPO, such as
Folder Redirections
. The new GPO is shown below the domain entry.
- Right-click to the newly-created GPO and select
Edit
to open theGroup Policy Management Editor
.
- Navigate to the
User Configuration
→Preferences
→Windows Settings
entry.
- Right-click to the
Registry
entry in the navigation and selectNew
→Registry Item
.
- Set the following:
- Action:
Replace
- Hive:
HKEY_CURRENT_USER
- Key Path:
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- Value name: For example, to redirect the
Documents
folder, enter:Personal
- For a list of other registry keys of folders you can redirect, see the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
entry in your local Windows registry.
- Value type:
REG_EXPAND_SZ
- Value data: For example:
\\server\%USERNAME%\Documents
- Windows automatically replaces the
%USERNAME%
variable with the name of the current user when the policy is applied.
- Action:
- Optionally, redirect other folders in the same way.
- Close the
Group Policy Management Editor
. The GPOs are automatically saved on theSysvol
share on the domain controller (DC).
- Close the
Group Policy Management Console
.
The policy is applied to users in domain at the next log in.
In an NT4 Domain
NT4 policies are only supported by the following Windows versions:
- Windows NT 4.0 - Windows XP
- Windows NT Server 4.0 - Windows Server 2003 R2
To create a folder redirection for the Default User Policy
entry:
- Log in to a computer using an account that is allowed you to edit NT4 policies, such as the NT4 domain
Administrator
account.
- Open the
System Policy Editor
(poledit.exe). This application is stored on the Windows Server CD-ROM and part of the MS Office 2000 Resource Kit. For further details, see KB910203.
- Select
Options
→Policy Template
and open an*.adm
file that contains policies for folder redirection.
- Create a new policy or open an existing one.
- Double-click
Default User
.
- Navigate to the folder redirection. The location depents on the structure of the ADM file you use.
- Select the folder to redirect and enter the path to the destination. For example, to redirect the
Documents
folder toH:\My Documents
:
- Optionally, redirect other folders in the same way.
- Click
OK
- Save the policy in the
\\PDC_name\netlogon\ntconfig.pol
file. Note that all domain users must have permissions to read the file.
The policy is applied to users in domain at the next log in.