Difference between revisions of "Configuring Windows Profile Folder Redirections"

From SambaWiki
m (Added category)
m
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
  +
= Introduction =
__TOC__
 
   
  +
Using the default settings, roaming Windows user profiles include folder that can contain a large amount of data, such as <code>Documents</code>, <code>Downloads</code>, and <code>Pictures</code>. When logging in, the data is transferred from the Server to the domain member and back when the user logs out. Folder redirection enables you to redirect paths of folders outside of the Windows user profile to reduce the size of the profile.
= Configure folder redirection in an AD environment =
 
   
  +
Because the user profile can contain sensitive information, you should redirect the folder to a secured area that only the profile owner can access, such as the [[User Home Folders|user's home folder]].
To keep the following guide simple, we setup the policy in the „Default Domain Policy“. If you have different requirements, adapt it to your needs.
 
   
* Open the Group Policy Management console.
 
   
  +
= Setting Folder Redirections =
* Right-click to your AD domain and select "Create a GPO in this domain, and Link it here".
 
   
  +
== In an Active Directory ==
:[[Image:GPMC_Create_GPO.png]]
 
   
  +
{{:Configuring_Windows_Profile_Folder_Redirections_with_Group_Policy}}
* Enter a name for the GPO, such as "Folder redirection". The new GPO is shown below the domain entry.
 
   
  +
== In an NT4 Domain ==
* Right-click to the newly-created GPO and select "Edit" to open the "Group Policy Management Editor".
 
   
  +
NT4 policies are only supported by the following Windows versions:
* Navigate to „User Configuration“ / „Policies“ / „Windows Settings“ / „Folder Redirection“, right-click to „Documents“ and choose „Properties“.
 
  +
* Windows NT 4.0 - Windows XP
  +
* Windows NT Server 4.0 - Windows Server 2003 R2
   
  +
To create a folder redirection for the <code>Default User Policy</code> entry:
* Redirect the folder to your needs and adjust the values on the „Settings“ tab, too.
 
:[[Image:Folder_Redirection_Documents.png]]
 
   
  +
* Log in to a computer using an account that is allowed you to edit NT4 policies, such as the NT4 domain <code>Administrator</code> account.
* In the „Folder redirection“ sub-tree you can redirect other folders, too.
 
   
  +
* Open the <code>System Policy Editor</code> (poledit.exe). This application is stored on the Windows Server CD-ROM and part of the MS Office 2000 Resource Kit. For further details, see [http://support.microsoft.com/kb/910203 KB910203].
* Save the changes by closing the Group Policy Management Editor.
 
   
  +
* Select <code>Options</code> &rarr; <code>Policy Template</code> and open an <code>*.adm</code> file that contains policies for folder redirection.
  +
:[[Image:Poledit_Opening_an_ADM_File.png]]
   
  +
* Create a new policy or open an existing one.
   
  +
* Double-click <code>Default User</code>.
== GPO work around for Samba "homes" directive ==
 
   
  +
* Navigate to the folder redirection. The location depents on the structure of the ADM file you use.
The smb.conf [homes] directive creates an auto share \\SERVER\some_user for the user home directory.
 
   
  +
* Select the folder to redirect and enter the path to the destination. For example, to redirect the <code>Documents</code> folder to <code>H:\My Documents</code>:
The Vanilla Windows Folder Redirection GPO insists on having the following share/folder structure for the location of user home folders on the server:
 
  +
:[[Image:Poledit_Folder_Redirection_Documents.png]]
   
  +
* Optionally, redirect other folders in the same way.
\\SERVER\someshare\some_user
 
   
  +
* Click <code>OK</code>
The following steps provide a workaround. (Tested in a Windows 2012 Domain with Windows 7 and 2012 clients)
 
   
  +
* Save the policy in the <code>\\''PDC_name''\netlogon\ntconfig.pol</code> file. Note that all domain users must have permissions to read the file.
* Open the Group Policy Management Console
 
   
  +
The policy is applied to users in domain at the next log in.
* Completely disable the folder redirection GPO.
 
 
* Create a new GPO
 
 
Expand the folder heirarchy:
 
 
User Configuration
 
Preferences
 
Windows Settings
 
Registry
 
 
 
Right click on "Registry" and select "New" then "Registry Item"
 
 
* Action: Replace
 
* Hive: HKEY_CURRENT_USER
 
* Key path: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
 
* Value name: Personal
 
* Value type: REG_EXPAND_SZ
 
* Value data: \\SERVER\%username%\My Documents
 
 
Apply changes. Reboot Windows 7 clients.
 
 
Note that this does NOT work for XP clients unless they have the GPP extension installed (allegedly)
 
 
Screenshot:
 
 
[[File:Folder_redirection_via_reg_gpo.png]]
 
 
 
 
 
 
= In a NT4 domain =
 
 
NT4 policies can only be applied to Windows NT4 up to XP machines. Newer Windows versions only support group policies.
 
 
To keep this guide simple, we set the folder redirection in this example on the default user policy.
 
 
* Open the System Policy Editor (poledit.exe).
 
:You find PolEdit e.g. on your Windows Server CD-ROM or in the Ms Office 2000 Resource Kit (ORK). Please look here for more informations: [http://support.microsoft.com/kb/910203 KB-910203]
 
 
* Go to „Options“ / „Policy Template“ and open an ADM file that contains policies for folder redirection (you may download such an ADM file from Novell's website: [http://www.novell.com/coolsolutions/tools/downloads/redirect.zip http://www.novell.com/coolsolutions/tools/downloads/redirect.zip])
 
:[[Image:Poledit_opening_adm.png]]
 
 
* Create a new policy or open an existing.
 
 
* Double-click on „Default User“.
 
 
* Follow the tree to the folder redirection (the way depends on the ADM file you use).
 
:[[Image:Poledit_folder_redirection.png]]
 
 
* Set a location where you want to redirect the folder to.
 
 
* Redirect other folders too, if necessary.
 
 
* Close the „Default User Properties“ window.
 
 
* Save the policy to \\PDC\NetLogon\ntconfig.pol (the file must be placed on your PDC's NetLogon share with the name „ntconfig.pol" and should be world-readable).
 
   
   

Latest revision as of 07:24, 2 November 2021

Introduction

Using the default settings, roaming Windows user profiles include folder that can contain a large amount of data, such as Documents, Downloads, and Pictures. When logging in, the data is transferred from the Server to the domain member and back when the user logs out. Folder redirection enables you to redirect paths of folders outside of the Windows user profile to reduce the size of the profile.

Because the user profile can contain sensitive information, you should redirect the folder to a secured area that only the profile owner can access, such as the user's home folder.


Setting Folder Redirections

In an Active Directory

Using group policies, you can assign settings to organizational units (OU) or to a domain. This enables you, for example, to automatically set folder redirections to all users in the OU or domain. If you move the account to a different OU or domain, the settings are removed or updated. Using this way, you do not have to set the redirection manually for each user account.


Using Group Policy Folder Redirection

Using a group policy object (GPO) is the preferred way to set folder redirections.

To create a group policy object (GPO) for the domain that automatically redirects profile folders to user's home folder:

  • Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain Administrator account.
  • Open the Group Policy Management Console. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
  • Right-click to your AD domain and select Create a GPO in this domain, and Link it here.
GPMC Create GPO.png
  • Enter a name for the GPO, such as Folder Redirections. The new GPO is shown below the domain entry.
  • Right-click to the newly-created GPO and select Edit to open the Group Policy Management Editor.
  • Navigate to the User ConfigurationPoliciesWindows SettingsFolder Redirection entry.
  • Right-click to the folder to redirect, such as Documents, and select Properties.
  • Set the following:
  • On the Target tab:
  • Setting: Basic - Redirect everyone's folder to the same location
  • Target folder location: Redirect to the user's home directory
  • On the Settings tab:
  • Unselect Grant the user exclusive rights.
  • Unselect Move the contents of Documents to the new location.
  • Select Also apply redirection to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.
  • Select Leave the folder in the new location when policy is removed.

(If you choose to set these options differently and run into problems such as Event ID 502 in the application event log when a user logs in, see this Microsoft support article which boils down to either setting both Grant user exclusive and Also apply to Windows 2000 or neither of them.)

GPME Folder Redirection Documents.png
  • Click OK.
  • Optionally, redirect other folders in the same way.
  • Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
  • Close the Group Policy Management Console.

The policy is applied to users in domain at the next log in.

Using a Group Policy Preference

When you use the Samba [homes] section to dynamically generate user home folders, you must set registry keys using a group policy preference to redirect folders. If you provide home folders using a different share name, see Using Group Policy Folder Redirection.

To create a group policy preference for the domain that automatically redirects profile folders to user's home folder:

  • Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain Administrator account.
  • Open the Group Policy Management Console. If you do not already have the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
  • Right-click to your AD domain and select Create a GPO in this domain, and Link it here.
GPMC Create GPO.png
  • Enter a name for the GPO, such as Folder Redirections. The new GPO is shown below the domain entry.
  • Right-click to the newly-created GPO and select Edit to open the Group Policy Management Editor.
  • Navigate to the User ConfigurationPreferencesWindows Settings entry.
  • Right-click to the Registry entry in the navigation and select NewRegistry Item.
  • Set the following:
  • Action: Replace
  • Hive: HKEY_CURRENT_USER
  • Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • Value name: For example, to redirect the Documents folder, enter: Personal
For a list of other registry keys of folders you can redirect, see the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders entry in your local Windows registry.
  • Value type: REG_EXPAND_SZ
  • Value data: For example: \\server\%USERNAME%\Documents
Windows automatically replaces the %USERNAME% variable with the name of the current user when the policy is applied.
GPME Folder Redirection GP Preference Documents.png
  • Optionally, redirect other folders in the same way.
  • Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
  • Close the Group Policy Management Console.

The policy is applied to users in domain at the next log in.

In an NT4 Domain

NT4 policies are only supported by the following Windows versions:

  • Windows NT 4.0 - Windows XP
  • Windows NT Server 4.0 - Windows Server 2003 R2

To create a folder redirection for the Default User Policy entry:

  • Log in to a computer using an account that is allowed you to edit NT4 policies, such as the NT4 domain Administrator account.
  • Open the System Policy Editor (poledit.exe). This application is stored on the Windows Server CD-ROM and part of the MS Office 2000 Resource Kit. For further details, see KB910203.
  • Select OptionsPolicy Template and open an *.adm file that contains policies for folder redirection.
Poledit Opening an ADM File.png
  • Create a new policy or open an existing one.
  • Double-click Default User.
  • Navigate to the folder redirection. The location depents on the structure of the ADM file you use.
  • Select the folder to redirect and enter the path to the destination. For example, to redirect the Documents folder to H:\My Documents:
Poledit Folder Redirection Documents.png
  • Optionally, redirect other folders in the same way.
  • Click OK
  • Save the policy in the \\PDC_name\netlogon\ntconfig.pol file. Note that all domain users must have permissions to read the file.

The policy is applied to users in domain at the next log in.