Configure User’s Folder Redirection with Group Policy

folder redirection Enables you to store certain user profile folders (special folders like Desktop, Documents, Pictures, Downloads, etc.) in a shared network folder on your file server. Redirected folders work similarly to mapped network drives (users access files in their profiles over the network on the file server). In this article, we will see how to use Group Policy to enable folder redirection on user computers in an Active Directory domain.

Benefits of using redirected folders:

  • You can configure centralized user data backup on your file server (instead of enabling backup on each workstation);
  • When a user logs on to a computer, they have access to their personal profile files;
  • You can manage the content allowed in different files (using the FSRM role in Windows Server) or restrict the size of user profiles using NTFS disk quotas;
  • You can use redirected folders for both workstations and terminal servers (Remote Desktop Services/RDS farms);
  • You can use folder redirection in RDS with Roaming Profiles (User Profile Disk or FSLogix Profile Container). This can reduce the load on the network and speed up the loading of profiles because you do not need to copy data from the redirected folder to the RDS host when you log in and when you log out.

You can configure redirected folders in an Active Directory environment in two steps:

  1. Create a shared network folder on the file server and assign permissions;
  2. Configure folder redirection options with Group Policy.

Create a domain group of the users for whom you want to enable folder redirection. You can create a new AD group and add users to it using PowerShell or the ADUC mmc snap-in:

New-ADGroup munFolderRedirection -path 'OU=Groups,OU=Munich,dc=woshub,DC=com' -GroupScope Global -PassThru –Verbose
Add-AdGroupMember -Identity munFolderRedirection -Members user1,user2,user3

Create a shared folder to store user’s redirected folders on your file server.

It’s better to use a high availability configuration with Windows Failover Cluster or DFS, and/or provide resiliency for file servers running Windows Server at the virtualization level (VMware HA, Hyper-V Cluster, etc.) on which you want individual stores will do. User Folder.

For storing user folders, it is recommended to use a separate disk (other than system drive C :). Create and share a network folder with Windows Explorer or by using the New-SmbShare PowerShell cmdlet:

New-SmbShare -Name RedirFolder -Path D:\RedirFolder –description "Target location for user's redirected folders"

You then need to configure the correct NTFS permissions on the folder so that each user can only access their files.

Open Folder Properties and navigate Security tab. Click Advanced, then click disable inheritance, When a warning appears, select Convert inherited permissions to explicit permissions on the object,

Create shared folder for redirected user's profile

Remove Users/Authenticated Users from the NTFS permissions list, and leave the following permissions:

  • Administrator (Full control, this folder, subfolders and files)
  • System (Full Control, this folder, subfolders and files)
  • Creator Owner (Full Control, subfolders and files only)

add now munFolderRedirection Grant the security group and the following permissions on the root folder (applies to -> this folder only):

  • traverse folder/exec file
  • list folder/read data
  • read properties
  • read extended properties
  • create folder/add data
  • read permissions

configure redirected folder ntfs permissions

grant full control permissions to Authenticated Users Group in the network share properties (Sharing -> Advanced Sharing -> Permissions).

set shared folder permissions

With this configuration, users are allowed to create folders in the directory root, and only the owner can access the contents of the subfolders.

You can then create a Folder Redirection Group Policy for the users. open domain Group Policy Management Console ,gpmc.msc), create a new GPO, and link it to the Organizational Unit (OU) with the target user accounts.

Using Folder Redirection in Group Policy

To apply the policy only to specific users, remove it authenticated users from the group security filtering and add munFolderRedirection And domain computer group instead.

Edit and expand your new GPO user configuration , policies , windows settings , folder redirection,

Here are the options for redirecting the various user profile folders. In this example, I’ll configure the redirection to document Folders only (you can enable folder redirection for other profile folders in the same way).

redirection of AppData (roaming) The folder is rarely used.

open the document Configure folder properties and the following folder redirection options:

  • Adjustment:- Basic, redirect all folders to one place
  • target folder location: Create a folder for each user under the root path
  • root path, \\mun-fs1\RedirFolder (specify the UNC path to the shared folder created earlier)

Enable User Folder Redirection in Windows via GPO

There are a few options in the Settings tab:

  • Grant user exclusive rights to documents – can be disabled, since we have already configured the correct NTFS permissions beforehand;
  • Move documents contents to new location – whether existing files in the user’s Documents should be moved to the redirected folder on the file server;
  • Redirect folder back to local user profile location when policy is deleted – This option enables offline access to data (using offline files in Windows) and determines the behavior when the GPO is disabled. Redirect Profile Folder Settings

Add your file server and/or domain to a trusted local intranet using Site to Zone Assignment List under GPO setting computer configuration , administrative model , windows components , internet explorer , internet control panel , security page,

In the policy settings, specify the list of trusted servers in the following format:

  • Server or domain name (in the format: file://hostname , \\hostame or its IP address)
  • an area number ( 1 – for a local intranet)

If you do not configure this option, running shortcuts and executables from the redirected directory may result in Windows security warnings.

Logout and log back in on the user’s computer (this will update the Group Policy settings on the device).

Then open the Documents folder properties and make sure the UNC path of your shared folder on the file server is shown as Location,

Deploy Folder Redirection in Windows 11 and Windows Server 2022

You can create files and folders in the Documents folder and they will be available to users on any computer in your domain.

Leave a Comment