You can use Group Policies to copy specific files and folders to user computers in an Active Directory domain. You can place the files on the desktop, in a special user profile directory, or in another folder on a local drive. With GPOs, you can automatically copy and update various configuration files, INI files, app executables (EXEs), DLLs, or scripts from and to a shared repository.
Copying Files Using Group Policy Preferences
For example, I want to copy two files (app.exe and settings.xml) to the desktops of some Active Directory domain users.
- Create a shared folder to store the source files that you want to copy to users’ computers. This can be a shared SMB folder on a file server or the SYSVOL directory on a domain controller (this folder is automatically replicated between all DCs in a domain using DFS, which makes it convenient because it helps to reduce the load on WAN links). I put the files in the SYSVOL folder \\woshub.com\SYSVOL\woshub.com\scripts\CorpApp. Make sure that the Authenticated Users group has read permission on this folder;
- Create a new Active Directory security group (CorpAPPUsers) using the Active Directory Users and Computers snap-in (dsa.msc). You can also create the group with this PowerShell cmdlet:
  New-ADGroup CorpAPPUsers -Path 'OU=Groups,OU=DE,DC=woshub,DC=com' -GroupScope Global -PassThru -Verbose
- Add the users whose desktops should receive the files via GPO to the group:
  Add-ADGroupMember -Identity CorpAPPUsers -Members asmith, bmuller, tweber
- Open the Group Policy Management Console (gpmc.msc);
- Create a new GPO (CopyCorpApp) and link it to the OU that contains the users’ computers;
- Edit the GPO settings;
- Expand the following Group Policy Preferences section: User Configuration -> Preferences -> Windows Settings -> Files;
If you need to copy files to computers regardless of logged-in users, it’s better to use the same policy in the Computer Configuration section of the GPO.
- Select New -> File;
- Specify the source file in the shared folder and the target path on the computer to which you want to copy the file. If the specified path does not exist, it will be created automatically. Be sure to specify the full name of the target file (if you specify only a target directory, you will receive an “Access Denied” error when copying the file).
You can select a specific file name here or copy all files from the source directory by specifying the wildcard character *;
- There are 4 actions available for copying files using GPOs:
Create – The file is copied to the target directory only if it does not exist there;
Replace – The target file is always replaced with the source file on the user’s computer. If the source file is large, it will be copied every time the GPO is updated, which can lead to high network load. If you want to replace the file only once, enable the ‘Apply once and don’t apply again’ option on the General tab;
Update (the default policy) – If a file already exists and the source and destination files differ, it will not be replaced with the source file (only attributes will be replaced). If the file does not exist, it will be copied;
Delete – Delete the target file.
- You can select a specific folder on the computer as the target directory or use environment variables. To copy files to the current user’s desktop, use %DesktopDir%. You can see the full list of environment variables available in GPP by pressing F3. Here is a list of environment variables that can be used as destination folders when copying files using GPOs:
  %AppDataDir% – current user’s Application Data folder
  %CommonAppdataDir% – Application Data folder for all users
  %CommonDesktopDir% – desktop for all users
  %CommonProgramsDir% – Programs directory for all users
  %CommonStartMenuDir% – Start menu folder for all users
  %CommonStartUpDir% – Startup directory for all users
  %ComputerName% – NetBIOS computer name
  %DesktopDir% – current user’s desktop
  %DomainName% – current domain name
  %LocalTime% – local computer time
  %LogonDomain% – current user’s domain
  %LogonServer% – name of the domain controller on which the user is authenticated
  %LogonUser% – current username
  %NetPlacesDir% – user’s My Network Places directory
  %ProgramFilesDir% – Program Files directory
  %ProgramsDir% – user’s Programs directory
  %RecentDocumentsDir% – user’s Recent Documents directory
  %SendToDir% – user’s Send To directory
  %StartMenuDir% – current user’s Start menu
  %StartUpDir% – current user’s Startup folder
  %SystemDir% – Windows directory
  %SystemDrive% – the drive on which the operating system is installed
  %TempDir% – user’s temp folder
  %WindowsDir% – Windows directory
- To copy files to the desktops of specific users only, open the Common tab in the policy settings, enable the Item-level targeting option, and click Targeting;
- In the next window, you can select more options for how the GPO is applied. In my case, I would like to limit the policy to CorpAPPUsers group members only. To do this, click New Item -> Security Group and specify the domain users group (CorpAPPUsers in this example);
- Since we linked the GPO to an organizational unit that contains computer objects (not user accounts), you need to enable the GPO loopback processing mode. Enable the option Configure user Group Policy loopback processing mode = Merge in Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy;
- Then update the Group Policy settings on the client computers (gpupdate /force, or log off and log on again), and make sure that the two files were automatically copied to the user’s desktop.
In this way, you can copy scripts, application executable files, or system tools (PsTools, iperf, Portqry, etc.) to user computers. You can copy a file to Program Files and place a shortcut to it on the desktop via a GPO.
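Because the source folder feeds executables and scripts to every targeted computer, its ACL is worth checking before the GPO is linked: Authenticated Users need read access, as required above, and only administrators should be able to write. The following is an added example, not part of the original article; the function name Test-GpoFileSourceAcl and the list of trusted writers are assumptions.

```powershell
# Added example. Audits the NTFS ACL of the GPO file source folder.
function Test-GpoFileSourceAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed trusted writers: SYSTEM, BUILTIN\Administrators, CREATOR OWNER.
        # Domain Admins and Enterprise Admins are matched by RID further down.
        [string[]]$TrustedSid = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0')
    )
    # WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions,
    # TakeOwnership, GENERIC_WRITE, GENERIC_ALL (SYSVOL ACEs often carry generic bits)
    $writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
    # ReadData, GENERIC_READ, GENERIC_ALL
    $readMask  = 0x1 -bor 0x80000000 -bor 0x10000000

    $authUsersCanRead = $false
    $findings = foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolved account: keep the raw value
        $rights = [int]$ace.FileSystemRights

        # Only an ACE granted directly to Authenticated Users (S-1-5-11) is counted here
        if ($sid -eq 'S-1-5-11' -and ($rights -band $readMask)) { $authUsersCanRead = $true }

        $trusted = ($TrustedSid -contains $sid) -or ($sid -match '^S-1-5-21-.+-(512|519)$')
        if (($rights -band $writeMask) -and -not $trusted) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    [pscustomobject]@{
        Path                      = $Path
        AuthenticatedUsersCanRead = $authUsersCanRead
        UntrustedWriters          = @($findings)
    }
}

# Source folder used in this article
Test-GpoFileSourceAcl -Path '\\woshub.com\SYSVOL\woshub.com\scripts\CorpApp' | Format-List
```

An empty UntrustedWriters list together with AuthenticatedUsersCanRead = True is the expected result; any identity listed under UntrustedWriters can change what the GPO delivers to the targeted computers.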
If the files are not copied to the users’ computers, you can use the gpresult.exe tool to determine why Group Policy is not being applied. To get detailed logs of GPO file copy operations, you can enable logging under Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy -> Logging and Tracing. Enable the Configure Files preference logging and tracing option and select the Informational, Warnings and Errors mode in the policy settings.
You can now track all events and errors related to copying files via GPO on the client in Event Viewer -> Application Log. Enable a filter by the Group Policy Files source.
In my case, an Event ID 4098 error appeared on a user computer when copying files via GPO:
The user '%CommonDesktopDir%' preference item in the 'CopyCorpApp {GPO_GUID}' Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.
This problem was resolved by granting the Authenticated Users group NTFS read permission on the files in the source directory.
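To find such failures without opening Event Viewer on each client, the events can be pulled and summarized by GPO and error code. This is an added example, not part of the original article; Get-GpoFileCopyFailure is a hypothetical helper name, and the regular expression assumes the English message text shown above.

```powershell
# Added example. Run on a client computer that should have received the files.
function Get-GpoFileCopyFailure {
    param([int]$MaxEvents = 500)

    # Event source and ID as described in the article. Get-WinEvent raises an
    # error when nothing matches, so an empty result is silenced.
    $filter = @{ LogName = 'Application'; ProviderName = 'Group Policy Files'; Id = 4098 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Expected text: ... preference item in the '<GPO name> {GUID}' Group Policy Object
        # did not apply because it failed with error code '0x80070005 Access is denied.'
        if ($e.Message -match "preference item in the '(?<gpo>[^']+)' Group Policy Object.*error code '(?<code>0x[0-9A-Fa-f]+)\s*(?<text>[^']*)'") {
            [pscustomobject]@{
                Time  = $e.TimeCreated
                Gpo   = $Matches.gpo
                Code  = $Matches.code
                Error = $Matches.text.Trim()
            }
        }
    }
}

# One row per GPO and error code, most frequent first
Get-GpoFileCopyFailure |
    Group-Object Gpo, Code |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
```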
How to Copy Folders and Files with a GPO Startup Script?
Note that Group Policy Preferences do not allow you to copy an entire directory with all child subfolders and files. If you need to copy a folder with a large number of files, or you want the contents of the target user folder to always be updated when a file in the source is updated, you can create a simple logon script and run it through a GPO.
Create a GPO startup script to copy all new (and changed) files from the source directory to the users’ computers:
- Create a batch file named CopyCorpApp.bat in SYSVOL:
  REM Create the target folder on the first run only
  IF NOT EXIST "C:\CorpApp" MD "C:\CorpApp"
  REM /e copies subfolders, /d copies only files newer than the existing target copy
  xcopy "\\fs01\Sources\CorpApp\*.*" "C:\CorpApp" /e /y /k /r /d /i
This script copies the entire directory structure and all files with their attributes. Only new or changed files are copied, so if nothing has changed in the source directory, the xcopy command will not overwrite any files when the script runs again. In some cases, it is better to use the more powerful robocopy command to copy files.
- Create a new GPO (as mentioned above) and assign it to the OU with the users’ computers;
- Expand Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown) and select Startup;
- Click the Add button and specify the UNC path to your script in SYSVOL;
- Restart the user’s computer and verify that the source folder was copied successfully.