Things to Consider with Folder Redirection

Folder Redirection is a feature available on Microsoft Windows operating systems that allows a user or an administrator to change the location where the user’s “main folders” actually store their files.

For example, %USERPROFILE%\Documents may point to \\FILESERVER\HOMES\%USERNAME%\Documents instead.

It’s an especially nice feature for administrators to use, since they can now force* their users to save their files on a network share that’s included in the backup plan.

* You can’t really force users to do so, life always finds a way. But you can make it more convenient and transparent for users.

In this article, I’m taking on the role of a system administrator setting up Folder Redirection for my users through Group Policies, and going over some important things to consider or be reminded of.

Permissions

You probably want to end up with a logical directory structure like this, am I right?

\\FILESERVER\HOMES\John\Documents
\\FILESERVER\HOMES\Claire\Pictures

And you don’t want John or Claire to be able to access the other’s files and folders, right?

Your home folders might be properly set up, but what about new users connecting? Also, the Group Policy setting that configures Folder Redirection has an option, enabled by default, that sets the user permissions automatically:

“Grant the user exclusive rights” is enabled by default, but causes wonky permissions.

This may sound good in theory, but in practice those permissions seem wonky. There are even PowerShell scripts to automatically fix them on logon. An easier way to do this would be to simply set up the correct NTFS permissions on the root “homes” folder and let inheritance do all the heavy lifting.

The permission settings below allow a user to create his/her home directory and provide read and write access only to their home folder (because they’re the owner of that folder).

Note: replace Usergroup with the appropriate security group for your organisation.

NTFS Permissions on “homes”:

  • CREATOR OWNER — Full Control (Apply onto: Subfolders and Files Only)
  • System — Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins — Full Control (Apply onto: This Folder, Subfolders and Files)
  • Usergroup — Create Folders / Append Data, List Folder / Read Data, Read Attributes, Traverse Folder / Execute File (Apply onto: This Folder Only)

Share Permissions on “homes”:

Don’t forget the share permissions on the homes root directory. Usergroup needs to be able to read and write to the share (Full Control). Let NTFS permissions handle the specifics.
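The NTFS and share permissions listed above can be applied in one pass with PowerShell. This is an added example, not part of the original article; the local path, share name and the EXAMPLE\ domain and group names are placeholders, and it assumes a new, empty “homes” root on the file server and an elevated session.

```powershell
# Added example. Placeholders (assumptions): local path of the "homes" root,
# the share name, and the domain/group names.
$Root      = 'D:\Shares\homes'
$ShareName = 'homes'
$UserGroup = 'EXAMPLE\Usergroup'
$Admins    = 'EXAMPLE\Domain Admins'

function New-AllowRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$all = 'ContainerInherit,ObjectInherit'
$rules = @(
    # Subfolders and Files Only: whoever creates a folder gets Full Control on it
    (New-AllowRule 'CREATOR OWNER' 'FullControl' $all 'InheritOnly')
    # This Folder, Subfolders and Files
    (New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' $all 'None')
    (New-AllowRule $Admins 'FullControl' $all 'None')
    # This Folder Only: users may create their own folder, nothing is inherited
    (New-AllowRule $UserGroup 'CreateDirectories,ListDirectory,ReadAttributes,Traverse' 'None' 'None')
)

# Build a fresh DACL so nothing is inherited from the parent volume.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $Root -AclObject $acl

# Share permissions: Full Control for the user group, NTFS does the rest.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $UserGroup -AccessRight Full -Force | Out-Null
}

# Review the result: Usergroup must show no inheritance flags.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

With “Grant the user exclusive rights” switched off in the policy, a new user’s folder then gets its access only from the CREATOR OWNER, System and Domain Admins entries.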

Moving Folders

What if a user has a Documents folder on their local PC, but also one in their home folder? Some files are different, some are the same. What is the behavior that happens when you shove Folder Redirection down their throat?

I did some experimenting and came to the following conclusion: Files and folders are merged between source and target folders in a “best effort” kind of way. Meaning that if there is a file1.txt at the source, and a file2.txt at the target, the result after merge will be a folder with both file1.txt and file2.txt. However, files with the same filename will result in the file at the target folder getting priority and the file at the source folder getting removed. Take backups and inform your users of this behavior if they have folders at both locations!
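To find out before the policy applies which files would be affected by that merge behavior, the local folder can be compared with the target. The following is an added example, not part of the original article; the function name and the backup path are hypothetical, and the paths follow the example earlier on this page.

```powershell
# Added example: list files that exist at the same relative path in both the
# local folder and the redirection target. Per the behavior observed above, the
# local (source) copy of such a file is the one that gets removed.
function Get-RedirectionCollision {
    param(
        [Parameter(Mandatory)][string]$Source,   # e.g. %USERPROFILE%\Documents
        [Parameter(Mandatory)][string]$Target    # e.g. \\FILESERVER\HOMES\<user>\Documents
    )
    $src = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')
    $tgt = (Resolve-Path -LiteralPath $Target).ProviderPath.TrimEnd('\')

    Get-ChildItem -LiteralPath $src -Recurse -File -Force | ForEach-Object {
        $relative = $_.FullName.Substring($src.Length + 1)
        $other    = Join-Path $tgt $relative
        if (Test-Path -LiteralPath $other -PathType Leaf) {
            $srcHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $tgtHash = (Get-FileHash -LiteralPath $other -Algorithm SHA256).Hash
            [pscustomobject]@{
                RelativePath   = $relative
                Identical      = ($srcHash -eq $tgtHash)
                SourceModified = $_.LastWriteTime
                TargetModified = (Get-Item -LiteralPath $other).LastWriteTime
                SourcePath     = $_.FullName
            }
        }
    }
}

$source = Join-Path $env:USERPROFILE 'Documents'
$target = "\\FILESERVER\HOMES\$env:USERNAME\Documents"
$backup = 'C:\RedirectionBackup'                 # hypothetical backup location

# Only same-named files with different content lose data; identical ones do not.
$atRisk = Get-RedirectionCollision -Source $source -Target $target |
    Where-Object { -not $_.Identical }

foreach ($file in $atRisk) {
    $dest = Join-Path $backup $file.RelativePath
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Copy-Item -LiteralPath $file.SourcePath -Destination $dest
}
$atRisk | Format-Table RelativePath, SourceModified, TargetModified -AutoSize
```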

Transferring Data

Consider this scenario: Most of your users have a Documents folder of a few megabytes. A few of them however, store everything in there, and their Documents folder is in the tens or hundreds of gigabytes. And that’s just the Documents folder. If you’ve got users storing their photos and music library on their computer, this adds up very quickly.

Think about what you’re planning on doing in terms of data logistics and plan accordingly. A list of considerations:

  • Some users might not be aware of what it is you’re trying to achieve. Inform them that their data will be moved to the server and explain your reasoning behind it, including why they can’t store specific data in one location and should store other specific data in another location. This should become part of your IT Policy rules.
  • You’ll be transferring a lot of data over the network, possibly twice if you’ve got Offline folders enabled. You’ll also be needing a lot more storage space. Do the math or at least get a decent estimate of how much storage space you’ll be needing, including room for expansion.
  • When will the files be transferred? Good question. The answer is: At the next logon after the relevant Group Policy has been applied. The desktop will only show once all relevant files and folders have been transferred.
    This can take several minutes on a system with a fast link to the storage array and limited amounts of data. It can take forever on a system with a slow or unreliable link to the storage array and huge amounts of data.
    Plan accordingly! Apply Folder Redirection to a few users at a time, and only when they have a proper link access (like when they’re in the office).
    Also inform users that their next login might take a while, and make sure they don’t reboot at that time or they might lose data.

There must be a lot more things I’m forgetting, but I hope that I might have triggered a few “Oh yeah, I didn’t think of that!” moments for other ITers messing around with Folder Redirection. Let me know in the comments if it did.