Create security-enhanced redirected folder - Windows Server (2024)


This article describes how to dynamically create security-enhanced redirected folders or home folders.

Original KB number: 274443

Summary

In Microsoft Windows Server Active Directory, as an administrator, you can customize desktops by using Folder Redirection or assign a server-based home folder. Additionally, you can redirect the following folders by using Active Directory and Group Policy:

  • Application Data
  • Desktop
  • My Documents
  • My Documents/My Pictures
  • Start Menu

You can find more information about Folder Redirection by searching Windows Help for Folder Redirection.

When you redirect folders to a shared location on a network, you need both read and write access to this location so that you can read the contents of these folders. However, in some scenarios, you may not want to grant read access to other users.

Create security-enhanced redirected folders

To make sure that only the user and the domain administrators have permissions to open a particular redirected folder, do the following steps:

  1. Select a central location in your environment where you would like to store Folder Redirection, and then share this folder. In this example, FLDREDIR and HOMEDIR are used.

  2. Set Share Permissions for the Everyone group to Full Control.

  3. Use the following settings for NTFS Permissions:

    • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
    • System - Full Control (Apply onto: This Folder, Subfolders, and Files)
    • Domain Admins - Full Control (Apply onto: This Folder, Subfolders, and Files)
    • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
    • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
    • Everyone - Read Attributes (Apply onto: This Folder Only)
    • Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)
  4. Configure Folder Redirection Policy as outlined in Windows Help. Use a path similar to \\server\FLDREDIR\%username% to create a folder under the shared folder, FLDREDIR.

    You can also configure a home folder "HOMEDIR" in a similar manner by copying a template user with a home folder like \\server\HOMEDIR\%username%, or create the user and folder with that name.

    Note

    For home folders, the scenario isn't common, because when you add the home folder for a user, Active Directory Users and Computers will create the folder. But if you use a custom provisioning, Active Directory Users and Computers doesn't create the folder. Therefore, you have to do it by yourself.

Because the Everyone group has the Create Folder/Append Data right, the group members have the proper permissions to create the folder; however, the members aren't able to read the data afterwards. The Username group is the name of the user that was logged on when you created the folder. Because the folder is a child of the parent folder, it inherits the permissions that you assigned to FLDREDIR. Also, because the user is creating the folder, the user gains full control of the folder because of the Creator Owner Permission setting.
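
Steps 1 to 3 can also be scripted. The following is an added example, not part of the original article: the local path `D:\Shares\FLDREDIR` and the domain name `CONTOSO` are placeholders, and it assumes an elevated PowerShell session on an English-language file server.

```powershell
# Added example. $Path, $Share and $Domain are placeholders; run elevated on the file server.
$Path   = 'D:\Shares\FLDREDIR'
$Share  = 'FLDREDIR'
$Domain = 'CONTOSO'

$CIOI     = 'ContainerInherit, ObjectInherit'   # inherited by subfolders and files
$ThisOnly = 'None'                              # not inherited: this folder only

# One row per ACE from step 3: identity, rights, inheritance flags, propagation flags.
# The four Everyone rights are combined into a single "This Folder Only" ACE.
$Aces = @(
    @('CREATOR OWNER',         'FullControl', $CIOI, 'InheritOnly'),  # Subfolders and Files Only
    @('NT AUTHORITY\SYSTEM',   'FullControl', $CIOI, 'None'),
    @("$Domain\Domain Admins", 'FullControl', $CIOI, 'None'),
    @('Everyone', 'CreateDirectories, ListDirectory, ReadAttributes, Traverse', $ThisOnly, 'None')
)

New-Item -Path $Path -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $Path

# Stop inheriting from the parent folder and drop the inherited ACEs,
# then clear any explicit ACEs so only the entries above remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRuleSpecific($old)
}

foreach ($a in $Aces) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $a[0], $a[1], $a[2], $a[3], 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Step 2: share permissions give Everyone Full Control; NTFS does the restricting.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path -FullAccess 'Everyone' | Out-Null
}

# Review the result: Everyone must show InheritanceFlags = None.
(Get-Acl -Path $Path).Access | Sort-Object IdentityReference |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

If the Everyone entry shows any inheritance flags in the final table, its rights would propagate into the per-user folders, which is the exposure this layout is meant to prevent.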

More information

The article was initially written for Windows Server 2003, and the access control entry (ACE) for CreatorOwner was likely converted to:
<Folder-User> - Full Control (Apply onto: This Folder, Subfolders, and Files)

But there's no proof that this has happened. The earlier versions of the article don't mention the result of the access control list (ACL), and the versions of the operating systems that this article was written for aren't supported any longer.

By the end of May 2017, all supported operating systems converted the ACE to:
<Folder-User> - Full Control (Apply onto: This Object only)

But this doesn't affect the daily operations of the folders for the users. It makes a difference when the administrator has to work on the contents of the home folders or redirected folders.

If you want to make sure that the user gets inheritable full control on all child objects, you have to:

  1. Create the folder that matches the user's sAMAccountName yourself.

  2. Set the permissions that are needed for the folder, omit the Everyone ACEs above, and make sure that you have the ACE:

    <Folder-User> - Full Control (Apply onto: This Folder, Subfolders, and Files)
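
A sketch of this pre-provisioning, followed by a check for folders whose user ACE isn't inheritable. This is an added example, not part of the original article: the root path, the domain name `CONTOSO`, and the account names are placeholders, and it assumes the root folder already grants SYSTEM and Domain Admins inheritable Full Control and carries no Everyone ACEs.

```powershell
# Added example. $Root, $Domain and the account names are placeholders; run elevated.
$Root   = 'D:\Shares\HOMEDIR'
$Domain = 'CONTOSO'
$Users  = 'asmith', 'bjones'          # constructed sAMAccountName values

foreach ($sam in $Users) {
    $folder = Join-Path $Root $sam
    New-Item -Path $folder -ItemType Directory -Force | Out-Null

    # <Folder-User> - Full Control (This Folder, Subfolders, and Files)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$sam", 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $folder
    $acl.SetAccessRule($rule)         # replaces any existing allow ACE for this user
    Set-Acl -Path $folder -AclObject $acl
}

# Audit every folder under the root: report the explicit ACE held by the
# account the folder is named after, and whether children inherit it.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $dir = $_
    $id  = "$Domain\$($dir.Name)"
    $ace = (Get-Acl -Path $dir.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $id -and -not $_.IsInherited } |
        Select-Object -First 1
    [pscustomobject]@{
        Folder      = $dir.Name
        UserAce     = [bool]$ace
        Rights      = if ($ace) { $ace.FileSystemRights } else { $null }
        # "This Object only" ACEs have InheritanceFlags = None
        Inheritable = [bool]($ace -and $ace.InheritanceFlags -ne 'None')
    }
} | Format-Table -AutoSize
```

Folders that the system created through the CREATOR OWNER entry appear with `Inheritable` set to `False`, matching the "This Object only" result described above.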

References

For more information, see Folder Redirection Overview.


FAQs

How to dynamically create security enhanced redirected folders or home folders?

Create security-enhanced redirected folders

Select a central location in your environment where you would like to store Folder Redirection, and then share this folder. In this example, FLDREDIR, and HOMEDIR are used. Set Share Permissions for the Everyone group to Full Control.

How do I create a Folder Redirection security group?

Open the Group Policy Management Console (GPMC) in Server Manager by navigating to Tools > Group Policy Management. Then create a new Group Policy object by right-clicking and selecting New. In this case, create a new Group Policy object called "Folder Redirection Policy".

What are the best practices for Folder Redirection permissions?

For optimal performance of the Folder Redirection feature, it is strongly recommended that you create only the root share on the server, and then let the system create the folders for each user. If you must create the folders for users, ensure that you correctly assign permissions.

How do I optimize Folder Redirection?

Under User Configuration, navigate to Policies, then Administrative Templates, then System, then Folder Redirection. Right-click Enable optimized move of contents in Offline Files cache on Folder Redirection server path change, and then select Edit. Select Enabled, and then select OK.

What is the difference between basic and advanced Folder Redirection?

There are normally two settings, Basic and Advanced. Basic – This setting applies the folder redirection to all users to whom the Group Policy applies. Advanced – This setting applies to select users and can apply different settings to different user groups. These folders are normally contained in your profile.

What is the difference between Profile path and home folder?

The profile path is the location of the user's user profile. The "Home" path may be the same, but it could be set to another location (via the user account properties).

What is the best practice for setting folder permissions in Windows server?

Set permissions at the highest level: Set permissions at the top level of your folder structure and let them propagate down to reduce the amount of permissions you need to manage. Avoid breaking inheritance: Do not break permission inheritance unless absolutely necessary.

Is Folder Redirection a good idea why or why not?

Folder Redirection allows saving data regardless of storage location and separates user data from profile data decreasing the time required to log on. Other advantages include: Data is stored on a server where it can be backed up.

What is the best redirect method?

301 moved permanently

301 refers to the HTTP status code for this type of redirect. In most instances, the 301 redirect is the best method for implementing redirects on a website.

How to configure Folder Redirection in Windows server 2016?

Open User Configuration > Policies > Windows Settings > Folder Redirection. Right-click Documents and click Properties. Choose Basic - Redirect everyone's folder to the same location. Under Target folder location choose Create a folder for each user under the root path.

How do I make redirect faster?

When a redirect must be used, use a single redirect instead of a chain of several redirects for a faster response. For instance, a redirect chain such as http://example.com → https://example.com → https://www.example.com can be common when redirect rules haven't been optimised.

How do you tell if a folder is redirected?

How to verify that folder redirection works
  1. In a session, navigate to a folder you directed, right-click the folder, and then select Properties.
  2. In the properties window, navigate to the Shortcut tab and then check the Target field. If the field displays a redirected path, folder redirection works.

How do I create a dynamic folder?

Click the Dynamic Folders button in the Administration menu to display your Dynamic Folders list. To create a new top-level Dynamic Folder, select Add Dynamic Folder and enter the folder name in the Dynamic Folder Name field. This will be the name of the Dynamic Folder structure.

What is home folder vs Folder Redirection?

A home folder is not the same as folder redirection. Although both reflect the designation of a centralized storage location for user data, there are some key differences. A home folder is a shared drive designation that maps at logon and enables the user to store personal files.

How do I create a redirected drive and folder?

Right-click a folder that you want to redirect (for example, Documents), and then select Properties. In the Properties dialog box, from the Settings box, select Basic - Redirect everyone's folder to the same location.

How to create a security group in Active Directory for folder access?

Add a Group
  1. Open the Start menu and search for "Active Directory Users and Computers." Press Enter.
  2. Navigate to your OU.
  3. Click Action, then New, and then Group.
  4. Enter a name for the group. ...
  5. Keep the default Global Security options.

Article information

Author: Pres. Lawanda Wiegand
