How To Configure Folder Redirection
How to use Group Policy to redirect the "Desktop", "My Documents", "Start Menu" and "Application Data" folders.
Published: Aug 22, 2007
Introduction
Folder redirection can limit the amount of data that is copied between the Roaming Profile Share and the Terminal Server at each logon
and logoff. This is accomplished by redirecting folders like Desktop, My Documents, and Application Data to a Network Share outside
of the Roaming Profile Share, so it is not copied at each logon and logoff.
Folder redirection can also provide locked down Desktop and Start Menu Folders by redirecting to Network Shares from which the end
users can only read, or it can be set up so users' individual Start Menu and Desktop folders reside on a File Share instead of being
copied back and forth with the rest of the roaming profile. This reduces the amount of data being transferred at each logon/logoff and
provides a more stable environment for users that log on to multiple terminal server sessions at the same time. This is because there is
no risk of data loss by one copy of the roaming profile’s Desktop Folder overwriting a previously saved copy, as they are always
referring to the directory on the file share, not to a local profile folder.
Before we dig into configuring Folder Redirection, let’s review how to configure Group Policies for use with Terminal Services. Best
Practice for applying Settings to Users only when they log on to Terminal Servers would be to:
2. Block Policy Inheritance on the OU (Properties -> Group Policy). This prevents settings from higher-up in AD from affecting
your Terminal Servers.
3. Move the Terminal Server Computer Objects into the OU. Do NOT place User Accounts in this OU.
4. Create an Active Directory Security Group called “Terminal Servers” (or something similar that you’ll recognize) and add
the Terminal Servers from this OU to this group.
8. Edit the Security of the Policy so Apply Policy is set for “Authenticated Users” and the Security Group containing the
Terminal Servers.
9. Create additional GPOs linked to this OU for each user population, i.e. “TS Users”, “TS Administrators”.
11. Edit the Security on these User Configuration GPOs so Apply Policy is enabled for the target user population, and Deny
Apply Policy is enabled for users to which the policy should not apply.
With GPOs configured this way the Machine Policy applies to everyone that logs on to the Terminal Server (only the Computer
Configuration Settings of the Machine Policy are processed) in addition to the appropriate User Configuration GPO (only the User
Configuration portion of the GPO is processed) for the target user population.
Since Folder Redirection is in the User Configuration portion of a GPO, one can create multiple different policies and apply one to each
distinct user population by filtering the security settings in the properties of the GPO. This allows administrators to redirect some users'
folders to pre-configured directories that the users do not have sufficient NTFS Permission to alter, and to redirect other users to
folders that are self-maintained.
Folder Redirection settings are located in User Configuration -> Windows Settings -> Folder Redirection. In that node one will
find:
To configure an item, right-click and select “Properties”. This exposes the configuration UI for the specified folder. In a single GPO
one can either configure the folder to redirect to a specified location for all users to which the GPO applies, or one can configure the
folder to redirect to a specified location based upon group membership.
For folder redirection to work properly, the NTFS and Share Permissions on the destination shared folder must be properly configured. If
redirecting a folder to a location that the end user should not change, i.e. the Start Menu or Locked Down Desktop, the following
permissions should be applied:
Share Permissions:
o Everyone – Full Control
o Administrators – Full Control
o System – Full Control
NTFS Permissions:
o Everyone – Read and Execute
o Administrators – Full Control
o System – Full Control
If Group Policy is configured to redirect to a location where the GPO will automatically create the destination folder, i.e. a user’s individual
Application Data, Desktop or My Documents folders, the following permissions should be applied to the parent folder:
Share Permissions:
o Everyone – Full Control
o Administrators – Full Control
o System – Full Control
NTFS Permissions:
o Everyone - Create Folder/Append Data (This Folder Only)
o Everyone - List Folder/Read Data (This Folder Only)
o Everyone - Read Attributes (This Folder Only)
o Everyone - Traverse Folder/Execute File (This Folder Only)
o CREATOR OWNER - Full Control (Subfolders and Files Only)
o System - Full Control (This Folder, Subfolders and Files)
o Domain Admins - Full Control (This Folder, Subfolders and Files)
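The NTFS list above for the parent folder can be applied and then checked from PowerShell. This is an added example, not part of the original article; the folder path D:\Redirected and the domain name CONTOSO are placeholders to replace with your own values.

```powershell
# Added example. $Root and $DomainAdmins are placeholders, not values from the article.
$Root         = 'D:\Redirected'           # hypothetical parent folder behind the share
$DomainAdmins = 'CONTOSO\Domain Admins'   # placeholder domain name

function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    # PowerShell converts the strings to the FileSystemRights / InheritanceFlags /
    # PropagationFlags / AccessControlType enums expected by the constructor.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

$rules = @(
    # "This Folder Only": no inheritance flags, so a user can create a folder here
    # but receives nothing on folders created by other users.
    (New-AllowRule 'Everyone' 'CreateDirectories, ListDirectory, ReadAttributes, Traverse' 'None' 'None'),
    # "Subfolders and Files Only": inherit-only, so it lands on what each user creates.
    (New-AllowRule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'),
    # "This Folder, Subfolders and Files"
    (New-AllowRule 'SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'),
    (New-AllowRule $DomainAdmins 'FullControl' 'ContainerInherit, ObjectInherit' 'None')
)

$acl = Get-Acl -Path $Root
# Stop inheriting from the volume root and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Remove existing explicit entries so only the four rules above remain.
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Root -AclObject $acl

# Check: list any entry for a broad group that propagates to child folders.
# With the rules above applied, this prints nothing.
(Get-Acl -Path $Root).Access | Where-Object {
    $_.IdentityReference.Value -match 'Everyone|Users$' -and
    $_.InheritanceFlags -ne 'None'
} | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Run it from an elevated session under an account that is a member of the group given in $DomainAdmins, otherwise the account loses access to the folder once inheritance is removed.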
It’s important to note that when redirecting folders such as My Documents to a location that already exists, i.e. the User’s Home Folder,
there is another setting to consider: ownership. If the user is not the owner of the destination directory, folder redirection will fail with the
default Folder Redirection settings. When this is the case, one must deselect “Grant the user exclusive rights to My Documents”.
If this is not configured, folder redirection will fail and the following will be written to the Terminal Server’s Event Log:
Description:
Failed to perform redirection of folder foldername. The new directories for the redirected folder could not be created. The folder is
configured to be redirected to \\servername\sharename\%username%, the final expanded path was
\\servername\sharename\username. The following error occurred:
Access is denied.
Notes:
o User Configuration Settings in Group Policy take effect upon the first logon after the policy is saved and replicated to the user’s
logon server.
o Computer Configuration Settings in Group Policy take effect when the machine boots and logs on to Active Directory. With this in
mind, one needs to reboot a terminal server before Computer Configuration setting changes will be applied.
o Folder Redirection does not exist in Local Policy. If one wants to redirect folders without using Active Directory they should
investigate redirecting folders by editing the registry at:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
o If redirecting the Start Menu, one should be aware that by default, users who right-click the Start Button and choose Explore will explore
starting at the redirected folder’s network location, even if you have restricted access to My Network Places. To avoid this, one
can edit the following registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"DriveLetter:\\\", DriveLetter:\\, %S)]"
Summary
Folder Redirection is a powerful and fairly flexible set of configuration settings in group policy. As with anything in Group Policy, settings
should be tested in a controlled environment, and piloted with a small set of users before deploying to a production environment.