Folder Redirection permissions and GPO (2024)


-March 18, 2019


Folder Redirection allows you to store your users' documents on a file server rather than on their workstations. As a result, users can easily access their files from any machine.

This guide will show you how to securely configure folder redirection. This configuration will ensure that users only have access to their own folders.

Create Share

Create a share with the following settings:

  • Folder Name: RedirectedFolders
  • Sharing permissions
    • Everyone - Full Control
    • Authenticated Users - Full Control


  • NTFS Folder Security permissions
    • This script will set the permissions for you
    • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
    • System - Full Control (Apply onto: This Folder, Subfolders and Files)
    • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
    • ACL_RedirectedFolders_FullControl - Full Control (Apply onto: This Folder, Subfolders and Files)
      • (Optional) Creating this group will allow you (or your helpdesk) to access all of the users' documents without getting the UAC prompt, which adds an explicit permission on folders.


    • Domain Users (Apply onto: This Folder Only)
      • Create Folder/Append Data
      • List Folder/Read Data
      • Read Attributes
      • Traverse Folder/Execute File
      • Read permissions
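The permissions listed above, applied with PowerShell on the file server. This is an added example, not the script the original post links to; the path `D:\Shares\RedirectedFolders` and the domain name `CONTOSO` are placeholders, and the optional group is assumed to exist already.

```powershell
# Added example with assumed values; run elevated on the file server.
$Path   = 'D:\Shares\RedirectedFolders'   # assumed local path of the share root
$Domain = 'CONTOSO'                       # placeholder NetBIOS domain name

$all  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$this = [System.Security.AccessControl.InheritanceFlags]::None
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
# Root-only rights that let a user create and reach their own subfolder
$userRights = [System.Security.AccessControl.FileSystemRights]'CreateDirectories, ListDirectory, ReadAttributes, Traverse, ReadPermissions'

# Prop = InheritOnly corresponds to "Subfolders and Files Only"
$entries = @(
    @{ Id = 'CREATOR OWNER';         Rights = $full;       Inherit = $all;  Prop = 'InheritOnly' }
    @{ Id = 'NT AUTHORITY\SYSTEM';   Rights = $full;       Inherit = $all;  Prop = 'None' }
    @{ Id = "$Domain\Domain Admins"; Rights = $full;       Inherit = $all;  Prop = 'None' }
    # Optional group from the list above; delete this line if you did not create it
    @{ Id = "$Domain\ACL_RedirectedFolders_FullControl"; Rights = $full; Inherit = $all; Prop = 'None' }
    @{ Id = "$Domain\Domain Users";  Rights = $userRights; Inherit = $this; Prop = 'None' }
)

New-Item -ItemType Directory -Path $Path -Force | Out-Null
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }   # drop explicit ACEs

foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $e.Id, $e.Rights, $e.Inherit,
        [System.Security.AccessControl.PropagationFlags]$e.Prop,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share permissions from the list above (skip if the share already exists)
New-SmbShare -Name 'RedirectedFolders' -Path $Path -FullAccess 'Everyone', 'NT AUTHORITY\Authenticated Users'

# Read back: an inheritable Domain Users ACE would reach into every user's folder
$leaks = (Get-Acl -Path $Path).Access | Where-Object {
    $_.IdentityReference.Value -like '*\Domain Users' -and $_.InheritanceFlags -ne 'None'
}
if ($leaks) { Write-Warning "Domain Users ACE on $Path is inheritable; users could read each other's folders." }
else { Write-Output "Domain Users ACE on $Path applies to this folder only." }
```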


Create GPO

  1. Create a GPO called Folder Redirection
    1. Computer Configuration/System/Group Policy/Configure folder redirection policy processing
      1. Enabled
      2. Process even if the Group Policy objects have not changed
      3. This will ensure that the redirection is always going to the correct location. It is also very useful when you are changing the path from one server to another.
    2. User Configuration/Windows Settings/Folder Redirection
      1. Redirect the following folders:
        1. Desktop
        2. Documents
        3. Pictures
        4. Favorites
        5. Downloads
          1. Basic - Redirect everyone's folder to the same location
          2. Create a folder for each user under the root path


          3. Disable "Grant the user exclusive rights to X"
          4. Enable "Move contents of Desktop to the new location"


  2. Apply GPOs to OUs


Comments

  1. Unknown, November 11, 2020 at 5:25 PM

    Hello, thank you for this how-to. The only issue I have noticed with this is that if the admin places any files into their folders the actual user/owner of the redirected folders does not automatically receive rights to that file. I tried this with folders and the owner gets rights but contained files placed by an admin the owner does not receive rights. Is this expected or a known issue?


    Replies

    1. jcwrks, October 13, 2022 at 9:35 AM

      Per Microsoft you would Add Everyone or use instead of Domain Users above.

      https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/create-security-enhanced-redirected-folder

      Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
      Everyone - List Folder/Read Data (Apply onto: This Folder Only)
      Everyone - Read Attributes (Apply onto: This Folder Only)
      Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

