Folder Redirection
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Folder Redirection
In Group Policy Object Editor, you can use Folder Redirection to redirect certain special folders to network locations. Special folders are those folders, such as My Documents and My Pictures, that are located under Documents and Settings. Folder Redirection is located under User Configuration in the console tree of Group Policy Object Editor.
There are several basic options for Folder Redirection. For each basic option, there is an advanced version of that option. The advanced version provides for finer control by allowing redirection that is based on security group membership. For more information about specific procedures, see Use Folder Redirection. The following table describes the different folder redirection options that are available to you.
| Special folder | Notes |
|---|---|
Application Data |
A Group Policy setting controls the behavior of Application Data when client-side caching is enabled. Look in User Configuration\Administrative Templates\Network\Offline Files in the console tree of Group Policy Object Editor. |
Desktop |
Desktop can be redirected independently of all the other special folders. |
My Documents |
My Documents is the default location in the shell for users to save their documents and pictures. |
My Documents\My Pictures |
My Pictures can be redirected independently of My Documents, or it can be made to follow My Documents (to remain its subfolder whenever My Documents is redirected), as it does by default. The default behavior is recommended unless you have a specific reason (such as server scalability) for separating My Pictures from My Documents. If these folders are separated, a shortcut takes the place of the My Pictures folder in My Documents. |
Start Menu |
When Start Menu is redirected, its subfolders always follow. |
Caution
When creating a shared folder redirection directory, limit access to only those users that need access. Redirected folders can contain personal information such as confidential documents and EFS certificates, care should be taken to protect access to the shared folder. Restrict access to the shared folder to only those users that need access. You can also create a security group for users that require permissions for a particular shared folder, and limit access to only those users.
When creating the shared folder, hide it by putting a $ after the share name. This hides the shared folder from casual browsers, and it will not be visible in My Network Places.
Advantages of redirecting My Documents
Some of the following benefits pertain to redirecting any folder, but redirecting My Documents can be particularly advantageous because this folder tends to become large over time.
When roaming user profiles are used, only the network path to the My Documents folder is part of the roaming user profile, not the My Documents folder. Therefore, its contents do not have to be copied back and forth between the client computer and the server each time the user logs on or off, and the process of logging on or off can be much faster than it was in Windows NT 4.0.
Even if a user logs on to various computers on the network, his or her documents are always available.
Offline File technology gives users access to My Documents even when they are not connected to the network. This is particularly useful for people who use portable computers. For more information, see Make a file or folder available offline.
Data that is stored in a shared network folder can be backed up as part of routine system administration. This is safer because it requires no action on the part of the user.
As an administrator, you can use Group Policy to set disk quotas, limiting the amount of space that is taken up by users' special folders.
Data that is specific to a user can be redirected to a different hard disk on the user's local computer from the hard disk that holds the operating system files. This makes the user's data safer if the operating system is reinstalled.
For tips about using Folder Redirection, see Best practices for Folder Redirection.
Granting exclusive rights to special folders
The Settings tab in each folder's properties dialog box contains a check box labeled Grant the user exclusive rights to My Documents. If you select this check box, the user and the local system have full control over the folder, and no one else, not even the administrator, has any rights to it. If you clear this check box, no changes are made to the permissions on the folder. Whatever permissions are in effect by default remain in effect.
Policy removal considerations with regard to Folder Redirection
The following table summarizes what happens to redirected folders and their contents when the Group Policy object no longer applies.
| Move the contents of the special folder to the new location setting | Policy Removal option | Results when policy is removed |
|---|---|---|
Enabled |
Redirect the folder back to the user profile location when policy is removed |
|
Disabled |
Redirect the folder back to the user profile location when policy is removed |
Caution
|
Either Enabled or Disabled |
Leave the folder in the new location when policy is removed |
|
Folder Redirection and Offline Files
The Offline Files technology applies to any mounted or mapped drive that contains documents or data that a user might want to use offline. Offline Files does not depend on Folder Redirection. It is set up and configured on shared network servers separately from the Folder Redirection snap-in. Offline Files enables the user to do useful work even when the user is not connected to the network, for example, on a portable computer or in the event of router failure. For more information, see Offline Files.
If you use redirected folders of any type, it is recommended that you set up Offline Files as described in the following table.
| Special Folder | Offline File configuration |
|---|---|
My Documents |
Autocaching for documents (or manual caching for documents, if you want users to have to manually make files and folders available for offline use) |
My Pictures |
Autocaching for documents (or manual caching for documents, if you want users to have to manually make files and folders available for offline use) |
Application Data |
Autocaching for programs |
Desktop |
Autocaching for programs if the desktop is Read Only |
Start Menu |
Autocaching for programs |
Folder Redirection permissions
This is an advanced topic. If you let Folder Redirection create folders for you, which is the recommended procedure, correct permissions are set automatically. Usually, knowledge of these permissions is not necessary. However, there are two reasons the permissions might be of interest:
Sometimes, even though it is not recommended, administrators create the redirected folders before Folder Redirection creates them. The following table shows what permissions have to be set for Folder Redirection to work.
Redirection of My Documents to the home directory provides more relaxed security than standard folder redirection. The following table shows what security is in effect in the standard case.
NTFS permissions required for the root folder
User account Folder Redirection defaults Minimum permissions needed Creator/owner
Full Control, this folder, subfolders, and files
Full Control, this folder, subfolders, and files
Administrators
No permissions
No permissions
Everyone
No permissions
No permissions
Local System
Full Control, this folder, subfolders, and files
Full Control, this folder, subfolders, and files
Security group of users who need to put data on the shared network server
N/A
List Folder/Read Data, Create Folders/Append Data - This folder only
Share-level (SMB) permissions required for the root folder
User Account Folder Redirection defaults Minimum permissions needed Everyone
Full Control
No permissions (Use security group)
Security group of users who need to put data on the shared network server
N/A
Full Control
NTFS permissions required for each user's redirected folder
User account Folder Redirection defaults Minimum permissions needed UserName
Full Control, owner of folder
Full Control, owner of folder
Local System
Full Control
Full Control
Administrators
No permissions
No permissions
Everyone
No permissions
No permissions