Folder Redirection

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Folder Redirection

In Group Policy Object Editor, you can use Folder Redirection to redirect certain special folders to network locations. Special folders are those folders, such as My Documents and My Pictures, that are located under Documents and Settings. Folder Redirection is located under User Configuration in the console tree of Group Policy Object Editor.

There are several basic options for Folder Redirection. For each basic option, there is an advanced version of that option. The advanced version provides for finer control by allowing redirection that is based on security group membership. For more information about specific procedures, see Use Folder Redirection. The following table describes the different folder redirection options that are available to you.

Special folder Notes

Application Data

A Group Policy setting controls the behavior of Application Data when client-side caching is enabled. Look in User Configuration\Administrative Templates\Network\Offline Files in the console tree of Group Policy Object Editor.

Desktop

Desktop can be redirected independently of all the other special folders.

My Documents

My Documents is the default location in the shell for users to save their documents and pictures.

My Documents\My Pictures

My Pictures can be redirected independently of My Documents, or it can be made to follow My Documents (to remain its subfolder whenever My Documents is redirected), as it does by default. The default behavior is recommended unless you have a specific reason (such as server scalability) for separating My Pictures from My Documents. If these folders are separated, a shortcut takes the place of the My Pictures folder in My Documents.

Start Menu

When Start Menu is redirected, its subfolders always follow.

Caution

  • When creating a shared folder redirection directory, limit access to only those users that need access. Redirected folders can contain personal information such as confidential documents and EFS certificates, care should be taken to protect access to the shared folder. Restrict access to the shared folder to only those users that need access. You can also create a security group for users that require permissions for a particular shared folder, and limit access to only those users.

    When creating the shared folder, hide it by putting a $ after the share name. This hides the shared folder from casual browsers, and it will not be visible in My Network Places.

Advantages of redirecting My Documents

Some of the following benefits pertain to redirecting any folder, but redirecting My Documents can be particularly advantageous because this folder tends to become large over time.

  • When roaming user profiles are used, only the network path to the My Documents folder is part of the roaming user profile, not the My Documents folder. Therefore, its contents do not have to be copied back and forth between the client computer and the server each time the user logs on or off, and the process of logging on or off can be much faster than it was in Windows NT 4.0.

  • Even if a user logs on to various computers on the network, his or her documents are always available.

  • Offline File technology gives users access to My Documents even when they are not connected to the network. This is particularly useful for people who use portable computers. For more information, see Make a file or folder available offline.

  • Data that is stored in a shared network folder can be backed up as part of routine system administration. This is safer because it requires no action on the part of the user.

  • As an administrator, you can use Group Policy to set disk quotas, limiting the amount of space that is taken up by users' special folders.

  • Data that is specific to a user can be redirected to a different hard disk on the user's local computer from the hard disk that holds the operating system files. This makes the user's data safer if the operating system is reinstalled.

For tips about using Folder Redirection, see Best practices for Folder Redirection.

Granting exclusive rights to special folders

The Settings tab in each folder's properties dialog box contains a check box labeled Grant the user exclusive rights to My Documents. If you select this check box, the user and the local system have full control over the folder, and no one else, not even the administrator, has any rights to it. If you clear this check box, no changes are made to the permissions on the folder. Whatever permissions are in effect by default remain in effect.

Policy removal considerations with regard to Folder Redirection

The following table summarizes what happens to redirected folders and their contents when the Group Policy object no longer applies.

Move the contents of the special folder to the new location setting Policy Removal option Results when policy is removed

Enabled

Redirect the folder back to the user profile location when policy is removed

  • The special folder returns to its user profile location.

  • The contents are copied, not moved, back to the user profile location.

  • The contents are not deleted from the redirected location.

  • The user continues to have access to the contents, but only on the local computer.

Disabled

Redirect the folder back to the user profile location when policy is removed

  • The special folder returns to its user profile location.

  • The contents are not copied or moved to the user profile location.

Caution

  • If the contents of a folder are not copied to the user profile location, the user cannot see them.



Either Enabled or Disabled

Leave the folder in the new location when policy is removed

  • The special folder remains at its redirected location.

  • The contents remain at the redirected location.

  • The user continues to have access to the contents at the redirected folder.

Folder Redirection and Offline Files

The Offline Files technology applies to any mounted or mapped drive that contains documents or data that a user might want to use offline. Offline Files does not depend on Folder Redirection. It is set up and configured on shared network servers separately from the Folder Redirection snap-in. Offline Files enables the user to do useful work even when the user is not connected to the network, for example, on a portable computer or in the event of router failure. For more information, see Offline Files.

If you use redirected folders of any type, it is recommended that you set up Offline Files as described in the following table.

Special Folder Offline File configuration

My Documents

Autocaching for documents (or manual caching for documents, if you want users to have to manually make files and folders available for offline use)

My Pictures

Autocaching for documents (or manual caching for documents, if you want users to have to manually make files and folders available for offline use)

Application Data

Autocaching for programs

Desktop

Autocaching for programs if the desktop is Read Only

Start Menu

Autocaching for programs

Folder Redirection permissions

This is an advanced topic. If you let Folder Redirection create folders for you, which is the recommended procedure, correct permissions are set automatically. Usually, knowledge of these permissions is not necessary. However, there are two reasons the permissions might be of interest:

  • Sometimes, even though it is not recommended, administrators create the redirected folders before Folder Redirection creates them. The following table shows what permissions have to be set for Folder Redirection to work.

  • Redirection of My Documents to the home directory provides more relaxed security than standard folder redirection. The following table shows what security is in effect in the standard case.

    NTFS permissions required for the root folder

    User account Folder Redirection defaults Minimum permissions needed

    Creator/owner

    Full Control, this folder, subfolders, and files

    Full Control, this folder, subfolders, and files

    Administrators

    No permissions

    No permissions

    Everyone

    No permissions

    No permissions

    Local System

    Full Control, this folder, subfolders, and files

    Full Control, this folder, subfolders, and files

    Security group of users who need to put data on the shared network server

    N/A

    List Folder/Read Data, Create Folders/Append Data - This folder only

    Share-level (SMB) permissions required for the root folder

    User Account Folder Redirection defaults Minimum permissions needed

    Everyone

    Full Control

    No permissions (Use security group)

    Security group of users who need to put data on the shared network server

    N/A

    Full Control

    NTFS permissions required for each user's redirected folder

    User account Folder Redirection defaults Minimum permissions needed

    UserName

    Full Control, owner of folder

    Full Control, owner of folder

    Local System

    Full Control

    Full Control

    Administrators

    No permissions

    No permissions

    Everyone

    No permissions

    No permissions