Folder Redirection permissions and GPO
Have an issue you can't solve? I offer consulting engagements and can be reached here: consulting[а𝐭]amorales[․]org
Folder Redirection allows you to store your users' documents on a file server rather than on their workstations. This results in users being able to easily access their files on any machine.
This guide will show you how to securely configure folder redirection. This configuration will ensure that users only have access to their own folders.
Create Share
Create a share with the following settings:
- Folder Name: RedirectedFolders
- Sharing permissions
- Everyone - Full Control
- Authenticated Users - Full Control
- NTFS Folder Security permissions
- This script will set the permissions for you
- CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
- System - Full Control (Apply onto: This Folder, Subfolders and Files)
- Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
- ACL_RedirectedFolders_FullControl - Full Control (Apply onto: This Folder, Subfolders and Files)
- (Optional) creating this group will allow you(or your helpdesk) to access all of the users' documents without getting the UAC prompt which adds an explicit permission on folders.
- Domain Users (Apply onto: This Folder Only)
- Create Folder/Append Data
- List Folder/Read Data
- Read Attributes
- Traverse Folder/Execute File
- Read permissions
Create GPO
- Create a GPO called Folder Redirection
- Computer Configuration/System/Group Policy/Configure folder redirection policy processing
- Enabled
- Process even if the Group Policy objects have not changed
- This will ensure that the redirection is always going to the correct location. It also very useful when you are changing the path from one server to another.
- User Configuration/Windows Settings/Folder Redirection
- Redirect the following folders:
- Desktop
- Documents
- Pictures
- Favorites
- Downloads
- Basic - Redirect everyone's folder to the same location
- Create a folder for each user under the root path
- Disable "Grant the user exclusive rights to X"
- Enable "Move contents of Desktop to the new location "
- Redirect the following folders:
- Apply GPOs to OUs
Hello thank you for this how to. The only issue I have noticed with this is that if the admin places any files into their folders the actual user/owner of the redirected folders does not automatically receive rights to that file. I tried this with folders and the owner gets rights but contained files placed by an admin the owner does not receive rights. Is this expected or a known issue?
ReplyDeletePer Microsoft you would Add Everyone or use instead of Domain Users above.
Deletehttps://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/create-security-enhanced-redirected-folder
Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
Everyone - List Folder/Read Data (Apply onto: This Folder Only)
Everyone - Read Attributes (Apply onto: This Folder Only)
Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)