Folder Redirection permissions and GPO

Folder Redirection allows you to store your users' documents on a file server rather than on their workstations. As a result, users can easily access their files from any machine.

This guide will show you how to securely configure folder redirection. This configuration will ensure that users only have access to their own folders.

Create Share
Create a share with the following settings:
  • Folder Name: RedirectedFolders
  • Sharing permissions
    • Everyone - Full Control
    • Authenticated Users - Full Control
  • NTFS Folder Security permissions
    • This script will set the permissions for you
    • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
    • System - Full Control (Apply onto: This Folder, Subfolders and Files)
    • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
    • ACL_RedirectedFolders_FullControl - Full Control (Apply onto: This Folder, Subfolders and Files)
      • (Optional) Creating this group allows you (or your helpdesk) to access all of the users' documents without getting the UAC prompt, which adds an explicit permission on the folders.
    • Domain Users (Apply onto: This Folder Only)
      • Create Folder/Append Data
      • List Folder/Read Data
      • Read Attributes
      • Traverse Folder/Execute File
      • Read permissions
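
One way to apply the NTFS entries listed above, as an added example (it is not the script the original page links to). The local path and the domain name are placeholders, and it assumes inheritance from the parent folder is disabled so that only the listed entries apply.

```powershell
# Run elevated on the file server. $Path and $Domain are assumed placeholders.
$Path   = 'D:\Shares\RedirectedFolders'   # local folder behind the share
$Domain = 'CONTOSO'                       # NetBIOS domain name

$all     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.InheritanceFlags]::None
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
# Rights for Domain Users on the root: enough to create and reach their own folder
$root    = [System.Security.AccessControl.FileSystemRights]'CreateDirectories, ListDirectory, ReadAttributes, Traverse, ReadPermissions'

$entries = @(
    # Subfolders and Files Only = inherited by children, not applied to the root itself
    @{ Id = 'CREATOR OWNER';         Rights = $full; Inherit = $all;  Prop = $inhOnly }
    @{ Id = 'NT AUTHORITY\SYSTEM';   Rights = $full; Inherit = $all;  Prop = $noProp }
    @{ Id = "$Domain\Domain Admins"; Rights = $full; Inherit = $all;  Prop = $noProp }
    # Optional group from the list above; delete this entry if you did not create it
    @{ Id = "$Domain\ACL_RedirectedFolders_FullControl"; Rights = $full; Inherit = $all; Prop = $noProp }
    # This Folder Only = no inheritance flags
    @{ Id = "$Domain\Domain Users";  Rights = $root; Inherit = $none; Prop = $noProp }
)

$acl = Get-Acl -Path $Path
# Assumption: stop inheriting from the parent so only the entries above apply
$acl.SetAccessRuleProtection($true, $false)
# Drop existing explicit entries before adding the new set
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($old in $acl.GetAccessRules($true, $false, $sidType)) {
    $acl.RemoveAccessRuleSpecific($old)
}
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Rights, $e.Inherit, $e.Prop,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Review the result: Domain Users must show no inheritance flags,
# and CREATOR OWNER must show InheritOnly
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```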

Create GPO

  1. Create a GPO called Folder Redirection
    1. Computer Configuration/System/Group Policy/Configure folder redirection policy processing
      1. Enabled
      2. Process even if the Group Policy objects have not changed
      3. This ensures that the redirection always goes to the correct location. It is also very useful when you are changing the path from one server to another.
    2. User Configuration/Windows Settings/Folder Redirection
      1. Redirect the following folders:
        1. Desktop
        2. Documents
        3. Pictures
        4. Favorites
        5. Downloads
          1. Basic - Redirect everyone's folder to the same location
          2. Create a folder for each user under the root path
          3. Disable "Grant the user exclusive rights to X"
          4. Enable "Move contents of Desktop to the new location"
  2. Apply GPOs to OUs
