Folder Redirection permissions and GPO

-
Have an issue you can't solve? I offer consulting engagements and can be reached here: consulting[а𝐭]amorales[․]org

Folder Redirection allows you to store your users' documents on a file server rather than on their workstations. This results in users being able to easily access their files on any machine.

This guide will show you how to securely configure folder redirection. This configuration will ensure that users only have access to their own folders.

Create Share
Create a share with the following settings:
  • Folder Name: RedirectedFolders
  • Sharing permissions
    • Everyone - Full Control
    • Authenticated Users - Full Control
  • NTFS Folder Security permissions
    • This script will set the permissions for you
    • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
    • System - Full Control (Apply onto: This Folder, Subfolders and Files)
    • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
    • ACL_RedirectedFolders_FullControl - Full Control (Apply onto: This Folder, Subfolders and Files)
      • (Optional) creating this group will allow you(or your helpdesk) to access all of the users' documents without getting the UAC prompt which adds an explicit permission on folders.
    • Domain Users (Apply onto: This Folder Only)
      • Create Folder/Append Data
      • List Folder/Read Data
      • Read Attributes
      • Traverse Folder/Execute File
      • Read permissions

Create GPO

  1. Create a GPO called Folder Redirection
    1. Computer Configuration/System/Group Policy/Configure folder redirection policy processing
      1. Enabled
      2. Process even if the Group Policy objects have not changed
      3. This will ensure that the redirection is always going to the correct location. It also very useful when you are changing the path from one server to another.
    2. User Configuration/Windows Settings/Folder Redirection
      1. Redirect the following folders:
        1. Desktop
        2. Documents
        3. Pictures
        4. Favorites
        5. Downloads
          1. Basic - Redirect everyone's folder to the same location
          2. Create a folder for each user under the root path
          3. Disable "Grant the user exclusive rights to X"
          4. Enable "Move contents of Desktop to the new location "
  2. Apply GPOs to OUs

Comments

  1. UnknownNovember 11, 2020 at 5:25 PM

    Hello thank you for this how to. The only issue I have noticed with this is that if the admin places any files into their folders the actual user/owner of the redirected folders does not automatically receive rights to that file. I tried this with folders and the owner gets rights but contained files placed by an admin the owner does not receive rights. Is this expected or a known issue?

    ReplyDelete
    Replies
    1. jcwrksOctober 13, 2022 at 9:35 AM

      Per Microsoft you would Add Everyone or use instead of Domain Users above.

      https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/create-security-enhanced-redirected-folder

      Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
      Everyone - List Folder/Read Data (Apply onto: This Folder Only)
      Everyone - Read Attributes (Apply onto: This Folder Only)
      Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

      Delete

Post a Comment

Popular posts from this blog

FSLogix Troubleshooting guide

-
Image
Have an issue you can't solve? I offer consulting engagements and can be reached here: consulting[а 𝐭 ]amorales[․]org This article will cover some common issues I have ran into, and steps on how to resolve them. The guide should be followed  in order  since most of the advanced items are usually not the cause of a problem. If you just set up FSLogix, make sure that you followed every step under  Deploying FSLogix Office 365 Containers  and  Deploying FSLogix Profile Containers Terminology ODFC = Office Data File Containers This is there Office (Outlook, Teams, Licensing) data is stored This can be used in conjunction with UPDs FSL Profiles Replacement for UPDs User profiles are stored here (Office data is stored in the ODFC) Cannot  be used in conjunction with UPDs Non-Issues The items below should be ignored when troubleshooting Local_ files under C:\Users If FSLogix profiles are enabled, these folders can be ignored. They will be deleted the next
Read more

Best Practices for Deploying User Profile Disks

-
Image
Have an issue you can't solve? I offer consulting engagements and can be reached here: consulting[а 𝐭 ]amorales[․]org Last Updated 2020-01-03 After months of testing I recommend deploying FSLogix Profile Containers instead of User Profile Disks. You can find my guide here . Some of the items below apply to FSL Profile Containers.  User Profile Disks (UPDs) are great for load balanced RDS farms since it allows users to seamlessly roam from server to server. The goal of this article will be to configure the RDS and file servers in a way that maximizes performance and reduces the likelihood of UPD disconnects. I'll keep this updated any time I find new improvements. Use FSLogix Before you even consider deploying UPDs you need to be aware of  this limitation . On Server 2012 and 2016 (Server 2019 does not have this issue,  but it doesn't support Office ) the Windows Search index is machine wide. This means that when a UPD is disconnected the user's index data is d
Read more

Removing Application UAC Requirements with Shims

-
Image
This guide will show you how to create shims that allow regular users to run applications that normally require local admin. Shims should only be used as a measure of last resort. In many cases simply granting users to certain folders or reg keys eliminates the need to create a shim. You can use LUA Buglight to identify what those reg keys/files are.   How it works The shim will force the application to use "RunAsInvoker" when it is launched. RunAsInvoker tells the application to open with the privilege level of whatever launched it. For example, if a regular user opens the application through explorer.exe (a non admin process) then the application will open with regular user permissions.  Things to keep in mind: Shims should be installed after the application Shims might need to be re-installed if an application is updated Not all apps play well with shims. Make sure to test the application before putting it into production Pre-Requisites Install the Microsoft Application C
Read more