23 September 2011

Active Directory Folder Redirection

Windows Active Directory with Roaming Profiles can be sluggish, but not if you configure folder redirects… although it is a bit fiddly to get it right here are my own notes. I gleaned the majority of this information from www.grouppolicy.biz so credit has to go to them but I just wanted to consolidate my own choices into a short document for future reference.

Setup Folder Locations
Set up the folders where the users’ files will be redirected to:
  • Create a ‘root’ folder. I recommend doing this on a separate drive to the OS.
  • In folder’s Properties, Security, Advanced, Permisions, Edit, un-tick Include inheritable permissions from parent and click Copy (to copy all inherited permissions).
  • Select Users with "Special" Permission and select Edit
    • Change Apply to to “This folder only”
  • Select Users “Read and Execute” ACL and click Edit
    • Change Apply to to “This folder only”
  • The Users ACL should now have combined to one ACL
  • Click OK twice to return to the folder’s properties and select the Sharing tab
  • In Advanced Sharing give the folder a share name ending with a dollar sign eg. Users$ then click Permissions
  • Tick Allow for the Full Control permissions then OK and Close.
NB: If you have XP users you should also setup a Profiles$ folder in the same way but also disabling offline caching in Advanced Sharing options/Caching.

Enable Access Based Enumeration
Ensure users can only see their own folders:
  • In Server Manager/Roles/File Services/Share and Storage Management, select the Users$ share.
  • Select Properties/Advanced and tick “Enable access-based enumeration”

You also need to set up a GPO (Group Policy Object) to apply the roaming profile path:

Group Policy Management/Domains/[Domain name]; right click and select “Create a GPO in this domain and Link it here”. Call it “User Profiles” or something relevant.
In the GPO: Computer Configuration, Policies, Administrative Templates
  • System, User Profiles:
    • Set Roaming profile path: \\[FileServer]\Users$\%username%\profile
      NB: THIS IS ACTUALLY WHERE ROAMING PROFILES ARE IMPLEMENTED or it can be done in the user object. I like to do it here so it can be over-written on a per-machine basis e.g. disabled on a server.
UPDATE: If you don't want roaming profiles then you can just set up folder re-direction. This is where the user's folders (e.g. My Documents) are re-directed to the server but their actual profile settings (e.g. desktop background) are not. This is in my opinion a more robust solution: it's not always appropriate to take settings or applications installed in the profile from one machine to another.

More on User Group Policy settings in another post here.

No comments:

Post a Comment