How to configure Roaming Profiles and Folder Redirection
Read Me First: If you are using Folder Redirection with Windows 7 in your organisation then I would definitely recommend that you check my other blog post about a pretty nasty Folder Redirection bug and how to fix it, at Disappearing Folder Redirection Issues with Windows 7.
Update: I have a new blog post that describes the new “Primary Computer” feature in Windows 8 for folder redirection at How to configure a “Primary Computer” (a.k.a. msDS-PrimaryComputer property) in Windows 8. I also talk about this feature in a TechNet Edge video at EdgeShow 55.
Roaming Profiles and Folder Redirection are what allow a user to log on to any computer in an organisation and have all their personal files and settings applied to that computer as they were the last time they used a computer. This is really a win/win for users and IT Pros. For a user this is a big time saver, as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computer. IT Pros also benefit: when there is an unexpected failure or loss of a computer, they don’t have to go through what could be a lengthy, costly, if not impossible, process of recovering the user’s data.
Now theoretically User State Virtualization can be done entirely with just a Roaming Profile; however, this quickly becomes impractical as users often store a LOT of data, which can make a user’s profile impossibly large. To get around this, Microsoft uses Folder Redirection to redirect parts of a user’s profile to a file share on a server, where it is centrally accessed whenever they log on to a computer.
In case you are still wondering what User State Virtualization is, check out the overview video from Microsoft below:
Reference: Managing Roaming User Data Deployment Guide
Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.
By redirecting these folders to a server they are only accessed when needed, and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However, this restriction is mitigated by ensuring that the user has a cached copy of these redirected folders.
Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps.
Before you begin I would also recommend that you read the following articles from Microsoft about User State Virtualization.
- Choosing an Appropriate User State Virtualization Solution
- Understanding User State Virtualization Improvements In Windows 7
Note: I am going to mainly focus on Windows Vista/7 setups; however, most of the settings/principles I mention below will still apply to Windows XP.
Update: Here is a really good video from Darren Mar-Elia (Fellow Group Policy MVP) from TechEd North America 2011. This session is entitled Optimizing Group Policy in Virtual Desktop (VDI) Environments however much of it covers User State Virtualization.
Setting up Folder Redirections using Group Policy
Below I will show you how to set up folder redirection for your users’ profiles. It is very important that you realise the impact that redirecting some of these folders can have: if users have many GB of music or videos on their local computers, you could quickly find yourself running out of disk space on the server.
For another good overview of Redirected Folder take a look at the video below:
Setting up file server share for User State Virtualization
When setting up the file server you need to be sure that the permissions on the folder are set up so that a user can create a new folder; however, you also need to ensure that they can only see their own files if they start to snoop about.
Below I will go through the setup of a folder to be used for folder redirection and the roaming profiles. Combining a user’s redirected folders and roaming profile path in one spot on the network is far easier to manage, as it consolidates all the user’s information in one location.
Note: This consolidated storage of users’ information only applies to Windows Vista/7 systems. Otherwise you will need to create a separate share for roaming profiles with offline caching disabled for Windows XP systems.
Step 1. Create a folder to be used as a root folder for all the users information (e.g. Users)
Step 2. Open the properties of the folder and then go to the Security tab and then click on the Advanced button.
Step 3. Now click on the “Change Permissions” button
Step 4. Untick “Include inheritable permissions from this object’s parent”.
Step 5. Click the “Add” button
Explanation: We have now set up a folder with no inheritable file permissions from the parent. We do this so we can remove the Read permission from Users for all subfolders and files in a later step.
You should now see something like this below.
Step 6. Select the Users “Special” ACL and then click the Edit Button.
Step 7. Change the Apply to: permission to “This folder only” and press “OK”
Step 8. Select the Users “Read & execute” ACL and then click the “Edit” button.
Step 9. Again select the “This folder only” option from the Apply to: section and then press “OK”
Notice how the two “This folder only” permissions for Users have now combined into one ACL.
Step 10. Then press “OK” and “OK” to get you back to the Users Properties screen.
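The same permission changes as Steps 1 to 10, scripted in PowerShell as an added example (not from the original post). The path D:\Users is an assumption, and the script relies on the parent folder granting BUILTIN\Users the entries described in Steps 6 and 8.

```powershell
# Added example, not from the original post. $Root is an assumed path.
$ErrorActionPreference = 'Stop'   # abort before any partial ACL is written
$Root     = 'D:\Users'
$UsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users

# Step 1: create the root folder.
New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Steps 2-5: stop inheriting from the parent, keeping a copy of the
# inherited entries as explicit ones (the "Add" choice in the dialog).
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Root -AclObject $acl

# Steps 6-9: collect every Allow entry held by Users, whatever its scope.
$acl     = Get-Acl -Path $Root
$sidType = [System.Security.Principal.SecurityIdentifier]
$usersRules = @($acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq $UsersSid.Value -and $_.AccessControlType -eq 'Allow'
})
if ($usersRules.Count -eq 0) { throw "No Users entries were copied onto $Root" }

# Merge their rights and drop the original (inheriting) entries.
$rights = 0
foreach ($rule in $usersRules) {
    $rights = $rights -bor [int]$rule.FileSystemRights
    $acl.RemoveAccessRuleSpecific($rule)
}

# Re-add the merged rights with no inheritance flags = "This folder only".
# If the copied entries carried rights the constructor rejects, this throws
# and the ACL on disk is left as it was after Step 5.
$fsRights   = [System.Security.AccessControl.FileSystemRights]$rights
$folderOnly = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $UsersSid, $fsRights, 'None', 'None', 'Allow'
$acl.AddAccessRule($folderOnly)
Set-Acl -Path $Root -AclObject $acl

# Check: inheritance is off and Users holds a single non-inheriting entry.
$check = Get-Acl -Path $Root
"Inheritance disabled: $($check.AreAccessRulesProtected)"
$check.GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $UsersSid.Value } |
    Format-List FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```

In the final listing, InheritanceFlags and PropagationFlags should both read None and IsInherited should read False; any other Users entry means subfolders can still pick up Users read access.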
Now we need to share the folder…
Great article Al, except for the AppData roaming part. Redirecting AppData should be considered very carefully as there are many caveats and drawbacks. See this article and comments for a discussion on AppData: http://www.sepago.de/d/helge/2010/05/31/should-appdata-be-redirected-or-left-in-the-user-profile. Rather than redirecting AppData, exclude folders instead: http://blog.stealthpuppy.com/virtualisation/reduce-logon-times-by-excluding-the-bloat
Also in regards to “User Virtualisation” – we’re not really virtualising the user are we? Microsoft call it User State Virtualization, which is also a stretch, there’s no virtualisation going on here.
Agreed. I did mention that app data has major performance issues….
I have also updated the title to call it user state virtualization
Hello Allan,
Thank you for such a wonderful article, well explained!
However, I would like to refer to your wording: “I would say NEVER put your roaming profiles or folders on a Domain Controller… The server is a DC… NOT a file server…. This would just be BAD BAD BAD…” I’ve got a situation where my company is moving to a new server (32GB RAM and an Intel Xeon E5 family CPU), which will be a DC. About 35 users will be hooked up to it, as well as a data storage (RAID 10). Would configuring roaming profiles & folder redirection be a good idea on the storage that is hooked up to a DC, or shall I go with a separate file server for roaming profiles and folder redirection? Would it be advisable to hook the storage to a separate server (serving as a file server) and not meddle with it being hooked up to a DC?
Else, how do I configure to ONLY roam desktop (users want their desktop backgrounds to roam with them wherever they move)? Everything else (Documents, Pictures, Music, Video) will be redirected via folder redirection.
I would greatly appreciate any response.
Cheers,
Tanel
The server will have the power to do what you want… but the issue with having UserProfiles on your DCs is that your DC should be dedicated to the task of authenticating users. Making it do anything else but that can affect its stability… If that is the ONLY computer you have then you don’t have a choice… But if you have a file server then I would definitely host the roaming profiles and redirected folders on that server.
Excellent information. I’ve been using Roaming Profiles and manual ‘My Documents’ redirection for a long time now with WinXP. This will definitely help eliminate some of the mistakes that can happen and resolve some of my notebook user problems.
One question, do you have any recommendations on how to migrate users to this methodology? I can see how it works really well for new users.
The jump from WinXP to Windows 7 is a big one… the profiles are not compatible. Best to use something like the User State Migration Tool from Microsoft to migrate the settings you want to copy across.