How to configure a “Primary Computer” (a.k.a. msDS-PrimaryComputer property) in Windows 8

As I mentioned in my previous blog post, there is a new Group Policy setting called “Redirect folders on primary computers only”. As the description says, this “policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office.” The problem is that there is no UI in Active Directory Users and Computers to configure a primary computer on a user’s account. So below I show you how you can configure a primary computer on a user’s account to allow this setting to work.

Update: Microsoft has now released a blog post about this feature as well at Configuring Primary Computers for Folder Redirection and Roaming Profiles in Windows Server “8” Beta

Prerequisite: The domain must have the Windows Server 8 schema applied for this to work.

Step 1. Launch Active Directory Administrative Console and open the properties of the computer you want to make a “Primary Computer”.

Step 2. Click on “Extensions” on the left, then on the “Attribute Editor”, then click on “distinguishedName” and the “View” button, and press “CTRL-C” or otherwise copy the value.

Step 3. Now navigate to the user account you want to assign a “Primary Computer”, go to the “Extensions” option and open the “Attribute Editor”. Select “msDS-PrimaryComputer” and click “Edit”, then paste the Distinguished Name of the computer you copied in step 2 into the “Value to add:” field and click “Add”.

Note: This allows multiple values so the users can be configured to have multiple “Primary Computers”.
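
The same three steps can be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original post; the function name `Add-PrimaryComputer` and the account names `jsmith` and `DESKTOP01` are hypothetical.

```powershell
Import-Module ActiveDirectory

function Add-PrimaryComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$ComputerName
    )

    # Prerequisite: the attribute only exists once the newer schema is applied.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msDS-PrimaryComputer)'
    if (-not $attr) {
        throw 'msDS-PrimaryComputer is not in the schema; extend the schema first.'
    }

    # Steps 1 and 2: look up the computer and take its distinguishedName.
    $computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName

    # Step 3: add the DN to the user's multi-valued msDS-PrimaryComputer
    # attribute. -Add appends, so existing primary computers are kept.
    $user = Get-ADUser -Identity $UserName -Properties 'msDS-PrimaryComputer'
    if ($user.'msDS-PrimaryComputer' -contains $computerDn) {
        Write-Verbose "$ComputerName is already a primary computer for $UserName"
    }
    elseif ($PSCmdlet.ShouldProcess($UserName, "Add primary computer $computerDn")) {
        Set-ADUser -Identity $user -Add @{ 'msDS-PrimaryComputer' = $computerDn }
    }

    # Read the attribute back so the change can be verified from the directory,
    # since the Group Policy Results Report does not show it.
    (Get-ADUser -Identity $UserName -Properties 'msDS-PrimaryComputer').'msDS-PrimaryComputer'
}

# Constructed sample names; -WhatIf previews the change without writing it.
Add-PrimaryComputer -UserName 'jsmith' -ComputerName 'DESKTOP01' -WhatIf
```

Drop `-WhatIf` to apply the change; the function returns the list of primary computer DNs currently set on the user.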

Now when the user logs on to their “Primary Computer” they will get their redirected folders.

But not when they log on to another computer…

Note: If you are wondering why folder redirection is (or is not) being applied when this setting is enabled, be aware that the Group Policy Results Report will NOT tell you why folder redirection is (or is not) applied (see below).

[Image: Primary Computer with Folder Redirection]

[Image: Non-Primary Computer without Folder Redirection]

10 Comments

  1. Windows 8 only? This sure would be nice to use on older machines as the purpose is exactly what should have been from the beginning. Exchange end user archiving is another example….

  2. Pingback: How to configure Roaming Profiles and Folder Redirection

  3. Here’s our situation:
    - Active Directory schema is at 2012 (not R2) and we can get/set the “msDS-PrimaryComputer” attribute for our test users.
    - Client computers are all Windows 8.1, fully patched.
    - GPO for Folder Redirection is set appropriately w/the option to restrict redirection to designated primary computers enabled.
    - GPO setting for “Redirect folders on primary computers only” IS being applied to the client computer (validated by detecting the associated registry values).
    - End Result: Full folder Redirection is STILL being applied on ALL computers regardless of their primary computer designation!
    - We’ve scoured our system logs, enabled verbose logging and have found no indication that the client-side group policy extension for Folder Redirection is actually looking at or acting on the value of “msDS-PrimaryComputer”.
    - What on earth could we be missing?

    Thanks in advance for any ideas.
