Windows Folder Redirection

KB ID 0000467 

Problem

Q: What is Folder Redirection?

A: Essentially, you can take folders such as “My Documents” or “Favorites” and put them on a network server, which is great if you want to back that sort of information up for disaster recovery.

Q: What’s the difference between this and a roaming / roving profile?

A: Folder redirection keeps information on a server and you access it remotely. Roaming profiles are designed to sync that information (and your WHOLE user profile) backwards and forwards to a network share as your users log on and log off.

Q: What folders can be redirected?

A: From Server 2008 onwards, and with Windows 7 clients and above, the following can be redirected.

  • AppData(Roaming)
  • Desktop
  • Start Menu
  • Documents
  • Pictures
  • Music
  • Videos
  • Favorites
  • Contacts
  • Downloads
  • Links
  • Searches
  • Saved Games

Solution

1. On a server, create a folder to hold the redirected data. In this case you will notice I’ve called my share Redir$ (the dollar sign just means it’s a hidden share, and can’t be seen if people are network browsing).

Folder Redirection: Permissions for the Root Folder

2. Set the share permissions to Everyone: Full Control (Don’t worry we will secure it with NTFS permissions).

3. On the security tab of the folder click advanced.

4. For Server 2012 / 2016 you should see something like this;

For Server 2008 and older it should look more like this;

5. For Server 2012 / 2016, disable inheritance and select ‘Convert’.

For 2008 and older, untick “Include Inheritable permissions from this objects parent” > At the warning click “Add”.

6. Select each User in turn (You will need to add the Everyone group) > Then Edit the permissions so that they are as follows.

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only).
  • System – Full Control (Apply onto: This Folder, Subfolders and Files).
  • Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files).
  • Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only).
  • Everyone – List Folder/Read Data (Apply onto: This Folder Only).
  • Everyone – Read Attributes (Apply onto: This Folder Only).
  • Everyone – Create Folder/Append Data (Apply onto: This Folder Only).

2012 / 2016

‘Show Advanced Permissions’

2008 and older.

7. Now REMOVE BOTH the entries for USERS > Apply  > OK.
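
The same root-folder share and NTFS entries, scripted. This is an added example, not part of the original article: it rebuilds the ACL from scratch rather than converting and editing inherited entries, and `D:\Redir` plus the use of `$env:USERDOMAIN` to find Domain Admins are assumptions.

```powershell
# Added example: root-folder share and NTFS ACL from the steps above.
# Assumptions: D:\Redir is a hypothetical path; run elevated on the file server
# (Server 2012 or later for the SMB cmdlets) while logged on with a domain account.
$Path = 'D:\Redir'
New-Item -Path $Path -ItemType Directory -Force | Out-Null

$inheritAll = 'ContainerInherit,ObjectInherit'
$entries = @(
    # "Subfolders and Files Only" = inherit to children with InheritOnly propagation
    @{ Id = 'CREATOR OWNER'; Rights = 'FullControl'; Inherit = $inheritAll; Propagate = 'InheritOnly' }
    # "This Folder, Subfolders and Files"
    @{ Id = 'NT AUTHORITY\SYSTEM'; Rights = 'FullControl'; Inherit = $inheritAll; Propagate = 'None' }
    @{ Id = "$env:USERDOMAIN\Domain Admins"; Rights = 'FullControl'; Inherit = $inheritAll; Propagate = 'None' }
    # "This Folder Only": the four Everyone rights combined into one entry
    @{ Id = 'Everyone'; Rights = 'Traverse,ListDirectory,ReadAttributes,CreateDirectories'
       Inherit = 'None'; Propagate = 'None' }
)

$acl = Get-Acl -Path $Path
# Disable inheritance; $false drops inherited entries because all are re-added below
$acl.SetAccessRuleProtection($true, $false)
# Remove explicit entries already on the folder (this includes any for Users)
@($acl.Access) | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $e.Id, $e.Rights, $e.Inherit, $e.Propagate, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Hidden share with Everyone: Full Control; NTFS does the real access control
if (-not (Get-SmbShare -Name 'Redir$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Redir$' -Path $Path -FullAccess 'Everyone' | Out-Null
}

# Check the result: no Users entry, and Everyone applies to this folder only
$final = (Get-Acl -Path $Path).Access
$final | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
if ($final | Where-Object { $_.IdentityReference -like '*\Users' }) {
    Write-Warning 'A Users entry is still present on the root folder.'
}
```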

7. On your domain controller open the Group Policy Management Console (under Administrative Tools), and either create a new USER policy or edit one that is already linked to the users you want to enforce this policy upon.

8. I prefer to create a new policy and call it something sensible so if there’s a problem it’s easy to find in the future.

9. Navigate to:

[box]User Configuration > Policies > Windows Settings > Folder Redirection[/box]

Locate the folder you want to redirect (in this case it’s just the Documents folder) > Right click > Properties.

10. I’m going to redirect all my users’ documents to the one folder I created earlier, so I will choose Basic.

Note: You can choose “Advanced” and redirect different groups’ folders to different locations.

Enter the path to the root folder AS A UNC PATH; DON’T click the browse button and browse to it.

11. I’m going to accept the defaults on the Settings tab. The option I’ve highlighted creates the folders with exclusive rights for the user in question and SYSTEM, so the domain admin has no access (this is OK, it’s the same way user profiles work, and you can still back them up).

12. Now, as your users log on, their folders will be redirected to the share you set up.

Backing up Redirected Folders

13. Even with exclusive rights you can still back this data up:

Related Articles, References, Credits, or External Links

Original Article written 22/06/11

Windows – Forcing Domain Group Policy

KB ID 0001282

Problem

I’ve written hundreds of posts about doing things with group policies. Every time I finish one, I write a couple of paragraphs on how long to wait, or how to force the policy etc. So I’ve finally got round to writing a post I can simply reference!

How Long Before Group Policy Changes Are Applied?

This is something that hasn’t changed since I was doing Windows 2000 exams 🙂 The default interval between policies being applied is 90 minutes, plus or minus a figure between 0 and 30 minutes. (This avoids all user and computer policies being seen and applied at the same time.) So expect between 60 minutes and 120 minutes if you are going to wait.

Now you can change this interval with group policy;

[box]

User Configuration > Administrative Templates > System > Group Policy > Group Policy refresh interval for users
Computer Configuration > Administrative Templates > System > Group Policy > Group Policy refresh interval for users

[/box]

As you can see, you can change the interval up to 64,800 seconds (45 days). If you set it to ‘0’ the policy updates every 7 seconds (NEVER DO THIS, unless you’re on a test bench with a couple of computers!). Personally I’ve never needed to mess around with these settings.

Solution

Force Group Policy Update From GPMC

If you have Windows 2012 server with the group policy management console installed, you can force a group policy refresh on an OU in Active Directory.

Either right click the OU, and select ‘Group Policy Update..’ (or from the Action menu) > Yes.

Some will fail; they might not be turned on, or (like some below) they might be Linux machines.

Manually Force a Group Policy Update on a Single Host

While testing new policies this command is your friend; it gives you a chance to test the result on a client instantly (as soon as policy editing is finished). Open an administrative command window, and run the following command.

[box]gpupdate /force[/box]

Note: Some policies require a log off/log on, or even a reboot; you should be told this after running gpupdate.

Force Group Policy Update with PowerShell

You can also get single/multiple machines/users to update their policies using PowerShell. For this to work you need Server 2012 and at least Windows 8 clients. You also need to make some changes to the machines’ firewalls. Luckily you can also do that with group policy, and Microsoft have already written the policy for you (it’s in Starter GPOs).

Within the Group Policy Management Console > Locate Starter GPOs > Group Policy Remote Update Firewall Ports > New GPO From Starter GPO > Give the new policy a name.

Link that new policy to your user/computer organisational units (as required).

You can now use the ‘Invoke-GPUpdate’ cmdlet; here I’m applying the update to the ‘Servers’ OU.

[box]Get-ADComputer -SearchBase "OU=Servers,OU=PNL,DC=pnl,DC=com" -Filter * | %{Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes 0; "Refreshing host $_."}
[/box]

Warning: This displays output on the affected machines, and might start some users ringing the help desk!

See What Group Policies are Being Applied

Forcing them is one thing; proving they actually get to the target computers is something else. For peace of mind, and troubleshooting, it helps to see what policies have filtered down to the computers and users.

The easiest way is to open an administrative command window, and run the following command;

[box]gpresult -R[/box]

Or to see things a little more ‘granularly’: Windows Key + R > mmc {enter} > File > Add/Remove Snap-in > Resultant Set of Policy > Add > OK.

Generate RSoP Data > Follow the Wizard.

When complete it will show you the ‘sum total’ of all policies being applied – it can also show you any problems that are occurring. The next best place for troubleshooting group policies is the Event Viewer on the target machine.
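
The PowerShell refresh and the ‘prove it arrived’ check above, combined into one pass that also records the hosts that fail. This is an added example, not part of the original article: it assumes the ActiveDirectory and GroupPolicy modules are installed and the firewall starter GPO is already applied, and `C:\Temp\RSoP` is a hypothetical report folder.

```powershell
# Added example. Assumptions: ActiveDirectory and GroupPolicy modules present,
# the 'Group Policy Remote Update Firewall Ports' GPO applied to the targets,
# and C:\Temp\RSoP as a hypothetical folder for the reports.
Import-Module ActiveDirectory, GroupPolicy
$SearchBase = 'OU=Servers,OU=PNL,DC=pnl,DC=com'   # the OU used in the article
$ReportDir  = 'C:\Temp\RSoP'
New-Item -Path $ReportDir -ItemType Directory -Force | Out-Null

$results = foreach ($computer in Get-ADComputer -SearchBase $SearchBase -Filter *) {
    $name   = $computer.Name
    $status = 'Refresh scheduled'
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        # Powered off, not Windows, or simply not answering ping
        $status = 'No ping reply'
    } else {
        try {
            Invoke-GPUpdate -Computer $name -RandomDelayInMinutes 0 -ErrorAction Stop
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ Computer = $name; Status = $status }
}
$results | Sort-Object Status, Computer | Format-Table -AutoSize

# Give the scheduled refresh time to run, then save the computer-side
# Resultant Set of Policy from each host that accepted the request.
Start-Sleep -Seconds 120
foreach ($r in $results | Where-Object { $_.Status -eq 'Refresh scheduled' }) {
    $report = Join-Path $ReportDir "$($r.Computer).html"
    gpresult /S $r.Computer /SCOPE COMPUTER /H $report /F
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not collect RSoP data from $($r.Computer)"
    }
}
```

Each saved HTML report lists the applied and denied GPOs for that computer, so a policy that never reached a host shows up without logging on to it.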


RDS Server – Remove the Shutdown Command

KB ID 0000499 

Problem

I’m surprised that when you make a server a Terminal Services Server / Remote Desktop Services Server, that this does not get applied from an administrative template anyway, but it does not.

Why would you want to do this? Well users are used to hitting Start > Shutdown, when they are finished working, which is fine, unless they are in a terminal session with 500 other users and they’ve just issued a shutdown command to the server!

Solution

The simplest way to do this is to run gpedit.msc on the server itself and remove shutdown through local group policy, but a far more elegant solution is to create a domain group policy for the TS Server(s).

1. On a domain controller, launch the “Group Policy Management Console”. Create a policy, and link it to the OU that contains the Terminal Servers you want to enforce the policy on (or edit an existing policy linked to them).

2. Now, removing the shutdown command is a USER policy setting, and this is a COMPUTER policy we are writing, so it won’t work unless we turn on “Loopback processing”. Navigate to Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing. (Note: On 2016 it will be called ‘Configure user Group Policy loopback processing mode’.)

3. In most cases you will already have user policies applied to your users, if so you will want to “Merge” this with them rather than replace them > Apply > OK.

4. Now to remove the Shutdown command. Navigate to User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate Commands.

5. Enable > Apply > OK.

6. Then either reboot the TS Server(s), wait a couple of hours or run “gpupdate /force” on them.
