Share via
Facebookx.comLinkedInEmailNote
Access to this page requires authorization. You can trysigning in orchanging directories.
Access to this page requires authorization. You can trychanging directories.
Deploy Folder Redirection with Offline Files
In this article
Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
This topic describes how to use Windows Server to deploy Folder Redirection with Offline Files to Windows client computers.
For a list of recent changes to this topic, seeChange history.
Important
Due to the security changes made inMS16-072, we updatedStep 3: Create a GPO for Folder Redirection of this topic so that Windows can properly apply the Folder Redirection policy (and not revert redirected folders on affected PCs).
Prerequisites
Hardware requirements
Folder Redirection requires an x64-based or x86-based computer; it is not supported by Windows® RT.
Software requirements
Folder Redirection has the following software requirements:
To administer Folder Redirection, you must be signed in as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
Client computers must run Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.
Client computers must be joined to the Active Directory Domain Services (AD DS) that you are managing.
A computer must be available with Group Policy Management and Active Directory Administration Center installed.
A file server must be available to host redirected folders.
If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
When using a clustered file share, disable continuous availability on the file share to avoid performance issues with Folder Redirection and Offline Files. Additionally, Offline Files might not transition to offline mode for 3-6 minutes after a user loses access to a continuously available file share, which could frustrate users who aren’t yet using the Always Offline mode of Offline Files.
Note
To use new features in Folder Redirection, there are additional client computer and Active Directory schema requirements. For more information, seeFolder Redirection, Offline Files, and Roaming User Profiles.
Step 1: Create a folder redirection security group
If your environment is not already set up with Folder Redirection, the first step is to create a security group that contains all users to which you want to apply Folder Redirection policy settings.
To create a security group for Folder Redirection
Open Server Manager on a computer with Active Directory Administration Center installed.
On theTools menu, clickActive Directory Administration Center. Active Directory Administration Center appears.
Right-click the appropriate domain or OU, clickNew, and then clickGroup.
In theCreate Group window, in theGroup section, specify the following settings:
InGroup name, type the name of the security group, for example:Folder Redirection Users.
InGroup scope, clickSecurity, and then clickGlobal.
In theMembers section, clickAdd. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.
Type the names of the users or groups to which you want to deploy Folder Redirection, clickOK, and then clickOK again.
Step 2: Create a file share for redirected folders
If you do not already have a file share for redirected folders, use the following procedure to create a file share on a server running Windows Server 2012.
Note
Some functionality might differ or be unavailable if you create the file share on a server running another version of Windows Server.
To create a file share on Windows Server 2012
In the Server Manager navigation pane, clickFile and Storage Services, and then clickShares to display the Shares page.
In theShares tile, clickTasks, and then clickNew Share. The New Share Wizard appears.
On theSelect Profile page, clickSMB Share – Quick. If you have File Server Resource Manager installed and are using folder management properties, instead clickSMB Share - Advanced.
On theShare Location page, select the server and volume on which you want to create the share.
On theShare Name page, type a name for the share (for example,Users$) in theShare name box.
Tip
When creating the share, hide the share by putting a
$after the share name. This will hide the share from casual browsers.On theOther Settings page, clear the Enable continuous availability checkbox, if present, and optionally select theEnable access-based enumeration andEncrypt data access checkboxes.
On thePermissions page, clickCustomize permissions…. The Advanced Security Settings dialog box appears.
ClickDisable inheritance, and then clickConvert inherited permissions into explicit permission on this object.
Set the permissions as described Table 1 and shown in Figure 1, removing permissions for unlisted groups and accounts, and adding special permissions to the Folder Redirection Users group that you created in Step 1.
.jpeg&f=jpg&w=240)
Figure 1 Setting the permissions for the redirected folders share
If you chose theSMB Share - Advanced profile, on theManagement Properties page, select theUser Files Folder Usage value.
If you chose theSMB Share - Advanced profile, on theQuota page, optionally select a quota to apply to users of the share.
On theConfirmation page, clickCreate.
Table 1 Required permissions for the file share hosting redirected folders
| User Account | Access | Applies to |
| System | Full control | This folder, subfolders and files |
| Administrators | Full Control | This folder only |
| Creator/Owner | Full Control | Subfolders and files only |
| Security group of users needing to put data on share (Folder Redirection Users) | List folder / read data1 Create folders / append data1 Read attributes1 Read extended attributes1 Read permissions1 | This folder only |
| Other groups and accounts | None (remove) |
1 Advanced permissions
Step 3: Create a GPO for Folder Redirection
If you do not already have a GPO created for Folder Redirection settings, use the following procedure to create one.
To create a GPO for Folder Redirection
Open Server Manager on a computer with Group Policy Management installed.
From theTools menu clickGroup Policy Management. Group Policy Management appears.
Right-click the domain or OU in which you want to setup Folder Redirection and then clickCreate a GPO in this domain, and Link it here.
In theNew GPO dialog box, type a name for the GPO (for example,Folder Redirection Settings), and then clickOK.
Right-click the newly created GPO and then clear theLink Enabled checkbox. This prevents the GPO from being applied until you finish configuring it.
Select the GPO. In theSecurity Filtering section of theScope tab, selectAuthenticated Users, and then clickRemove to prevent the GPO from being applied to everyone.
In theSecurity Filtering section, clickAdd.
In theSelect User, Computer, or Group dialog box, type the name of the security group you created in Step 1 (for example,Folder Redirection Users), and then clickOK.
Click theDelegation tab, clickAdd, typeAuthenticated Users, clickOK, and then clickOK again to accept the default Read permissions.
This step is necessary due to security changes made inMS16-072.
Important
Due to the security changes made inMS16-072, you now must give the Authenticated Users group delegated Read permissions to the Folder Redirection GPO - otherwise the GPO won't get applied to users, or if it's already applied, the GPO is removed, redirecting folders back to the local PC. For more info, seeDeploying Group Policy Security Update MS16-072.
Step 4: Configure folder redirection with Offline Files
After creating a GPO for Folder Redirection settings, edit the Group Policy settings to enable and configure Folder Redirection, as discussed in the following procedure.
Note
Offline Files is enabled by default for redirected folders on Windows client computers, and disabled on computers running Windows Server, unless changed by the user. To use Group Policy to control whether Offline Files is enabled, use theAllow or disallow use of the Offline Files feature policy setting.For information about some of the other Offline Files Group Policy settings, seeEnable Advanced Offline Files Functionality, andConfiguring Group Policy for Offline Files.
To configure Folder Redirection in Group Policy
In Group Policy Management, right-click the GPO you created (for example,Folder Redirection Settings), and then clickEdit.
In the Group Policy Management Editor window, navigate toUser Configuration, thenPolicies, thenWindows Settings, and thenFolder Redirection.
Right-click a folder that you want to redirect (for example,Documents), and then clickProperties.
In theProperties dialog box, from theSetting box clickBasic - Redirect everyone’s folder to the same location.
Note
To apply Folder Redirection to client computers running Windows XP or Windows Server 2003, click theSettings tab and select theAlso apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems checkbox.
In theTarget folder location section, clickCreate a folder for each user under the root path and then in theRoot Path box, type the path to the file share storing redirected folders, for example:\\fs1.corp.contoso.com\users$
Click theSettings tab, and in thePolicy Removal section, optionally clickRedirect the folder back to the local userprofile location when the policy is removed (this setting can help make Folder Redirection behave more predictably for adminisitrators and users).
ClickOK, and then clickYes in the Warning dialog box.
Step 5: Enable the Folder Redirection GPO
Once you have completed configuring the Folder Redirection Group Policy settings, the next step is to enable the GPO, permitting it to be applied to affected users.
Tip
If you plan to implement primary computer support or other policy settings, do so now, before you enable the GPO. This prevents user data from being copied to non-primary computers before primary computer support is enabled.
To enable the Folder Redirection GPO
Open Group Policy Management.
Right-click the GPO that you created, and then clickLink Enabled. A checkbox appears next to the menu item.
Step 6: Test Folder Redirection
To test Folder Redirection, sign in to a computer with a user account configured for Folder Redirection. Then confirm that the folders and profiles are redirected.
To test Folder Redirection
Sign in to a primary computer (if you enabled primary computer support) with a user account for which you have enabled Folder Redirection.
If the user has previously signed in to the computer, open an elevated command prompt, and then type the following command to ensure that the latest Group Policy settings are applied to the client computer:
gpupdate /forceOpen File Explorer.
Right-click a redirected folder (for example, the My Documents folder in the Documents library), and then clickProperties.
Click theLocation tab, and confirm that the path displays the file share you specified instead of a local path.
Appendix A: Checklist for deploying Folder Redirection
| 1. Prepare domain | |
| - Join computers to domain | |
| - Create user accounts | |
| 2. Create security group for Folder Redirection | |
| - Group name: | |
| - Members: | |
| 3. Create a file share for redirected folders | |
| - File share name: | |
| 4. Create a GPO for Folder Redirection | |
| - GPO name: | |
| 5. Configure Folder Redirection and Offline Files policy settings | |
| - Redirected folders: | |
| - Windows 2000, Windows XP, and Windows Server 2003 support enabled? | |
| - Offline Files enabled? (enabled by default on Windows client computers) | |
| - Always Offline Mode enabled? | |
| - Background file synchronization enabled? | |
| - Optimized Move of redirected folders enabled? | |
| 6. (Optional) Enable primary computer support | |
| - Computer-based or User-based? | |
| - Designate primary computers for users | |
| - Location of user and primary computer mappings: | |
| - (Optional) Enable primary computer support for Folder Redirection | |
| - (Optional) Enable primary computer support for Roaming User Profiles | |
| 7. Enable the Folder Redirection GPO | |
| 8. Test Folder Redirection |
Change history
The following table summarizes some of the most important changes to this topic.
| Date | Description | Reason |
|---|---|---|
| January 18, 2017 | Added a step toStep 3: Create a GPO for Folder Redirection to delegate Read permissions to Authenticated Users, which is now required because of a Group Policy security update. | Customer feedback. |
See Also
Deploy Folder Redirection, Offline Files, and Roaming User ProfilesDeploy Primary Computers for Folder Redirection and Roaming User ProfilesEnable Advanced Offline Files FunctionalityMicrosoft’s Support Statement Around Replicated User Profile DataHow to Add and Remove AppsTroubleshooting packaging, deployment, and query of Windows Runtime-based apps
Additional resources
In this article
[8]ページ先頭