Windows provides the ability to redirect specific user folders to server locations, using a group policy extension called Folder Redirection.
Many administrators may wish to use folder redirection in such a way that a user's folders are automatically redirected to a newly created folder for each user. This article discusses how to redirect to the new folder location and the minimum NTFS Access Control List (ACL) permissions you need to complete the redirection successfully.
Back to the top
Set Up
Folder Redirection is a User group policy. This means that a user for whom you configure folder redirection must have a group policy linked to some folder structure where their user object is subordinate, such as a site, domain, or organizational unit.
Once you create the group policy and link it to the appropriate folder object, an administrator can designate which folders to redirect and where To do this, the administrator needs to navigate to the following location in the Group Policy Object:
User Configuration\Windows Settings\Folder Redirection
In the Properties of the folder, you can choose Basic or Advanced folder redirection, and you can designate the server file system path to which the folder should be redirected.
The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.
Back to the top
Security Requirements
If you configure Folder Redirection to create new subfolders for each user, that user needs sufficient Share and NTFS ACL permissions to create the subfolder in the appropriate location.
When a user does not have sufficient Share and NTFS ACL permissions, their folder is not redirected and you can view one of the following event messages in the local application event log:
Event ID: 101
User: username
Computer: computername
Description:
Failed to perform redirection of folder foldername. The new directories for the redirected folder could not be created. The folder is configured to be redirected to \\servername\sharename\%username%, the final expanded path was \\servername\sharename\username. The following error occurred:
Access is denied.
-or-
Event ID: 101
User: username
Computer: computername
Description:
Failed to perform redirection of the folder application data. The files for the redirected folder could not be moved to the new location. The folder is configured to be redirected to path. Files were being moved from path to path. The following error occurred: The security descriptor structure is invalid.
For additional information about the permissions that are required for a share that will host redirected folders, click the following article number to view the article in the Microsoft Knowledge Base:
274443 (http://support.microsoft.com/kb/274443/) How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000
In Microsoft Windows 2000 and in Microsoft Windows Server 2003, as an administrator, you can customize desktops by using Folder Redirection. You can redirect the following folders by using Active Directory and Group Policy:
•
Application Data
•
Desktop
•
My Documents
•
My Documents/My Pictures
•
Start Menu
You can find more information about Folder Redirection by searching Windows Help for Folder Redirection.
When you redirect folders to a shared location on a network, users need both read and write access to this location so that the users can read the contents these folders. However, in some scenarios, you may not want to grant read access.
Back to the top
Create security-enhanced redirected folders
To make sure that only the user and the domain administrators have permissions to open a particular redirected folder, do the following:
1.
Select a central location in your environment where you would like to store Folder Redirection, and then share this folder. In this example, FLDREDIR is used.
2.
Set Share Permissions for the Everyone group to Full Control.
3.
Use the following settings for NTFS Permissions:
•
CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
•
System - Full Control (Apply onto: This Folder, Subfolders and Files)
•
Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
•
Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
•
Everyone - List Folder/Read Data (Apply onto: This Folder Only)
•
Everyone - Read Attributes (Apply onto: This Folder Only)
•
Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)
4.
Configure Folder Redirection Policy as outlined in Windows Help. Use a path similar to \\server\FLDREDIR\username to create a folder under the shared folder, FLDREDIR.
Because the Everyone group has the Create Folder/Append Data right, the group members have the proper permissions to create the folder; however, the members are not able to read the data afterwards. The Username group is the name of the user that was logged on when you created the folder. Because the folder is a child of the parent folder, it inherits the permissions that you assigned to FLDREDIR. Also, because the user is creating the folder, the user gains full control of the folder because of the Creator Owner Permission setting.
Folder Redirection encounters errors and redirection fails
Folder redirection encounters errors when redirecting the user's folders on the client. As a result, the user's folders are not redirected successfully.
Cause
Several conditions must be met in order for users' folders to be redirected successfully. If these conditions are not met, the following Folder Redirection errors may occur:
•
Folder redirection initialization fails.
•
The Folder redirection path specified by the administrator is invalid, too long, inaccessible, or offline.
•
You do not have adequate privileges to create or access the redirected folders on the server, or there is not enough free disk space on the server.
•
Folder redirection is unable to set the shell folder registry keys to redirect the folders to the required destination.
•
Configuration errors occur in the event that a parent folder was redirected to a subfolder.
•
Folder redirection is unable to acquire the fdeploy.ini config file from the GPO.
•
Some files to be moved as part of redirection are locked on the client.
Solution
To troubleshoot Folder Redirection problems, try one or all of the following:
•
Look at the Event Viewer logs for Folder Redirection events. Based on the event, one or a combination of the following steps may be required to resolve the issue.
•
If Folder redirection initialization fails, ensure that there are no memory or security issues on the client and that there are no issues with the GPO (this applies only if there was an error extracting the fdeploy.ini file). Ensure that the correct Fdeploy.ini file is available on the domain controller that the client is accessing.
•
Verify that the folder redirection path specified by the administrator is valid and accessible. If the target paths are longer than the set limit, you need to make them shorter (look at the event log to see if the path length exceeds permitted number of characters). If the path to the folder does not exist (for example if the path specification is mistyped in the policy setting, if folders in the path have been renamed or removed, or if the server is unavailable), Folder Redirection will fail.
•
Ensure that the folder redirection configuration is correct and that you are not redirecting parent folders to subfolders.
•
Ensure that no files to be moved are locked by an application or service.
•
Ensure that the user has the required ACLS on all the folders and shell folder registry keys.
•
Verify that the user has appropriate permissions to create folders at the redirected location and that there is adequate free disk space to create the redirected folders. If disk quotas are applied, adjust the quotas to ensure the user has the required disk space required.
Note:
In order to use the folder, the file system and share permissions must be set such that the user can navigate the path to the folder, and if the folder exists the user must have ownership privileges on it. (The user is given ownership of the folder by default if you allow the folder to be created automatically.) This is a common cause of confusion with Folder Redirection. When using Folder Redirection Policies, it is best to allow the system to create and set permissions on the folder. This reduces the likelihood of errors due to incorrect security settings. For more information about Folder Redirection permissions, see the "User Data and Settings Management for Windows Server 2003 " white paper on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=26719.
If you need to set permissions manually, you must ensure that the user has the appropriate minimum file system and share permissions. For more information about the required permissions, search for "Folder Redirection" in Windows Server 2003 Help and Support.
For more information about disk quotas, search for "Manage Disk Quotas" in Windows Server 2003 Help and Support.
•
Folder Redirection, like Software Installation settings, can only be applied during computer startup or user logon. On computers running Windows XP with logon optimization enabled, this can mean that the user needs to log on more than once before the setting takes effect.
Folder Redirection Component Locations
Component
Location
Fdeploy.dll
%windir%\system32
{25537BA6-77A8-11D2-9B6C-0000F8080861}.ini
%USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\File Deployment\
Fdeploy.log
%windir%\debug\usermode\
Folder Redirection CSE Background
The Folder Redirection client side extension, fdeploy.dll, processes Group Policy settings for Folder Redirection. Folder Redirection also includes the following components:
•
{25537BA6-77A8-11D2-9B6C-0000F8080861}.ini: A locally cached redirection information file specific to each user profile.
•
{1C08E84D-F112-4252-978B-EC82A225CC20}.ini: A file indicating the status of the previous locations used for redirected folders. This file is used to detect server location changes and user name changes.
Folder Redirection is used to maintain user data in a centralized location. This permits regular backups of the information, and also provides the user with access to the data from any computer in the network.
The following folders can be redirected:
•
My Documents
•
Application Data
•
Desktop
•
Start Menu
The Folder Redirection CSE manages folder Redirection. When events from this CSE are listed on the Policy Events tab in Group Policy Results reports, the source is listed as Folder Redirection.
Fdeploy.dll is loaded during the logon process by the Group Policy engine. The Folder Redirection policies are passed to fdeploy.dll, which then examines the policy settings and redirects user folders based on those settings.
The first step in Folder Redirection is to get a list of all Folder Redirection policies and evaluate them. The policies are handed down to the fdeploy.dll by the Group Policy engine through an API call into fdeploy.dll. The policies come in the form of two linked lists. The first list is a list of added policies. This refers to a list of Folder Redirection policies that are still applicable to the user. The second list is a list of deleted policies that refers to policies that used to be applicable to the user but are no longer applicable. The changes that result from Folder Redirection are then updated with the shell. The client-side cache, also referred to as offline files, is also updated to reflect the files moved by Folder Redirection.
Folder Redirection CSE processing is delayed
Updated: March 02, 2005
Application of the user's folder redirection policy is delayed until the next logon, because Group Policy logon optimization is in effect. As a result, the user's folders are not redirected during the current logon.
Cause
Folder Redirection cannot redirect the user's folders because the Group Policy asynchronous foreground processing setting is turned ON. Folder Redirection requires that the redirection policy be applied synchronously, so that the folders are redirected as part of the login and prior to user access.
The Always wait for the network at computer startup and logon policy setting determines whether Windows XP waits for the network during computer startup and user logon. By default, Windows XP does not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background once the network becomes available.
If the Always wait for the network at computer startup and logon policy is set to Not configured or Disabled, Windows XP does not wait for the network to be fully initialized at startup and logon. Group Policy is applied asynchronously in the background.
In order for Folder Redirection settings to apply with the first logon, Windows must wait for the network to be fully initialized at startup and logon before applying policy. This means policy must apply synchronously in the foreground. The same applies to Software Installation and roaming user profiles.
Solution
To guarantee the application of Folder Redirection in just one logon, enable the Always wait for the network at computer startup and logon policy setting to ensure that Windows waits for the network to be available before applying policy. When this setting is enabled, logons are performed in the same way as for Windows 2000 clients, in that Windows XP waits for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously.
For more information about this policy, see the Explain tab in the Always wait for the network at computer startup and logon policy setting.
To enable logging for Folder Redirection
1.
In the Run dialog box, type regedit, and then click OK.
2.
Locate the following subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Diagnostics.
3.
Create a new entry called FdeployDebugLevel of data type Reg_DWORD, and set its value to 0x0f.
The log file is created in %windir%\Debug\Usermode\Fdeploy.log.
Locally Cached Redirection Information File
Whenever a folder is redirected, fdeploy.dll saves the details of the redirection in a local file. This data is used later by fdeploy.dll to determine how to process redirected folders if a user's personal name (UPN) or security group membership changes. The file is also used with roaming user profiles.
The redirection information file is stored in the %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\File Deployment\ folder.
The file has one section per folder currently redirected through Folder Redirection policy. If there is no policy applicable for a particular folder, then that section is removed from this file. For each folder, the following information is maintained:
•
User Name. The user name of the user when the redirection was performed. This information is used to handle UPN changes.
•
Path. The path to which the folder is redirected.
•
Flags. The flags describing the Folder Redirection settings.
•
Group. The string representation of the SID for the security group that was responsible for that particular path to get chosen as the redirection destination.
•
GPO. The GUID of the GPO that was responsible for redirection.
An example cached redirection file:
[Desktop]Username=usernamePath=%USERPROFILE%\DesktopFlags=31Group=S-1-5-21-397955417-626881126-188441444-3038017GPO={AFC36721-F1D5-46BA-981C-FC33BDE293D7} Folder Redirection Processes and InteractionsFolder Redirection client-side extension interacts with the Group Policy engine as well as the shell.
Folder Redirection processing contains five steps:
1.
Determine which user folders to redirect based on changes to Group Policy settings at time of logon.
2.
Determine the target location specified for redirection and confirm the user has access rights to that location.
3.
If the target folder does not exist, the folder is created and the appropriate access control list (ACL) rights are set.
4.
If the folder exists, access rights and folder ownership are checked.
5.
If desired, the files contained within specified folders are moved to the new location, which also deletes them from the source folder if the source folders are local.
If the policy for Folder Redirection does not specify that the user be granted exclusive access to the redirected location, fdeploy.dll confirms only that the destination folder exists. If the target folder does not exist, it is created. However, if the policy requires that the user be given exclusive access to the destination folder, fdeploy.dll does one of the following, depending on whether the destination folder already exists or not.
Note
•
With Windows XP SP1 the user must be the owner of the folder on the server. If not, the ownership check fails, and redirection fails unless a policy is set to ignore this. This was added in SP1.
•
If the destination already exists, fdeploy.dll checks whether the user is the owner of the folder. If the folder is owned by the user, fdeploy.dll proceeds; otherwise it fails and aborts the redirection of that folder.
•
If the destination does not exist, fdeploy.dll creates the folder and then sets ACLs on it so that only the user and the local system account have full access to it, but no other users have any access to it. Fdeploy.dll also ensures that the folder does not inherit any Access Control Entries (ACE) from its parent. Fdeploy.dll then sets the user as the owner of the folder. This is done because if the user belongs to the local administrators group on the destination server, the local administrators group becomes the owner of the group by default. By setting the user as the owner of the folder you can assure that any quota accounting for that user is done correctly. This also ensures that any subsequent redirections to the same location from other computers do not fail due to the ownership check performed on pre-existing folders described previously. If configuration of either ownership or Access Control Lists (ACL) fails, the process is aborted and redirection fails for the folder specified. If not, redirection proceeds and the files are copied to the redirected location.
Once this is done, fdeploy.dll deletes the files from the source. However, there is an exception to this. If the source is a network location and the destination is a local location, the files are not deleted from the source. This ensures that any subsequent redirection operations from other computers also get a copy of the files on the local computer as required by the policy.
Folder Redirection Interaction with the Shell
There are two main points of interaction with the shell. The first point is when fdeploy.dll determines the current location of a folder. For this, it uses the SHGetFolderPath API from shell32.dll. The second point of interaction is when fdeploy.dll needs to notify the shell about the new location of a folder after it applies redirection settings. For this, it uses the SHSetFolderPath API from shell32.dll.
In addition, there is one other point of interaction which is specific to redirection of the My Documents folder. In the Windows shell, the properties dialog box for the My Documents folder has a Target tab. Settings on the Target page enable a user to change the location of this folder. If the folder is redirected through policy, this functionality is not desirable and should be disabled. Therefore, fdeploy.dll needs to set the policy which disables this functionality. This is done by creating a DWORD value called DisablePersonalDirChange under the key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
Folder Redirection and Environment Variables
Environment variables can be used to define the path to the redirected location. Supported environment variables include %USERNAME% and %USERPROFILE%.
These are the only environment variables supported because other variables are not defined when the Folder Redirection extension is loaded by Winlogon. Note that fdeploy.dll does not do any sort of validation to ensure that only certain allowed variables are present in the paths. It merely expands the paths and if any variables are not defined, they stay as they are. Homedir redirection is an exception. Redirection to the home directory of the user is only allowed for the My Documents folder; fdeploy.dll does perform validation to ensure that other folders cannot be redirected to that location.
Folder Redirection and Mapped Drives
Because Folder Redirection is processed early in the logon process, drives mapped with logon scripts (including the homedrive for folders other than My Documents), the Folder Redirection client side extension is not able to redirect to these locations. At the time that redirection takes place, the drives do not exist hence redirection fails.
Using Offline Files Settings
Using offline files settings on a shared network folder where user data is stored is especially useful for users of portable computers. It is recommended that you use Folder Redirection in conjunction with offline files.
The offline files feature of Windows, also referred to as client-side caching, is designed to make network access of files more efficient by keeping a local copy of the files in the offline files cache. It also facilitates access to those files when the user is not connected to the network. Since Folder Redirection moves a user's files to and from network locations, it is important for it to move files within the local offline files cache to provide a seamless and transparent experience to the user. In most cases when you use Folder Redirection, you will combine it with offline files so that users can access cached copies of the redirected folders when disconnected from the network. The following table provides some recommended settings for redirecting folders.
Note
•
All redirected folders are pinned by default.
Recommended Configuration for Offline Files
Redirected Folder
Recommended Offline Folder Settings
My Documents
Auto-caching for documents or manual caching for documents (if you want users to have to manually make files and folders available offline).
My Pictures
Auto-caching for documents or manual caching for documents (if you want users to have to manually make files and folders available offline).
Application Data
Auto-caching for programs.
Desktop
Auto-caching for programs if the desktop is read-only.
Folder Redirection and Software Installation Policies
When logon optimization is enabled, a user might need to log on to a computer twice before Folder Redirection policies and software installation policies are applied. This is because application of these types of policies requires the synchronous policy application. During a policy refresh (which is asynchronous), the system sets a flag that indicates that the application of Folder Redirection or a software installation policy is required. The flag forces synchronous application of the policy at the user's next logon.
Because background refresh is the default behavior in Windows XP, Folder Redirection and Software Installation might require as many as three logons to apply changes.
This behavior exists because Folder Redirection and Software Installation cannot apply during an asynchronous or background application of policy. Folder Redirection can be applied only when processed synchronously.
Here is a sample scenario showing how polices are applied:
•
An administrator deploys a software package to User A.
•
User A logs on fast and receives a background (asynchronous) application of policy.
•
Because the policy application was asynchronous, the software that was set to be installed cannot be installed at this time. Instead the computer is tagged, indicating that software needs to be installed.
•
The next time the user logs on, the computer instead logs on the user synchronously to allow the software package to be installed. (This is the same behavior as Windows 2000). This results in one extra logon for the software to be installed.
•
In the case of Advanced Folder Redirection, because policy is evaluated based on security group membership three logons will be required: the first logon to update the cached user object (and security group membership), the second logon for policy to detect the change in security group membership and require a foreground policy application, and the third logon to actually apply Folder Redirection policy in the foreground.
Note
•
When a client running Windows XP logs onto a Windows 2000 or Windows Server 2003 Active Directory, all Software Installation policy settings for Windows 2000 clients will be applied and work successfully on the Windows XP client.
older
Subscribe to:
Post Comments (Atom)
Posts
No comments:
Post a Comment