Deploy Folder Redirection with Offline Files (2024)

Applies To: Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, Windows Server 2016

This article describes the requirements for deploying Folder Redirection and Offline Files together, including the steps that you need to follow to control access to the redirected files.

Prerequisites

Before you begin, make sure your environment meets the following requirements.

Administration requirements

  • To administer Folder Redirection, you must be signed in as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
  • A computer must be available that has Group Policy Management and Active Directory Administration Center installed.

File server requirements

The file server is the computer that hosts the redirected folders. Make sure your file server meets the following requirements.

Interoperability with Remote Desktop Services

Your remote access configuration affects how you configure the file server, file shares, and policies. If your file server also hosts Remote Desktop Services, there are a few deployment steps that differ.

  • You don't have to create a security group for folder redirection users.
  • You have to configure different permissions on the file share that hosts the redirected folders.
  • You have to precreate folders for new users, and set specific permissions on those folders.

Important

Most of the procedures in the rest of this section apply to both remote access configurations. The procedures or steps that are specific to one configuration or the other are labeled as such.

Restricting access

Apply the following changes to the file server, as appropriate for your configuration:

  • All configurations: Make sure only required IT administrators have administrative access to the file server. The procedure in the next step configures access for the individual file shares.
  • Servers that don't also host Remote Desktop Services: Disable the Remote Desktop Services service (termserv) on your file server if it's not also hosting Remote Desktop Services.

Interoperability with other storage features

To make sure Folder Redirection and Offline Files interact correctly with other storage features, check the following configurations.

  • If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
  • If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
  • When using a clustered file share, disable continuous availability on the file share to avoid performance issues with Folder Redirection and Offline Files. When continuous availability is enabled, Offline Files might not transition to offline mode for 3-6 minutes after a user loses access to the file share. The delay could frustrate users who aren’t yet using the Always Offline mode of Offline Files.

Client requirements

  • Client computers must run Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, or Windows Server 2016.
  • Client computers must be joined to the Active Directory Domain Services (AD DS) domain that you're managing.
  • Client computers must run x64-based or x86-based processors. Folder Redirection isn't supported on PCs powered by ARM processors.

Important

Some newer features in Folder Redirection have additional client computer and Active Directory schema requirements. For more information, see Deploy primary computers for Folder Redirection and Roaming User Profiles, Disable Offline Files on individual redirected folders, Enable Always Offline mode for faster access to files, and Enable optimized moves of redirected folders.

Step 1: Create a folder redirection security group

If you're running Remote Desktop Services on the file server, skip this step. Instead, assign permissions to the users when you precreate folders for new users.

This procedure creates a security group that contains all users to which you want to apply Folder Redirection policy settings.

  1. On a computer that has Active Directory Administration Center installed, open Server Manager.

  2. Select Tools > Active Directory Administration Center. Active Directory Administration Center appears.

  3. Right-click the appropriate domain or OU, and then select New > Group.

  4. In the Create Group window, in the Group section, specify the following settings:

    • In Group name, enter the name of the security group, for example: Folder Redirection Users.
    • In Group scope, select Security > Global.
  5. In the Members section, select Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

  6. Enter the names of the users or groups to which you want to deploy Folder Redirection, select OK, and then select OK again.

Step 2: Create a file share for redirected folders

If you don't already have a file share for redirected folders, use the following procedure to create a file share on a server that runs Windows Server 2016 or a later version.

Note

Some functionality might differ or be unavailable if you create the file share on a server that runs a different version of Windows Server.

  1. In the Server Manager navigation pane, select File and Storage Services > Shares to display the Shares page.

  2. In the Shares page, select Tasks > New Share. The New Share Wizard appears.

  3. On the Select Profile page, choose the option that corresponds to your File Server Resource Manager configuration:

    • If you have File Server Resource Manager installed and are using folder management properties, select SMB Share - Advanced.
    • If you don't have File Server Resource Manager installed or you aren't using folder management properties, select SMB Share – Quick.
  4. On the Share Location page, select the server and volume on which you want to create the share.

  5. On the Share Name page, enter a name for the share (for example, Users$) in the Share name box.

    Tip

    When you create the share, hide the share by putting a $ (dollar sign) after the share name. This change hides the share from casual browsers.

  6. On the Other Settings page, clear the Enable continuous availability checkbox, if present. Optionally, select the Enable access-based enumeration and Encrypt data access checkboxes.

  7. On the Permissions page, select Customize permissions to open the Advanced Security Settings dialog box.

  8. Select Disable inheritance, and then select Convert inherited permissions into explicit permission on this object.

  9. Set the permissions as described in the following tables and figures.

    Important

    The permissions that you use depend on your remote access configuration, so make sure you use the correct table.

    • Permissions for file servers without Remote Desktop Services

      User Account | Permission | Applies to
      -------------|------------|-----------
      System | Full Control | This folder, subfolders, and files
      Administrators | Full Control | This folder only
      Creator/Owner | Full Control | Subfolders and files only
      Security group of users who need to put data on the share (Folder Redirection Users) | List folder/read data¹; Create folders/append data¹; Read attributes¹; Read extended attributes¹; Read permissions¹; Traverse folder/execute file¹ | This folder only
      Other groups and accounts | None (Remove any accounts that this table doesn't list) |

      ¹ Advanced permissions

    • Permissions for file servers with Remote Desktop Services

      User Account or Role | Permission | Applies to
      ---------------------|------------|-----------
      System | Full Control | This folder, subfolders, and files
      Administrators | Full Control | This folder, subfolders, and files
      Creator/Owner | Full Control | Subfolders and files only
      Other groups and accounts | None (remove any other accounts from the access control list) |

  10. If you chose the SMB Share - Advanced profile earlier in this procedure, follow these extra steps:

    • On the Management Properties page, select the User Files Folder Usage value.
    • Optionally, select a quota to apply to users of the share.
  11. On the Confirmation page, select Create.

Step 3: Precreate folders for new users on servers that also host Remote Desktop Services

If the file server also hosts Remote Desktop Services, use the following procedure to precreate folders for new users and assign the appropriate permissions to the folders.

  1. In the file share that you created in the previous procedure, navigate to the file share's root folder.

  2. Use one of the following methods to create a new folder.

    • Right-click the root folder, and then select New > Folder. For the name of the folder, enter the user name of the new user.

    • Alternatively, to use Windows PowerShell to create the new folder, open a PowerShell Command Prompt window and run the following cmdlet:

      New-Item -Path 'c:\shares\frdeploy\<newuser>' -ItemType Directory

      In this command, <newuser> represents the user name of the new user.

  3. Right-click the new folder, and then select Properties > Security > Advanced > Owner. Verify that the folder owner is the Administrators group.

  4. Set the permissions as described in the following table and figure. Remove permissions for any groups and accounts that aren't listed here.

    User Account | Permission | Applies to
    -------------|------------|-----------
    System | Full Control | This folder, subfolders, and files
    Administrators | Full Control | This folder, subfolders, and files
    Creator/Owner | Full Control | Subfolders and files only
    newuser¹ | Full Control | This folder, subfolders, and files
    Other groups and accounts | None (remove any other accounts from the access control list) |

    ¹ newuser represents the user name of the new user's account.
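
The permission tables in Step 2 and Step 3 can be checked mechanically. The following PowerShell is an added example, not part of the original article: it compares a folder's ACL with the table for its role and lists missing or unexpected entries. The function names, the D:\Shares\Users path and the CORP domain are assumptions.

```powershell
# Added example, not from the original article. Function names, the sample path
# and the CORP domain are assumptions.
$FC  = [System.Security.AccessControl.FileSystemRights]::FullControl
# The six advanced permissions from the "without Remote Desktop Services" table
$Put = [System.Security.AccessControl.FileSystemRights]'ReadData, AppendData, ReadAttributes, ReadExtendedAttributes, ReadPermissions, ExecuteFile'

function New-FrRule {
    param([string]$Identity, $Rights, [ValidateSet('All', 'ThisFolder', 'Children')]$Scope)
    # Map the "Applies to" column to inheritance and propagation flags
    $inherit = if ($Scope -eq 'ThisFolder') { 'None' } else { 'ContainerInherit, ObjectInherit' }
    $prop    = if ($Scope -eq 'Children') { 'InheritOnly' } else { 'None' }
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $inherit, $prop, 'Allow'
}

function Get-FrExpectedRules {
    param([ValidateSet('RootNoRds', 'RootRds', 'UserFolderRds')]$Table, [string]$Principal)
    # System and Creator/Owner rows are identical in all three tables
    $rules = @((New-FrRule 'NT AUTHORITY\SYSTEM' $FC 'All'), (New-FrRule 'CREATOR OWNER' $FC 'Children'))
    switch ($Table) {
        'RootNoRds'     { $rules += New-FrRule 'BUILTIN\Administrators' $FC 'ThisFolder'
                          $rules += New-FrRule $Principal $Put 'ThisFolder' }
        'RootRds'       { $rules += New-FrRule 'BUILTIN\Administrators' $FC 'All' }
        'UserFolderRds' { $rules += New-FrRule 'BUILTIN\Administrators' $FC 'All'
                          $rules += New-FrRule $Principal $FC 'All' }
    }
    $rules
}

function ConvertTo-FrKey {
    param($Rule)
    # Round-trip through the SID so 'Creator Owner' and 'CREATOR OWNER' compare equal
    $id = try {
        $sid = $Rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Rule.IdentityReference.Value }   # orphaned SID: keep it as written
    # The ACL editor adds Synchronize to Allow entries; normalise it on both sides
    $sync   = [System.Security.AccessControl.FileSystemRights]::Synchronize
    $rights = [System.Security.AccessControl.FileSystemRights]($Rule.FileSystemRights -bor $sync)
    '{0} {1}: {2} [{3}] [{4}]' -f $Rule.AccessControlType, $id, $rights, $Rule.InheritanceFlags, $Rule.PropagationFlags
}

function Test-FrAcl {
    param([string]$Path, [ValidateSet('RootNoRds', 'RootRds', 'UserFolderRds')]$Table, [string]$Principal)
    $acl  = Get-Acl -LiteralPath $Path
    $want = @(Get-FrExpectedRules $Table $Principal | ForEach-Object { ConvertTo-FrKey $_ })
    $have = @($acl.Access | ForEach-Object { ConvertTo-FrKey $_ })
    $findings  = @($want | Where-Object { $_ -notin $have } | ForEach-Object { "MISSING    $_" })
    $findings += @($have | Where-Object { $_ -notin $want } | ForEach-Object { "UNEXPECTED $_" })
    if ($Table -ne 'UserFolderRds' -and -not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is still enabled on the share root (Step 2, item 8)'
    }
    if ($Table -eq 'UserFolderRds' -and $acl.Owner -ne 'BUILTIN\Administrators') {
        $findings += "Owner is $($acl.Owner); expected the Administrators group (Step 3, item 3)"
    }
    $findings   # empty output means the ACL matches the table
}

# Example run; the path and account names are assumed values
$root = 'D:\Shares\Users'
if (Test-Path -LiteralPath $root) {
    Test-FrAcl -Path $root -Table RootNoRds -Principal 'CORP\Folder Redirection Users'
}
```

An UNEXPECTED line for the account that created a user folder is common: the inherited Creator/Owner entry stamps the creator's own SID on the new folder, and Step 3 asks you to remove entries that the table doesn't list.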

Step 4: Create a GPO for Folder Redirection

If you don't already have a Group Policy object (GPO) that manages the Folder Redirection and Offline Files functionality, use the following procedure to create one.

  1. On a computer that has Group Policy Management installed, open Server Manager.

  2. Select Tools > Group Policy Management.

  3. In Group Policy Management, right-click the domain or OU in which you want to set up Folder Redirection, and then select Create a GPO in this domain, and Link it here.

  4. In the New GPO dialog box, enter a name for the GPO (for example, Folder Redirection Settings), and then select OK.

  5. Right-click the newly created GPO, and then clear the Link Enabled checkbox. This change prevents the GPO from being applied until you finish configuring it.

  6. Select the GPO. Select Scope > Security Filtering > Authenticated Users, and then select Remove to prevent the GPO from being applied to everyone.

  7. In the Security Filtering section, select Add.

  8. In the Select User, Computer, or Group dialog box, configure the option that corresponds to your configuration:

    • File servers without Remote Desktop Services: Enter the name of the security group that you created in Step 1: Create a folder redirection security group (for example, Folder Redirection Users), and then select OK.
    • File servers with Remote Desktop Services: Enter the user name that you used for the user folder in Step 3: Precreate folders for new users on servers that also host Remote Desktop Services and then select OK.
  9. Select Delegation > Add, and then enter Authenticated Users. Select OK, and then select OK again to accept the default Read permission.

    Important

    This step is necessary because of security changes made in MS16-072. You must give the Authenticated Users group delegated Read permissions to the Folder Redirection GPO. If you don't, the GPO isn't applied to users, or if it's already applied, the GPO is removed, redirecting folders back to the local PC. For more information, see Deploying Group Policy Security Update MS16-072.
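
The procedure above, scripted with the GroupPolicy module as an added example (not part of the original article), together with a check for the MS16-072 requirement. The OU distinguished name and the function names are assumptions; the GPO and group names are the article's own examples.

```powershell
# Added example, not from the original article. Requires the GroupPolicy module
# (installed with Group Policy Management). The OU path is an assumed value.
Import-Module GroupPolicy

function New-FrGpo {
    param([string]$GpoName, [string]$Target, [string]$Trustee,
          [ValidateSet('Group', 'User')]$TrusteeType = 'Group')
    New-GPO -Name $GpoName | Out-Null
    # Items 3-5: link the GPO but leave the link disabled until it is configured
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled No | Out-Null
    # Items 6 and 9: a new GPO grants Authenticated Users Read + Apply.
    # -Replace downgrades that to Read only, which MS16-072 still requires.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    # Items 7-8: apply the GPO only to the Folder Redirection group (or, on a
    # server that also hosts Remote Desktop Services, to the individual user)
    Set-GPPermission -Name $GpoName -TargetName $Trustee -TargetType $TrusteeType `
        -PermissionLevel GpoApply | Out-Null
}

function Test-FrGpoFiltering {
    param([string]$GpoName, [string]$Trustee, [ValidateSet('Group', 'User')]$TrusteeType = 'Group')
    $issues = @()
    $au = Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -ErrorAction SilentlyContinue
    if (-not $au) {
        $issues += 'Authenticated Users has no Read permission: the GPO is not applied (MS16-072)'
    } elseif ($au.Permission -ne 'GpoRead') {
        $issues += "Authenticated Users has $($au.Permission): expected GpoRead only"
    }
    $t = Get-GPPermission -Name $GpoName -TargetName $Trustee -TargetType $TrusteeType `
        -ErrorAction SilentlyContinue
    if (-not $t -or $t.Permission -ne 'GpoApply') {
        $issues += "$Trustee is not in Security Filtering (needs GpoApply)"
    }
    $issues   # empty output means filtering matches the procedure
}

# Example values: GPO and group names from the article, OU path assumed
# New-FrGpo -GpoName 'Folder Redirection Settings' -Target 'OU=Staff,DC=corp,DC=contoso,DC=com' -Trustee 'Folder Redirection Users'
# Test-FrGpoFiltering -GpoName 'Folder Redirection Settings' -Trustee 'Folder Redirection Users'
```

The link stays disabled after New-FrGpo runs; Step 6 enables it, which corresponds to Set-GPLink with -LinkEnabled Yes.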

Step 5: Configure the Group Policy settings for Folder Redirection and Offline Files

After you create a GPO for Folder Redirection settings, follow these steps to edit the Group Policy settings that enable and configure Folder Redirection.

Note

By default, the Offline Files feature is enabled for redirected folders on Windows client computers, and disabled on Windows Server computers. Users can enable this feature, or you can use Group Policy to control it. The policy is Allow or disallow use of the Offline Files feature.

For information about some of the other Offline Files Group Policy settings, see Enable Advanced Offline Files Functionality, and Configuring Group Policy for Offline Files.

  1. In Group Policy Management, right-click the GPO you created (for example, Folder Redirection Settings), and then select Edit.

  2. In the Group Policy Management Editor window, navigate to User Configuration > Policies > Windows Settings > Folder Redirection.

  3. Right-click a folder that you want to redirect (for example, Documents), and then select Properties.

  4. In the Properties dialog box, from the Settings box, select Basic - Redirect everyone’s folder to the same location.

    (Optional) In the Policy Removal section, select Redirect the folder back to the local userprofile location when the policy is removed. This setting can help make Folder Redirection behave more predictably for administrators and users.

  5. In the Target folder location section, select Create a folder for each user under the root path.

  6. In the Root Path box, enter the path to the file share that stores the redirected folders, such as \\fs1.corp.contoso.com\users$.

  7. Select OK, and then select Yes in the Warning dialog box.

Step 6: Enable the Folder Redirection GPO

After you finish configuring the Folder Redirection Group Policy settings, the next step is to enable the GPO. This change allows the GPO to be applied to affected users.

Tip

If you plan to implement primary computer support or other policy settings, do so now, before you enable the GPO. Implementing these settings prevents user data from being copied to non-primary computers before primary computer support is enabled.

  1. Open Group Policy Management.
  2. Right-click the GPO that you created, and then select Link Enabled. A checkbox appears next to the menu item.

Step 7: Test Folder Redirection

To test Folder Redirection, sign in to a computer by using a user account that is configured to use redirected folders. Then confirm that the folders and profiles are redirected.

  1. Sign in to a primary computer (if you enabled primary computer support) by using a user account for which you have enabled Folder Redirection.

  2. If the user has previously signed in to the computer, open an elevated command prompt, and then enter the following command to ensure that the latest Group Policy settings are applied to the client computer:

    gpupdate /force
  3. Open File Explorer.

  4. Right-click a redirected folder (for example, the My Documents folder in the Documents library), and then select Properties.

  5. Select the Location tab, and confirm that the path displays the file share you specified instead of a local path.

Appendix A: Checklist for deploying Folder Redirection

Complete | Task or item
---------|-------------
[ ] | Prepare domain and other prerequisites
    | - Join computers to domain
    | - Create user accounts
    | - Check file server prerequisites and compatibility with other services
    | - Does the file server also host Remote Desktop Services?
    | - Restrict access to the file server
[ ] | Step 1: Create a folder redirection security group
    | - Group name:
    | - Members:
[ ] | Step 2: Create a file share for redirected folders
    | - File share name:
[ ] | Step 3: Precreate folders for new users on servers that also host Remote Desktop Services
[ ] | Step 4: Create a GPO for Folder Redirection
    | - GPO name:
[ ] | Step 5: Configure the Group Policy settings for Folder Redirection and Offline Files
    | - Redirected folders:
    | - Windows 2000, Windows XP, and Windows Server 2003 support enabled?
    | - Offline Files enabled? (enabled by default on Windows client computers)
    | - Always Offline Mode enabled?
    | - Background file synchronization enabled?
    | - Optimized Move of redirected folders enabled?
[ ] | (Optional) Enable primary computer support:
    | - Computer-based or User-based?
    | - Designate primary computers for users
    | - Location of user and primary computer mappings:
    | - (Optional) Enable primary computer support for Folder Redirection
    | - (Optional) Enable primary computer support for Roaming User Profiles
[ ] | Step 6: Enable the Folder Redirection GPO
[ ] | Step 7: Test Folder Redirection

  • Folder Redirection, Offline Files, and Roaming User Profiles overview
  • Deploy primary computers for Folder Redirection and Roaming User Profiles
  • Enable Always Offline mode for faster access to files
  • Information about Microsoft support policy for a DFS-R and DFS-N deployment scenario
  • Sideload Apps with DISM
  • Troubleshooting packaging, deployment, and query of Windows apps

FAQs

Does Folder Redirection enable offline files?

After you create a GPO for Folder Redirection settings, follow these steps to edit the Group Policy settings that enable and configure Folder Redirection. By default, the Offline Files feature is enabled for redirected folders on Windows client computers, and disabled on Windows Server computers.

What is the best practice for Folder Redirection?

For optimal performance of the Folder Redirection feature, it is strongly recommended that you create only the root share on the server, and then let the system create the folders for each user.

Do not automatically make all redirected folders available offline?

In the console tree, under User Configuration, expand Policies, expand Administrative Templates, expand System, and expand Folder Redirection. Right-click Do not automatically make specific redirected folders available offline and then select Edit.

How to enable offline files in GPO?

Type group policy in the search box and then select group policy editor from the start menu list. Step 3. Scroll down the Offline Files Setting and double-click Allow or Disallow the use of Offline Files feature. Then you can enable or disable offline files per your needs.

Is folder redirection a good idea?

We use folder redirection and UEM because people roam, if your users are never sat at the same desk or device then this is pretty much a must. Even if they don't, FR will help with backup of their data and allows for them to move or use alternative devices if needs be. The best part is backing documents up.

What is the purpose of offline files?

The offline files setting allows you to access copies of your network files even when you can't connect to the network. However, this setting can cause several problems when using Lacerte or ProSeries, including: Not being able to view or modify client files in Lacerte (any year), when others can.

What are the disadvantages of Folder Redirection?

The downside of folder redirection is that it requires a lot of disk space on the server. Also, users can't get to documents when the server is unavailable.

What is the Microsoft offline files policy?

This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer.

How do I make a folder available offline?

To make files or folders available offline
  1. When your PC is connected to the network, open File Explorer and find the network file or folder you want to make available offline. ...
  2. Select the file or folder, tap or click the Home tab, tap or click Easy access, and then choose Always available offline.

How do offline folders work?

Offline Files makes network files available to a user, even if the network connection to the server is unavailable or slow. When working online, file access performance is at the speed of the network and server. When working offline, files are retrieved from the Offline Files folder at local access speeds.

How do I enable offline folders?

3 Ways to Enable or Disable Offline Files in Windows 10
  1. Click the Windows 10 Search Bar, type Control Panel, and then open it. ...
  2. On the left side, you'll see the Manage offline files option - click on it to proceed further.
  3. First, click on the Enable offline files option and then click the OK button at the bottom.

What is the difference between Folder Redirection and roaming profiles?

Roaming User Profiles is used to redirect a user profile to a network location, whereas Folder Redirection enables users and administrators to redirect the path of a known folder to a new location, manually or by using Group Policy. So, the latter may allow for more granularity.

How to set up Folder Redirection in Group Policy?

The process to configure folder redirection is straightforward. Within the designated GPO, the administrator should access User Configuration > Policies > Windows Settings > Folder Redirection. Once IT admins right-click the desired folders and select Properties, they can view the configuration options.

What are the default permissions for Folder Redirection?

The default permission for Windows folder redirection is to grant the user exclusive rights. This means an administrator does not have read access to the redirected folders to back them up.

What is the purpose of folder redirection?

Folder Redirection enables users and administrators to redirect the path of a known folder to a new location, manually or by using Group Policy. The new location can be a folder on the local computer or a directory on a file share.

How do I know if offline files are enabled?

Way 1. Enable/Disable Offline Files by Sync Center
  1. Click the Windows 10 Search Bar, type Control Panel, and then open it. ...
  2. On the left side, you'll see the Manage offline files option - click on it to proceed further.
  3. First, click on the Enable offline files option and then click the OK button at the bottom.

Article information

Author: Dean Jakubowski Ret