Redirected Folders

Basic Redirected Folders

Basic Redirected Folders works best in two situations:

• Smaller environmentssuch as a doctor's office or storefrontwhere all employees sit under one roof

• In an organization's OU structure that was designed such that similar people are not only in the same OU but are also in the same physical location

The reason these simple scenarios make a good fit with the basic option is that such situations let you redirect the users affected by the policy setting to a server that's close to them. That way, if they do roam within their location, the wait time is minimal to download and upload the data back and forth to the server and their workstation.

In the following example, I've created an OU called LikeUsers who are all using the same local serverWinDC01. Setting up a basic Redirected Folders for My Documents is a snap. It's a three-step process:

• Create a shared folder to store the data.

• Set the security on the shared folder.

• Create a new GPO and edit it to contain a policy setting to redirect the My Documents folder.

To create and share a folder to store redirected My Documents data, follow these steps:

1. Log on to WinDC01 as Administrator.

2. From the Desktop, double-click My Computer to open the My Computer folder.

3. Find a place to create a users folder. In this example, we'll use D:\DATA. Once you're inside the D: drive, right-click D:\ and select the Folder command from the New menu, then type in Data for the name .

   Tip	You can substitute any name for Data. Some use MYDOCS or REDIRDOCS.

4. Right-click the newly created Data folder, and choose "Sharing and Security," which opens the Properties of the folder, but focused on the Sharing tab. Note that Windows Server 2003 will default such that the share is Everyone:Read. Click "Share This Folder," and ensure the share is set so that Authenticated Users have Full Control, as seen in Figure 9.2. Keep the rest of the defaults, and click OK.

Figure 9.2: Share the Data folder such that Authenticated Users have Change permissions.

Now that the share is created, we're ready to create a new GPO to do the magic. To set up Redirected Folders for My Documents, follow these steps:

1. In the GPMC, right-click the OU on which you want to apply Folder Redirection (in my case, the LikeUsers OU), and choose "Create and link a new GPO here"

2. Name the GPO, say, "My Docs Folder Redirection," as shown in Figure 9.3.

3. Right-click the new GPO, and choose Edit from the shortcut menu to open the Group Policy Object Editor.

4. Drill down to Folder Redirection by choosing User Configuration ˜ Windows Settings ˜ Folder Redirection. Right-click the My Documents entry in the Group Policy Object Editor, and choose Properties to open the My Document Properties dialog box, as shown in Figure 9.4.

5. In the Setting drop-down list box, select "BasicRedirect everyone's Folder to the same location."

Figure 9.3: The LikeUsers OU has a GPO named "My Docs Folder Redirection." After drilling down into the folder that you want to redirect, right-click and choose Properties.

Figure 9.4: The Basic settings redirect all users in the OU to the same location.

Share Permissions: Full Control versus Change

In the last chapter, we set up a shared folder for our Roaming Profiles. We put Change control on the permissions, and this was enough. Interestingly, here, on the share that will house our redirected folders, we need Full Control permissions, or the Folder Redirection will fail.

So, is there a problem using Full Control? Is there a way to exploit an attack on a share with Full Control? Not really, unless the underlying NTFS permissions are open for an attack. Basically, as long as the root folder of the share is an NTFS folder with appropriate permissions, there is no reason to use anything other than Everyone:Full Control on the share; though there's certainly nothing wrong with Authenticated Users: Full Control either.

Some people had insisted on using share permissions, but it was often because they instituted the practice in the dark days of OS/2 and Microsoft LanManager and got used to it. The share permission is simply a security descriptor stored in the Registry entry for the share in the LanManServer entries on the server. Giving Everyone:Full Control doesn't change the permissions on the Registry entry itself, so it cannot be used as an exploit for getting a toehold on the server.

The moral of the story: have the correct NTFS permissions underneath the folder that contains the share. Indeed, share permissions aren't sufficient if someone gets physical access, or near-physical access, to the box; for example, via Terminal Services access.

The Target Tab

The "Target folder location" drop-down list box has the following four options:

• Redirect to the user's home directory. Many companies use home drives for each user and have the users store all their stuff there. To set a home drive for each user, in Active Directory Users And Computers click the "Profile" tab for the user and enter a path in the "Home folder" section. The idea behind this setting is that it's an easy way to help users continue to use a drive letter they already know and love, say, H: (for Home directory) in addition to the My Documents redirection. If you choose this setting, both H: and My Documents point to the exact same placethe path you set in the Home folder section in Active Directory Users And Computers. In this book, we didn't set up home drives because My Documents redirection frees us from the need to do so. This setting is provided here only as a convenience for organizations that want to continue to use home folders. If you plan to eventually get rid of home drives in your company in lieu of just a redirected My Documents folder, my advice is not to use this setting; instead use the Redirect to the following location setting (explored shortly).

  Note	If the user has no home folder, this option is ignored, and the folder stays in its current location.

• Create a folder for each user under the root path. If you plan to redirect more than just the My Documents folder (say, the Application Data or Desktop), you might want to select this option. This creates secure subfolders underneath the point you specify. As you can see in Figure 9.4 earlier in this chapter, entering \\windc01\data in the Root Path box shows an example of how all users affected by this policy setting are redirected.

In the example, you can see that My Documents for a user Clair will be redirected to her own folder in the Data share. Go ahead and perform this now.

Redirect to the following location. This option makes sense if you plan to redirect only My Documents or just one other redirectable folder. This selection allows you to specifically dictate where you want the folder placed. This was the only option available in previous versions. To use this setting, type \\WinDC01\data\%username% in the Target Folder Location text box. Then, a subfolder for the user is created directly under the Data shared folder. This is the selection to choose when none of the others is to your liking; that is, you have the most flexibility with this option.

Redirect to the local userprofile location. With this option, you redirect the folder for the user back to their Local Profile. It's useful when you want to remove redirection for a particular folder without affecting the rest of the other redirected folders.

The Settings Tab

When you click the Settings tab, you have access to additional options for Folder Redirection. The Settings tab is the hidden gem of Folder Redirection; it activates a bit of magic. There is a Settings tab for each redirected folder: My Documents (and the corresponding My Pictures), the Desktop, the Start Menu, and Application Data. Figure 9.5 shows the Settings tab for My Documents.

Figure 9.5: The Settings tab in Folder Redirection holds all sorts of magical powers!

By default, users have exclusive NTFS permissions to their directories, and the contents of their My Documents folders are automatically moved to the new directory. You can change this behavior, if desired, by making the appropriate choices on the Settings tab.

Because we're discussing My Documents at this point, we'll dive into the Settings tab specifically for My Documents. However, each setting discussed here affects the other potentially redirected folders in exactly the same way. Let's take a look at some of the options available on this tab.

Grant the User Exclusive Rights to My Documents By default, this check box is checked. You're instructing the system to create a secure directory underneath the redirection. This check box sets NTFS permissions on that directory such that only that user can enter the directory. This keeps prying eyes, even those of nosy administrators, out of people's personal business. If you want to change this setting, uncheck the box.

Unchecking the "Grant the user exclusive rights to My Documents" check box sets no additional permissions, nor does it modify the target directory permissions in any way. Any permissions on the folder are left as they were by default. The NTFS permissions are not modified. Because Windows 2000 and Windows 2003 use NTFS inheritance, newly created folders receive the same permissions as the parent folder.

Move the Contents of My Documents to the New Location By default, this check box is checked. When you start out on your IntelliMirror journey, Microsoft is betting that the first thing you do is to set up Roaming Profiles and then move on to setting up Redirected Folders. In between those two time periods, however, users have surely created their own documents and started putting them in their My Documents folder in their Local or Roaming Profile. This check box magically moves (not copies) their documents from their profile (Roaming or Local) to the appointed place on the server the next time they log on.

Policy Removal You must select one of the two settings under the Policy Removal heading. The point of having OUs is that you can move users easily in and out of them. If the user is moved out of an OU to which this policy applies, the following options help you determine what happens to their redirected folder contents.

• Leave the Folder in the New Location When a Policy Is Removed. If this option is selected, and the user is moved out of the OU to which this policy applies, the data stays in the shared folder and directory you specified. This is the default. The user will continue to access the contents of the redirected folder.

• Redirect the Folder Back to the Local User Profile Location When the Policy Is Removed. If this check box is selected, and the user moves (or the policy no longer applies), a copy of the data is sent to the profile.

• If Roaming Profiles is not set up, a copy of the data is sent to every workstation the user logs on to. If you've set up Roaming Profiles, the data gets pushed back up to the server and shared folder that house the user's Roaming Profile when the user logs off.

• This setting is useful if a user under your jurisdiction moves to another territory. Once this happens, you can eliminate their junk cluttering your servers (as long as you're not the administrator of the target OU). Use this option with care, though; since the users' data isn't anchored to a shared folder, the network traffic will increase when this data roams around the network.

• It is recommended that you check with the target OU administrator to ensure that some Folder Redirection policy will apply to the user. This eliminates all the "up and back" problems associated with maintaining user data inside regular Roaming Profiles.

My Pictures Preferences The Settings tab in the My Documents dialog box has an additional setting regarding the My Pictures folder. Usually, My Pictures is located underneath My Documents in normal Local and Roaming Profiles. With Redirected Folders, though, one server and shared folder can hold My Documents, and another server and shared folder can hold My Pictures. This option is grayed out when using a Basic folder redirection policy for My Documents and is available only when using an Advanced folder redirection policy (as explored later in this chapter).

• Make My Pictures a Subfolder of My Documents This is the default. It keeps the hierarchical structure of My Documents\My Pictures as it is normally found in the profile.

• Do Not Specify Administrative Policy for My Pictures If this is selected, the My Pictures settings (the folder under My Documents in the policy) determines what happens to this folder first.

If the My Pictures policy is left blank, My Pictures is located within the profile (Local or Roaming). Interestingly, the default setting in the My Pictures policy is 100 percent dependent on what is configured in the My Documents Settings tab for My Pictures.

The My Pictures portion of the My Documents Settings tab is only configurable at the initial setup of policy for redirection. After finalizing the setting, you can change the My Pictures setting only from the My Pictures policy. The My Documents setting for My Pictures is then unavailable.

How to Grant Administrators Access to My Documents (or Other Redirected Folders)

As you learned in the last chapter, it's possible to grant administrators access to the folders where users store their Roaming Profiles. In that chapter, you set up a policy setting that affects the client computers, and the first time the user jumps on the computer, the file permissions are set such that both the user and the administrator have joint access. However, that's not the case with redirected folders.

If you want both the user and the administrator to have joint access to a redirected folder such as My Documents, you need to perform two major steps.

1. Clear the "Grant the user exclusive rights to My Documents" setting (as seen in Figure 9.5).

2. Set security on the subfolder you are sharing that will contain the redirected folders.

In the Security Properties dialog box of the folder you shared, select Advanced. Uncheck the "Allow inheritable permissions from parent to propagate to this object" check box. Now, remove the permissions, and then add four groups, assign them permissions, and dictate where those permissions will flow. Here's the breakdown:

• Administrators Full Control, which applies to "This folder, subfolders and files"

• System Full Control, which applies to "This folder, subfolders and files"

• Creator Owner Full Control, which applies to "This folder, subfolders and files"

• Authenticated Users Create Folders / Append Data, Read Permissions, Read Extended Attributes, which apply to "This folder only" (as seen here)

This information is valid for both Windows 2003 and Windows 2000 servers, and you can find more details in the Knowledge Base article Q288991. Adding these groups and assigning these permissions appears to remove the automatic synchronization of redirected folders, as you'll see a bit later. However, you can restore this functionality with the Administratively Assigned Offline Files policy setting again, explored later.

In some circumstances when redirecting to Windows 2000 servers, I needed to grant the Authenticated Users the List Folder / Read Data access for this process to work fully.

But we have a problem. What if you've already set up Redirected Folders and users already have their own protected subfolders? How do you "go back in time" and fix the ones that already were created? In our example, our redirected folders are in D:\data. Follow these steps:

1. Start cmd.exe , and type AT nn:nn /interactive cmd.exe (nn: nn is a couple of minutes in the future).This will get you access as the NT Authority\SYSTEM account which has the required permissions you'll need.

2. Wait until the new command window opens.This can take up to a minute. In this window, you are acting as the SYSTEM account.

3. Run cacls "d:\data" /T /E /G DOMAIN\Administrator:F.

This command edits the ACL (/E) rather than replacing it. It grants the user DOMAIN\Administrator Full Control (/G DOMAIN\Administrator: F) and sets the permissions on all subfolders ( /T ). This should allow you to set all previously created folders to nearly the same standard.

Advanced Redirected Folders

You select Advanced Redirected Folders from the Setting drop-down list box, as shown in Figure 9.4 earlier in this chapter. Advanced Redirected Folders works best in two situations, both larger environments, for example:

• A campus with many buildings . You'll want to specify different Redirected Folders locations that are closest to the biggest groups of users.

• More likely, a specific department that is charged with purchasing its own server and storage. In this scenario, there's usually a battle over who can store what data on whose server. With this mechanism, everyone can have their own sandbox.

In either case, you can still have an OU that affects many similar users, but that breaks up where folders are redirected, depending on the users' respective security groups. For example, we have an OU called Sales that contains two global security sales groups: East_Sales and West_Sales. Each Sales group needs their folders redirected to the server closest to them, either East_Server or West_Server. First, you'll want to create the shares on both the East_ Server and West_Server as directed earlier. For this example, they're each shared out as Data. To perform an Advanced Folder Redirection, follow these steps:

1. If you're not already logged on to WinDC01 as Administrator of the domain, do so now.

2. Start the GPMC.

3. Right-click the OU on which we want to apply folder redirection, in this case Sales OU, and select "Create and link a GPO here "

4. Enter a descriptive name, such as "Advanced Folder Redirection for the Sales OU," for the GPO. Select it, and click Edit to open the Group Policy Object Editor.

5. The GPO for the OU appears. Drill down to Folder Redirection by choosing User Configuration ˜ Windows Settings ˜ Folder Redirection.

6. Right-click the My Documents folder in the Group Policy Object Editor, and choose Properties from the shortcut menu to open the My Documents Properties dialog box. In the Setting drop-down list box, select "AdvancedSpecify Locations for Various User Groups." The dialog box changes so that you can now use the Add button to add security settings, as shown in Figure 9.6. Click OK.

7. Click the "Add " button in the My Documents Properties to open up the "Specify Group and Location" dialog box. Click Browse under Security Group Membership, and locate the East_Sales global security group.

8. In the Target Folder location, enter the UNC path of the redirected folder. In this case, it's \\east_server\data\%username%. Click OK to close the Specify Group and Location dialog box.

9. Repeat steps 8 and 9 for the West_Sales global security group.

Figure 9.6: Use the Advanced redirection function to choose different locations to move users' data.

When finished, you should have both East_Sales and West_Sales listed.

The next time the user logs on, the settings specified in the Settings tab take effect; that is, by default, a new folder is generated specifically for each user, and the current documents in the user's My Documents folder are transported to the newly redirected folder location.

Testing Folder Redirection of My Documents

In the last chapter, you used Brett Wier's account to verify that Roaming Profiles were working properly. You did this by creating a test file, FILE1.TXT , in the My Documents folder and noting that the file properly roamed with the user when they hopped from machine to machine. Additionally, you noted that the file location was on the local hard drivein his locally cached copy of his Roaming User Profile. To see whether My Documents is being redirected, move Brett's user account into an OU that has the My Documents folder redirected as specified in either the Basic or Advanced Folder Redirection settings.

Log on to a Windows 2000 machine as Brett Wier and open My Documents. Right-click FILE1.TXT and note its location, as shown in Figure 9.7.

Figure 9.7: Windows 2000 Folder Redirection in action

The file was automatically transported from the Roaming Profile and anchored to the fixed point on the server, in this case \\WinDC01\data\bwier\My Documents .

If you perform the same experiment on a Windows XP machine, you'll see the same results, but notice the curious arrows on the files and folders (see Figure 9.8).

Figure 9.8: Windows XP Folder Redirection in action

The arrows signify that another IntelliMirror feature is in forceOffline Files, which I'll talk about in the next major section. However, one point should be gleamed from these previous two figures. The behavior of Windows XP is different from that of Windows 2000. That is, when a Windows XP machine uses a redirected folder, the entire contents are automatically cached offline. Thus, when the network is offline, your users still have total access to the files they need.

Stay tuned for Offline Folders where we'll discuss how to actually put this knowledge to good use.

Windows XP Fast Boot and Folder Redirection

If you see the message in Figure 9.10, you might initially think that Folder Redirection isn't working as it should. This event tells us that because Fast Boot is enabled in Windows XP (the default), Folder Redirection will not take affect until the next logon. With Fast Boot enabled, Basic Folder Redirection needs two logons to take effect. With Fast Boot enabled, Advanced Folder Redirection needs three logons to take effect. (See Chapter 3 for more information.)

Figure 9.10: Fast Boot in Windows XP can delay Folder Redirection until multiple reboots.

Permissions Problems

Be sure that the user has access to the folder; specifically, make sure that the share you use for Folder Redirection is set for Authenticated Users:Full Control. Without it, you might encounter EventID: 101s, as shown in Figure 9.11.

Figure 9.11: Be sure the user has permissions to write to the share you set up.

Another common event for security problems is Event 112: "The security descriptor structure is invalid." Again, the idea is that there are some permissions problems -- usually share level permissions where Authenticated Users weren't set up properly for Full Control.

Use GPResult for Verification

First, make sure the user is actually being affected by the GPO you set up that contains your Folder Redirection policy. Use the GPResult tool we explored in Chapter 3. Figure 9.12 shows a snippet from the output of GPResult /v on Windows XP when Folder Redirection is working.

Figure 9.12: GPResult can help you determine if Folder Redirection is working.

If no Folder Redirection policy displayed in the output when you run GPResult /v , chances are the user is not being affected by the policy. Check to see if the user has permissions on the GPO for both "Read" and "Apply Group Policy." If they are getting the GPO as indicated via GPResult /v , also make sure that the target server is still available, that the share is still shared, and that the users have rights to write to that share and folder. Last, make sure the user isn't hitting a disk quota on the volume on which the shared folder resides, as this can generate mixed results.

Enabling Advanced Folder Redirection Logging

Folder Redirection can provide a detailed log should the event log and GPResult not turn up what you're looking for. To create a log file for the Folder Redirection process, you need to modify the Registry as follows :

 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics 

If the Diagnostics key doesn't exist at the end of this Registry path, you'll need to create it. Then, you'll add a new Reg_DWORD of FdeployDebugLevel and set it to of in hex or 15 in decimal.

Once you do this, you can find the log file at:

 %windir%\debug\usermode\fdeploy.log. 

Only the administrator can read the log file, so you have only two options. First, you can log out as the user, and log back in as the local administrator to read the log file in action. Alternatively, you can use the runas command to view the log as an administrator while you're still logged in as the user.