Deploy Folder Redirection with Offline Files
Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
|Due to the security changes made in MS16-072, we updated Step 3: Create a GPO for Folder Redirection of this topic so that Windows can properly apply the Folder Redirection policy (and not revert redirected folders on affected PCs).|
Folder Redirection requires an x64-based or x86-based computer; it is not supported by Windows® RT.
Folder Redirection has the following software requirements:
- To administer Folder Redirection, you must be signed in as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
- Client computers must run Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.
- Client computers must be joined to the Active Directory Domain Services (AD DS) that you are managing.
- A computer must be available with Group Policy Management and Active Directory Administration Center installed.
- A file server must be available to host redirected folders.
- If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
- If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
- When using a clustered file share, disable continuous availability on the file share to avoid performance issues with Folder Redirection and Offline Files. Additionally, Offline Files might not transition to offline mode for 3-6 minutes after a user loses access to a continuously available file share, which could frustrate users who aren’t yet using the Always Offline mode of Offline Files.
|To use new features in Folder Redirection, there are additional client computer and Active Directory schema requirements. For more information, see Folder Redirection, Offline Files, and Roaming User Profiles.|
Step 1: Create a folder redirection security group
If your environment is not already set up with Folder Redirection, the first step is to create a security group that contains all users to whom you want to apply Folder Redirection policy settings.
- Open Server Manager on a computer with Active Directory Administration Center installed.
- On the Tools menu, click Active Directory Administration Center. Active Directory Administration Center appears.
- Right-click the appropriate domain or OU, click New, and then click Group.
- In the Create Group window, in the Group section, specify the following settings:
- In Group name, type the name of the security group, for example: Folder Redirection Users.
- In Group scope, click Security, and then click Global.
- In the Members section, click Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.
- Type the names of the users or groups to which you want to deploy Folder Redirection, click OK, and then click OK again.
Step 2: Create a file share for redirected folders
If you do not already have a file share for redirected folders, use the following procedure to create one on a server running Windows Server 2012.
|Some functionality might differ or be unavailable if you create the file share on a server running another version of Windows Server.|
- In the Server Manager navigation pane, click File and Storage Services, and then click Shares to display the Shares page.
- In the Shares tile, click Tasks, and then click New Share. The New Share Wizard appears.
- On the Select Profile page, click SMB Share – Quick. If you have File Server Resource Manager installed and are using folder management properties, instead click SMB Share – Advanced.
- On the Share Location page, select the server and volume on which you want to create the share.
- On the Share Name page, type a name for the share (for example, Users$) in the Share name box.
Tip: When creating the share, hide it by putting a $ after the share name. This hides the share from casual browsing only; it is not an access control, so the NTFS permissions set below still do the real work.
- On the Other Settings page, clear the Enable continuous availability checkbox, if present, and optionally select the Enable access-based enumeration and Encrypt data access checkboxes.
- On the Permissions page, click Customize permissions…. The Advanced Security Settings dialog box appears.
- Click Disable inheritance, and then click Convert inherited permissions into explicit permission on this object.
- Set the permissions as described in Table 1 and shown in Figure 1, removing permissions for unlisted groups and accounts and adding the special permissions for the Folder Redirection Users group that you created in Step 1.
Figure 1 Setting the permissions for the redirected folders share
- If you chose the SMB Share – Advanced profile, on the Management Properties page, select the User Files Folder Usage value.
- If you chose the SMB Share – Advanced profile, on the Quota page, optionally select a quota to apply to users of the share.
- On the Confirmation page, click Create.
Table 1 Required permissions for the file share hosting redirected folders
|User Account||Access||Applies to|
|System||Full control||This folder, subfolders and files|
|Administrators||Full control||This folder only|
|Creator/Owner||Full control||Subfolders and files only|
|Security group of users needing to put data on share (Folder Redirection Users)||List folder / read data; Create folders / append data; Read extended attributes||This folder only|
|Other groups and accounts||None (remove)||Not applicable|
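The following PowerShell script is an added example (not part of the original page) that performs Step 1 and Step 2 unattended: it creates the global security group, creates the hidden share with access-based enumeration on and continuous availability off, applies exactly the Table 1 NTFS entries, and then prints the resulting ACL with any trustee that is not in Table 1 flagged. The NetBIOS domain name CORP, the OU, the local path D:\Shares\Users, the member account names and the share-level permissions are assumptions; adjust them to your environment.

```powershell
# Added example: Step 1 (security group) and Step 2 (hidden share with the
# Table 1 NTFS permissions). Domain, OU, share path and members are assumptions.
Import-Module ActiveDirectory
Import-Module SmbShare

$Domain    = 'CORP'                                   # assumed NetBIOS domain name
$GroupName = 'Folder Redirection Users'
$GroupOU   = 'OU=Groups,DC=corp,DC=contoso,DC=com'    # assumed OU
$SharePath = 'D:\Shares\Users'                        # assumed local path on the file server
$ShareName = 'Users$'                                 # trailing $ hides the share from browsing

# Step 1: global security group holding the users who get Folder Redirection
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity $GroupName -Members 'alice', 'bob'   # assumed sAMAccountNames

# Step 2: the share. ABE hides other users' folders from directory listings;
# continuous availability is off because Offline Files does not work well with it.
New-Item -Path $SharePath -ItemType Directory -Force | Out-Null
New-SmbShare -Name $ShareName -Path $SharePath `
    -FolderEnumerationMode AccessBased `
    -ContinuouslyAvailable $false `
    -FullAccess "$Domain\$GroupName", 'BUILTIN\Administrators' | Out-Null   # share-level; NTFS below limits further

# Table 1 as access rules. Inheritance/propagation flags encode "Applies to":
#   Inherit=None                                        -> this folder only
#   Inherit=ContainerInherit, ObjectInherit; Prop=None  -> this folder, subfolders and files
#   Inherit=ContainerInherit, ObjectInherit; Prop=InheritOnly -> subfolders and files only
$Rules = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'; Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'None' }
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl'; Inherit = 'None';                            Prop = 'None' }
    @{ Id = 'CREATOR OWNER';          Rights = 'FullControl'; Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'InheritOnly' }
    @{ Id = "$Domain\$GroupName";     Rights = 'ListDirectory, CreateDirectories, ReadExtendedAttributes'; Inherit = 'None'; Prop = 'None' }
)

$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)            # disable inheritance, discard inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)                  # "remove permissions for unlisted groups and accounts"
}
foreach ($r in $Rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $r.Id, $r.Rights, $r.Inherit, $r.Prop, 'Allow'
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $SharePath -AclObject $acl

# Check: every explicit ACE on the share root must belong to a Table 1 trustee
function Test-RedirectedFoldersAcl {
    param([string]$Path, [string[]]$ExpectedTrustees)
    $actual = (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }
    foreach ($a in $actual) {
        $ok = $ExpectedTrustees -contains $a.IdentityReference.Value
        '{0,-4} {1,-34} {2,-58} {3}' -f ($(if ($ok) { 'ok' } else { 'BAD' })), $a.IdentityReference, $a.FileSystemRights, $a.InheritanceFlags
    }
}
Test-RedirectedFoldersAcl -Path $SharePath -ExpectedTrustees ($Rules | ForEach-Object { $_.Id })
```

The group gets only list, create-folder and read-EA rights on the root and nothing on subfolders; each user's own folder is created by the client at first logon and becomes theirs through the CREATOR OWNER entry, which is what stops users from reading each other's redirected data. Any "BAD" line in the check output means an entry (typically Users or Authenticated Users inherited from the volume root) survived and should be removed.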
Step 3: Create a GPO for Folder Redirection
If you do not already have a GPO created for Folder Redirection settings, use the following procedure to create one.
- Open Server Manager on a computer with Group Policy Management installed.
- From the Tools menu click Group Policy Management. Group Policy Management appears.
- Right-click the domain or OU in which you want to setup Folder Redirection and then click Create a GPO in this domain, and Link it here.
- In the New GPO dialog box, type a name for the GPO (for example, Folder Redirection Settings), and then click OK.
- Right-click the newly created GPO and then clear the Link Enabled checkbox. This prevents the GPO from being applied until you finish configuring it.
- Select the GPO. In the Security Filtering section of the Scope tab, select Authenticated Users, and then click Remove to prevent the GPO from being applied to everyone.
- In the Security Filtering section, click Add.
- In the Select User, Computer, or Group dialog box, type the name of the security group you created in Step 1 (for example, Folder Redirection Users), and then click OK.
- Click the Delegation tab, click Add, type Authenticated Users, click OK, and then click OK again to accept the default Read permissions. This step is necessary because of the security changes made in MS16-072.
|Due to the security changes made in MS16-072, you now must give the Authenticated Users group delegated Read permissions to the Folder Redirection GPO – otherwise the GPO won’t get applied to users, or if it’s already applied, the GPO is removed, redirecting folders back to the local PC. For more info, see Deploying Group Policy Security Update MS16-072 .|
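The same GPO creation, security filtering and MS16-072 Read delegation can be scripted with the GroupPolicy module. The script below is an added example (not from the original page or Microsoft's documentation); the GPO name, target OU and group name are assumptions. It leaves the link disabled, as the procedure does, and ends with a check that Authenticated Users holds exactly Read while the group holds Apply.

```powershell
# Added example: Step 3 with the GroupPolicy module. GPO name, OU and group
# name are assumptions. Folder Redirection settings themselves (Step 4) still
# have to be set in the Group Policy Management Editor.
Import-Module GroupPolicy

$GpoName   = 'Folder Redirection Settings'
$TargetOU  = 'OU=Users,DC=corp,DC=contoso,DC=com'      # assumed OU that the users live in
$GroupName = 'Folder Redirection Users'                # group created in Step 1

# Create the GPO and link it disabled so nothing applies until Step 5
New-GPO -Name $GpoName -Comment 'Folder Redirection with Offline Files' | Out-Null
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled No | Out-Null

# Security filtering: take Apply away from Authenticated Users, give it to the group
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null

# MS16-072: user policy is now retrieved under the computer's identity, and
# computer accounts are members of Authenticated Users, so that group must keep
# Read (not Apply) or the GPO is silently dropped and folders revert to local.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null

# Check: Authenticated Users must be exactly GpoRead, the target group GpoApply
function Test-FolderRedirectionGpoFiltering {
    param([string]$Name, [string]$Group)
    $perms = Get-GPPermission -Name $Name -All
    $auth  = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
    $grp   = $perms | Where-Object { $_.Trustee.Name -eq $Group }
    [pscustomobject]@{
        AuthenticatedUsers = $auth.Permission
        TargetGroup        = $grp.Permission
        Ok                 = ($auth.Permission -eq 'GpoRead') -and ($grp.Permission -eq 'GpoApply')
    }
}
Test-FolderRedirectionGpoFiltering -Name $GpoName -Group $GroupName
```

When you reach Step 5, `Set-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes` is the scripted equivalent of ticking Link Enabled. Running the check function against an existing Folder Redirection GPO is also a quick way to audit environments that were built before MS16-072: an Ok of False with AuthenticatedUsers empty is the symptom described in the note above.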
Step 4: Configure Folder Redirection in Group Policy
- In Group Policy Management, right-click the GPO you created (for example, Folder Redirection Settings), and then click Edit.
- In the Group Policy Management Editor window, navigate to User Configuration, then Policies, then Windows Settings, and then Folder Redirection.
- Right-click a folder that you want to redirect (for example, Documents), and then click Properties.
- In the Properties dialog box, from the Setting box click Basic – Redirect everyone’s folder to the same location.
Note: To apply Folder Redirection to client computers running Windows XP or Windows Server 2003, click the Settings tab and select the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems checkbox.
- In the Target folder location section, click Create a folder for each user under the root path and then in the Root Path box, type the path to the file share storing redirected folders, for example: \\fs1.corp.contoso.com\users$
- Click the Settings tab, and in the Policy Removal section, optionally click Redirect the folder back to the local userprofile location when the policy is removed (this setting can help make Folder Redirection behave more predictably for administrators and users).
- Click OK, and then click Yes in the Warning dialog box.
Step 5: Enable the Folder Redirection GPO
Once you have finished configuring the Folder Redirection Group Policy settings, the next step is to enable the GPO, permitting it to be applied to the affected users.
|If you plan to implement primary computer support or other policy settings, do so now, before you enable the GPO. This prevents user data from being copied to non-primary computers before primary computer support is enabled.|
- Open Group Policy Management.
- Right-click the GPO that you created, and then click Link Enabled. A checkbox appears next to the menu item.
Step 6: Test Folder Redirection
To test Folder Redirection, sign in to a computer with a user account configured for Folder Redirection, and then confirm that the folders are redirected.
- Sign in to a primary computer (if you enabled primary computer support) with a user account for which you have enabled Folder Redirection.
- If the user has previously signed in to the computer, open an elevated command prompt, and then type the following command to ensure that the latest Group Policy settings are applied to the client computer:
gpupdate /force
- Open File Explorer.
- Right-click a redirected folder (for example, the My Documents folder in the Documents library), and then click Properties.
- Click the Location tab, and confirm that the path displays the file share you specified instead of a local path.
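Checking the Location tab folder by folder does not scale, and it does not tell you why a folder stayed local. The script below is an added example (not part of the original page) to run on the client as the test user after the policy refresh and a fresh sign-in: it reads every entry of User Shell Folders, the registry key that Folder Redirection rewrites, reports which ones resolve to a UNC path and whether that path is on the expected server, prints APPDATA and LOCALAPPDATA, and then shows the most recent entries of the Folder Redirection operational log. The file server name is an assumption.

```powershell
# Added example: client-side verification of Folder Redirection for the
# signed-in user. The expected file server name is an assumption.
$ExpectedHost = 'fs1.corp.contoso.com'   # file server hosting Users$ (assumed)

function Get-RedirectedShellFolder {
    # User Shell Folders holds the per-user known-folder paths that Explorer
    # resolves; Folder Redirection rewrites these values to the UNC target.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' })) {
        $path = [Environment]::ExpandEnvironmentVariables([string]$props.$name)
        [pscustomobject]@{
            Folder     = $name                          # e.g. Personal, Desktop, AppData, or a GUID
            Path       = $path
            Redirected = $path -like '\\*'              # UNC path means redirected
            OnExpected = $path -like "\\$ExpectedHost\*"
        }
    }
}

# 1. Which known folders are redirected, and to which host
Get-RedirectedShellFolder | Sort-Object Redirected -Descending | Format-Table -AutoSize

# 2. Environment variables: APPDATA follows AppData(Roaming) redirection,
#    LOCALAPPDATA always stays on the local disk.
'APPDATA      = {0}' -f $env:APPDATA
'LOCALAPPDATA = {0}' -f $env:LOCALAPPDATA

# 3. The Folder Redirection operational log records every redirect attempt;
#    an Error entry here is the first place to look when a folder stays local.
Get-WinEvent -LogName 'Microsoft-Windows-Folder Redirection/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

A folder that shows Redirected = True but OnExpected = False is worth a second look: it means the user is being sent to a server other than the one in the policy, for example because a stale GPO from another OU is still winning.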
Checklist for deploying Folder Redirection
1. Prepare the domain
   - Join computers to the domain
   - Create user accounts
2. Create a security group for Folder Redirection
   - Group name:
3. Create a file share for redirected folders
   - File share name:
4. Create a GPO for Folder Redirection
   - GPO name:
5. Configure Folder Redirection and Offline Files policy settings
   - Redirected folders:
   - Windows 2000, Windows XP, and Windows Server 2003 support enabled?
   - Offline Files enabled? (enabled by default on Windows client computers)
   - Always Offline mode enabled?
   - Background file synchronization enabled?
   - Optimized Move of redirected folders enabled?
6. (Optional) Enable primary computer support
   - Computer-based or user-based?
   - Designate primary computers for users
   - Location of user and primary computer mappings:
   - (Optional) Enable primary computer support for Folder Redirection
   - (Optional) Enable primary computer support for Roaming User Profiles
7. Enable the Folder Redirection GPO
8. Test Folder Redirection
- Because the Desktop and Start Menu are redirected to a network location, you need to add the file server to the Local intranet zone (or the Trusted sites list); otherwise Windows warns that you are trying to run a program from an untrusted location (see below).
Tip: To avoid entering the name of every file server in your organisation, add only the domain-name portion of the server name, so that all servers in the domain land in the Intranet zone (for example, file://*.contoso.local). See this blog post for details.
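As an added example (not from the original page), the script below writes the wildcard zone mapping for the current user in the registry form that the Internet Options dialog uses, and reads it back. The domain suffix contoso.local is taken from the tip; the registry layout (a key per domain under ZoneMap\Domains with a DWORD named after the URL scheme) is my understanding of what Internet Options writes and is flagged as an assumption in the code. Local intranet (zone 1) is deliberately used rather than Trusted sites (zone 2): it is the zone meant for servers you administer and grants fewer privileges.

```powershell
# Added example: put every host under the domain into the Local intranet zone
# for file:// access, per user. Domain suffix and registry layout are assumptions.
$DomainSuffix = 'contoso.local'     # assumed; corresponds to file://*.contoso.local
$IntranetZone = 1                   # 0 computer, 1 local intranet, 2 trusted, 3 internet, 4 restricted

# Per-user zone map that Internet Options writes (assumed layout:
# Domains\<domain>[\<host>] with a DWORD named after the scheme holding the zone id)
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Set-IntranetZoneForDomain {
    param([string]$Suffix, [string]$Scheme = 'file')
    $key = Join-Path $ZoneMapDomains $Suffix
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value $IntranetZone -PropertyType DWord -Force | Out-Null
}

function Get-ZoneAssignment {
    param([string]$Suffix, [string]$Scheme = 'file')
    $key = Join-Path $ZoneMapDomains $Suffix
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Scheme
}

Set-IntranetZoneForDomain -Suffix $DomainSuffix
'file://*.{0} -> zone {1}' -f $DomainSuffix, (Get-ZoneAssignment -Suffix $DomainSuffix)
```

Two practical notes. First, this only matters when clients reach the server by its fully qualified name; a plain NetBIOS name (\\fs1\users$) has no dots and is treated as intranet by default. Second, for a fleet you would not run this per user but deploy the same mapping through the Site to Zone Assignment List policy (Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page), which also stops users from editing the zone list themselves.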
Because all redirected folders are also made available offline, users can work on their files while offline and still have them synchronised periodically in the background when connected over a slow link. This is very useful for roaming users connected via VPN, or when the file server is under heavy load.
When the network connection is slow or unavailable, Offline Files routes requests for the user folders stored on the server to the local computer's cache. Users read from and write to the local cache. Offline Files synchronises new and changed files and folders from the local cache to the server when the network becomes available, or in the background when the connection is slow.
The difference between Local, LocalLow and Roaming Applications Data
One of the most confusing aspects of folder redirection is the number of Application Data folders and what each is for. Below is my attempt to explain the difference between them and how they affect your computers.
Reference: Managing Roaming User Data Deployment Guide
Local and LocalLow are the folders for application data that does not roam with the user.
Local AppData & AppData
For a user without folder redirection, the “LocalAppData” variable points to “C:\Users\USERNAME\AppData\Local” and the “AppData” variable points to “C:\Users\USERNAME\AppData\Roaming”; both are on the local disk. The files most commonly kept under Local are large caches that would be impractical to send and receive constantly across the network. Because they are only caches, nothing is lost if they disappear; the information simply needs to be re-cached. A good example is the TEMP and TMP path variables, which point under this folder and are where most applications save their temporary files.
That said, when folder redirection for AppData(Roaming) is enabled, the “AppData” environment variable points to the network path configured in Group Policy (see image below). This splits your AppData folders across two locations: any application that uses the “AppData” variable is pointed at the path on the network, and any application that uses the “LocalAppData” variable is still pointed at the local hard drive.
Enabling folder redirection for AppData is far more practical with Windows Vista/7 than with Windows XP, because the Offline Files cache can seamlessly transition from online to offline (slow-link) mode when network latency rises above a threshold.
Warning: If you are running Windows XP and the user is connected via a slow link, the effect of redirecting this folder can be devastating to the user's performance. In my experience even the simple act of scrolling a Word document requires constant writes to this “Local” application data folder.
To identify whether a user has application data folder redirection enabled, run “set” from a command prompt and look at the value of the “APPDATA” variable (see image below). The image also illustrates that the “LOCALAPPDATA” variable always points to the local hard drive, even when folder redirection is enabled.
The “LocalLow” folder for all users is “C:\Users\USERNAME\AppData\LocalLow”. The big difference between “Local” and “LocalLow” is that LocalLow is specifically intended as a place for low-integrity applications to write files, such as Internet Explorer add-ons like Google Gears, Google Earth, Adobe Acrobat, Apple QuickTime and Microsoft Silverlight. A low-integrity process (Internet Explorer in Protected Mode, for example) is denied write access to the medium-integrity Local and Roaming folders, which is why it needs a separate location. This folder is neither redirected nor part of the roaming profile, so everything stored in it is local to the computer and does not roam with the user.
Updated: Should you enable Local AppData folder redirection?
Should AppData\Local be redirected? No, because you can't; hence the name “LOCAL”. The only AppData folder that Group Policy offers for redirection is AppData(Roaming). In Windows XP days a user's AppData folder was either online or offline, and no matter how slow the connection to the server was, as long as you still got a response you stayed online, bringing the entire computer to a grinding halt. But if the administrator did not enable folder redirection for the users, they usually ended up with a massive roaming profile that took forever to sync during logon and logoff. The workaround was to exclude the entire AppData folder from the roaming profile, but that meant risking the loss of some of the user's personal data.
As Aaron mentioned in the comments, the decision to enable Application Data folder redirection should not be taken lightly and can have real negative consequences for your users' performance. As mentioned above, AppData redirection to a location that is performing slowly has a very noticeable performance impact, especially on Windows XP. However, not having AppData redirection could mean losing some of the user's settings and data if the computer's hard drive fails. A good article on the matter is Should AppData be Redirected or Left in the User Profile?, which discusses the pros and cons of enabling AppData redirection.
However, with Windows 7 (and to a lesser extent Vista) the decision to enable folder redirection for AppData is tricky at best. Microsoft has not made it any easier: on one hand it provides a specific AppData\Roaming folder for persistent information, and on the other it has improved the OS so that redirection is a far more practical option.
With the Windows 7 Offline Files features Transparent Caching and Background Sync, the issues with redirecting the AppData folder are now largely mitigated, because users automatically work on the local copy of a file whenever network performance is poor. That makes AppData(Roaming) redirection far more practical, while still not something you really should do...
Updated: Roaming AppData
The “Roaming” AppData folder is located on the user's local hard drive at “C:\Users\USERNAME\AppData\Roaming”; this is the folder where applications should store all of a user's persistent information.
AppData\Roaming is part of the user's roaming profile, so when a user logs off, the files in this location are copied up to “\\PROFILESERVER\Users$\USERNAME\Profile.v2\AppData\Roaming”. Any well-written application for Windows Vista or later should be aware of the Roaming Application Data folder and use it for persistent information. Good examples of what belongs here are a user's custom dictionary or a browser's cookies.
The Roaming folder holds application-specific data, such as custom dictionaries, that is machine independent and should roam with the user profile.
Below is a screenshot of a user's AppData\Roaming folder as stored on the local computer, and the same location as stored on the server.
Note: Unlike the user's registry information in the ntuser.dat file, on Windows 7 the AppData\Roaming folder cannot be synchronised by the Background upload of a roaming user profile's registry file while user is logged on setting; that setting uploads only the registry hive.
|AppData\Roaming on the local computer||AppData\Roaming store on the Server|
So should you enable the “AppData(Roaming)” folder redirection option? Probably not. Why? You should ensure that your computers always use the local hard drive, which gives maximum performance (unless your drive is really slow). With the improvements in roaming profile syncing, such as background synchronisation (see What's New in Folder Redirection and User Profiles), the user's AppData(Roaming) is still saved to the network, reducing the chance of data loss for the user.
Updated: Excluding AppData folders
Some applications are not well written (shocker) and save numerous or large files to the AppData\Roaming folder. This adds significantly to logon and logoff times because of the extra time it takes to transfer all the excess files. You should therefore understand where applications save their application-specific configuration and look at excluding those folders from the user's roaming profile, so they are not copied up to the network; this saves a lot of time during logoff and logon.
For a good starting point on common applications that save large amounts of data in AppData\Roaming, see Stealthpuppy: Reduce logon times by excluding the bloat.
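Before excluding anything it helps to measure. The script below is an added example (not from the original page) that sizes each subfolder of the current user's AppData\Roaming, lists the heavy ones, and emits them in the semicolon-separated, profile-relative form used by the Exclude directories in roaming profile policy (User Configuration, Administrative Templates, System, User Profiles, which writes the ExcludeProfileDirs value under HKCU\Software\Policies\Microsoft\Windows\System). The 50 MB cut-off is an assumption; the folder names that come out depend on what is installed on the machine you run it on.

```powershell
# Added example: find the bloat in AppData\Roaming and build the exclusion
# list for the roaming profile. The threshold is an assumption.
$ThresholdMB = 50     # assumed cut-off for "too big to copy at every logon and logoff"

function Get-RoamingAppDataSize {
    param([string]$Root = $env:APPDATA)   # %APPDATA% is AppData\Roaming (or its redirected target)
    Get-ChildItem -Path $Root -Directory -Force | ForEach-Object {
        $bytes = (Get-ChildItem -Path $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue |
                  Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Folder   = $_.Name
            SizeMB   = [math]::Round(($bytes / 1MB), 1)
            # Path relative to the profile root, which is the form ExcludeProfileDirs expects
            Relative = 'AppData\Roaming\' + $_.Name
        }
    } | Sort-Object SizeMB -Descending
}

$sizes = Get-RoamingAppDataSize
$sizes | Format-Table -AutoSize

# Candidates above the threshold as one semicolon-separated value; paste it into
# the "Exclude directories in roaming profile" policy after reviewing each folder,
# since excluding a folder means its contents no longer follow the user.
$heavy = @($sizes | Where-Object { $_.SizeMB -ge $ThresholdMB })
$excludeList = ($heavy | ForEach-Object { $_.Relative }) -join ';'
"ExcludeProfileDirs = $excludeList"
```

Review the list by hand before applying it: a large folder is not automatically junk (a mail client's local store is big and also exactly what the user wants to keep), and an exclusion silently turns that data into machine-local data that is lost with the disk.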
User State Virtualization Folder Structure Explained
Now that the roaming profile and folder redirection are configured, the next time a user logs on the required folders are created automatically on the network, enabling User State Virtualization.
As you can see in the image below, without folder redirection a user's personal folders are part of their roaming profile. The files in these folders (e.g. documents and music) are saved locally and copied to and from the server at logon and logoff. This also means that a user's first logon to a computer takes some time, because a copy of the entire profile has to be downloaded.
User State Virtualization Folder Structure before Folder Redirection is Applied
After folder redirection is applied, all the user folders (excluding AppData) have been moved up one level, out of the profile and into the root folder for the user's data.
User State Virtualization Folder Structure after Folder Redirection is Applied
Folder redirection does not work, even though every configuration is correct...
Possible reason: ReFS file system? Created another folder on an NTFS volume. Still does not work.
To be solved….
Checked the log in Event Viewer, path: Windows Logs > Application > Event ID 1530, Source: User Profile Service.
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-3830460163-1125087907-2215381018-1210: Process 1604 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-3830460163-1125087907-2215381018-1210
Solution: Create another new user for testing purposes and add it to the folder redirection security group. If this user's profile folder can be redirected, then the cause is the original user's profile corruption.
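Event 1530 tells you which process kept the user's hive open, but the useful part is buried in the message text. The script below is an added example (not from the original page) that parses that DETAIL section: it takes a message string, pulls out the user SID, resolves it to an account where possible, and lists the process IDs and image names holding the key; a second function runs it over the live Application log. The sample message fed to it is the event text quoted above; the provider name used for the live query is the one the User Profile Service registers under, and is flagged as an assumption in the code.

```powershell
# Added example: parse User Profile Service event 1530 ("registry handles
# leaked") to see which process held the user's hive open.

function ConvertFrom-ProfileLeakMessage {
    param([string]$Message)
    $sid = if ($Message -match 'S-1-5-21-[\d-]+') { $Matches[0] } else { $null }
    # Each leak is reported as "Process <pid> (<native image path>) has opened key ..."
    $procs = @([regex]::Matches($Message, 'Process (\d+) \(([^)]+)\)') | ForEach-Object {
        '{0}:{1}' -f $_.Groups[1].Value, (Split-Path -Leaf $_.Groups[2].Value)
    })
    [pscustomobject]@{
        UserSid      = $sid
        Account      = $(try {
                           (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                               [System.Security.Principal.NTAccount]).Value
                       } catch { '(unresolved on this machine)' })
        Processes    = $procs -join ', '
        # winlogon.exe alone is the common, usually benign case; anything else is a lead
        OnlyWinlogon = ($procs.Count -gt 0) -and -not ($procs | Where-Object { $_ -notmatch 'winlogon\.exe$' })
    }
}

function Get-LeakedProfileHandle {
    param([int]$MaxEvents = 20)
    # Provider name for "User Profile Service" events in the Application log (assumed)
    $filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-User Profiles Service'; Id = 1530 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $parsed = ConvertFrom-ProfileLeakMessage -Message $_.Message
        $parsed | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
    }
}

# The event text from the page, used here as sample input
$SampleMessage = 'Windows detected your registry file is still in use by other applications or services. ' +
    'The file will be unloaded now. DETAIL - 1 user registry handles leaked from ' +
    '\Registry\User\S-1-5-21-3830460163-1125087907-2215381018-1210: ' +
    'Process 1604 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key ' +
    '\REGISTRY\USER\S-1-5-21-3830460163-1125087907-2215381018-1210'
ConvertFrom-ProfileLeakMessage -Message $SampleMessage | Format-List

# Live events on this machine
Get-LeakedProfileHandle | Format-Table Time, Account, Processes, OnlyWinlogon -AutoSize
```

For the sample above the only holder is winlogon.exe (OnlyWinlogon = True), which is the case seen on most machines and is not by itself the reason a folder fails to redirect; the fresh test user described in the solution is the right next step. When a third-party process shows up instead (an antivirus, backup or search agent), that process is what kept the hive loaded, and fixing it beats recreating the profile.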