Folder Redirection
Folder Redirection is a GPO option in Active Directory that lets an admin select one or several folders from a list of Windows user folders to be redirected from a workstation or server to a corresponding folder on a network share.
Overview
Folder Redirection is a User Configuration policy option set within a GPO (see the Setup section below: it applies to user profiles, not to computers).
This policy folder has an individual policy setting for each of the following folders, each of which receives its own policy:
- AppData/Roaming
- Contacts
- Desktop
- Documents
- Downloads
- Favorites
- Links
- Music
- Pictures
- Saved Games
- Searches
- Start Menu
- Videos
It is important to ensure that the correct sharing permissions are met on the share that will host redirection. If not, several errors will occur and redirection will either not start, start and stop, or be inconsistent. The share should have the following permissions:
In addition, the security tab on the folder should have the following settings:
There, Users, Administrators, the built-in Administrator account, and SYSTEM should all have Full control over all files. In addition, confirm that inheritance is disabled, and if any inherited permissions are present, reset them.
Offline Files
Offline Files is a feature that ensures that, if a host loses its connection to the file server (say, during an update), local copies of the files are still available on the machine. Windows automatically and temporarily switches over to those copies until the file server comes back online, then syncs the new changes back to the file server. One can easily determine whether Offline Files is enabled and working by checking for this indicator at the bottom of a File Explorer window:
By default, Offline Files is enabled whenever Folder Redirection is enabled, but this does not apply to clients running Windows Server. Workstations running Windows 7, 10, or 11 should receive it automatically.
It can be enabled forcefully using GPO: https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/enable-always-offline
Setup
- The first step to setting up Folder Redirection on a domain is to create a network share on a server with sufficient storage. If you have a Domain Controller and a separate file server, the file server is the best place, but if you only have one server, acting as a DC, it will work fine. Create a folder, go to Properties → Sharing, and make sure that you add a dollar sign ($) to the end of the share name. This hides the share from browsing, which discourages unwanted access and prevents clutter in the Network discovery tab; actual access control still comes from the share and NTFS permissions. Under permissions, ensure that Everyone has Full Control, Read, and Change.
- In Active Directory Users and Computers, create an OU for Folder Redirection, where all users inside will have their selected folders synced. Folder Redirection is a user policy, not a computer policy. You're selecting the individual profiles.
- In Group Policy Management, right click the OU and select Create a GPO in this domain, and Link it here...
- Right click the new GPO and select Edit...
- In the Editor, navigate to GPO → User Configuration → Policies → Windows Settings → Folder Redirection. For demonstration we'll use the Documents folder.
- Under Folder Redirection select Documents and select Properties from the right-click menu.
- Under Setting in the Documents Properties dialog, choose Basic - Redirect everyone's folder to the same location.
- This gives you the following two selections: Target folder location (set to "Create a folder for each user under the root path") and Root Path (initially an empty string).
- Set the Root Path to the network path of the share you created previously. For instance, \\AD01\FolderRedirection$\
- Underneath this, it shows the hierarchy of the rest of the path, for example: "For user Clair, this folder will be redirected to: \\AD01\FolderRedirection$\Clair\Documents".
- In the Settings tab, ensure that Policy Removal is set to "Redirect the folder back to the local userprofile location when policy is removed." This ensures that if Folder Redirection has to be taken out of production, the files are available locally.
- If necessary, follow the steps to put an Always Offline GPO in place as seen above.
- Close the GPO editor.
Now that the GPO is created, wait for it to replicate to all domain controllers if there are several. Ensure that there are users in the redirection OU.
Then, either wait for each machine to run its own GPO refresh, or, to get immediate results, open an Administrator PowerShell on each workstation and run gpupdate (with or without the /force flag).
If all works, it will prompt a reboot. Allow this.
On reboot, after logging in, the machine should display a message that Folder Redirection is being applied. When this is done, there should be a green sync circle next to the default shortcut for this folder. If there is not, Offline Files is not enabled, although redirection itself may still be working.
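To check the result without relying on the green sync icon, the following script (an added example, not part of the original page) reads the current user's redirection targets from the registry, confirms the Offline Files cache is active, and lists recent errors from the Folder Redirection event log. It assumes the share root \\AD01\FolderRedirection$ used in the walkthrough; adjust it for your share.

```powershell
# Added example: verify Folder Redirection and Offline Files on a workstation.
# Run in the context of a user in the redirection OU, after gpupdate and a fresh logon.
$ExpectedRoot = '\\AD01\FolderRedirection$'   # assumption: share root from the walkthrough

# "User Shell Folders" holds the per-folder targets that Folder Redirection rewrites.
# Value names differ from the display names, hence the map.
$shellKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$folders  = @{
    Documents = 'Personal'
    Desktop   = 'Desktop'
    Pictures  = 'My Pictures'
    Favorites = 'Favorites'
}
$props = Get-ItemProperty -Path $shellKey

foreach ($name in $folders.Keys) {
    $raw = $props.($folders[$name])
    $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
    if ($path -like "$ExpectedRoot\*") {
        Write-Host "[OK]   $name is redirected to $path"
    } else {
        Write-Host "[WARN] $name is not redirected (currently $path)"
    }
}

# Offline Files: the CSC service must run and the cache must be active, otherwise
# a file-server outage leaves redirected folders unreachable.
$csc = Get-Service -Name CscService -ErrorAction SilentlyContinue
if ($csc -and $csc.Status -eq 'Running') {
    Write-Host "[OK]   Offline Files service (CscService) is running"
} else {
    Write-Host "[WARN] Offline Files service is not running"
}
$cache = Get-CimInstance -ClassName Win32_OfflineFilesCache -ErrorAction SilentlyContinue
if ($cache -and $cache.Active) {
    Write-Host "[OK]   Offline Files cache is active at $($cache.Location)"
} else {
    Write-Host "[WARN] Offline Files cache is not active"
}

# Folder Redirection logs its failures (for example, share permission problems)
# to its own operational channel; show the most recent errors, if any.
$errors = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Folder Redirection/Operational'; Level = 2
} -MaxEvents 5 -ErrorAction SilentlyContinue
if ($errors) { $errors | Format-List TimeCreated, Id, Message }
else { Write-Host "[OK]   No recent Folder Redirection errors in the event log" }
```

A WARN on a folder with no errors in the log usually means the GPO has not been applied yet to this user; a permission error in the log points back to the share and NTFS settings in the Overview section.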