User Profiles and User Folders Redirection Using GPO

Chuong K. Nguyen BSc., MCSEx2, MCSAx2, MCP, MCTS, CCNA, MCITP

Assume that you have a Microsoft Windows Server 2012 R2 installed and ADDS is configured, up and running. The following guide will show you how to configure a few policies using Group Policy Objects (GPO) to:

  • Redirect User Profile (1)
  • Redirect all personal folders such as Desktop, Documents, Favourites, Contacts, Downloads, Links, Music, Pictures, Saved Games, Searches, Start Menu, and Videos. (2)
  • Configure Drive Mapping to map N: drive to a public share such as \\DCD2\Shared.
  • Set domain users’ home folder.
  • Set some other essential properties for users.

In the list above, note that User Profile Redirection (1), also called Roaming Profile, is different from Folder Redirection (2). It is recommended (best practice) to redirect user profiles to a different location than where we store users’ folders such as Desktop, Documents, Music, etc. If we placed the user profile and folder redirection destinations in the same location, we would defeat the purpose of folder redirection. Folder redirection is meant to detach users’ folders from their profiles so that OS startup and logoff are faster.

Set up two shared locations on the AD server called: UsersProfiles and UsersFolders

The first step is to set up two shared locations for user profiles and user folders respectively. On the D:\ drive, or a separate partition different from the OS partition on the server, make new directories called UsersProfiles and UsersFolders respectively.

Do the following for both of the above folders, one at a time.

Right-click on the folder, click Properties. Choose the Sharing tab. Click Advanced Sharing and share it as UsersProfiles$ (UsersFolders$ for the second folder; the trailing $ makes the share hidden). Click Permissions and make sure the share permissions are set as follows.

Everyone = FULL

Also add System and Administrators and assign share permission as follows:

System = FULL

Administrators = FULL

Choose the Security tab, click Advanced.

At the Permission tab, click Disable Inheritance.

Click Remove all inherited permissions from this object.

Click the Add button.

Click Select a principal.

Type Everyone, click OK.

Choose This folder Only and click Show advanced permissions.

Choose the following:

Traverse folder / execute file

List Folder / read Data

Read Attributes

Read Extended Attributes

Create Folders / Append Data

Read Permissions

Hit OK.

Click Add. Click Select a principal. Enter Creator Owner. Click OK and give it Full Control.

Click Add, click Select a principal. Enter System, click OK and give it Full Control.

Click Add, click Select a principal. Enter Domain Admins, click OK and give it Full Control.

Remember to do the same thing for UsersFolders. We will end up with the following.
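The share and NTFS permissions described above can also be applied from an elevated PowerShell prompt on the server. This is an added example, not part of the original guide; it assumes the folders live on D:\, that 'Domain Admins' resolves unqualified on the server, and that CREATOR OWNER applies to subfolders and files only (the guide does not state a scope).

```powershell
# Added example: scripted equivalent of the GUI steps above. Run elevated on the file server.
# Rights the guide grants Everyone on the root folder ("This folder only")
$everyoneRights = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateDirectories, ReadPermissions'

function New-Rule($Identity, $Rights, $Inherit, $Propagate) {
    # Builds one Allow entry; the strings are converted to the matching .NET enums
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

foreach ($name in 'UsersProfiles', 'UsersFolders') {
    $path  = Join-Path 'D:\' $name          # assumption: data volume is D:\
    $share = $name + '$'                    # trailing $ hides the share
    New-Item -Path $path -ItemType Directory -Force | Out-Null

    # Share permissions from the guide: Everyone, System, Administrators = Full
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $share -Path $path `
            -FullAccess 'Everyone', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators' | Out-Null
    }

    $acl = Get-Acl -Path $path
    # Disable inheritance and remove all inherited permissions
    $acl.SetAccessRuleProtection($true, $false)

    $inheritAll = 'ContainerInherit, ObjectInherit'
    $rules = @(
        (New-Rule 'Everyone'            $everyoneRights 'None'      'None'),
        # Assumption: CREATOR OWNER is scoped to subfolders and files only
        (New-Rule 'CREATOR OWNER'       'FullControl'   $inheritAll 'InheritOnly'),
        (New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl'   $inheritAll 'None'),
        (New-Rule 'Domain Admins'       'FullControl'   $inheritAll 'None')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl

    # Show the result so it can be compared with the Security tab
    (Get-Acl -Path $path).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}
```

The Everyone entry lets a user create their own subfolder under the root but not list or read another user's data, because it does not inherit to anything below the root.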

Now launch gpmc.msc to open Group Policy Management Console.

Drill down to the domain DM.LOCAL, right-click on it and choose Create new GPO in this domain and link it here.

Name it RedirectMapGPO and click OK.

Right-click on the newly created Policy and click Edit…

Now note that the Group Policy Management Editor is divided into two types of configurations: Computer Configuration and User Configuration.

To Redirect the Desktop Folder:

Under User Configuration, click Policies, Windows Settings, Folder Redirection. Right-click AppData(Roaming) and choose Properties.

In the Target tab, choose Basic – Redirect everyone’s folder to the same location

For Target Folder Location, choose Create a folder for each user under the root path

Root Path: \\DCD2\UsersFolders$.

Click Apply.

Yes to continue.

Click the Settings tab. Checkmarks on the following items:

Grant the user exclusive rights to Desktop

Move contents of Desktop to new location

Under Physical Removal, choose Leave folder in the new location when the policy is removed.

Click OK when done.

Repeat the same settings for the following folders: Desktop, Start Menu, Documents, Pictures, Music, Videos, Favourites, Contacts, Downloads, Links, Searches, and Saved Games.

Folder Redirection is now completed. Let’s move on to redirecting user profiles.

Redirecting System/User Profiles

The following section describes how to redirect System / User profile to a remote network location.

You can redirect user’s profile to a network location using mainly two methods. The first method is through the Computer Configuration. The second method is through User Properties.

  1. Configure User Profile Redirection through Computer Configuration.

Go to Computer Configuration, Policies, Administrative Templates: Policy, System, User Profiles, click on it. Locate the setting called “Set roaming profile path for all users logging into this computer.” Double-click this setting.

Select Enabled. Enter the path for user profiles to be: \\DCD2\UsersProfiles$\%Username%

  2. Configure User Profile Redirection through User’s Properties.

Note that this is the method I am using in this lab, so the “Set roaming profile path for all users logging onto this computer” setting described above is set to Disabled, as shown.

Now we configure the user’s profile redirection based on the user’s properties.

Launch dsa.msc, go to each user and choose Properties. Make sure of the following:

Or, instead of doing one by one on a per user basis, select all users at once and choose Properties. Change their profile path as follows:

This means that the user “test” will have its profile stored in \\DCD2\UsersProfiles$\test as shown.

User profile redirection is now completed. Let’s configure a few more settings to perfect our GPO configuration for use in a domain environment.

Mapped Drives

Now we want to provide a mapped drive called H: that links to the user’s Home Directory. This is the UsersFolders path.

To do this, we enable the following under User Configuration.

Under User Configuration, click Preferences, expand Windows Settings, click Drive Maps.

Right-click in an empty area and choose New, Mapped Drive.

The drive mapping options are as follows:

This is the final result.

Accessory Policies (Optional)

Let’s perfect our GPO by providing the following policies as well for the domain environment. This has nothing to do with Folder/Profile redirection but I include here for completeness.

Computer Configuration, Policies, Windows Settings, Local Policies, Security Options:

Domain controller: Refuse machine account password changes     Enabled

Domain member: Disable machine account password changes     Enabled

Interactive logon: Do not display last user name Enabled

Interactive logon: Do not require CTRL+ALT+DEL Enabled

Under Computer Settings, Policies, Administrative Templates, System, also enable the following settings.

Display highly detailed status messages Enabled

Under Computer Settings, Policies, Administrative Templates, System, Logon

Assign a default domain for logon: Enabled

Default Logon domain: DM.LOCAL

Update the GPO

The settings are all done; now we need to update the GPO. Launch the command prompt and type

gpupdate /force

This is to update the policy to make it effective.

When prompted to log off, type N as we do not want to log off from the server.

Testing

Test by logging into a computer with domain credentials. Verify that all the settings stay on the server. If you have a computer already on the domain and logged in, remember to restart it and also perform a gpupdate /force on it.

Let’s log into a Windows 7 workstation to check out the settings. Login as test.

Click Start then right-click on Computer. Choose Properties. Choose Advanced System Settings.

Under User Profiles click Settings.

You can see that the user test is actually using Roaming Profile.

Now, let’s do a few things.

  1. Create a folder and a file on the desktop
  2. Change the desktop background
  3. Make a Bookmark in Firefox
  4. Store a folder and a file in Documents
  5. Launch an application such as Notepad and resize the window.

All of the above settings should persist across all computers. I have tested this in my environment and it is so.
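Once test users have logged on, the per-user folders created under both shares can be checked on the server for access entries that do not belong there. This is an added example, not part of the original guide; the function name Get-UnexpectedAce is hypothetical, and it assumes the local paths D:\UsersFolders and D:\UsersProfiles and that each first-level folder is named after the user's logon name (Windows 7 roaming profiles carry a .V2 suffix).

```powershell
# Added example: report ACL entries on per-user folders that grant access to
# anyone other than the folder's own user or the administrative principals
# configured earlier in this guide. Run elevated on the file server.
function Get-UnexpectedAce {
    param(
        [string[]]$Root,
        [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'CREATOR OWNER', 'BUILTIN\Administrators')
    )
    foreach ($r in $Root) {
        foreach ($dir in Get-ChildItem -Path $r -Directory) {
            # Roaming profile folders look like "test.V2"; strip the version suffix
            $user = $dir.Name -replace '\.V\d+$', ''
            try {
                $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop
            } catch {
                # Profile folders owned by the user can be unreadable to administrators
                [pscustomobject]@{ Folder = $dir.FullName; Owner = $null
                                   Identity = '(ACL not readable)'; Rights = $null; Inherited = $null }
                continue
            }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $id      = $ace.IdentityReference.Value
                $account = ($id -split '\\')[-1]     # drop the DOMAIN\ prefix
                if ($Allowed -contains $id -or $account -eq $user -or
                    $account -eq 'Domain Admins') { continue }
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Owner     = $acl.Owner
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Assumption: local paths of the two shares created at the start of this guide
Get-UnexpectedAce -Root 'D:\UsersFolders', 'D:\UsersProfiles' |
    Format-Table -AutoSize
```

An empty result means every per-user folder is reachable only by its user and the administrative principals; a row naming Everyone or another user shows that the root folder's inheritance settings were not applied as described.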