User Profiles and User Folders Redirection Using GPO
Chuong K. Nguyen BSc., MCSEx2, MCSAx2, MCP, MCTS, CCNA, MCITP
Assume that you have a Microsoft Windows Server 2012 R2 installed and ADDS is configured, up and running. The following guide will show you how to configure a few policies using Group Policy Objects (GPO) to:
- Redirect User Profile (1)
- Redirect all personal stuff such as desktop, documents, Favourites, Contacts, Downloads, Links Music, Pictures, Saved Games, Searches, Start Menu, and Video. (2)
- Configure Drive Mapping to map N: drive to a public share such as \\DCD2\Shared.
- Set domain users’ home folder.
- Some other essentials properties for users.
In this above list, it is worthwhile to note that User Profile Redirection (1) – also called Roaming Profile is different from Folder Redirection (2). It is recommended (best practice) to redirect user profiles to a different location than where we store users’ foldes such as Desktop, Documents, Music, etc… If we were to place user profile and folder redirection destination to the same location, we would have defeated the purpose of folder redirection. Folder redirection is meant to detach users’ folders away from their profiles so that the OS startup and logoff is faster.
Setup two shared locations on the AD server called: UsersProfiles and UsersFolders
The first step is to setup two shared locations for user profiles and user folders respectively. In D:\ Drive, or a separate partition different than the OS partition on the server, make new Directories called UsersProfiles and UsersFolders respectively.
Do the following for both of the above folders, one at a time.
Right-click on the folder, click Properties. Choose the Sharing tab. Click Advanced sharing and share it as UsersProfiles$ (the $ is to make the share hidden). Click Permission and make sure the sharing permission is set as follows.
Everyone = FULL
Also add System and Administrators and assign share permission as follows:
System = FULL
Administrators = FULL
Choose the Security tab, hit Advanced
At the Permission tab, click Disable Inheritance.
Click Remove all inherited permissions from this object.
Click the Add button.
Click Select a principal.
Type Everyone, click OK.
Choose This folder Only and click Show advanced permissions.
Choose the following
Traverse folder / execute file
List Folder / read Data
Read Extended Attributes
Create Folders / Append Data
Click Add. Click Select a principal. Enter Creator Owner. Click OK and give it Full Control.
Click Add, click Select a principal. Enter System, click OK and give it Full Control.
Click Add, click Select a principal. Enter Domain Admins, click OK and give it Full Control.
Remember to do the same thing for UsersFolders. We will end up with the following.
Now launch gpmc.msc to open Group Policy Management Console.
Drill down to the domain DM.LOCAL, right-click on it and choose Create new GPO in this domain and link it here.
Name is RedirectMapGPO and click OK.
Right-click on the newly created Policy and click Edit…
Now note that the Group Policy Management Editor is divided into two types of configurations: Computer Configuration and User Configuration.
To Redirect the Desktop Folder:
Under User Configurations click Policies, Windows Settings, Folder Redirrection, Right-click AppData(Roaming) and choose Properties.
In the Target tab, choose Basic – Redirect everyone’s folder to the same location
Target Folder Location choose Create a folder for each iuser under the root path
Root Path: \\DCD2\UsersFolders$.
Yes to continue.
Click the Settings tab. Checkmarks on the following items:
Grant the user exclusive rights to Desktop
Move contents of Desktop to new location
Under Physical Removal, choose Leave folder in the new location when the policy is removed.
Click OK when done.
Repeat the same settigs for the following folders: Desktop, Start Menu, Documents, Pictures, Music, Videos, Favourites, Contacts Downloads, Links, Searches, and Saved Games.
Folder Redirection is now completed. Let’s move on to redirecting user profiles.
Redirecting System/User Profiles
The following section describes how to redirect System / User profile to a remote network location.
You can redirect user’s profile to a network location using mainly two methods. The first method is through the Computer Configuration. The second method is through User Properties.
- Configure User Profile Redirection through Computer Configuration.
Go to Computer Configuration, Policies, Administrative Templates: Policy, System, User Profiles, click on it. Locate the setting called “Set roaming profile path for all users logging into this computer.” Double-click this setting.
Select Enabled. Enter the path for user profiles to be: \\DCD2\UsersProfiles$\%Username%
- Configure User Profile Redirection through User’s Properties.
Note that this is the method I am using in this lab, so in the “Set roaming profile path for all users logging onto this computer” described above is set to Disabled, as shown.
Now we configure the user’s profile redirection based on the user’s properties.
Launch dsa.msc, go to each user and choose Properties. Make sure of the followings
Or, instead of doing one by one on a per user basis, select all users at once and choose Properties. Change their profile path as follows:
This means that the user “test” will have its profile stored in \\DCD2\UsersProfiles$\test as shown.
User profile redirection is now completed. Let’s configure a few more settings to perfect our GPO configuration for use in a domain environment.
Now we want to provide a mapped drive called H: that links to the users Home Directory. This is the UsersFolders path.
To do this, we enable the following under User Configurations.
Under User Configuration, click Preferences, expand Windows Settings, click Drive Maps.
Right-click in an empty area and choose New, Mapped Drive.
The drive mapping options are as follows:
This is the final result.
Accessory Policies (Optional)
Let’s perfect our GPO by providing the following policies as well for the domain environment. This has nothing to do with Folder/Profile redirection but I include here for completeness.
Computer Configurations, Policies, Windows Settings, Local Policies, Security Options,
Domain controller: Refuse machine account password changes Enabled
Domain member: Disable machine account password changes Enabled
Interactive logon: Do not display last user name Enabled
Interactive logon: Do not require CTRL+ALT+DEL Enabled
Under Computer Settings, Policies, Administrative Templates, System, also enable the following settings.
Display highly detailed status messages Enabled
Under Computer Settings, Policies, Administrative Templates, System, Logon
Assign a default domain for logon: Enabled
Default Logon domain: DM.LOCAL
Update the GPO
The settings are all done, now we need to update the GPO. Launch the command prompt and type
This is to update the policy to make it effective.
When prompting to log off, type N as we do not to log off from the server.
Test by logging into a computer with a domain credentials. Verify that all the settings stay on the server. If you have a compuer already on the domain and logged in, remember to restart it and also perform a gpupdate /force on it.
Let’s log into a Windows 7 workstation to check out the settings. Login as test.
Click Start then right-click on Computer. Choose Properties. Choose Advanced System Settings.
Under User Profiles click Settings.
You can see that the user test is actually using Roaming Profile.
Now, let do a few things.
- Create a folder and a file on the desktop
- Change the desktop background
- Make a Bookmark in Firefox
- Store a folder and a file in Documents
- Launch an application such as notepad and resize the windows.
All of the above settings should persist across all computers. This is tested in my environment that it is so.