Deploy Folder Redirection with Offline Files

Applies To: Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, Windows Server 2016

This article describes the requirements for deploying Folder Redirection and Offline Files together, including the steps that you need to follow to control access to the redirected files.

Prerequisites

Before you begin, make sure your environment meets the following requirements.

Administration requirements

  • To administer Folder Redirection, you must be signed in as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
  • A computer must be available that has Group Policy Management and Active Directory Administration Center installed.

File server requirements

The file server is the computer that hosts the redirected folders. Make sure your file server meets the following requirements.

Interoperability with Remote Desktop Services

Your remote access configuration affects how you configure the file server, file shares, and policies. If your file server also hosts Remote Desktop Services, there are a few deployment steps that differ.

  • You don't have to create a security group for folder redirection users.
  • You have to configure different permissions on the file share that hosts the redirected folders.
  • You have to precreate folders for new users, and set specific permissions on those folders.

Important

Most of the procedures in the rest of this section apply to both remote access configurations. The procedures or steps that are specific to one configuration or the other are labeled as such.

Restricting access

Apply the following changes to the file server, as appropriate for your configuration:

  • All configurations: Make sure only required IT administrators have administrative access to the file server. The procedure in the next step configures access for the individual file shares.
  • Servers that don't also host Remote Desktop Services: Disable the Remote Desktop Services service (termserv) on your file server if it's not also hosting Remote Desktop Services.

Interoperability with other storage features

To make sure Folder Redirection and Offline Files interact correctly with other storage features, check the following configurations.

  • If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
  • If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
  • When using a clustered file share, disable continuous availability on the file share to avoid performance issues with Folder Redirection and Offline Files. When continuous availability is enabled, Offline Files might not transition to offline mode for 3-6 minutes after a user loses access to the file share. The delay could frustrate users who aren’t yet using the Always Offline mode of Offline Files.

Client requirements

  • Client computers must run Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, or Windows Server 2016.
  • Client computers must be joined to the Active Directory Domain Services (AD DS) domain that you're managing.
  • Client computers must run x64-based or x86-based processors. Folder Redirection isn't supported on PCs powered by ARM processors.

Important

Some newer features in Folder Redirection have additional client computer and Active Directory schema requirements. For more information, see Deploy primary computers for Folder Redirection and Roaming User Profiles, Disable Offline Files on individual redirected folders, Enable Always Offline mode for faster access to files, and Enable optimized moves of redirected folders.

Step 1: Create a folder redirection security group

If you're running Remote Desktop Services on the file server, skip this step. Instead, assign permissions to the users when you precreate folders for new users.

This procedure creates a security group that contains all users to which you want to apply Folder Redirection policy settings.

  1. On a computer that has Active Directory Administration Center installed, open Server Manager.

  2. Select Tools > Active Directory Administration Center. Active Directory Administration Center appears.

  3. Right-click the appropriate domain or OU, and then select New > Group.

  4. In the Create Group window, in the Group section, specify the following settings:

    • In Group name, enter the name of the security group, for example: Folder Redirection Users.
    • In Group scope, select Security > Global.
  5. In the Members section, select Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

  6. Enter the names of the users or groups to which you want to deploy Folder Redirection, select OK, and then select OK again.

Step 2: Create a file share for redirected folders

If you don't already have a file share for redirected folders, use the following procedure to create a file share on a server that runs Windows Server 2016 or a later version.

Note

Some functionality might differ or be unavailable if you create the file share on a server that runs a different version of Windows Server.

  1. In the Server Manager navigation pane, select File and Storage Services > Shares to display the Shares page.

  2. In the Shares page, select Tasks > New Share. The New Share Wizard appears.

  3. On the Select Profile page, choose the option that corresponds to your File Server Resource Manager configuration:

    • If you have File Server Resource Manager installed and are using folder management properties, select SMB Share - Advanced.
    • If you don't have File Server Resource Manager installed or you aren't using folder management properties, select SMB Share – Quick.
  4. On the Share Location page, select the server and volume on which you want to create the share.

  5. On the Share Name page, enter a name for the share (for example, Users$) in the Share name box.

    Tip

    When you create the share, hide the share by putting a $ (dollar sign) after the share name. This change hides the share from casual browsers.

  6. On the Other Settings page, clear the Enable continuous availability checkbox, if present. Optionally, select the Enable access-based enumeration and Encrypt data access checkboxes.

  7. On the Permissions page, select Customize permissions to open the Advanced Security Settings dialog box.

  8. Select Disable inheritance, and then select Convert inherited permissions into explicit permission on this object.

  9. Set the permissions as described in the following tables and figures.

    Important

    The permissions that you use depend on your remote access configuration, so make sure you use the correct table.

    • Permissions for file servers without Remote Desktop Services

      User Account Permission Applies to
      System Full Control This folder, subfolders, and files
      Administrators Full Control This folder only
      Creator/Owner Full Control Subfolders and files only
      Security group of users who need to put data on the share (Folder Redirection Users) List folder/read data1
      Create folders/append data1
      Read attributes1
      Read extended attributes1
      Read permissions1
      Traverse folder/execute file1
      This folder only
      Other groups and accounts None (Remove any accounts that this table doesn't list)

      1 Advanced permissions

      Screenshot of the advanced permissions page showing the permissions configuration for the separate server configuration.

    • Permissions for file servers with Remote Desktop Services

      User Account or Role Permission Applies to
      System Full Control This folder, subfolders, and files
      Administrators Full Control This folder, subfolders, and files
      Creator/Owner Full Control Subfolders and files only
      Other groups and accounts None (remove any other accounts from the access control list)

      Screenshot of the advanced permissions page showing the permissions configuration for the colocated server configuration.

  10. If you chose the SMB Share - Advanced profile earlier in this procedure, follow these extra steps:

    • On the Management Properties page, select the User Files Folder Usage value.
    • Optionally, select a quota to apply to users of the share.
  11. On the Confirmation page, select Create.

Step 3: Precreate folders for new users on servers that also host Remote Desktop Services

If the file server also hosts Remote Desktop Services, use the following procedure to precreate folders for new users and assign the appropriate permissions to the folders.

  1. In the file share that you created in the previous procedure, navigate to the file share's root folder.

  2. Use one of the following methods to create a new folder.

    • Right-click the root folder, and then select New > Folder. For the name of the folder, enter the user name of the new user.

    • Alternatively, to use Windows PowerShell to create the new folder, open a PowerShell Command Prompt window and run the following cmdlet:

      New-Item -Path 'c:\shares\frdeploy\<newuser>' -ItemType Directory
      

      In this command, <newuser> represents the user name of the new user.

  3. Right-click the new folder, and then select Properties > Security > Advanced > Owner. Verify that the folder owner is the Administrators group.

  4. Set the permissions as described in the following table and figure. Remove permissions for any groups and accounts that aren't listed here.

    User Account Permission Applies to
    System  Full control This folder, subfolders, and files
    Administrators Full Control This folder, subfolders, and files
    Creator/Owner Full Control Subfolders and files only
    newuser1 Full Control This folder, subfolders, and files
    Other groups and accounts None (remove any other accounts from the access control list)

    1 newuser represents the user name of the new user's account.

    Screenshot of setting the permissions for a new user’s folder under the root of the Folder Redirection share.

Step 4: Create a GPO for Folder Redirection

If you don't already have a Group Policy object (GPO) that manages the Folder Redirection and Offline Files functionality, use the following procedure to create one.

  1. On a computer that has Group Policy Management installed, open Server Manager.

  2. Select Tools > Group Policy Management.

  3. In Group Policy Management, right-click the domain or OU in which you want to set up Folder Redirection, and then select Create a GPO in this domain, and Link it here.

  4. In the New GPO dialog box, enter a name for the GPO (for example, Folder Redirection Settings), and then select OK.

  5. Right-click the newly created GPO, and then clear the Link Enabled checkbox. This change prevents the GPO from being applied until you finish configuring it.

  6. Select the GPO. Select Scope > Security Filtering > Authenticated Users, and then select Remove to prevent the GPO from being applied to everyone.

  7. In the Security Filtering section, select Add.

  8. In the Select User, Computer, or Group dialog box, configure the option that corresponds to your configuration:

  9. Select Delegation > Add, and then enter Authenticated Users. Select OK, and then select OK again to accept the default Read permission.

    Important

    This step is necessary because of security changes made in MS16-072. You must give the Authenticated Users group delegated Read permissions to the Folder Redirection GPO. If you don't, the GPO isn't applied to users, or if it's already applied, the GPO is removed, redirecting folders back to the local PC. For more information, see Deploying Group Policy Security Update MS16-072.

Step 5: Configure the Group Policy settings for Folder Redirection and Offline Files

After you create a GPO for Folder Redirection settings, follow these steps to edit the Group Policy settings that enable and configure Folder Redirection.

Note

By default, the Offline Files feature is enabled for redirected folders on Windows client computers, and disabled on Windows Server computers. Users can enable this feature, or you can use Group Policy to control it. The policy is Allow or disallow use of the Offline Files feature.

For information about some of the other Offline Files Group Policy settings, see Enable Advanced Offline Files Functionality, and Configuring Group Policy for Offline Files.

  1. In Group Policy Management, right-click the GPO you created (for example, Folder Redirection Settings), and then select Edit.

  2. In the Group Policy Management Editor window, navigate to User Configuration > Policies > Windows Settings > Folder Redirection.

  3. Right-click a folder that you want to redirect (for example, Documents), and then select Properties.

  4. In the Properties dialog box, from the Settings box, select Basic - Redirect everyone’s folder to the same location.

    (Optional) In the Policy Removal section, select Redirect the folder back to the local userprofile location when the policy is removed. This setting can help make Folder Redirection behave more predictably for administrators and users.

  5. In the Target folder location section, select Create a folder for each user under the root path.

  6. In the Root Path box, enter the path to the file share that stores the redirected folders, such as \\fs1.corp.contoso.com\users$.

  7. Select OK, and then select Yes in the Warning dialog box.

Step 6: Enable the Folder Redirection GPO

After you finish configuring the Folder Redirection Group Policy settings, the next step is to enable the GPO. This change allows the GPO to be applied to affected users.

Tip

If you plan to implement primary computer support or other policy settings, do so now, before you enable the GPO. Implementing these settings prevents user data from being copied to non-primary computers before primary computer support is enabled.

  1. Open Group Policy Management.
  2. Right-click the GPO that you created, and then select Link Enabled. A checkbox appears next to the menu item.

Step 7: Test Folder Redirection

To test Folder Redirection, sign in to a computer by using a user account that is configured to use redirected folders. Then confirm that the folders and profiles are redirected.

  1. Sign in to a primary computer (if you enabled primary computer support) by using a user account for which you have enabled Folder Redirection.

  2. If the user has previously signed in to the computer, open an elevated command prompt, and then enter the following command to ensure that the latest Group Policy settings are applied to the client computer:

    gpupdate /force
    
  3. Open File Explorer.

  4. Right-click a redirected folder (for example, the My Documents folder in the Documents library), and then select Properties.

  5. Select the Location tab, and confirm that the path displays the file share you specified instead of a local path.

Appendix A: Checklist for deploying Folder Redirection

Complete Task or item
Prepare domain and other prerequisites
- Join computers to domain
- Create user accounts
- Check file server prerequisites and compatibility with other services
- Does the file server also host Remote Desktop Services?
- Restrict access to the file server
Step 1: Create a folder redirection security group
- Group name:
- Members:
Step 2: Create a file share for redirected folders
- File share name:
Step 3: Precreate folders for new users on servers that also host Remote Desktop Services
Step 4: Create a GPO for Folder Redirection
- GPO name:
Step 5: Configure the Group Policy settings for Folder Redirection and Offline Files
- Redirected folders:
- Windows 2000, Windows XP, and Windows Server 2003 support enabled?
- Offline Files enabled? (enabled by default on Windows client computers)
- Always Offline Mode enabled?
- Background file synchronization enabled?
- Optimized Move of redirected folders enabled?
(Optional) Enable primary computer support:
- Computer-based or User-based?
- Designate primary computers for users
- Location of user and primary computer mappings:
- (Optional) Enable primary computer support for Folder Redirection
- (Optional) Enable primary computer support for Roaming User Profiles
Step 6: Enable the Folder Redirection GPO
Step 7: Test Folder Redirection