You are currently offline, waiting for your internet to reconnect

How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article was previously published under Q274443
In Microsoft Windows 2000 and in Microsoft Windows Server 2003, as an administrator, you can customize desktops by using Folder Redirection. You can redirect the following folders by using Active Directory and Group Policy:
  • Application Data
  • Desktop
  • My Documents
  • My Documents/My Pictures
  • Start Menu
You can find more information about Folder Redirection by searching Windows Help for Folder Redirection.

When you redirect folders to a shared location on a network, users need both read and write access to this location so that the users can read the contents these folders. However, in some scenarios, you may not want to grant read access.

Create security-enhanced redirected folders

To make sure that only the user and the domain administrators have permissions to open a particular redirected folder, do the following:
  1. Select a central location in your environment where you would like to store Folder Redirection, and then share this folder. In this example, FLDREDIR is used.
  2. Set Share Permissions for the Everyone group to Full Control.
  3. Use the following settings for NTFS Permissions:
    • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
    • System - Full Control (Apply onto: This Folder, Subfolders and Files)
    • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
    • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
    • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
    • Everyone - Read Attributes (Apply onto: This Folder Only)
    • Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)
  4. Configure Folder Redirection Policy as outlined in Windows Help. Use a path similar to \\server\FLDREDIR\username to create a folder under the shared folder, FLDREDIR.
Because the Everyone group has the Create Folder/Append Data right, the group members have the proper permissions to create the folder; however, the members are not able to read the data afterwards. The Username group is the name of the user that was logged on when you created the folder. Because the folder is a child of the parent folder, it inherits the permissions that you assigned to FLDREDIR. Also, because the user is creating the folder, the user gains full control of the folder because of the Creator Owner Permission setting.
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
232692 Folder Redirection Feature in Windows
Folder Redirection Secure redirect CSC client side caching client-side caching Offline Files

Article ID: 274443 - Last Review: 11/28/2007 19:05:46 - Revision: 6.6

Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows 2000 Server SP1, Microsoft Windows 2000 Advanced Server SP1, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86), Microsoft Windows Server 2003 R2 Datacenter x64 Edition, Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86), Microsoft Windows Server 2003 R2 Enterprise x64 Edition, Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86), Microsoft Windows Server 2003 R2 Standard x64 Edition

  • kbactivedirectoryrepl kbgpo kbhowtomaster kbprofiles KB274443
or="var m=document.createElement('meta');'ms.dqp0';m.content='true';document.getElementsByTagName('head')[0].appendChild(m);" onload="var m=document.createElement('meta');'ms.dqp0';m.content='false';document.getElementsByTagName('head')[0].appendChild(m);" src="">