The
following instructions work for redirecting My Documents/Documents. I
cannot guarantee it will work for other redirected folders but it
follows the same pattern so there is no reason why it shouldn't.
When setting up the root folder for redirected folders:
Setting the NTFS permissions
Create the folder in the required location (ie. E:\Users)
Disable inheritance of permissions from the parent and remove all inherited permissions by clicking the appropriate button.
One entry will already be in the DACL: Local Administrators.
- Alter Local Administrators: Full Control: This folder, subfolders and files
- Add SYSTEM: Full Control: This folder, subfolder and files.
- Add CREATOR OWNER: Full Control: This folder, subfolders and files.
- Add Authenticated Users: List folder / read data, Create folders / append data: This folder only
- Add Domain Admins: Full Control: This folder, subfolders and files.
- Click OK.
These
permissions grant users the ability to create their redirected folder
in the root folder but not the ability to browse the contents of other
people's folders. Best practice dictates that you should allow the
redirected folder locations to create themselves as users log on.
Create the share and add share permissions
Share the root folder created earlier as \\SERVER\Users (or if you want to hide it, \\SERVER\Users$\
Adjust the share permissions as follows:
- Remove Everyone
- Grant Authenticated Users Full Control
- Grant Domain Admins Full Control (Not necessary but useful for completeness)
Configure the GPO
- Open Group Policy Manager
- Create a new GPO or edit your existing one.
- Expand User Configuration > Policies > Windows Settings > Folder Redirection
- Right-click My Documents/Documents and click Properties.
- Choose Basic - Redirect everyone's folder to the same location
- Under Target folder location choose Create a folder for each user under the root path
- Set the Root Path: to \\SERVER\Users
- As you type, you will see an example location listed to show you how the folders will be created as users log on.
- On the Settings tab, uncheck Grant the user exclusive rights to Documents
- Under Policy Removal, select your preferred option depending on your requirements.
- Link the GPO at the appropriate OU.
Despite
assurances from Microsoft in another article, granting users exclusive
rights to My Documents in the GPO will stop you from being able to
access the contents of a users' folder. Probably not good for backup!
No comments:
Post a Comment