Deploy Folder Redirection with Offline Files
Applies to: Windows Server 2022, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Vista, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 R2
This article describes the requirements for deploying the Folder Redirection and Offline Files features together, including the steps that you need to follow to control access to the redirected files.
Because of the security changes made in MS16-072), we updated Step 4: Create a GPO for Folder Redirection of this article so that Windows can properly apply the Folder Redirection policy (and not revert redirected folders on affected client computers).
For a list of recent changes to this article, see Change history.
- To administer Folder Redirection, you must be signed in as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
- A computer must be available that has Group Policy Management and Active Directory Administration Center installed.
File server requirements
The file server is the computer that hosts the redirected folders.
Interoperability with Remote Desktop Services
Your remote access configuration affects how you configure the file server, file shares, and policies. If your file server also hosts Remote Desktop Services, there are a few deployment steps that differ:
- You don't have to create a security group for folder redirection users.
- You have to configure different permissions on the file share that hosts the redirected folders.
- You have to pre-create folders for new users, and set specific permissions on those folders.
Most of the procedures in the rest of this section apply to both configurations. The procedures or steps that are specific to one configuration or the other are labeled as such.
Apply the following changes to the file server, as appropriate for your configuration:
- All configurations. Make sure that only required IT administrators have administrative access to the file server. The procedure in the next step configures access for the individual file shares.
- Servers that do not also host Remote Desktop Services. Disable the Remote Desktop Services service (termserv) on your file server if it's not also hosting Remote Desktop Services.
Interoperability with other storage features
To make sure that Folder Redirection and Offline Files interact correctly with other storage features, check the following configurations.
- If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
- If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
- When using a clustered file share, disable continuous availability on the file share to avoid performance issues with Folder Redirection and Offline Files. Additionally, Offline Files might not transition to offline mode for 3-6 minutes after a user loses access to a continuously available file share, which could frustrate users who aren’t yet using the Always Offline mode of Offline Files.
- Client computers must run Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.
- Client computers must be joined to the Active Directory Domain Services (AD DS) domain that you are managing.
- Client computers must run x64-based or x86-based processors. Folder Redirection is not supported on PCs powered by ARM processors.
Some newer features in Folder Redirection have additional client computer and Active Directory schema requirements. For more info, see Deploy primary computers, Disable Offline Files on folders, Enable Always Offline mode, and Enable optimized folder moving.
Step 1: Create a folder redirection security group
If you are running Remote Desktop Services on the file server, skip this step and instead assign permissions to the users when you pre-create folders for new users.
This procedure creates a security group that contains all users to which you want to apply Folder Redirection policy settings.
On a computer that has Active Directory Administration Center installed, open Server Manager.
Select Tools > Active Directory Administration Center. Active Directory Administration Center appears.
Right-click the appropriate domain or OU, and then select New > Group.
In the Create Group window, in the Group section, specify the following settings:
- In Group name, enter the name of the security group, for example: Folder Redirection Users.
- In Group scope, select Security > Global.
In the Members section, select Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.
Enter the names of the users or groups to which you want to deploy Folder Redirection, select OK, and then select OK again.
Step 2: Create a file share for redirected folders
If you do not already have a file share for redirected folders, use the following procedure to create a file share on a server that runs Windows Server 2012 or a later version.
Some functionality might differ or be unavailable if you create the file share on a server that runs a different version of Windows Server.
In the Server Manager navigation pane, select File and Storage Services > Shares to display the Shares page.
In the Shares page, select Tasks > New Share. The New Share Wizard appears.
On the Select Profile page, do one of the following:
- If you have File Server Resource Manager installed and are using folder management properties, select SMB Share - Advanced.
- If you do not have File Server Resource Manager installed or you are not using folder management properties, select SMB Share – Quick.
On the Share Location page, select the server and volume on which you want to create the share.
On the Share Name page, type a name for the share (for example, Users$) in the Share name box.
When you create the share, hide the share by putting a
$after the share name. This change hides the share from casual browsers.
On the Other Settings page, clear the Enable continuous availability checkbox, if present. Optionally, select the Enable access-based enumeration and Encrypt data access checkboxes.
On the Permissions page, select Customize permissions to open the Advanced Security Settings dialog box.
Select Disable inheritance, and then select Convert inherited permissions into explicit permission on this object.
Set the permissions as described in the following tables and figures.
The permissions that you use depend on your remote access configuration, so make sure that you use the correct table.
Permissions for file servers without Remote Desktop Services:
User Account Permission Applies to System Full Control This folder, subfolders, and files Administrators Full Control This folder only Creator/Owner Full Control Subfolders and files only Security group of users who need to put data on the share (Folder Redirection Users) List folder/read data1
Create folders/append data1
Read extended attributes1
Traverse folder/execute file1
This folder only Other groups and accounts None (Remove any accounts that this table does not list)
1 Advanced permissions
Permissions for file servers with Remote Desktop Services
User Account or Role Permission Applies to System Full Control This folder, subfolders, and files Administrators Full Control This folder, subfolders, and files Creator/Owner Full Control Subfolders and files only Other groups and accounts None (remove any other accounts from the access control list)
If you chose the SMB Share - Advanced profile earlier in this procedure, follow these additional steps:
- On the Management Properties page, select the User Files Folder Usage value.
- Optionally, select a quota to apply to users of the share.
On the Confirmation page, select Create.
Step 3: Pre-create folders for new users on servers that also host Remote Desktop Services
If the file server also hosts Remote Desktop Services, use the following procedure to pre-create folders for new users and assign the appropriate permissions to the folders.
In the file share that you created in the previous procedure, navigate to the file share's root folder.
Create a new folder. You can use one of the following methods:
Right-click the root folder, and then select New > Folder. For the name of the folder, enter the user name of the new user.
Alternatively, to use Windows PowerShell to create the new folder, open a PowerShell Command Prompt window and run the following cmdlet:
New-Item -Path 'c:\shares\frdeploy\<newuser>' -ItemType Directory
In this command, <newuser> represents the user name of the new user.
Right-click the new folder, and then select Properties > Security > Advanced > Owner. Verify that the folder owner is the Administrators group.
Set the permissions as described in the following table and figure. Remove permissions for any groups and accounts that are not listed here.
User Account Permission Applies to System Full control This folder, subfolders, and files Administrators Full Control This folder, subfolders, and files Creator/Owner Full Control Subfolders and files only newuser1 Full Control This folder, subfolders, and files Other groups and accounts None (remove any other accounts from the access control list)
1 newuser represents the user name of the new user's account.
Step 4: Create a GPO for Folder Redirection
If you do not already have a Group Policy object (GPO) that manages the Folder Redirection and Offline Files functionality, use the following procedure to create one.
On a computer that has Group Policy Management installed, open Server Manager.
Select Tools > Group Policy Management.
In Group Policy Management, right-click the domain or OU in which you want to set up Folder Redirection, and then select Create a GPO in this domain, and Link it here.
In the New GPO dialog box, enter a name for the GPO (for example, Folder Redirection Settings), and then select OK.
Right-click the newly created GPO, and then clear the Link Enabled checkbox. This change prevents the GPO from being applied until you finish configuring it.
Select the GPO. Select Scope > Security Filtering > Authenticated Users, and then select Remove to prevent the GPO from being applied to everyone.
In the Security Filtering section, select Add.
In the Select User, Computer, or Group dialog box, do one of the following, depending on your configuration:
- File servers without Remote Desktop Services. Enter the name of the security group that you created in Step 1: Create a folder redirection security group (for example, Folder Redirection Users), and then select OK.
- File servers with Remote Desktop Services. Enter the user name that you used for the user folder in Step 3: Pre-create folders for new users on servers that also host Remote Desktop Services and then select OK.
Select Delegation > Add, and then enter Authenticated Users. Select OK, and then select OK again to accept the default Read permission.
This step is necessary because of security changes made in MS16-072, you now must give the Authenticated Users group delegated Read permissions to the Folder Redirection GPO - otherwise the GPO won't get applied to users, or if it's already applied, the GPO is removed, redirecting folders back to the local PC. For more info, see Deploying Group Policy Security Update MS16-072.
Step 5: Configure the Group Policy settings for Folder Redirection and Offline Files
After you create a GPO for Folder Redirection settings, follow these steps to edit the Group Policy settings that enable and configure Folder Redirection.
By default, the Offline Files feature is enabled for redirected folders on Windows client computers, and disabled on Windows Server computers. Users can enable this feature, or you can use Group Policy to control it. The policy is Allow or disallow use of the Offline Files feature.
In Group Policy Management, right-click the GPO you created (for example, Folder Redirection Settings), and then select Edit.
In the Group Policy Management Editor window, navigate to User Configuration > Policies > Windows Settings > Folder Redirection.
Right-click a folder that you want to redirect (for example, Documents), and then select Properties.
In the Properties dialog box, from the Setting box, select Basic - Redirect everyone’s folder to the same location.
To apply Folder Redirection to client computers that run Windows XP or Windows Server 2003, select the Settings tab and then select the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems checkbox.
In the Target folder location section, select Create a folder for each user under the root path and then in the Root Path box, enter the path to the file share that stores the redirected folders, for example: \\
(Optional) Select the Settings tab, and in the Policy Removal section, select Redirect the folder back to the local userprofile location when the policy is removed (this setting can help make Folder Redirection behave more predictably for administrators and users).
Select OK, and then select Yes in the Warning dialog box.
Step 6: Enable the Folder Redirection GPO
After you finish configuring the Folder Redirection Group Policy settings, the next step is to enable the GPO. This change allows the GPO to be applied to affected users.
If you plan to implement primary computer support or other policy settings, do so now, before you enable the GPO. This prevents user data from being copied to non-primary computers before primary computer support is enabled.
- Open Group Policy Management.
- Right-click the GPO that you created, and then select Link Enabled. A checkbox appears next to the menu item.
Step 7: Test Folder Redirection
To test Folder Redirection, sign in to a computer by using a user account that is configured to use redirected folders. Then confirm that the folders and profiles are redirected.
Sign in to a primary computer (if you enabled primary computer support) by using a user account for which you have enabled Folder Redirection.
If the user has previously signed in to the computer, open an elevated command prompt, and then type the following command to ensure that the latest Group Policy settings are applied to the client computer:
Open File Explorer.
Right-click a redirected folder (for example, the My Documents folder in the Documents library), and then select Properties.
Select the Location tab, and confirm that the path displays the file share that you specified instead of a local path.
Appendix A: Checklist for deploying Folder Redirection
|Complete||Task or item|
|Prepare domain and other prerequisites|
|- Join computers to domain|
|- Create user accounts|
|- Check file server prerequisites and compatibility with other services|
|- Does the file server also host Remote Desktop Services?|
|- Restrict access to the file server|
|Step 1: Create a folder redirection security group|
|- Group name:|
|Step 2: Create a file share for redirected folders|
|- File share name:|
|Step 3: Pre-create folders for new users on servers that also host Remote Desktop Services|
|Step 4: Create a GPO for Folder Redirection|
|- GPO name:|
|Step 5: Configure the Group Policy settings for Folder Redirection and Offline Files|
|- Redirected folders:|
|- Windows 2000, Windows XP, and Windows Server 2003 support enabled?|
|- Offline Files enabled? (enabled by default on Windows client computers)|
|- Always Offline Mode enabled?|
|- Background file synchronization enabled?|
|- Optimized Move of redirected folders enabled?|
|(Optional) Enable primary computer support:|
|- Computer-based or User-based?|
|- Designate primary computers for users|
|- Location of user and primary computer mappings:|
|- (Optional) Enable primary computer support for Folder Redirection|
|- (Optional) Enable primary computer support for Roaming User Profiles|
|Step 6: Enable the Folder Redirection GPO|
|Step 7: Test Folder Redirection|
The following table summarizes some of the most important changes to this topic.
|March 9, 2021||Added instructions for different configurations.||Changes required to improve access control in different configurations.|
|January 18, 2017||Added a step to Create a GPO for Folder Redirection to delegate Read permission to Authenticated Users, which is now required because of a Group Policy security update.||Customer feedback.|
- Folder Redirection, Offline Files, and Roaming User Profiles
- Deploy Primary Computers for Folder Redirection and Roaming User Profiles
- Enable Advanced Offline Files Functionality
- Microsoft's Support Statement Around Replicated User Profile Data
- Sideload Apps with DISM
- Troubleshooting packaging, deployment, and query of Windows Runtime-based apps