Folder redirection best practice configuration in Windows


You need to configure folder redirection in Windows Server environments. This article provides step-by-step information on how to configure folder redirection. The instructions in this article are applicable to Windows 7 or later client operating systems and Windows Server 2012 R2 or later operating systems.

What is folder redirection?

Folder redirection maps a local user folder to another location (either another local disk or a network path). This reduces the storage consumed on each local machine and gives each domain user roaming access to the same data from any machine. Folder redirection applies both to domain-joined workstations and to any user accessing an Active Directory environment through a VDI/SBC solution such as Citrix Virtual Apps and Desktops. For on-premises domain-joined PCs, the redirected folders come from the local workstation; for Citrix or another DaaS solution, the redirected folders come from the Citrix VDA (or equivalent) servers.

Take into account that the more folders you redirect, the more storage space you will need for your users. It is a good idea to configure a quota on each user's folder (for example with a File Server Resource Manager auto-apply quota at the share root), so that no user can exceed their allocation, sized according to your organization's storage capacity.

The following folders can be redirected (the set exposed under the Folder Redirection policy node on Windows 7 and later):

  • AppData (Roaming)
  • Desktop
  • Start Menu
  • Documents
  • Pictures
  • Music
  • Videos
  • Favorites
  • Contacts
  • Downloads
  • Links
  • Searches
  • Saved Games

Solution

File server requirements

Beware of antimalware applications and the File Screening feature of File Server Resource Manager on the Windows file server: both can block or slow the file operations that folder redirection performs at logon, so exclude the redirection root or test the screening rules against the file types users actually store. Also plan for high availability: a DFS Namespace in front of the share gives users a stable UNC path that does not change when the backing server does, and a file server cluster based on Windows Failover Clustering is the other option.

SMB settings

Create a top-level folder on your file server, let's call it R:\UserHomes$, and share it so that it is reachable through a UNC path, let's call it \\fileserver\UserHomes$ (the trailing $ hides the share from network browsing but does not protect it; the permissions below do that).

The following SMB permissions should be applied at this level (R:\UserHomes$).

  • Authenticated users = Read,Change
  • Domain Admins = Full control
  • All domain workstation computer objects = Full control
  • All Citrix VDA (or equivalent) servers = Full control

Also set the following SMB parameters:

  • Access based enumeration (ABE) = Enabled, so that users only see the folders they have permission to open.
  • Continuous availability = Enabled (only available on shares hosted on a Windows failover cluster; a standalone server does not offer the option).
  • Caching/BranchCache = Disabled
  • Encrypt data access = Disabled, but you can optionally enable it to require SMB encryption. This protects user data on the wire at some cost in performance.
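The share and quota setup described in this section as a PowerShell script, added here as an example and not taken from the original article. It assumes the domain is called DOMAIN, that workstation and VDA computer accounts are collected in the groups DOMAIN\Domain Computers and DOMAIN\CitrixVDAServers, that the File Server Resource Manager feature is installed, and a 5 GB per-user quota; adjust all of these to your environment.

```powershell
# Added example: create the UserHomes$ share with the share permissions and SMB
# settings listed above, then apply an auto-apply FSRM quota to each user folder.
# Assumed names: DOMAIN, DOMAIN\Domain Computers, DOMAIN\CitrixVDAServers, 5 GB quota.
#Requires -RunAsAdministrator
$SharePath = 'R:\UserHomes$'
$ShareName = 'UserHomes$'

if (-not (Test-Path -Path $SharePath)) {
    New-Item -Path $SharePath -ItemType Directory | Out-Null
}

$shareParams = @{
    Name                  = $ShareName
    Path                  = $SharePath
    ChangeAccess          = 'NT AUTHORITY\Authenticated Users'   # Read + Change at share level
    FullAccess            = @('DOMAIN\Domain Admins',
                              'DOMAIN\Domain Computers',         # assumed: all workstation computer objects
                              'DOMAIN\CitrixVDAServers')         # assumed: all VDA computer objects
    FolderEnumerationMode = 'AccessBased'                         # ABE: hide folders the caller cannot open
    CachingMode           = 'None'                                # no Offline Files / BranchCache caching
    EncryptData           = $false                                # set to $true to require SMB encryption
}

# Continuous availability is only valid on a share hosted by a failover cluster;
# New-SmbShare rejects the parameter on a standalone server, so set it conditionally.
$clusterService = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
if ($clusterService -and $clusterService.Status -eq 'Running') {
    $shareParams['ContinuouslyAvailable'] = $true
}

New-SmbShare @shareParams | Out-Null

# Per-user quota: an auto-apply quota creates a quota for every subfolder of the
# root, i.e. for each user's redirected folder as it is created at first logon.
Import-Module FileServerResourceManager
$templateName = 'UserHome 5GB'    # assumed template name and size
if (-not (Get-FsrmQuotaTemplate -Name $templateName -ErrorAction SilentlyContinue)) {
    New-FsrmQuotaTemplate -Name $templateName -Size 5GB | Out-Null
}
New-FsrmAutoQuota -Path $SharePath -Template $templateName | Out-Null

# Verify what was actually applied before pointing a GPO at the share.
Get-SmbShare -Name $ShareName |
    Format-List Name, Path, FolderEnumerationMode, CachingMode, EncryptData, ContinuouslyAvailable
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

The share-level ACL is deliberately loose (Authenticated Users get Change) because the real access control is done with the NTFS permissions described later; the share permission only needs to be no tighter than the NTFS permission a user legitimately requires.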

Note on offline files and Branch Cache

Ensure that caching is set to off. Do not enable offline files or branch cache.

Offline Files can be disabled at computer level under Computer Configuration\Policies\Administrative Templates\Network\Offline Files by setting "Allow or Disallow use of the Offline Files feature" to Disabled.

At user level the equivalent setting is under User Configuration\Policies\Administrative Templates\Network\Offline Files: set "Prevent use of Offline Files" to Enabled.

NTFS permissions

The following NTFS permissions should be applied at this level (R:\UserHomes$). Disable inheritance at this level and create the NTFS permissions from scratch as shown below.

  • SYSTEM = Full control on folder, subfolders and files.
  • CREATOR OWNER = Full control on subfolders and files only. Each new user logging on to the domain creates their own redirected folder and is automatically set as the owner of that folder, so this entry is what gives every user full NTFS permissions on their own data and nothing else.
  • BackupAdmins = Full control on folder, subfolders and files. BackupAdmins is a security group used only for backing up the user data. No other users or administrators should have access to each user's data.
  • Domain Users, or the Citrix/VDI-related AD group = List folder / read data and Create folders / append data, on this folder only. This is just enough for a user to create their own top-level folder at first logon without being able to list or enter other users' folders.

Also all Citrix VDA servers or equivalent and all on-premise domain workstations must have the following permissions:

For existing users migrated from another environment/domain, also apply the following permissions on each user's redirected folder (e.g. R:\UserHomes$\ExistingUserA), because the folder was not created by the user and CREATOR OWNER therefore does not apply:

  • User must be made owner of their folder and all subfolders and files.
  • User must have full permissions on their folder and all subfolders and files.
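The root NTFS ACL from the list above, built from scratch with inheritance disabled, together with the ownership fix for migrated user folders, as an added PowerShell example that is not part of the original article. It assumes the domain DOMAIN, the groups DOMAIN\BackupAdmins and DOMAIN\Domain Users, and that the script runs elevated on the file server.

```powershell
# Added example: apply the root NTFS permissions described above and repair
# ownership/rights on folders of users migrated from another environment.
# Assumed: DOMAIN, DOMAIN\BackupAdmins, DOMAIN\Domain Users, elevated session.
#Requires -RunAsAdministrator
using namespace System.Security.AccessControl

$Root = 'R:\UserHomes$'

function New-FolderAce {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][FileSystemRights]$Rights,
        [InheritanceFlags]$Inherit = [InheritanceFlags]::None,
        [PropagationFlags]$Propagate = [PropagationFlags]::None
    )
    [FileSystemAccessRule]::new($Identity, $Rights, $Inherit, $Propagate, [AccessControlType]::Allow)
}

# Inheritance shorthands that match the NTFS "Applies to" wording.
$folderSubfoldersFiles = [InheritanceFlags]'ContainerInherit, ObjectInherit'
$subfoldersFilesOnly   = [PropagationFlags]::InheritOnly       # used with the flags above

# Start from an empty, protected DACL so nothing inherited from R:\ survives.
$acl = [DirectorySecurity]::new()
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, discard inherited ACEs

# SYSTEM: Full control on folder, subfolders and files.
$acl.AddAccessRule((New-FolderAce 'NT AUTHORITY\SYSTEM' FullControl $folderSubfoldersFiles))
# CREATOR OWNER: Full control on subfolders and files only (each user owns their own folder).
$acl.AddAccessRule((New-FolderAce 'CREATOR OWNER' FullControl $folderSubfoldersFiles $subfoldersFilesOnly))
# BackupAdmins: Full control on folder, subfolders and files (backup use only).
$acl.AddAccessRule((New-FolderAce 'DOMAIN\BackupAdmins' FullControl $folderSubfoldersFiles))
# Domain Users: list + create folder on this folder only, enough to create their own home.
# ListDirectory is "List folder / read data"; CreateDirectories is "Create folders / append data".
$acl.AddAccessRule((New-FolderAce 'DOMAIN\Domain Users' 'ListDirectory, CreateDirectories'))

Set-Acl -Path $Root -AclObject $acl

function Repair-MigratedUserFolder {
    # Make a migrated user the owner of their folder with Full control on everything in it.
    # icacls is used because assigning ownership to another account needs SeRestorePrivilege,
    # which icacls enables for an elevated administrator. /T recurses, /C continues on errors.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain = 'DOMAIN'
    )
    $path = Join-Path -Path $Root -ChildPath $SamAccountName
    if (-not (Test-Path -Path $path)) { throw "No folder for $SamAccountName at $path" }
    $principal = "$Domain\$SamAccountName"

    & icacls.exe $path /setowner $principal /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed for $path (exit $LASTEXITCODE)" }

    & icacls.exe $path /grant "${principal}:(OI)(CI)F" /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for $path (exit $LASTEXITCODE)" }
}

# Example: fix the folder of a user migrated from the old domain (assumed account name).
Repair-MigratedUserFolder -SamAccountName 'ExistingUserA'

# Show the resulting root ACL for review.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Because the root DACL is protected, a later change to the permissions on R:\ will not leak into user folders, which is what keeps administrators (other than BackupAdmins) out of user data.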

Group policy settings

The following group policy should be configured, depending on which folders you need to redirect:

User Configuration\Policies\Windows Settings\Folder Redirection.

Folder Redirection GPO

Set the following options (for a Desktop redirection example):

For special-purpose computers such as kiosks, prevent folder redirection by applying Group Policy loopback processing in Replace mode to the kiosk computer OU. With Replace, the user settings applied at logon come only from the GPOs linked to the computer's OU, so the Folder Redirection policy linked to the users' OU is ignored on those machines.
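Two checks that belong to this section, added here as an example rather than taken from the original article: creating the kiosk loopback GPO with the GroupPolicy module on a management host, and a client-side function that confirms the logged-on user's shell folders actually point at the share and that the Folder Redirection event log holds no recent errors. The GPO name Kiosk-Loopback, the OU distinguished name and the share path \\fileserver\UserHomes$ are assumptions.

```powershell
# Added example: kiosk loopback GPO (run on a host with RSAT GroupPolicy) and a
# client-side verification of folder redirection results.
# Assumed: GPO name 'Kiosk-Loopback', kiosk OU DN, share \\fileserver\UserHomes$.

function New-KioskLoopbackGpo {
    param(
        [string]$Name     = 'Kiosk-Loopback',
        [string]$TargetOU = 'OU=Kiosks,OU=Workstations,DC=corp,DC=example'   # assumed OU
    )
    Import-Module GroupPolicy
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }

    # "Configure user Group Policy loopback processing mode" is stored as UserPolicyMode:
    # 1 = Merge, 2 = Replace. Replace discards the user OU's GPOs, including Folder Redirection.
    Set-GPRegistryValue -Name $Name -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

    New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

function Test-FolderRedirection {
    # Run as the end user on a workstation or VDA after logon.
    param([string]$ExpectedRoot = ('\\fileserver\UserHomes$\' + $env:USERNAME))   # assumed path

    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $shell = Get-ItemProperty -Path $key
    # Registry value names for the folders most often redirected ("Personal" is Documents).
    $map = @{ Desktop = 'Desktop'; Documents = 'Personal'; Pictures = 'My Pictures'; AppData = 'AppData' }

    $folders = foreach ($entry in $map.GetEnumerator()) {
        $target = [Environment]::ExpandEnvironmentVariables([string]$shell.($entry.Value))
        [pscustomobject]@{
            Folder     = $entry.Key
            Target     = $target
            Redirected = $target -like "$ExpectedRoot*"
        }
    }

    # Folder Redirection logs its failures (Level 2 = Error) to its own operational log.
    $errors = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-Folder Redirection/Operational'; Level = 2
              } -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Folders      = $folders
        RecentErrors = @($errors | Select-Object TimeCreated, Id, Message)
    }
}

# Usage on a client: every folder you redirect should show Redirected = True,
# and RecentErrors should be empty.
$result = Test-FolderRedirection
$result.Folders | Format-Table -AutoSize
$result.RecentErrors | Format-List
```

On a kiosk with the loopback GPO applied, Test-FolderRedirection should report every folder as not redirected (local profile paths), which is the quickest way to confirm that Replace mode is doing what the section describes.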

Further hints and tips

Always test in a simulated environment which is as close to your production as possible. Ideally use a physical workstation that is domain-joined in the production domain together with at least 2-3 domain-joined test users. Also ensure that there is a solid end-user communication and training plan in place if users will be working with folder redirection for the first time. If users have created shortcuts to documents or folders inside folders which are being redirected, they can end up with broken shortcuts and a broken Recent Documents list, so test extensively and provide guidance to end users.


Source: stefanos.cloud