Folder Redirection for Unusual Paths [Group Policy]

March 12, 2010 by Screenbeard

This entry is part 2 of 2 in the series Group Policy Rewrite

As part of my Group Policy Rewrite I’m attempting to make use of Folder Redirection which lets you specify where common important Windows folders reside on the network.

Normally when you first log on, Windows makes a few folders under your user document folder for things such as Music, Favourites[1], Downloads etc. On a standalone machine these are usually stored under your user profile folder (C:\Users\{username}\Downloads in Win 7 for example) but they can be moved when you’re on a network[2].

In Group Policy, expand User Configuration > Policies > Windows Settings > Folder Redirection. Right click on one of the folders listed and select “Properties”. Documents is a good place to start, as I’ll show you how all the others can hang off that.

If you’ve worked with group policy before I won’t insult your intelligence more by explaining everything in here, suffice to say that in our environment, I’ve chosen to use the settings as shown below:

folderredirectionsettings.png Settings for redirecting My Documents to a shared network location.

For all the other folders I redirect, I use the same settings on the right there, and only change the Target folder location property on the left.

What this does is specify that you want all the users folders redirected to what you’ve specified in the Home folder property for the user in Active Directory (usually H: somewhere on your network). This is I suspect how most admins configure their document folders. The issue comes with the other folders later on. Lets work with the Desktop folder for example.

To redirect the Desktop, you again access the properties of that folder. This time, you’ll notice you lose the option to “Redirect to the user’s home folder”. This is fair enough, as we don’t want every folder type pointing to the same location. Unfortunately though, Microsoft don’t offer a simple way to redirect to a subfolder of the new Documents location, although they do suggest this:
The USERNAME variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.
Folder Redirection feature in Windows KB Article.

What they are suggesting is using \\server\share\%USERNAME%\Desktop to specify the location, but what if your AD structure is more complicated than that? For instance, we have our year levels separated into folders to make it easy for teachers to locate a certain kid’s work. There just isn’t a variable to insert a specific folder into this path based on the user’s location or position in AD — ie. you can’t use \\server\share\%groupfolder%\%username%\Desktop as it just doesn’t exist.

The next logical step was to try inserting the mapped drive into this field: “H:\Desktop”. The problem here was that at the point that the logon process connects to the desktop, the H: has not yet been mapped, leaving a blank desktop and an error in the Application log. It was at this point a few years ago I gave up. Until this week.

Lucky for us!

When you view the GP report for Folder Redirection you’ll notice that MS includes the VARIABLES that it uses to fill in the user’s home folder path (as shown):
documentssettings.png AH! Variables!

In my initial tests, I set the Target folder location to “Redirect to the following location”, and the Root Path: to “%HOMESHARE%%HOMEPATH%\Desktop”. This did NOT work. I can’t remember the error exactly, and I think it may not have even mapped at all.

My next test was to try with “%HOMESHARE%\Desktop” and lo-and-behold, it worked! Now when a user logs in they get a H Drive, and a desktop that routes to a folder in that drive, regardless of the path the user data is in. If they inadvertently save something to their desktop[3] it will be securely tucked in their home drive where they can find it again later, or on their desktop the next time they log in.

Going through the rest of the folders in Folder Redirection I did the same (except for the Start Menu, although I suspect this will work exactly the same way). Now all my data is secure in my home drive, without using true roaming profiles (which can end up pulling a lot of data around the network in a school environment).

Some caveats

Even after multiple iterations and rewrites, Adobe software still cannot handle expanded network paths for saving application data. If you redirect AppData to “%HOMESHARE%\AppData” even something as new as Adobe Photoshop CS4 refuses to load. The only solution I have found for this is to use “H:\AppData” or nothing at all for that folder. This seems to work acceptably for the AppData folder, even though it doesn’t for the Desktop.

Wrong! H:\AppData has the same problem outlined above, that is, H is only mapped after folder redirection. Instead I followed the advice on this Adobe Getsatisfaction page by Ge3oR who suggested giving users permission to c:\users\USERXX\appdata\Locallow, which for some reason Adobe products need, but cannot create themselves. So in GP I added a Folder rule in GP Preferences to create a folder in C:\users\%username%\appdata\Locallow, and everything is working, and I have redirected AppData once more!

Also! I haven’t actually tested this extensively in a production environment (although it works day-to-day on a couple of test desktops), so test this with your apps and bits before making these changes wholesale to your network.

I’ve also found while writing this post[4] that this information is included in part in Microsoft’s Managing Roaming User Data Deployment Guide.doc found here. As I wasn’t using roaming profiles I didn’t read it. Plus it’s unclear as to the best way to redirect and I still would have written this post to clear it up for you.

I hope this tip can help you get Folder Redirection working for you if your environment is a bit unusual. Let me know what you find!

Series Navigation«Deploy Printers with Group Policy without using Local Loopback
Footnotes
  1. actually Favorites, but I’m not American 
  2. they can be moved on a standalone machine too, but that’s a different post 
  3. and come on, who doesn’t do this 
  4. thanks to this helpful gent 
Print
The Folder Redirection for Unusual Paths [Group Policy] by Joshua Nunn, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 Australia License.

Share: Bookmark on Delicious Short link: http://e01.li/8Zwd64
Tags: , , , , , , ,
Categories: TechPermalinkView Comments

  • Adam
    Josh. This was helpful. I'm trying to migrate a legacy folder redirection GPO based on 2003/XP to 2008/Win7. The later is much more granular and allows me to leave music locally while putting documents, favorites, links and pictures on our network drive.

    %HOMESHARE%\Documents
    %HOMESHARE%\Desktop
    %HOMESHARE%\Favorites
    %HOMESHARE%\Links

    all work well, redirecting the test folders to the test user's W drive root.

    However:

    %HOMESHARE%\Pictures exhibits the same behavior as the other setting of "Follow the Documents" directory. It's as if the ghost of XP is still alive and requires My Pictures to be a sub of My Documents. It's not super critical, but I'm curious if you've had any luck putting Pictures at the same level as documents in a redirected policy?

    Thanks for the excellent writeup.
  • 'Fraid I haven't tried doing it that way. I have Documents in the root, and all the others off it. I may actually re-do it your way eventually though, so thanks for the heads up!
  • Thanks for the info. I ended up doing the my docs redirection via GP and the Desktop and favorites via the registry change via GP preferences.

    Regarding the variable discussion, ZCM 10 lets you specify variables for use in software deployment at the "OU" level. It is very handy for couple applications. For instance, I put all of the computers for one classroom in the same OU. Then I am able to specify variables for that classroom. I specify a variable for th teacher computer name, then when I deploy my SynchronEyes app, I am able to use variable to point the student computers to the teachers computer all with the same app.
  • Andrew
    Keln, did you get My docs redirected in XP or Windows 7 ( Documents ) ? I can not get folders redirection to work in ZCM10.3 via GP in Win 7 ( importing from AD domain GP ), if you have indeed succeeded could you please elaborate a bit more on that ?
  • Drewfus
    "...you can’t use \\server\share\%groupfolder%\%username%\Desktop as it just doesn’t exist."

    This reminded me of something i've been thinking about - domain level variables.
    We have user variables, local machine variables - why not domain variables?

    > set GroupFolder=1styear /domain
  • That could come in quite handy. Where would you put the option to set
    something like that? Keeping in mind that the computer would have to
    translate all the variables at login. And used badly, it could
    complicate login and fault finding even further.

    Of course if it gets too complicated you begin to enter territory
    where scripts might be a simpler option anyway!

    One wy it could work automatically might be to allow you to use OU
    names as variables. That would mean you'd need totally unique OU
    names, but it might be a useful trade off. Who knows, in Server 2012
    they may include something like that.
  • Drewfus
    Well i suppose it could just be an option switch added to the set or setx commands.

    For set,

    > set GroupFolder=1styear /domain

    For setx, the -d switch is taken (additional delimiters), and so is -a (absolute coordinates). So perhaps -g for Global?

    > setx GroupFolder 1styear -g

    I'm not sure how the client machine would pick up the domain variables, but perhaps something like a registry hive file in the Netlogon share?

    \\%logonserver%\netlogon\EnvVars.hiv

    Yes, OU names as variables could be handy.
  • I appreciate you posts on Group Policy, especially the printer post.

    I have been unable to get the setting: “%HOMESHARE%\Desktop” to work in XP. Were you using XP or a later OS?
  • If I recall correctly, I did have this working once at another school but I think I used registry settings to do it. In the registry of my mandatory user profile I set
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders to H:\Desktop.

    My memory is very vague though (hence these posts written somewhere I'll never lose them) so that might not be all it took to get it working on XP.
  • I've been doing my testing in Win7. I've done the same for my XP users too, but haven't actually checked that it works as they have lived without it up till now, and it's only a matter of days before I have Win7 rolled out to everyone.
blog comments powered by Disqus