Most administrators know that no matter how stern your company's policies and warnings, believing that users will back up their document files is tantamount to believing in Santa Claus. Windows 2000's new folder redirection feature lets you move special user folders—the Application Data, Desktop, My Documents, and Start Menu subfolders under the user's Documents and Settings folder—from local computers to servers, thereby ensuring regular backup of user files.
Backup insurance isn't the only advantage you gain from folder redirection. When you implement redirection, roaming users no longer need to download their documents during logon and upload the files during logoff. Instead, Win2K sends the pointer to the server-based folder during the logon, thereby speeding the logon and logoff processes. (See the sidebar "Folder Redirection vs. Offline Folders," page 144, for an explanation of how this feature differs from offline folders.) Additionally, you can impose disk quotas against the server that holds user documents, thus "encouraging" users to clean out their My Documents folders occasionally.
The downside of folder redirection is that it requires a lot of disk space on the server. Also, users can't get to documents when the server is unavailable. Because redirection is server-configured, however, you can easily move the pointers to another server (or even back to users' local computers) when the original server is scheduled for maintenance. If a server goes down unexpectedly, you can restore its backup to another server and change the pointers. This option lets users get back to work in a reasonably short time.
The best practice is to redirect only the My Documents subfolder. You shouldn't, however, redirect My Pictures, which resides under My Documents: The size of the graphics files in My Pictures can overwhelm your server's disk-space capacity. I can't think of any good reasons to redirect the other available subfolders, and doing so might prevent users from employing local applications when the server is down. To protect user documents, you must redirect folders to servers that use NTFS.
Setting Up Folder Redirection for My Documents
Folder redirection is a Group Policy feature, so Win2K implements redirection through Active Directory (AD). Before you start the policy configuration process, create a parent folder on each server that will hold redirected folders, and share that folder. By default, the new folder will provide Full Control for the Everyone group; you can keep this default because individual user folders will maintain individual permission schemes. If you have some reason to deny Full Control, you must provide at least Modify permissions for the Everyone group.
If you're redirecting folders for users in a domain or organizational unit (OU), open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. You can use the MMC Active Directory Sites and Services snap-in to apply Group Policy at the site level. However, common practice is to establish a basic set of policies on a domainwide basis, then establish policies that apply to individual OUs. Another reason to start at the domain level is that the domain's Default Domain Policy provides one place to view or edit policies. (Sites don't have a Default Site Policy.) However, if you've created a site-based architecture for your enterprise, applying policies on a site-by-site basis might make sense.
In the console pane of the appropriate MMC, right-click the domain, OU, or site container that contains the user accounts for which you want to redirect folders. Choose Properties from the shortcut menu to open the container's Properties dialog box.
Move to the Group Policy tab. From this tab, you can add the folder redirection policy to an existing policy or create a new policy, depending on the way you like to organize your AD. (You might prefer to put all policies in one policy object or keep similar policies in individual policy objects.) Select the new or existing policy object and click Edit to open the Group Policy Editor (GPE) snap-in. Expand the User Configuration object in the GPE's console pane, expand Windows Settings, and select the Folder Redirection node.
Separate My Pictures from My Documents
To eliminate My Pictures from the redirected folder settings, you must first separate the My Pictures subfolder from the My Documents folder. Otherwise, these folders behave as one unit.
Expand My Documents in the console pane and right-click My Pictures. Choose Properties to open the My Pictures Properties dialog box. The Target tab shows the current location for My Pictures; by default, the setting is Follow the My Documents folder. Click the arrow at the right of the Setting box and select No administrative policy specified. Click OK to separate My Pictures' policies and My Documents' policies.
Redirect My Documents
Right-click My Documents in the GPE's console pane, select Properties, and move to the Target tab. My Documents' default Target setting is No administrative policy specified. Click the arrow at the right of the Setting box to display the following redirection choices:
- BasicRedirect everyone's folder to the same location. Choose this option to redirect My Documents for all users in the selected container (e.g., the domain, the OU) and to use the same server for all redirected folders.
- AdvancedSpecify locations for various user groups. Choose this option to redirect My Documents for only mem-bers of particular groups or to specify different servers for different groups' folders.
The Basic redirection option is straightforward; all you need to do is establish the target folder on the server. The Advanced redirection option lets you be selective about the target users and target folders. You can use this option to redirect folders for specific users according to their group memberships. For example, if you've created a security group for mobile users, this option provides a way to exclude those users from the redirected folders policy. (If you haven't created a security group for mobile users, you should create one or more OUs for them and apply the redirected folders policy at the OU level.) The Advanced option requires more steps, so I'll describe the process for configuring this option. If you choose the Basic option, simply follow the step for specifying the target folder.
When you select the Advanced option, a Security Group Membership section appears on the Target tab. To add a group to the list, click Add. This action opens the Specify Group and Location dialog box, which you use to select groups and to specify the location of each group's redirected folders.
Click Browse in the Security Group Membership section to open the Select Group dialog box. Select the security group to which you want to apply folder redirection and click OK. The group's name appears in the Security Group Membership section's text box.
In the Target Folder Location section's text box, type the Uniform Naming Convention (UNC) path to the server share you created to hold the redirected folders. To this path, add the variable %username%. If you don't remember the UNC path, you can click Browse and select the folder, but the Target Folder Location box then displays the folder's path with a drive letter instead of a UNC path. Delete the drive letter and use the UNC path format instead. Figure 1, page 144, shows the specifications to redirect folders for my domain's accounting department (i.e., members of the Accntg group in the WESTERN domain) to a parent folder (i.e., the Userdocs folder on the server west).
Repeat these steps to continue adding groups. You can place each group's redirected folders on different servers or in different parent shares, or you can put all the redirected folders into the same share on the same server. When you've added all the groups you want to target, move to the Properties dialog box's Settings tab to configure the redirection settings for the policy. Figure 2, page 144, shows the recommended options.
If you didn't previously separate My Pictures and My Documents, the options in the Settings tab's My Pictures Preferences section are inaccessible. Wherever you redirect My Documents, My Pictures comes along for the ride.
Automatically Creating User Subfolders
The next time an affected user logs on, the system automatically creates the \%username% subfolder on the server and copies all existing user documents to that subfolder. As the user saves and opens documents, the user's system transparently accesses the server-based folder.
If you want to verify the creation of a user's folder, you (or the user) can right-click the My Documents folder on the client desktop and select Properties. The Target box under the Folder Location section should display the UNC path for the server-based folder (instead of the user's subfolder under the local Documents and Settings folder). You can also check the server to make sure the folder you created adds a \%username% subfolder as each affected user logs on.
Protecting User Privacy
As I mentioned earlier, the folder redirection feature provides safeguards for user privacy: The redirected documents are available only to the user. (Even an administrator who tries to open a user's subfolder on the server receives an error message stating that access is denied.) Each \%username% subfolder has the following default permissions:
- %username% (i.e., the user)—Full Control
- Everyone—No Access
- System—Full Control
I use folder redirection because it's the only surefire scheme for backing up user-created documents. The additional advantages of freeing up disk space on client computers and giving roaming users the ability to quickly get to their documents makes redirection a worthwhile feature that every administrator should investigate.