
Topic: Folder Redirection

  
  1. #1
    Real name: 1234

    Retired moderator
    Join date
    Jul 2009
    Location
    5678
    Posts
    5,634
    Thanks received
    2513
    Thanks given
    272

    Folder Redirection

    Folder Redirection Overview


    User settings and user files are normally stored in the local user profile, under the Users folder. The files in local user profiles are accessible only from the current computer, which makes it difficult for users who use more than one computer to work with their data and synchronize settings between multiple computers. Two different technologies exist to address this problem: Roaming Profiles and Folder Redirection. Both of these technologies have their advantages, and they can be used separately or together to create a seamless user experience from one computer to another. They also provide additional options for administrators managing user data.
    Folder Redirection allows administrators to redirect the path of a folder to a new location. The location can be a folder on the local computer or a directory on a network file share. Users have the ability to work with documents on a server as if the documents were based on a local drive. The documents in the folder are available to the user from any computer on the network. Folder Redirection is located under Windows Settings in the console tree when editing domain-based Group Policy using the Group Policy Management Console (GPMC). The path is [Group Policy Object Name]\User Configuration\Policies\Windows Settings\Folder Redirection.

    New in Windows Vista

    Folder Redirection through the GPMC in Windows Vista includes new features:

    • The ability to redirect more folders in the user profile folders than in earlier Windows operating systems. This includes the Contacts, Downloads, Favorites, Links, Music, Saved Games, Searches, and Videos folders.
    • The ability to apply settings for redirected folders to Microsoft Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 computers. You have the options of applying the settings you configure on Windows Vista to only Windows Vista computers, or applying them in addition to these earlier Windows operating systems. For these earlier Windows operating systems, you can apply these settings to folders that can be redirected, which are the Application Data, Desktop, My Documents, My Pictures, and Start Menu folders. This option is available in the Settings tab in the Properties for the folder, under Select the redirection settings for [FolderName].
    • The option to have the Music, Pictures, and Videos folders follow the Documents folder. In earlier Windows operating systems, these folders were subfolders of the Documents folder. By configuring this option, you take care of any issues related to naming and folder structure differences between Windows Vista and earlier Windows operating systems. This option is available in the Target tab in the Properties for the folder, under Settings.
    • The ability to redirect the Start Menu folder to a specific path for all users. In Windows XP, the Start Menu folder could be redirected only to a shared target folder.

    Note This capability is new only to the Start Menu folder. All other redirectable folders in Windows Vista can also be redirected to a specific path for all users.

    Folders that can be redirected

    You can use the Group Policy Management Console to redirect folders in Windows Vista and folders in earlier Windows operating systems.


    Windows Vista    | Equivalent Folder in Earlier Windows Operating System
    AppData/Roaming  | Application Data
    Contacts         | N/A
    Desktop          | Desktop
    Documents        | My Documents
    Downloads        | N/A
    Favorites        | N/A
    Links            | N/A
    Music            | N/A
    Pictures         | My Pictures
    Saved Games      | N/A
    Searches         | N/A
    Start Menu       | Start Menu
    Videos           | N/A

    Advantages of Folder Redirection


    • Even if a user logs on to various computers on the network, their data is always available.
    • Offline File technology (which is turned on by default) gives users access to the folder even when they are not connected to the network. This is particularly useful for people who use portable computers.
    • Data that is stored in a network folder can be backed up as part of routine system administration. This is safer because it requires no action on the part of the user.
    • If you use Roaming User Profiles, you can use Folder Redirection to reduce the total size of your Roaming Profile and make the user logon and logoff process more efficient in terms of time for the end user. When you deploy Folder Redirection with Roaming User Profiles, the data synchronized via Folder Redirection is not part of the roaming profile and is synchronized in the background using Offline Files after the user has logged on. As a result the user does not need to wait for this data to be synchronized at logon/logoff as is the case with Roaming User Profiles.
    • Data that is specific to a user can be redirected to a different hard disk on the user's local computer from the hard disk that holds the operating system files, making the user's data safer in case the operating system has to be reinstalled.
    • As an administrator, you can use Group Policy to set disk quotas, limiting the amount of space that is taken up by user profile folders.


    Selecting a Folder Redirection target

    The Target tab of the folder's Properties box enables you to select the location of the redirected folder on a network or in the local user profile. You can choose between the following settings:

    • Basic—Redirect everyone's folder to the same location. This setting enables you to redirect everyone's folder to the same location and will be applied to all users included in the Group Policy object (GPO). For this setting you have the following options in specifying a target folder location:
      • Create a folder for each user under the root path. This option will create a folder in the form \\server\share\User Account Name\Folder Name. Each user will get a unique path to their redirected folder.

        Note If you enable the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems option on the Settings tab, this option is not available for the Start Menu folder.

      • Redirect to the following location. This option will use an explicit path to the redirection location. This can cause multiple users to share the same path to the redirected folder.
      • Redirect to the local user profile location. This option will move the location of the folder to the local user profile under the Users folder.


    • Advanced—Specify locations for various user groups. This setting enables you to specify redirection behavior for the folder based on the security group memberships for the GPO.
    • Follow the Documents folder. This option is available only for the Music, Pictures, and Videos folders. This option resolves any issues related to naming and folder structure differences between Windows Vista and earlier Windows operating systems. If you choose this option, you will not be able to configure any additional redirection options or policy removal options for these folders and settings will be inherited from the Documents folder.

    Note This behavior will also occur by default if you enable the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems option on the Settings tab when configuring redirection settings for the Documents folder.

    • Not configured. This is the default setting. This setting specifies that policy-based folder redirection has been removed for that GPO and the folders will be redirected to the local user profile location or stay where they are based on the redirection options selected if any existing redirection policies have been set. No changes are being made to the current location of this folder.


    Configuring additional settings for the redirected folder

    In the Settings tab in the Properties box for a folder, you can enable these settings:

    • Grant the user exclusive rights. This setting is enabled by default and is a recommended setting. This setting specifies that the administrator and other users do not have permissions to access this folder.
    • Move the contents of [FolderName] to the new location. This setting moves all the data the user has in the local folder to the shared folder on the network.
    • Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems. This enables folder redirection to work with both Windows Vista and earlier Windows operating systems. This option applies only to redirectable folders in earlier Windows operating systems, which are the Application Data, Desktop, My Documents, My Pictures, and Start Menu folders.

    Note The AppData/Roaming (previously Application Data in earlier Windows operating systems) folder in Windows Vista now contains a number of folders that were previously under the root folder of the User Profile folder in earlier Windows operating systems. For example, in earlier Windows operating systems, the Start Menu folder was not under the Application Data folder. It might not make sense to redirect all of the folders under Application Data when you enable the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems setting. Therefore if you choose this setting, Windows Vista does not redirect the following folders automatically: Start Menu, Network Shortcuts, Printer Shortcuts, Templates, Cookies, Sent To. If you do not choose this setting, Windows Vista will automatically redirect all folders under the Application Data folder.

    • Policy Removal. The following table summarizes the behavior of redirected folders and their contents when the GPO no longer applies, based on your selections for policy removal. The following policy removal options are available in the Settings tab, under Policy Removal.



    Policy Removal option: Redirect the folder back to the user profile location when policy is removed
    Selected setting: Enabled
    Result:

    • The folder returns to its user profile location.
    • The contents are copied, not moved, back to the user profile location.
    • The contents are not deleted from the redirected location.
    • The user continues to have access to the contents, but only on the local computer.

    Policy Removal option: Redirect the folder back to the user profile location when policy is removed
    Selected setting: Disabled
    Result:

    • The folder returns to its user profile location.
    • The contents are not copied or moved to the user profile location.

    Note If the contents of a folder are not copied to the user profile location, the user cannot see them.

    Policy Removal option: Leave the folder in the new location when policy is removed
    Selected setting: Either Enabled or Disabled
    Result:

    • The folder remains at its redirected location.
    • The contents remain at the redirected location.
    • The user continues to have access to the contents at the redirected folder.


    Additional considerations

    For step-by-step information about how to use folder redirection, see Specify the Location of Folders in a User Profile.




    ARM and mcmilad gave thanks.

  2. #2
    How to Configure Folder Redirection


    Updated: March 1, 2002
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    Administrators manage Folder Redirection settings by using the Group Policy snap-in.
    To configure Folder Redirection:

    1. To start the Group Policy snap-in from the Active Directory Users and Computers snap-in, click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers.
    2. In the MMC console tree, right-click the domain or the OU for which to access Group Policy, click Properties, and click Group Policy.
    3. To create a new Group Policy object (GPO), right-click the domain or OU you want to associate with the GPO, select Properties from the context menu, and then in the domain or OU container's Properties page, click the Group Policy tab.
    4. Click New, and type the name to use for the GPO. For example, type Redirect MyDocuments GPO.
    5. Click Edit to open the Group Policy snap-in and edit the new GPO.
    6. In the Group Policy console, expand the User Configuration, Windows Settings, and Folder Redirection nodes. Icons for the personal folders that can be redirected will be displayed.
    7. To redirect any of these folders, right-click the folder name, click Properties, and then select one of the following options from the Setting drop-down box:
      • Basic - Redirect everyone's folder to the same location. All folders affected by this Group Policy object will be stored on the same network share.
      • Advanced - Specify locations for various user groups. Folders are redirected to different network shares based on security group membership. For example, folders belonging to users in the Accounting group can be redirected to the Finance server, while folders belonging to users in the Sales group are redirected to the Marketing server.

    8. On the My Documents Properties page, in the Target folder location drop down box select Create a folder for each user under the root path. In the Root Path text box, type the name of the shared network folder to use, or click Browse to locate it. Note: Unlike Windows 2000, you do not need to type in the %username% variable. The folder redirection code will automatically create a My Documents folder for each user, inside a folder based on their user name. For example, type \\FolderServer\MyDocumentsFolders rather than \\FolderServer\MyDocumentsFolders\%username% as you would on Windows 2000.
    9. In the folder's Properties dialog box, select the Settings tab, configure the options you want to use, and then click Finish to complete the Folder Redirection. The available options for settings are:
      • Grant the user exclusive rights to My Documents. If selected, this sets the NTFS security descriptor for the %username% folder to Full Control for the user and local system only; this means that administrators and other users do not have access rights to the folder. This option is enabled by default. Note: Changing this option after the policy has been applied to some users will only affect new users receiving the policy.
      • Move the contents of My Documents to the new location. Moves any document the user has in the local My Documents folder to the server share. This option is enabled by default.
      • Leave the folder in the new location when policy is removed. Specifies that files remain in the new location when the Group Policy object no longer applies. This option is enabled by default.
      • Redirect the folder back to the local user profile location when policy is removed. If enabled, specifies that the folder be copied back to the local profile location if the Group Policy object no longer applies.

        The My Documents Properties page provides two additional options for the My Pictures folder:

        Make My Pictures a subfolder of My Documents. If selected, when the My Documents folder is redirected, My Pictures remains a subfolder of My Documents. By default, My Pictures automatically follows the My Documents folder.

        Do not specify administrative policy for My Pictures. If selected, Group Policy does not control the location of My Pictures; this is determined by the user profile.


    An important point to note is that you should not pre-create the directory defined by user name. Folder Redirection will handle setting the appropriate ACLs on the folder. If you choose to pre-create folders for each user, be sure to set the permissions correctly (see the permissions tables in the Best Practices section later in this paper).
    For more information about using the Group Policy snap-in and the Folder Redirection extension, refer to the Windows Server 2003 online Help and the Step-by-Step Guide to User Data and User Settings at http://www.microsoft.com/technet/pro...p/usrdata.mspx.
    Changing settings after Folder Redirection policy has been applied.

    It is possible to change the Folder Redirection options on the Settings tab after the policy has been applied. You should note that changing the value of the Grant the user exclusive rights to <folder name> setting will only apply to new users affected by the policy. Any existing users that received the policy will use the original Grant the user exclusive rights to <folder name> setting.

    Folder Redirection and environment variables

    The folder redirection client side extension is only able to process two environment variables: %username% and %userprofile%. Other environment variables such as %logonserver%, %homedrive% and %homepath% will not work with folder redirection.

    Folder Redirection and mapped drives

    Because folder redirection is processed early in the logon process, the folder redirection client side extension is not able to redirect to drives mapped via logon scripts (including the homedrive for folders other than My Documents). At the time that redirection takes place, the drives do not exist, hence redirection fails.

    Folder Redirection Troubleshooting.

    Folder redirection processing contains 5 steps:

    1. Determine which folders to redirect based on changes to policy at logon time.
    2. Determine desired redirected location and verify access.
    3. If folder does not exist: create folders, set ACLs.
    4. If folder exists, check ACLs and ownership.
    5. If desired, move contents.

    Folder redirection failures only affect the folder redirection extension on a per folder basis. If you're pre-creating folders rather than letting the folder redirection extension automatically create the folder, typical errors include:

    • Redirecting to a folder that is incorrectly ACLd.
    • User is not the owner of the folder.
    • Destination does not exist.

    Enabling logging

    In addition to logging events in the Application Event log, Folder Redirection can provide a detailed log to aid troubleshooting. To create a detailed log file for folder redirection, use the following registry key:

    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    • Set: FdeployDebugLevel = Reg_DWORD 0x0f

    Note The log file can be found at: %windir%\debug\usermode\fdeploy.log




    Using Logon Scripts to Redirect Folders

    Although using Group Policy to redirect users' folders is the recommended method, there are alternate ways to achieve similar results. You can use logon scripts to set the values of the User Shell Folders key in the registry, which will give you basic functionality similar to Folder Redirection.
    Alternatively, you could use Windows NT 4.0 system policies to set the appropriate values. However, if you choose to do this, you lose the advantages of using Group Policy to set folder paths, such as automatic moving of files when the path changes, and the registry settings will persist.











    ARM and mcmilad gave thanks.
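
Added example, not part of the post above or of the documentation it quotes: a PowerShell pre-flight check for the three typical pre-created-folder errors listed under Folder Redirection Troubleshooting (missing destination, wrong owner, wrong ACL), plus the FdeployDebugLevel logging value. The function names and the sample share and account names are assumptions.

```powershell
using namespace System.Security.Principal
using namespace System.Security.AccessControl

# Added example: Test-RedirectTarget, Enable-FdeployLog and the sample names
# below are hypothetical. The registry key, value and log path are from the post.

function Test-RedirectTarget {
    param(
        [Parameter(Mandatory)][string]$RootPath,   # e.g. \\FolderServer\MyDocumentsFolders
        [Parameter(Mandatory)][string]$Account     # e.g. 'EXAMPLE\alice' (constructed)
    )
    $userSid  = [NTAccount]::new($Account).Translate([SecurityIdentifier])
    $userName = $Account.Split('\')[-1]
    $target   = Join-Path $RootPath $userName      # the per-user folder under the root
    $report   = [ordered]@{
        Path = $target; Exists = $false; OwnerIsUser = $false
        UserFullControl = $false; OtherTrustees = @()
    }

    # Typical error: "Destination does not exist."
    if (Test-Path -LiteralPath $target -PathType Container) {
        $report.Exists = $true
        $acl = Get-Acl -LiteralPath $target

        # Typical error: "User is not the owner of the folder."
        $report.OwnerIsUser = $acl.GetOwner([SecurityIdentifier]).Equals($userSid)

        # Typical error: "Redirecting to a folder that is incorrectly ACLd."
        # With exclusive rights enabled, the post expects Full Control for the
        # user and local system only, so any other trustee is reported.
        $system   = [SecurityIdentifier]::new([WellKnownSidType]::LocalSystemSid, $null)
        $fullMask = [int][FileSystemRights]::FullControl
        foreach ($ace in $acl.GetAccessRules($true, $true, [SecurityIdentifier])) {
            if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
            $isFull = ([int]$ace.FileSystemRights -band $fullMask) -eq $fullMask
            if ($ace.IdentityReference.Equals($userSid)) {
                if ($isFull) { $report.UserFullControl = $true }
            }
            elseif (-not $ace.IdentityReference.Equals($system)) {
                $report.OtherTrustees += $ace.IdentityReference.Value
            }
        }
    }
    [pscustomobject]$report
}

function Enable-FdeployLog {
    # Sets FdeployDebugLevel = 0x0f as described in the post and returns the
    # path where the detailed log is written. Requires an elevated session.
    $key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'FdeployDebugLevel' `
        -PropertyType DWord -Value 0x0f -Force | Out-Null
    Join-Path $env:windir 'debug\usermode\fdeploy.log'
}

# Usage (constructed names):
#   Test-RedirectTarget -RootPath '\\FolderServer\MyDocumentsFolders' -Account 'EXAMPLE\alice'
#   Enable-FdeployLog
```

A report with Exists = True but OwnerIsUser = False matches the ownership failure the thread describes for pre-created folders.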

  3. #3
    How To Configure Folder Redirection


    Introduction

    Folder redirection can limit the amount of data that is copied between the Roaming Profile Share and the Terminal Server at each logon and logoff. This is accomplished by redirecting folders like Desktop, My Documents, and Application Data to a Network Share outside of the Roaming Profile Share, so it is not copied at each logon and logoff.
    Folder redirection can also provide locked down Desktop and Start Menu Folders by redirecting to Network Shares from which the end users can only read, or it can be set up so users' individual Start Menu and Desktop folders reside on a File Share instead of being copied back and forth with the rest of the roaming profile. This reduces the amount of data being transferred at each logon/logoff and provides a more stable environment for users that log on to multiple terminal server sessions at the same time. This is because there is no risk of data loss by one copy of the roaming profile’s Desktop Folder overwriting a previously saved copy, as they are always referring to the directory on the file share, not to a local profile folder.
    Terminal Server Group Policy Best Practice

    Before we dig into configuring Folder Redirection, let’s review how to configure Group Policies for use with Terminal Services. Best Practice for applying Settings to Users only when they log on to Terminal Servers would be to:

    1. Create an OU to contain a set of Terminal Servers
    2. Block Policy Inheritance on the OU (Properties -> Group Policy). This prevents settings from higher-up in AD from affecting your Terminal Servers.
    3. Move the Terminal Server Computer Objects into the OU. Do NOT place User Accounts in this OU.
    4. Create an Active Directory Security Group called “Terminal Servers” (or something similar that you’ll recognize) and add the Terminal Servers from this OU to this group.
    5. Create a GPO called “TS Machine Policy” linked to the OU
    6. Check “Disable User Configuration settings” on the GPO
    7. Enable Loopback Policy Processing in the GPO
    8. Edit the Security of the Policy so Apply Policy is set for “Authenticated Users” and the Security Group containing the Terminal Servers
    9. Create additional GPOs linked to this OU for each user population, i.e. “TS Users”, “TS Administrators”.
    10. Check “Disable Computer Configuration settings” on these GPOs
    11. Edit the Security on these User Configuration GPOs so Apply Policy is enabled for the target user population, and Deny Apply Policy is enabled for users to which the policy should not apply.

    With GPOs configured this way the Machine Policy applies to everyone that logs on to the Terminal Server (only the Computer Configuration Settings of the Machine Policy are processed) in addition to the appropriate User Configuration GPO (only the User Configuration portion of the GPO is processed) for the target user population.
    Folder Redirection GPO Settings

    Since Folder Redirection is in the User Configuration portion of a GPO, one can create multiple different policies and apply one to each distinct user population by filtering the security settings in the properties of the GPO. This allows administrators to redirect some users' folders to pre-configured directories, that the users do not have sufficient NTFS Permission to alter, and to redirect other users to folders that are self maintained.
    Folder Redirection settings are located in User Configuration-> Windows Settings -> Folder Redirections. In that node one will find:

    To configure an item, right-click and select “Properties”. This exposes the configuration UI for the specified folder. In a single GPO one can either configure the folder to redirect to a specified location for all users to which the GPO applies, or one can configure the folder to redirect to a specified location based upon group membership.

    NTFS and Share Permissions

    For folder redirection to work properly, the destination shared folder NTFS and Share Permissions must be properly configured. If redirecting a folder to a location that the end user should not change, i.e. the Start Menu or Locked Down Desktop, the following permissions should be applied:

    • Share Permissions:
      • Everyone – Full Control
      • Administrators – Full Control
      • System – Full Control

    • NTFS Permissions:
      • Everyone – Read and Execute
      • Administrators – Full Control
      • System – Full Control

    If Group Policy is configured to redirect to a location where the GPO will automatically create the destination folder, i.e. user’s individual Application Data, Desktop or My Documents folders, the following permissions should be applied to the parent folder:

    • Share Permissions:
      • Everyone – Full Control
      • Administrators – Full Control
      • System – Full Control

    • NTFS Permissions:
      • Everyone - Create Folder/Append Data (This Folder Only)
      • Everyone - List Folder/Read Data (This Folder Only)
      • Everyone - Read Attributes (This Folder Only)
      • Everyone - Traverse Folder/Execute File (This Folder Only)
      • CREATOR OWNER - Full Control (Subfolders and Files Only)
      • System - Full Control (This Folder, Subfolders and Files)
      • Domain Admins - Full Control (This Folder, Subfolders and Files)

    It’s important to note that when redirecting folders such as My Documents to a location that already exists, i.e. the User’s Home Folder, there is another setting to consider: ownership. If the user is not the owner of the destination directory, folder redirection will fail with the default Folder Redirection settings. When this is the case, one must deselect “Grant the user exclusive rights to My Documents”.

    If this is not configured, folder redirection will fail and the following will be written to the Terminal Server’s Event Log:
    Event ID: 101
    User: username
    Computer: computername
    Description:
    Failed to perform redirection of folder foldername. The new directories for the redirected folder could not be created. The folder is configured to be redirected to \\servername\sharename\%username%, the final expanded path was \\servername\sharename\username. The following error occurred:
    Access is denied.
    Notes:

    • User Configuration Settings in Group Policy take effect upon the first logon after the policy is saved and replicated to the user’s logon server.
    • Computer Configuration Settings in Group Policy take effect when the machine boots and logs on to Active Directory. With this in mind, one needs to reboot a terminal server before Computer Configuration setting changes will be applied.
    • Folder Redirection does not exist in Local Policy. If one wants to redirect folders without using Active Directory they should investigate redirecting folders by editing the registry at:
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    • If redirecting the Start Menu, one should be aware that “by default” users right clicking on Start Button to Explore will explore starting at the redirected folder’s network location, even if you have restricted access to My Network Places. To avoid this, one can edit the following registry entry:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\ddeexec]
      @="[ExploreFolder(\"DriveLetter:\\\", DriveLetter:\\, %S)]"





    ARM gave thanks.
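
Added example, not part of the post above: PowerShell that applies the parent-folder NTFS permissions listed for automatically created folders and then audits the Everyone entries against that list. The function names, the sample path and the group name are assumptions, as is the choice to disable inheritance and replace existing explicit entries.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example: function names, parameters and sample values are hypothetical.
# Rights the post lists for Everyone on the parent folder (This Folder Only).
# Synchronize is included because .NET adds it to every Allow rule it builds.
$script:EveryoneMask = [FileSystemRights]'CreateDirectories, ListDirectory, ReadAttributes, Traverse, Synchronize'
$script:Everyone     = [SecurityIdentifier]::new([WellKnownSidType]::WorldSid, $null)

function New-AllowRule {
    param([IdentityReference]$Identity, [FileSystemRights]$Rights,
          [InheritanceFlags]$Inherit, [PropagationFlags]$Propagate)
    [FileSystemAccessRule]::new($Identity, $Rights, $Inherit, $Propagate, [AccessControlType]::Allow)
}

function Get-ExpectedRootRule {
    param([Parameter(Mandatory)][string]$DomainAdmins)   # e.g. 'EXAMPLE\Domain Admins'
    $creator  = [SecurityIdentifier]::new([WellKnownSidType]::CreatorOwnerSid, $null)
    $system   = [SecurityIdentifier]::new([WellKnownSidType]::LocalSystemSid, $null)
    $admins   = [NTAccount]::new($DomainAdmins).Translate([SecurityIdentifier])
    $children = [InheritanceFlags]'ContainerInherit, ObjectInherit'

    New-AllowRule $script:Everyone $script:EveryoneMask None None   # This Folder Only
    New-AllowRule $creator FullControl $children InheritOnly        # Subfolders and Files Only
    New-AllowRule $system  FullControl $children None               # This Folder, Subfolders and Files
    New-AllowRule $admins  FullControl $children None               # This Folder, Subfolders and Files
}

function Set-RedirectionRootAcl {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$DomainAdmins)
    $acl = Get-Acl -LiteralPath $Path
    # Assumption (not stated in the post): stop inheriting entries from the
    # parent and drop existing explicit entries so only the listed ones remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.GetAccessRules($true, $false, [SecurityIdentifier]))) {
        $acl.RemoveAccessRuleSpecific($old)
    }
    Get-ExpectedRootRule -DomainAdmins $DomainAdmins | ForEach-Object { $acl.AddAccessRule($_) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-RedirectionRootAcl {
    # Read-only audit: emits one object per deviation of an Everyone Allow
    # entry (explicit or inherited) from the list in the post.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, [SecurityIdentifier])) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        if (-not $ace.IdentityReference.Equals($script:Everyone)) { continue }

        $extra = [int]$ace.FileSystemRights -band (-bnot [int]$script:EveryoneMask)
        if ($extra -ne 0) {
            [pscustomobject]@{
                Path    = $Path
                Finding = 'Everyone holds rights beyond the four listed'
                Detail  = [FileSystemRights]$extra
            }
        }
        if ($ace.InheritanceFlags -ne [InheritanceFlags]::None) {
            [pscustomobject]@{
                Path    = $Path
                Finding = 'Everyone entry is not This Folder Only'
                Detail  = $ace.InheritanceFlags
            }
        }
    }
}

# Usage (constructed path and group name):
#   Set-RedirectionRootAcl  -Path 'D:\Shares\Redirected' -DomainAdmins 'EXAMPLE\Domain Admins'
#   Test-RedirectionRootAcl -Path 'D:\Shares\Redirected'   # no output means no findings
```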

  4. #4
    Profile and Folder Redirection In Windows Server 2003




    Assigning roaming profiles to users can greatly reduce your day to day workload. However, implementing roaming profiles can become a nightmare unless you know how to avoid the performance problems associated with them. In this article I will discuss the advantages and the common pitfalls associated with roaming profiles.


    I’ve always considered dealing with end users to be about as much fun as a trip to the dentist or a tax audit. Fortunately, there are some things that you can do to help keep the users happy (a happy user is a quiet user). The techniques that I am going to be showing you in this article center around the use of roaming profiles and folder redirection. Right now you might be wondering how something like roaming profiles can make your life easier. Well, there are several situations in which roaming profiles and folder redirections pay off big time.
    For example, any decent administrator will instruct their users to save their data on a network drive so that the data gets backed up each night. Inevitably though, some users will save data to the local hard drive. If that hard drive happens to crash, then the user will lose all of their data and will be upset because you didn’t back it up. One of the techniques that I will show you will redirect the user’s My Documents folder to a network share.
    Another example of how roaming profiles and folder redirections can make your life easier involves a situation in which the user gets a new PC. Normally, you would have to manually move all of the user’s documents and settings from the old PC to the new one. You would have to be careful not to leave anything behind to avoid upsetting the user and accidentally exposing the user’s files to whoever inherits the user’s old PC. With roaming profiles though, each user’s files and settings follow them from PC to PC, so there is no need to move anything.
    Another situation in which roaming profiles and folder redirections come in handy is when a user’s workstation crashes. Management can easily have the user whose computer crashed use someone else’s PC for the day and all of the user’s normal files and settings will be there. This frees up your time so that you can focus on resurrecting the dead computer.
    I could go on and on with more examples of how roaming profiles and folder redirections can improve the quality of your life, but I think you probably get the idea. Instead, I want to move on and show you how it’s done.
    The Anatomy of A Profile

    Before I show you how to set up a roaming profile, you need to understand that any time a user logs into a Windows XP workstation, Windows automatically creates a profile for that user (unless the machine already contains a profile for the user). The profiles are stored in the Documents and Settings folder and are contained within a sub-folder bearing the user’s name. For example, if I logged onto a machine as Brien, then Windows would place my profile in a folder named C:\Documents and Settings\Brien.
    The profile itself is fairly intricate because it contains the user’s documents and any settings that are user specific. For example, a profile contains things like the user’s application settings (EX: how Outlook is configured to allow that user access to their E-mail), Internet Explorer favorites and cookies, the user’s desktop, and the user’s Start Menu. Figure A shows the contents of a profile directory, and should give you a better idea of what all information is stored within a user’s profile.

    Figure A: This is a user’s profile folder
    Defining A Roaming Profile

    Now that you know what a profile looks like, let’s talk about making the profile mobile. The basic technique behind creating a roaming profile involves creating a shared folder on the server, creating the user a folder within the share, and then defining the user’s profile location through the group policy.
    For example, suppose that you wanted to implement roaming profiles in your own organization. The first thing that you would have to do is to create an empty folder on one of your file servers. You can call the folder anything that you want, but I have traditionally named this folder PROFILES. After you create the Profiles folder, you must share the folder. I recommend sharing the folder in a way that gives everyone full control at the share level. I would then recommend controlling permissions at the NTFS level.
    When I define the NTFS permissions, I allow everyone to have read access to the PROFILES folder. I then create sub folders for each user. The sub folder’s name should match the user’s name. As you create each user’s individual folder, you will need to define some NTFS permissions. I recommend granting the Administrator and the user full control over the folder. You should also make the user the owner of the folder. After you have set these permissions, you should block parent permissions from propagating to the folder. Otherwise, everyone will be able to read anything in the user’s profile folder.
    In most situations, this will take care of the necessary permissions. However, I have seen at least one network in which the backup software was unable to back up the user’s profile directories until the backup program’s service account was granted access to each user’s folder. That is the exception rather than the rule though.
    Once you have created the necessary folders and defined the appropriate permissions, it’s time to redirect the user’s profile. To do so, open the Active Directory Users and Computers console, right click on a user account, and select the Properties command from the resulting shortcut menu. When you do, you will see the user’s properties sheet. Now, select the properties sheet’s Profile tab. The very first field on the tab is the profile path. Enter the user’s profile path as: \\server_name\share_name\user_name. For example, if you created a share named PROFILES on a server named TAZ, then the path to Brien’s profile should be \\TAZ\PROFILES\Brien. Click OK and then the user’s profile will be roaming starting with the next login.
    Folder Redirection

    After you enable roaming profiles for a couple of users, the first thing that you will probably notice is that logins and log offs become extremely slow for those users. The reason for this is that the user’s profile is actually being maintained in multiple locations.
    The first time that a user logs in after roaming profiles have been enabled, a roaming profile does not exist for the user, so Windows uses the profile that’s stored in the local C:\Documents and Settings\ folder. When the user logs off, the entire contents of the local profile (minus the Internet Explorer cache) is copied to the server. If the user has lots of big files, this process can take a long time to complete.
    The next time that the user logs on, a roaming profile does exist. The roaming profile takes precedence over any local profile that might exist. Therefore, the entire profile is copied from the server to the local C:\Documents and Settings folder as a part of the login process. As before, if the user has a lot of large files, this can take a long time to complete. I have personally seen situations in which a login has taken over an hour because the user’s profile was so massive.
    Once the login process completes, the user works off of the local copy of the profile (which is now a mirror of the network copy). However, it’s very possible that the user could modify the profile by creating a document, placing an icon on the desktop, changing wallpapers, or whatever. Therefore, Windows considers the local profile to be the most current and copies it to the network when the user logs off.
    The solution to obscenely long logons and log offs is to use folder redirection. Folder redirection allows you to save portions of the user’s profile in a different location on the network. The advantage to using folder redirection is that once a folder has been redirected to an alternate location, it no longer has to be copied every time that the user logs on or off. Windows just understands that those particular folders will always reside on the network. Windows will only touch those folders when it needs to open a file from one of them.
    You can’t redirect every folder in a user’s profile, but you can redirect the ones that tend to be the largest and take the longest to copy each time a user logs in or out. The folders that you can redirect are Application Data, Desktop, My Documents, and Start Menu.
    You can actually redirect these folders to a user’s local profile, but that defeats the purpose of implementing roaming profiles. Therefore, I recommend creating a share point on the server to which you can redirect these folders. Creating a share point for folder redirection is a lot easier than creating a share point for roaming profiles. Basically, you can just create a folder, share it, and give everyone full control at the share level.
    The actual folder redirection is done through the group policy. To redirect a folder, open the Group Policy Editor and navigate to User Settings | Windows Settings | Folder Redirection. The group policy requires you to redirect each of the four folders separately, but the procedure for doing so is the same for each folder. Set the folder’s Setting option to Basic – Redirect Everyone’s Folder To The Same Location. Next, select the Create A Folder For Each User Under The Root Path option from the Target Folder Location drop down list. Finally, enter your root path in the place provided. For example, on my test server, I just created a share called USERS on a server named TAZMANIA. Therefore, I entered \\TAZMANIA\USERS as the root path. If you look at Figure B, you will notice that in the example under the root path, Windows automatically fills in the user name and the folder name. This occurs because Windows will automatically create all of the necessary folders and will set the required permissions as well.

    Figure B: Windows will automatically create the necessary folders beneath the root path and set the required permissions



    Thanked by ARM.

  5. #5
    Real name: 1234

    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanks received: 2513
    Thanks given: 272
    Folder Redirection feature in Windows




    Windows provides the ability to redirect specific user folders to server locations, using a group policy extension called Folder Redirection.

    Many administrators may wish to use folder redirection in such a way that a user's folders are automatically redirected to a newly created folder for each user. This article discusses how to redirect to the new folder location and the minimum NTFS Access Control List (ACL) permissions you need to complete the redirection successfully.
    Set Up

    Folder Redirection is a User group policy. This means that a user for whom you configure folder redirection must have a group policy linked to some folder structure where their user object is subordinate, such as a site, domain, or organizational unit.

    Once you create the group policy and link it to the appropriate folder object, an administrator can designate which folders to redirect and where. To do this, the administrator needs to navigate to the following location in the Group Policy Object: User Configuration\Windows Settings\Folder Redirection
    In the Properties of the folder, you can choose Basic or Advanced folder redirection, and you can designate the server file system path to which the folder should be redirected.

    The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.
    Security Requirements

    If you configure Folder Redirection to create new subfolders for each user, that user needs sufficient Share and NTFS ACL permissions to create the subfolder in the appropriate location.

    When a user does not have sufficient Share and NTFS ACL permissions, their folder is not redirected and you can view one of the following event messages in the local application event log:

    Event ID: 101
    User: username
    Computer: computername
    Description:
    Failed to perform redirection of folder foldername. The new directories for the redirected folder could not be created. The folder is configured to be redirected to \\servername\sharename\%username%, the final expanded path was \\servername\sharename\username. The following error occurred:
    Access is denied.

    -or-

    Event ID: 101
    User: username
    Computer: computername
    Description:
    Failed to perform redirection of the folder application data. The files for the redirected folder could not be moved to the new location. The folder is configured to be redirected to path. Files were being moved from path to path. The following error occurred: The security descriptor structure is invalid.

    For additional information about the permissions that are required for a share that will host redirected folders, click the following article number to view the article in the Microsoft Knowledge Base: 274443 (How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003)

    APPLIES TO


    • Microsoft Windows 2000 Server
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Professional Edition





    Thanked by ARM.

  6. #6
    Real name: 1234

    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanks received: 2513
    Thanks given: 272
    Security Recommendations for Folder Redirection: Group Policy


    Security Recommendations for Folder Redirection
    Updated: March 28, 2003
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    Use the following guidelines when you create the shares for redirected folders to ensure you set access permissions appropriately, and to help provide the most secure configuration.
    Restricting access to the share

    Redirected folders contain personal information such as documents and EFS certificates, so it is important to protect this data.

    • Create a security group for users who have redirected folders on a particular share and limit access only to those users.
    • Create a hidden share by putting a dollar sign ($) after the share name. The share is not visible in the network neighborhood.
    • Grant users the minimum permissions that are required to access the data.


    Assigning permissions for root folder, shares, and user’s redirected folder

    Tables 7.12, 7.13, and 7.14 show the permissions for the folder redirection root, share, and the users’ redirected folders.
    Table 7.12 NTFS Permissions for Folder Redirection Root Folder

    | User Account | Minimum Permissions Required |
    |---|---|
    | Creator Owner | Full Control, Subfolders and Files Only |
    | Administrator | None |
    | Security group of users that need to put data on share | List Folder/Read Data, Create Folders/Append Data - This Folder Only |
    | Everyone | No Permissions |
    | Local System | Full Control, This Folder, Subfolders and Files |

    Table 7.13 Share level (SMB) Permissions for Folder Redirection Share

    | User Account | Default Permissions | Minimum permissions required |
    |---|---|---|
    | Everyone | Full Control | No permissions |
    | Security group of users that need to put data on share | N/A | Full Control |

    Table 7.14 NTFS Permissions for Users’ Redirected Folders

    | User Account | Default Permissions | Minimum permissions required |
    |---|---|---|
    | %Username% | Full Control, Owner of Folder | Full Control, Owner of Folder |
    | Local System | Full Control | Full Control |
    | Administrators | No permissions | No permissions |
    | Everyone | No permissions | No permissions |

    Host redirected file shares on servers running Windows 2000 or Windows Server 2003

    To provide the best protection as data is transmitted over the network, ensure that you set up the redirected folders shares on servers running Windows 2000 and later. The Kerberos, IPSec, and SMB signing security features of Windows 2000 and Windows Server 2003 help protect the users’ data.

    Using the NTFS file system for user data volumes

    Always configure the servers hosting redirected files to use NTFS to provide the most secure configuration.

    Do not rely on EFS to encrypt users’ files when transmitted over the network

    When you use EFS to encrypt files on a remote server, the data is encrypted only while it is stored on the disk, not when it is transmitted over the network. The exceptions to this are when your system includes IPSec or Web Distributed Authoring and Versioning (WebDAV). IPSec encrypts data while it is transported over a TCP/IP network. If the file is encrypted before being copied or moved to a WebDAV folder on a server, it remains encrypted during the transmission and while it is stored on the server.

    Encrypting the Offline Files cache

    While access control lists (ACLs) protect the Offline Files cache on NTFS partitions by default, encrypting the cache enhances security on a local computer. By default, the cache on the local computer is not encrypted, so any encrypted files that are cached from the network are not encrypted on the local computer. This might pose a security risk in some environments.
    When you enable encryption, all files in the Offline Files cache are encrypted, including existing files and any files that you add later. The cached copy on the local computer is affected, but the associated network copy is not.
    You can encrypt the cache in one of two ways:

    • By using Group Policy to enable the Encrypt the offline files cache policy setting. This setting is in the Computer Configuration\Administrative Templates\Network\Offline Files node in the Group Policy Object Editor snap-in.
    • Manually, by clicking Folder Options on the Tools menu in Windows Explorer. Click the Offline Files tab, and then select the Encrypt offline files to secure data check box.

    Note

    • Encryption of the Offline File cache is only available in Windows XP and Windows Server 2003; it is not possible to encrypt the cache on Windows 2000–based computers.

    For information about encrypting the Offline Files cache for Windows XP, see the How to Encrypt Offline Files link on the Web resources page at Windows Resource Kits - Web Resources. For information about encrypting files for Windows 2000, see the Encrypting File System for Windows 2000 link on the Web resources page.










    Thanked by ARM.
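
The check below is an added example, not part of the post above or of the Microsoft guide: it audits a folder-redirection root ACL against Table 7.12 and reports grants that are broader than the table allows. The function names, the group SID and both sample ACLs are constructed for illustration, so it runs without touching a real share.

```powershell
# Added example: audit a folder-redirection root ACL against Table 7.12.
# The group SID and both sample ACLs are constructed; nothing is read from disk.
$EveryoneSid     = 'S-1-1-0'
$CreatorOwnerSid = 'S-1-3-0'
$RedirUsersSid   = 'S-1-5-21-1111-2222-3333-1105'   # constructed security-group SID

function New-SampleAcl {
    param([object[]]$Entries)   # each entry: SID, rights, inheritance, propagation
    $sd = [System.Security.AccessControl.DirectorySecurity]::new()
    foreach ($e in $Entries) {
        $sd.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            [System.Security.Principal.SecurityIdentifier]::new($e[0]),
            [System.Security.AccessControl.FileSystemRights]$e[1],
            [System.Security.AccessControl.InheritanceFlags]$e[2],
            [System.Security.AccessControl.PropagationFlags]$e[3],
            [System.Security.AccessControl.AccessControlType]::Allow))
    }
    $sd
}

function Test-RedirectionRootAcl {
    param(
        [Parameter(Mandatory)] [System.Security.AccessControl.DirectorySecurity]$Acl,
        [Parameter(Mandatory)] [string]$GroupSid
    )
    # Rights Table 7.12 gives the group; .NET adds Synchronize to every Allow ACE.
    $allowed = [int][System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories, Synchronize'
    $full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    # Ask for SIDs so that no account-name lookup is needed.
    $rules = @($Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' })

    foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        if ($sid -eq $EveryoneSid) {
            "Everyone is granted [$($r.FileSystemRights)]; Table 7.12 gives Everyone no permissions"
        }
        if ($sid -eq $GroupSid) {
            $extra = [int]$r.FileSystemRights -band (-bnot $allowed)
            if ($extra -ne 0) {
                "Group has rights beyond List Folder/Create Folders: [$([System.Security.AccessControl.FileSystemRights]$extra)]"
            }
            if ($r.InheritanceFlags -ne 'None') {
                "Group ACE inherits to children [$($r.InheritanceFlags)]; it should apply to This Folder Only"
            }
        }
    }
    $creatorOk = $rules | Where-Object {
        $_.IdentityReference.Value -eq $CreatorOwnerSid -and
        $_.PropagationFlags -eq 'InheritOnly' -and
        ([int]$_.FileSystemRights -band $full) -eq $full
    }
    if (-not $creatorOk) { 'No Creator Owner Full Control ACE limited to Subfolders and Files Only' }
}

# Constructed samples: a loosely configured root and one that follows the table.
$weak = New-SampleAcl @(
    @($EveryoneSid,   'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None'),
    @($RedirUsersSid, 'Modify',         'ContainerInherit',                'None'))
$good = New-SampleAcl @(
    @($CreatorOwnerSid, 'FullControl',                      'ContainerInherit, ObjectInherit', 'InheritOnly'),
    @($RedirUsersSid,   'ListDirectory, CreateDirectories', 'None',                            'None'))

Test-RedirectionRootAcl -Acl $weak -GroupSid $RedirUsersSid
Test-RedirectionRootAcl -Acl $good -GroupSid $RedirUsersSid
```

To audit a real root, pass the object returned by Get-Acl for that folder and the SID of your own redirection users group.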

  7. #7
    Real name: 1234

    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanks received: 2513
    Thanks given: 272
    How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003




    In Microsoft Windows 2000 and in Microsoft Windows Server 2003, as an administrator, you can customize desktops by using Folder Redirection. You can redirect the following folders by using Active Directory and Group Policy:
    • Application Data
    • Desktop
    • My Documents
    • My Documents/My Pictures
    • Start Menu

    You can find more information about Folder Redirection by searching Windows Help for Folder Redirection.

    When you redirect folders to a shared location on a network, users need both read and write access to this location so that the users can read the contents of these folders. However, in some scenarios, you may not want to grant read access.
    Create security-enhanced redirected folders

    To make sure that only the user and the domain administrators have permissions to open a particular redirected folder, do the following:
    1. Select a central location in your environment where you would like to store Folder Redirection, and then share this folder. In this example, FLDREDIR is used.
    2. Set Share Permissions for the Everyone group to Full Control.
    3. Use the following settings for NTFS Permissions:
      • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
      • System - Full Control (Apply onto: This Folder, Subfolders and Files)
      • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
      • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
      • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
      • Everyone - Read Attributes (Apply onto: This Folder Only)
      • Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

    4. Configure Folder Redirection Policy as outlined in Windows Help. Use a path similar to \\server\FLDREDIR\username to create a folder under the shared folder, FLDREDIR.

    Because the Everyone group has the Create Folder/Append Data right, the group members have the proper permissions to create the folder; however, the members are not able to read the data afterwards. The Username group is the name of the user that was logged on when you created the folder. Because the folder is a child of the parent folder, it inherits the permissions that you assigned to FLDREDIR. Also, because the user is creating the folder, the user gains full control of the folder because of the Creator Owner Permission setting.

    REFERENCES

    For additional information, click the article number below to view the article in the Microsoft Knowledge Base: 232692 (Folder Redirection feature in Windows)

    APPLIES TO


    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows 2000 Service Pack 1
    • Microsoft Windows 2000 Advanced Server SP1


    Keywords:

    kbactivedirectoryrepl kbgpo kbhowtomaster kbprofiles KB274443



    Thanked by ARM.
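
Steps 1 to 3 of the post above, written out as an added PowerShell example that is not part of the KB article: it shows how each "Apply onto" scope maps to the inheritance and propagation flags of an NTFS ACE. The local path D:\FLDREDIR, the helper name New-RedirRule, a domain-joined server and the SmbShare module (New-SmbShare) are assumptions.

```powershell
# Added example: build the FLDREDIR root with the NTFS permissions from step 3.
# Assumed values: local path D:\FLDREDIR, a domain-joined file server, an elevated session.
$RootPath  = 'D:\FLDREDIR'
$ShareName = 'FLDREDIR'

# "Apply onto" scopes expressed as (InheritanceFlags, PropagationFlags).
$ThisFolderOnly     = @('None', 'None')
$SubfoldersAndFiles = @('ContainerInherit, ObjectInherit', 'InheritOnly')
$FolderAndChildren  = @('ContainerInherit, ObjectInherit', 'None')

function New-RedirRule {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [string]$Rights,
        [string[]]$Scope
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Scope[0],
        [System.Security.AccessControl.PropagationFlags]$Scope[1],
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Well-known SIDs avoid localized account names; Domain Admins is resolved by name.
$creatorOwner = [System.Security.Principal.SecurityIdentifier]::new('S-1-3-0')
$system       = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')
$everyone     = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$domainAdmins = [System.Security.Principal.NTAccount]::new($env:USERDOMAIN, 'Domain Admins')

$rules = @(
    New-RedirRule $creatorOwner 'FullControl' $SubfoldersAndFiles
    New-RedirRule $system       'FullControl' $FolderAndChildren
    New-RedirRule $domainAdmins 'FullControl' $FolderAndChildren
    # Create Folder/Append Data, List Folder/Read Data, Read Attributes, Traverse Folder/Execute File
    New-RedirRule $everyone 'CreateDirectories, ListDirectory, ReadAttributes, Traverse' $ThisFolderOnly
)

New-Item -ItemType Directory -Path $RootPath -Force | Out-Null

$acl = Get-Acl -Path $RootPath
$acl.SetAccessRuleProtection($true, $false)     # stop inheriting from the parent, keep nothing
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }   # clear explicit ACEs
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $RootPath -AclObject $acl

# Step 2: share permissions for Everyone set to Full Control.
New-SmbShare -Name $ShareName -Path $RootPath -FullAccess 'Everyone' | Out-Null

# Read the ACL back so the scopes can be compared with the list in step 3.
(Get-Acl -Path $RootPath).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
    Format-Table -AutoSize
```

Because the Everyone entry applies to This Folder Only, a user's new subfolder inherits only the Creator Owner, System and Domain Admins entries, which is why other users cannot read it.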
