# USER PROFILES AND USER FOLDERS REDIRECTION USING GPO

[http://dalaris.com/user-profiles-and-user-folders-redirection-using-gpo/](http://dalaris.com/user-profiles-and-user-folders-redirection-using-gpo/)

Assume that you have a Microsoft Windows Server 2012 R2 installed and ADDS is configured, up and running. The following guide will show you how to configure a few policies using Group Policy Objects (GPO) to:

- Redirect User Profile (1)
- Redirect all personal folders such as Desktop, Documents, Favourites, Contacts, Downloads, Links, Music, Pictures, Saved Games, Searches, Start Menu, and Videos. (2)
- Configure Drive Mapping to map N: drive to a public share such as \\\\DCD2\\Shared.
- Set domain users’ home folder.
- Some other essential properties for users.

In the list above, note that User Profile Redirection (1), also called Roaming Profile, is different from Folder Redirection (2). It is recommended (best practice) to redirect user profiles to a different location from where we store users’ folders such as Desktop, Documents, Music, etc. If we placed the user profile and folder redirection destinations in the same location, we would defeat the purpose of folder redirection. Folder redirection is meant to detach users’ folders from their profiles so that OS startup and logoff are faster.

**Set up two shared locations on the AD server called: UsersProfiles and UsersFolders**

The first step is to set up two shared locations, one for user profiles and one for user folders. On the D:\\ drive, or a separate partition different from the OS partition on the server, make new directories called **UsersProfiles** and **UsersFolders** respectively.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile1.png)

Do the following for both of the above folders, one at a time.

Right-click on the folder and click Properties. Choose the Sharing tab. Click **Advanced Sharing** and share it as **UsersProfiles$** (or **UsersFolders$** for the second folder; the $ makes the share hidden). Click Permissions and make sure the share permissions are set as follows.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile2.png)

**Everyone** = FULL

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile3.png)

Also add System and Administrators and assign share permissions as follows:

**System** = FULL

**Administrators** = FULL

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile4.png)

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile5.png)

Choose the **Security** tab and click **Advanced**.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile6.png)

On the Permissions tab, click Disable inheritance.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile7.png)

Click **Remove all inherited permissions from this object**.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile8.png)

Click the **Add** button.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile9.png)

Click **Select a principal**.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile10.png)

Type **Everyone**, click **OK**.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile11.png)

Choose **This folder only** and click **Show advanced permissions**.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile12.png)

Choose the following:

- Traverse folder / execute file
- List folder / read data
- Read attributes
- Read extended attributes
- Create folders / append data
- Read permissions

Hit **OK**.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile13.png)

Click Add. Click **Select a principal**. Enter **Creator Owner**. Click OK and give it **Full Control**.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile14.png)

Click Add, click Select a principal. Enter **System,** click OK and give it Full Control.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile15.png)

Click Add, click Select a principal. Enter **Domain Admins**, click OK and give it Full Control.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile16.png)

Remember to do the same thing for **UsersFolders**. We will end up with the following.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile17.png)
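
The share and NTFS steps above can also be scripted, which makes the result repeatable and easy to compare against the intended access list. The following PowerShell is an added example, not part of the original walkthrough; `New-Ace` and `New-RedirectionRoot` are hypothetical helper names, and it assumes an elevated session on the file server, an existing D:\\ volume, and that Creator Owner's Full Control applies to subfolders and files only.

```powershell
# Added example (not from the original article): scripts the share and NTFS
# steps for both folders. Assumes an elevated session on the file server,
# an existing D:\ volume, and a domain logon (to resolve "Domain Admins").
$domainAdmins = "$env:USERDOMAIN\Domain Admins"
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# The six advanced permissions the article grants to Everyone
$everyoneRights = [System.Security.AccessControl.FileSystemRights](
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
    'CreateDirectories, ReadPermissions')

function New-Ace {   # hypothetical helper: builds one Allow entry
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, $Propagate, $allow
}

function New-RedirectionRoot {   # hypothetical helper name
    param([string]$Name)
    $path  = "D:\$Name"
    $share = $Name + '$'         # trailing $ hides the share
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $share -Path $path -FullAccess `
            'Everyone', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators' | Out-Null
    }
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited entries
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # clear explicit leftovers
    $inherit = 'ContainerInherit, ObjectInherit'
    @(
        (New-Ace 'Everyone' $everyoneRights 'None' 'None'),              # this folder only
        (New-Ace 'CREATOR OWNER' 'FullControl' $inherit 'InheritOnly'),  # assumption: subfolders and files only
        (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' $inherit 'None'),
        (New-Ace $domainAdmins 'FullControl' $inherit 'None')
    ) | ForEach-Object { $acl.AddAccessRule($_) }
    Set-Acl -Path $path -AclObject $acl
    # Return the resulting entries so they can be checked against the steps above
    (Get-Acl -Path $path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

'UsersProfiles', 'UsersFolders' | ForEach-Object { New-RedirectionRoot -Name $_ }
```

Each call should return exactly four entries; any additional principal in the output means an explicit permission survived and should be reviewed.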

Now launch **gpmc.msc** to open **Group Policy Management Console**.

Drill down to the domain DM.LOCAL, right-click on it and choose Create new GPO in this domain and link it here.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile18.png)

Name it RedirectMapGPO and click OK.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile19.png)

Right-click on the newly created Policy and click Edit…

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile20.png)

Now note that the Group Policy Management Editor is divided into two types of configurations: Computer Configuration and User Configuration.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile21.png)

**To Redirect the Desktop Folder:**

Under **User Configuration** click **Policies**, **Windows Settings**, **Folder Redirection**. Right-click **AppData(Roaming)** and choose **Properties**.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile22.png)

In the Target tab, choose **Basic – Redirect everyone’s folder to the same location**.

For Target folder location, choose **Create a folder for each user under the root path**.

Root Path: \\\\DCD2\\UsersFolders$.

Click **Apply**.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile23.png)

Click Yes to continue.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile24.png)

Click the **Settings** tab. Check the following items:

Grant the user exclusive rights to Desktop

Move contents of Desktop to new location

Under **Policy Removal**, choose **Leave the folder in the new location when policy is removed.**

Click **OK** when done.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile25.png)

Repeat the same settings for the following folders: Desktop, Start Menu, Documents, Pictures, Music, Videos, Favourites, Contacts, Downloads, Links, Searches, and Saved Games.

Folder Redirection is now completed. Let’s move on to redirecting user profiles.

**Redirecting System/User Profiles**

The following section describes how to redirect the System / User profile to a remote network location.

You can redirect a user’s profile to a network location using two main methods. The first method is through the Computer Configuration. The second method is through User Properties.

1. Configure User Profile Redirection through Computer Configuration.

Go to Computer Configuration, Policies, Administrative Templates: Policy, System, User Profiles, and click on it. Locate the setting called “Set roaming profile path for all users logging onto this computer.” Double-click this setting.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile26.png)

Select **Enabled**. Enter the path for user profiles to be: \\\\DCD2\\UsersProfiles$\\%Username%

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile27.png)

2. Configure User Profile Redirection through User’s Properties.

Note that this is the method I am using in this lab, so the “Set roaming profile path for all users logging onto this computer” setting described above is set to **Disabled**, as shown.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile28.png)

Now we configure the user’s profile redirection based on the user’s properties.

Launch dsa.msc, go to each user and choose Properties. Make sure of the following:

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile29.png)

Or, instead of doing this one by one on a per-user basis, select all users at once and choose Properties. Change their profile path as follows:

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile30.png)

This means that the user “test” will have its profile stored in \\\\DCD2\\UsersProfiles$\\test as shown.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile31.png)
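
Active Directory Users and Computers replaces %username% with each account's logon name when it saves the bulk edit, whereas the ActiveDirectory PowerShell module writes the string exactly as given, so a scripted version has to build each path itself. The following is an added example, not from the original article; the OU in `$searchBase` is a placeholder, and `Get-ProfilePathDrift` and `Set-RoamingProfilePath` are hypothetical helper names.

```powershell
# Added example (not from the original article): audit and set roaming
# profile paths in bulk. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$profileRoot = '\\DCD2\UsersProfiles$'          # share created earlier in the article
$searchBase  = 'OU=PLACEHOLDER,DC=DM,DC=LOCAL'  # placeholder: OU that holds the users

function Get-ProfilePathDrift {
    # Returns every user whose ProfilePath is not <root>\<logon name>,
    # including users with no profile path at all.
    param([string]$Root, [string]$SearchBase)
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties ProfilePath |
        ForEach-Object {
            $expected = "$Root\$($_.SamAccountName)"
            if ($_.ProfilePath -ne $expected) {      # -ne is case-insensitive
                [pscustomobject]@{
                    User     = $_.SamAccountName
                    Current  = $_.ProfilePath
                    Expected = $expected
                    DN       = $_.DistinguishedName
                }
            }
        }
}

function Set-RoamingProfilePath {
    # Without -Apply this only previews the changes (Set-ADUser -WhatIf).
    param([string]$Root, [string]$SearchBase, [switch]$Apply)
    foreach ($u in Get-ProfilePathDrift -Root $Root -SearchBase $SearchBase) {
        Set-ADUser -Identity $u.DN -ProfilePath $u.Expected -WhatIf:(-not $Apply)
    }
}

# Report first, then preview; add -Apply to write the attribute.
Get-ProfilePathDrift -Root $profileRoot -SearchBase $searchBase |
    Format-Table User, Current, Expected -AutoSize
Set-RoamingProfilePath -Root $profileRoot -SearchBase $searchBase
```

Running `Get-ProfilePathDrift` again after applying should return nothing; a non-empty result later on shows accounts whose profile path was changed or never set.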

User profile redirection is now completed. Let’s configure a few more settings to perfect our GPO configuration for use in a domain environment.

**Mapped Drives**

Now we want to provide a mapped drive called H: that links to the user’s home directory. This is the UsersFolders path.

To do this, we enable the following under User Configuration.

Under User Configuration, click Preferences, expand Windows Settings, click Drive Maps.

Right-click in an empty area and choose New, Mapped Drive.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile32.png)

The drive mapping options are as follows:

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile33.png)

This is the final result.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile34.png)

**Accessory Policies (Optional)**

Let’s round out our GPO by also setting the following policies for the domain environment. These have nothing to do with Folder/Profile redirection, but I include them here for completeness.

Computer Configuration, Policies, Windows Settings, Local Policies, Security Options:

Domain controller: Refuse machine account password changes **Enabled**

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile35.png)

Domain member: Disable machine account password changes **Enabled**

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile36.png)

**Interactive logon**: Do not display last user name **Enabled**

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile37.png)

**Interactive logon**: Do not require CTRL+ALT+DEL **Enabled**

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile38.png)

Under Computer Configuration, Policies, Administrative Templates, System, also enable the following settings.

Display highly detailed status messages **Enabled**

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile39.png)

Under Computer Configuration, Policies, Administrative Templates, System, Logon:

Assign a default domain for logon: **Enabled**

Default Logon domain: **DM.LOCAL**

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile40.png)

**Update the GPO**

The settings are all done. Now we need to update the GPO. Launch the command prompt and type

**gpupdate /force**

This updates the policy so that it takes effect.

When prompted to log off, type N, as we do not want to log off from the server.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile41.png)

**Testing**

Test by logging into a computer with domain credentials. Verify that all the settings stay on the server. If you have a computer already on the domain and logged in, remember to restart it and also perform a gpupdate /force on it.

Let’s log into a Windows 7 workstation to check out the settings. Login as **test**.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile42.png)

Click Start then right-click on Computer. Choose Properties. Choose Advanced System Settings.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile43.png)

Under User Profiles click Settings.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile44.png)

You can see that the user test is actually using Roaming Profile.

![](http://dalaris.com/wp-content/uploads/2015/09/090115_2056_UserProfile45.png)

Now, let’s do a few things.

1. Create a folder and a file on the desktop
2. Change the desktop background
3. Make a Bookmark in Firefox
4. Store a folder and a file in Documents
5. Launch an application such as notepad and resize the windows.

All of the above settings should persist across all computers. I have tested this in my environment and confirmed that they do.