Configure roaming profiles, folder redirection and disk quotas on Windows Server 2008 R2 / 2012

2. Setting up the folder redirection

As you could see, the advantage of roaming profiles is that the user keeps its documents and its settings.
That said, the problem is that this can slow openings and closings of sessions if the user has a lot of data.
To solve this problem, we'll also use the folder redirection for user documents.

As shown in technet de Microsoft.

To avoid conflicts between the redirected documents and those currently present in the roaming profile of your users, we will first remove the folders containing these roaming profiles.

2.1. Create the network share

Then, on our partition "Users data", we will create a "users-data" folder to contain the redirected folders of our users.
In our case : "My Documents" (including : My pictures, My music and My video) and "Downloads" folders.

As earlier (at step 1.2), you must share the folder with a $ at the end of the name and allowing the "Total control" for the "Everyone" group.
Once the folder will be shared, the folder status will be "Shared" (as shown at the bottom of this image).

2.2. Security policies for the folder redirection

To configure the folder redirection, everything happens in group policies.
To do this, go back in the start menu -> Administrative Tools -> Goup Policy Management.

Then, because we will use the folder redirection for roaming profiles, we must first exclude the desired folders of roaming profiles.
For this, go to : User Configuration -> Policies -> Administrative Templates -> System -> Users Profiles.

In this section, you will find the policy "Exclude directories in roaming profile".

Enable this policy and specify this to exclude "My Documents" and "Downloads" folders : Documents;Downloads
Note that these names must be in English, even if you use Windows Server in another language.

Then, we will configure the folder redirection.
For this, go to : User Configuration -> Policies -> Windows Settings -> Folder Redirection.
As you can see, with these policies, you can redirect all personal folders that are present in a roaming profile.
However, we will only redirect documents and user downloads, because these are the heaviest folders.

To begin, right click on "Documents" and click "Properties".

Then, select :

• Setting : Basic - Redirect everyone's folder to the same location
• Target folder location : Create a folder for each user under the root path

Then, specify the network path of your "user-data" folder. In our case, the network path is : \\AD-SERVER\users-data$

As you can see at the bottom of the image below, documents of "Claire" will be redirected to the folder : \\AD-SERVER\users-data$\Claire\Documents

Then, go to the "Settings" tab and check these boxes :

• Move the contents of Documents to the new location : which makes it possible to recover the documents that users would have already created before the redirection of this folder and to transfer them to the server.
• Also apply redirection policy to Windows 2000, XP, ... : This will allow you to also redirect "My Pictures", ... folders in the "Documents" folder of the user. As under Windows XP, ...

In addition, we recommend that you uncheck the "Grant the user exclusive rights to Documents".
Indeed, when this box is checked, only the user has access to its documents. So, the administrator will not have access to this folder from the server.
To allow the administrator to access this folder, you should uncheck this box.

As stated in the warning, the application of the parameter for Windows 2000 operating systems, XP, ... will also cause the Images, Musics, ... after him.
This allows us to redirect 4 folders at one go (documents, images, ...).
In addition, it allows you to have backward compatibility with operating systems: Windows XP, ...

Click on Yes.

Do the same for the "Download" folder.
Right click -> Properties.

Select "Basic ..." and "Create a folder for each user ..." and specify the same network path as before.

In the "Settings" tab, uncheck the "Grant the user exclusive rights to Downloads" box to allow the administrator to access to users's downloads.
Note : the line about Windows 2000, ... is grayed out, because this folder doesn't exist on older versions of Windows.

Click Yes.

2.3. "Offline Files" feature

As shown on the Microsoft technet, when you use the folder redirection, the "Offline Files" feature of Windows will automatically be enabled by default.

If you log on a client PC with a user which some personal folders have been redirected, you will see that the concerned folders will have a green icon.
This icon means that these folders will be automatically synchronized by Windows with your server.
Also, you'll notice that a green icon appeared at the bottom right of the screen.

Note : To access to the User folder (like the picture below), click on the favorite "Desktop" on the left, then double-click the folder named with the user's name.

If you go to the folder "My Documents", you will see that the 3 folders "My Music", "My Pictures" and "My Videos" were also redirected.
Also, if you create a file in the "User1\My Pictures" folder, you will see that the file will also be displayed in the "My Documents\My Pictures" folder. Windows has added the necessary redirections.

If you go in the Control Panel and you access the "Sync Center".

You will see that the "Offline Files" feature was automatically configured.

If you double-click on that line, you will see that Windows is configured to synchronize user data (redirected folders) with the "users-data$" network share of your server : AD-SERVER.

This synchronization is automatic of course, but if the user wishes, he can also run it manually by doing a right click -> Synchronize users-data$ (\\SERVER-AD).

Or using the context menu of the icon in the taskbar.

Now that folder redirection works properly and that you have seen that redirected folders will be synchronized automatically by Windows, here are some interesting policies that allow you to configure the synchronization as you like.

For this, go back to the group policies and go to : Computer Configuration -> Policies -> Administrative Templates -> Network -> Offline Files.

In this section, we will enable these policies :

• Configure Background Sync
• Exclude files from being cached (on Windows Server 2008 R2) or Enable File Filters (on Windows Server 2012)
• Enable Transparent Caching
• Synchronize all offline files before logging off

For more information about the configuration of offline files, refer to the TechNet of Microsoft.

As you could see, the background synchronization is enabled by default if you use folder redirection.
But if you want to configure the synchronization yourself, you must enable and configure the "Configure Background Sync" policy.

To prevent your users saturate your server storage space, you can use disk quotas that we will see later, but you can also prevent your users from storing some kinds of files in the folders that will be available offline.
You could, for example, exclude video files with these extensions : avi, mov, ...

This policy is named "Exclude files from being cached" on Windows Server 2008 R2 and "Enable File Filters" on Windows Server 2012.

To optimize the use of files present in redirected folders, you can enable the setting transparent cache.
When you enable this policy and a user access 2 times to the same file, the file will be downloaded once from the server (except if the file has been modified in the meantime). This also saves bandwidth.

And finally, when the "Offline Files" feature is enabled, it's very important to enable the "Synchronize all offline files before terminating the session" policy.
Indeed, if you don't enable it and a user logs off before synchronization occurs, its latest changes will not be synchronized with the server.

But, if you enable this policy, you will be sure that all offline files of the user will have been automatically synchronized with your server.

2.4. Configure a network drive (optional)

When roaming profiles and/or folder redirection are used, companies, schools, ... adds a network drive that allows the user to have access to these documents as if they were on a partition of a hard disk.
In reality, it's a letter associated with a network share to facilitate access for the average user.

In our case, documents and downloads of the user "User1" are stored in the "D:\users-data\User1" folder of the server. This file is available by the user by this network path : \\AD-SERVER\users-data$\User1

To configure the network drive for each user, we will use the Group Policy (GPO).
To do this, go to "User Configuration -> Preferences -> Windows Settings -> Drive Maps", then right-click in the empty list at right.
Then, click : New -> Mapped Drive.

Because each user data is stored in a folder with their user name, we will use the "%Username%" variable for the network location of the network drive.

To configure the network drive :

• select "Action : Update".
• Specify the path "\\AD-SERVER\users-data$\%Username%" as location
• Select "Drive Letter / Use : Z"
• Select "Show this drive" and "Show all drives" options at the bottom of the window.

Restart the client PC and log in with one of your roaming users.
You should see a new drive with the name of your user.

If you enter into this network drive, you will see that it contains documents and downloads of your user.

As you can see in the address bar of the client PC, Windows displays by default the network path associated with the network drive where you just entered.
However, if the user tries to access documents of another user (for example, by typing the address "\\AD-SERVER\users-data$\User2"), Windows deny him access because each user can only access to their redirected folders.

If you look NTFS rights assigned to the "User1" folder on the server, containing redirected folders of User1, you will see that it's the only one user authorized to access that folder.
This means that User2 can't access them.