
Manage user data with IntelliMirror

IntelliMirror can keep the data on your network safe and easy to manage. Jim Boyce explains how to use it to implement folder redirection and roaming access for your users.


The reason for having a file server and applications is so that users can share and access company data. It’s your job to make sure that data is safe and easily accessible. With IntelliMirror, you can easily control data on your network by redirecting users' folders to a server, allowing for centralized backup and roaming access from any computer on the network.

The benefits of controlling user data
Having users save all their data in the My Documents folder on their computer can help reduce the number of times you’ll have to help a user find a lost document. However, if you don't implement some sort of backup plan for that data, and a user accidentally deletes a file or suffers a hard drive failure, data can be lost. Although you could back up users’ individual systems, it's just impractical. Moving users' data to a centralized server improves your chances of helping a user recover lost data, because you can more easily back up that one server than you can back up individual systems.

Redirecting user data from a folder on the desktop to a server allows you to implement roaming profiles, where users can log on from any computer on the network and receive the same desktop, documents, and working settings. However, a user’s My Documents folder can easily grow to several hundred megabytes; I’ve seen cases where a single profile consumed several gigabytes—a good argument for disk quotas. When you consider that a user’s mail store is often located in his or her roaming profile, you can see the potential for a profile to consume a lot of space. Large roaming profiles use a lot of disk space, generate a lot of network traffic, and increase logon time as the profile copies across the network from the server to the user’s local computer.

A great solution to all of these problems is to redirect users’ actual folders to a server so the data never actually leaves the server, but it appears to be local to the user. Doing this simplifies backup and disaster recovery, reduces network traffic, and speeds logon for roaming profiles.

Consider folder redirection in the light of other IntelliMirror functions:
  • The user’s OS is deployed through RIS.
  • You deploy applications with IntelliMirror.
  • You redirect folders to a network server so no data is stored locally.
  • Custom desktop settings are applied through IntelliMirror and group policy.

Suppose the user’s system dies, a victim of a power spike or some other problem. All you have to do to get the user back online is provide a new computer with a blank hard disk. The user connects it to the network and boots it. RIS installs the OS and the user logs on to the domain using his or her existing account. IntelliMirror automatically installs all of the applications to the computer. Then, the user can access his or her documents, because they are safely stored on the server. You need only to set up a new computer, and IntelliMirror takes care of the rest.

Redirecting folders
Through group policy, you can redirect four common user data folders: Application Data, Desktop, My Documents, and Start Menu. You have three options for each one:
  • No Administrative Policy Specified leaves the user folder at the default location. In the case of nonroaming users, the folder remains on the user’s local computer. For roaming users, the folder resides in the roaming profile and is copied across the network to the user’s workstation at logon.
  • Basic—Redirect Everyone’s Folder To The Same Location can redirect all users to the same folder—which is handy when you want all users to share a single folder for applications or desktop—but you can also redirect users to their own folders. For example, you might configure this setting to point the users’ folders to \\server\share\%username%, which would cause each user to be directed to his or her own home folder. Here, you’re specifying redirection of folders regardless of how the security group membership is set.
  • Advanced—Specify Locations For Various User Groups provides more flexibility by allowing you to specify redirection based on group membership. Rather than specify a single location for all users to which the policy applies, you add groups to a list and specify which folder location each group receives. As with the Basic option, you can redirect a group to a single folder by specifying an absolute path or redirect each member of a group to his or her own folder by using the %username% variable.

Why would you use one option over another? The Basic option takes the least time to configure and is a good choice when you want all users to share a common folder or when all users work from the same server. The Advanced option works well when each group of users needs a specific set of applications or desktop. For example, you might assign a particular Desktop folder to all administrators to provide quick access to administrative tools through shortcuts on the desktop. The same holds true for providing a common desktop and shortcuts for users.

Choose the Advanced option when you’re using multiple servers to host user folders. You can create a security group for each server, add the group to the policy, and point it to the appropriate server. Then, add the users to a group to redirect them to a specific server. For example, assume you’re using three servers to host folders for three different groups: accounting, sales, and engineering. Each group’s folders need to reside on a different server. Through the Advanced policy setting, you redirect each group to its target server, which would be either to a common folder on the server or to individual user folders on the server.

Configuring folder redirection
To configure folder redirection, first determine which users you want to redirect and where to locate their folders. Decide if you can redirect all users to the same location (as with the Basic option) or if you need to use security groups to provide varying redirection (as with the Advanced option). Then, look at your Active Directory (AD) structure to determine if your existing domain and OU structure will accommodate the folder redirection. If not, create new OUs and move users and computers as needed.

When the AD structure is ready, open the Active Directory Users And Computers console, right-click the container at which you want to apply the policy, such as at the domain level or a specific OU, and choose Properties. Click the Group Policy tab and either edit an existing group policy object (GPO) or create a new one.

In the Group Policy editor, open the User Configuration | Windows Settings | Folder Redirection branch. You’ll find each of the four folders as a separate branch, with My Pictures as a subbranch of My Documents. Right-click a folder branch and choose Properties. On the Target tab, select either Basic or Advanced, depending on the type of redirection you want to employ.

When you choose an option, additional controls will appear on the page. With the Basic option, you must specify the path to the target folder. You can specify an absolute path or use a variable such as %username% in the path to create an implicit path that is applied when the policy is applied. With the Advanced option, add security groups to a list and then add the target folder for each group.

After you specify the target folders, click the Settings tab. The options available depend on the redirection option and folder type you chose, and are drawn from the following:
  • Grant The User Exclusive Rights To <folder> configures permissions on the folder so the user and local system have full access but no other users have access (including administrators). If this option is not selected, no changes are made to the folder’s permissions.
  • Move The Contents Of <folder> To The New Location redirects the contents of the source folder to the target folder. For example, you would enable this option to have a user’s local My Folders contents moved to a server.
  • Leave The Folder In The New Location When Policy Is Removed allows files to remain in the redirected location even if the group policy no longer applies.
  • Redirect The Folder Back To The Local User Profile Location When Policy Is Removed moves the folder back to the original location when the group policy no longer applies.
  • Make My Pictures A Subfolder Of My Documents redirects My Pictures along with My Documents. The default location for My Pictures is as a subfolder of My Documents.
  • Do Not Specify Administrative Policy For My Pictures allows My Pictures to remain in its default location as defined by the user’s profile.

Save the GPO and then configure policies for other OUs or domains as needed. You can link the same GPO to multiple containers, so you might save some time by creating only a few GPOs and linking them at the appropriate locations.
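Once redirection is in place, it is worth confirming that the per-user folders really carry the permissions that Grant The User Exclusive Rights To <folder> describes (the user and local system only). The following PowerShell audit is an added example, not part of the original article; it assumes folders were created from a target path of \\server\share\%username%, so each folder name is a logon name, and the domain name EXAMPLE is a placeholder.

```powershell
# Added example: audit redirected per-user folders for access beyond the
# user and the local system account.
# Assumptions: folder name == user's logon name (target path
# \\server\share\%username%); 'EXAMPLE' is a placeholder domain name.
param(
    [string]$Root   = '\\server\share',
    [string]$Domain = 'EXAMPLE'
)

# Account name as shown on English-language systems.
$systemAccount = 'NT AUTHORITY\SYSTEM'

function Test-RedirectedFolderAcl {
    param(
        [System.IO.DirectoryInfo]$Folder,
        [string]$Domain
    )

    $expectedUser = "$Domain\$($Folder.Name)"
    $acl = Get-Acl -LiteralPath $Folder.FullName

    # Any Allow entry for an identity other than the folder's user or
    # SYSTEM means the folder is not exclusive to that user.
    $unexpected = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ne $systemAccount -and
        $_.IdentityReference.Value -ne $expectedUser
    })

    [pscustomobject]@{
        Folder      = $Folder.FullName
        Owner       = $acl.Owner
        Exclusive   = ($unexpected.Count -eq 0)
        ExtraAccess = ($unexpected | ForEach-Object {
            "$($_.IdentityReference) [$($_.FileSystemRights)]"
        }) -join '; '
    }
}

# Non-exclusive folders sort first so findings are at the top.
Get-ChildItem -LiteralPath $Root -Directory |
    ForEach-Object { Test-RedirectedFolderAcl -Folder $_ -Domain $Domain } |
    Sort-Object Exclusive
```

Folders redirected without the exclusive-rights option keep whatever permissions they already had, so they will show up here with Exclusive set to False whenever other identities hold access.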

Conclusion
To create a safer, more efficient network environment, you should consider using IntelliMirror to control user data. With it, you can redirect data to safe locations on a server so you can easily back up files and provide users with file access from anywhere on the network.
