There’s no question that traditional file services (e.g. Windows file servers, NAS filers, etc.) are slowly being usurped in the enterprise by cloud storage vendors such as Microsoft OneDrive, Google Drive, Box, Dropbox and Citrix ShareFile. And while some organizations justifiably still have concerns about putting their corporate documents and data in the cloud, I think the trend will only increase over time, especially as cloud storage costs continue to be driven downwards. To that end, I thought it would be interesting to look at how the current system of allowing user data to roam with the user via Group Policy and Folder Redirection would work in a cloud storage environment.
The one common denominator that makes this scenario work is the synchronization client that most, if not all, cloud storage vendors provide. This sync client typically gets installed on a machine and lets you access your cloud folders when you are offline. For example, OneDrive provides the sync client as a separate installation for Windows 7, and as an integrated feature in Windows 8. OneDrive files are typically mapped to someplace within the user’s existing profile directory (e.g. %userprofile%\OneDrive) and a shortcut is added to Windows Explorer favorites to allow you to easily get access to that data.
Traditionally, shops that used Group Policy Folder Redirection would redirect a user’s profile folders, such as Documents, Music, Videos, etc., to a server share. This gave the user the benefit of offline access to their files when not connected to the server, while at the same time giving the user a way of backing up their critical data, as it syncs up to the server. Of course, this required maintaining lots of file server storage, with the attendant costs and challenges around keeping up with users’ voracious storage appetites. Today, with cloud storage in the mix, you no longer need a file server to keep user data. The file server is the cloud, and it will automatically follow the user to whatever machine they’re logged into, provided the sync client is installed and they’ve authenticated to the cloud storage. This means that the final piece of the puzzle, as it relates to folder redirection, is simply to redirect the user’s profile folders to ensure they always use cloud storage when opening and saving documents.
This is easy enough to accomplish using our friend Group Policy. Here are the steps you’ll need to take to accomplish this goal:
1. Move the contents of the profile folder to be redirected (e.g. Documents) to the cloud storage sync location on the user’s local hard drive. For example, if you’re using OneDrive, move the contents of %userprofile%\Documents to %userprofile%\OneDrive\Documents.
2. Create a GPO to redirect the folder of interest (e.g. Documents) from %userprofile%\Documents to %userprofile%\Onedrive\Documents. This can be done using either Folder Redirection policy, or a registry poke via GP Preferences registry extension.
3. Ensure that the OneDrive (or your favorite cloud storage vendor) sync client is installed on every machine where users will roam.
4. When the user logs in to a machine for the first time, they will need to authenticate to their cloud storage provider using the credentials it requires. Note that unless you are federating identities with your cloud storage provider, this may be a different ID from the user’s domain credentials (for example, OneDrive uses a Microsoft account).
Implementation
So, let’s look at how this works. Remember, my goal here is two-fold. I want the user’s Documents folder to default to my OneDrive (or other cloud storage) folder, and I want this redirected Documents folder (and my documents in OneDrive) to appear wherever I log in. As I mentioned above, the first step is to move the contents of the user’s Documents folder from where they are now (either in the local profile under %userprofile%\Documents or on a server share) to their local cloud storage sync folder (e.g. %userprofile%\OneDrive\Documents). Note that, for clarity’s sake, I created an explicit “Documents” folder under my OneDrive folder, because I don’t want the full contents of my Documents folder to go to the root of the OneDrive sync folder. It just makes things cleaner. Now, in terms of how to do the data copy, you have two choices: you could do it manually for each user (or have them do it), or you could use Folder Redirection policy to handle the copy for you, as it has a switch that provides this option when the user first processes the policy, as shown here:
Now, when you use this option, keep in mind that Folder Redirection has to do the file copy while the user is logging in the first time this policy applies to them (it also requires a synchronous foreground processing cycle, which means it might take two logons to take effect). As a result, if the user has a lot of data, this could take a while. I tend to prefer the manual, or even scripted, copy approach because it can be done out of band, without the user waiting at logon.
Once the copy is complete and the data is in the correct OneDrive sync folder, the next step is to build the actual redirection policy to redirect Documents to point at the OneDrive folder. Again, if you used Folder Redirection Policy to do the file copy, then it makes sense that you would use Folder Redirection to do the actual redirection of Documents, as shown here:
The alternative, and the approach I prefer because it does not rely on Folder Redirection, is to use GP Preferences to redirect the “User Shell Folders” registry value(s) to the appropriate locations. Of course, this assumes I’ve found another way to copy the user data to the cloud sync folder, but if I have, then this GPP approach works well. In fact, I had a unique case to deal with. On one of my machines, running Windows 7, I had originally installed SkyDrive, the predecessor to OneDrive. As such, it created my local sync folder under %userprofile%\skydrive. On another machine I had, running Windows 8, it comes with the OneDrive sync client pre-installed and it defaults to %userprofile%\onedrive. So, I had to create two GP Preferences registry items–one for each variation. In order to ensure the right redirection happened on the right machine, I created Item-level targeting to test for the presence of each folder first, before doing the redirection. So, let’s see what this looks like. First, the registry value I’m redirecting:
Note that the full registry key path for this is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, and also note that the Documents folder equates to a registry value name called “Personal”. Now this particular GPP registry policy is for OneDrive. I have a second one in the GPO for “SkyDrive” redirection. And remember I said I used Item-level targeting to filter the correct policy for the correct folder location. That looks like this:
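As an added, scripted equivalent of the four steps above and of the GP Preferences registry item just described (this is example code written for this write-up, not a script from the original post or from Microsoft), the PowerShell below picks whichever sync root exists under the profile (the same test the item-level targeting performs, OneDrive first, then SkyDrive), stages the current Documents content into a Documents subfolder of that root with robocopy, writes the “Personal” value under User Shell Folders as REG_EXPAND_SZ, and reads it back for verification. It assumes the sync client keeps its data directly under %USERPROFILE%\OneDrive or %USERPROFILE%\SkyDrive, as in the post; the function names are this example’s own. It must run in the user’s own session, since it writes HKCU.

```powershell
# Added example, not from the original post: scripted equivalent of the
# "User Shell Folders" redirection for Documents, for shops that prefer to
# stage the data copy out of band rather than through Folder Redirection.
# Assumption: sync data lives under %USERPROFILE%\OneDrive or \SkyDrive.

$UserShellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Equivalent of the item-level targeting: use whichever sync root exists.
# Returns the leaf name (unexpanded) so the registry value stays portable.
function Get-CloudSyncRoot {
    foreach ($name in 'OneDrive', 'SkyDrive') {
        $candidate = Join-Path $env:USERPROFILE $name
        if (Test-Path -LiteralPath $candidate -PathType Container) { return $name }
    }
    throw 'No OneDrive or SkyDrive folder under the profile; sign in to the sync client first.'
}

# Step 1: stage the current Documents content into <sync root>\Documents.
# The source is the *current* Personal value (expanded), so this also works
# when Documents is presently redirected to a server share. Files are copied
# by default and only removed from the source with -Move, so the original
# data survives until the redirection has been verified.
function Copy-DocumentsToCloud {
    param([Parameter(Mandatory)][string]$SyncRoot, [switch]$Move)
    $source = (Get-ItemProperty -Path $UserShellFolders -Name 'Personal').Personal
    $target = Join-Path (Join-Path $env:USERPROFILE $SyncRoot) 'Documents'
    if ($source -eq $target) { return $target }   # already redirected, nothing to stage
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    $roboArgs = @($source, $target, '/E', '/COPY:DAT', '/R:2', '/W:5', '/NP', '/NFL', '/NDL')
    if ($Move) { $roboArgs += '/MOV' }            # move files, keep the old folder tree
    & robocopy.exe @roboArgs | Out-Null
    # robocopy exit codes 0-7 are success (including "nothing to copy"); 8+ are failures
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    return $target
}

# Step 2: the registry poke the GPP item performs. "Personal" is Documents;
# write it as REG_EXPAND_SZ with %USERPROFILE% left unexpanded so the same
# value resolves correctly on every machine the user logs in to.
function Set-DocumentsRedirection {
    param([Parameter(Mandatory)][string]$SyncRoot)
    $value = "%USERPROFILE%\$SyncRoot\Documents"
    New-ItemProperty -Path $UserShellFolders -Name 'Personal' -Value $value `
        -PropertyType ExpandString -Force | Out-Null
    return $value
}

# Verification: show the raw and expanded value, whether the target exists,
# and how many files are present locally (a low count on a freshly joined
# machine usually means the sync client has not finished pulling data down).
function Test-DocumentsRedirection {
    $key = Get-Item -Path $UserShellFolders
    $raw = $key.GetValue('Personal', $null, 'DoNotExpandEnvironmentNames')
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    $exists = Test-Path -LiteralPath $expanded -PathType Container
    $count = 0
    if ($exists) {
        $count = @(Get-ChildItem -LiteralPath $expanded -File -Recurse -ErrorAction SilentlyContinue).Count
    }
    [pscustomobject]@{ RawValue = $raw; ExpandedPath = $expanded; TargetExists = $exists; LocalFileCount = $count }
}

$root = Get-CloudSyncRoot
Copy-DocumentsToCloud -SyncRoot $root
Set-DocumentsRedirection -SyncRoot $root
Test-DocumentsRedirection
```

Explorer reads User Shell Folders when it starts, so the new Documents location shows up at the next logon (or after restarting Explorer), which is the same timing you get from the GPP item. Running Test-DocumentsRedirection on a machine the user has never used before is a quick way to see whether the redirection landed and whether the sync client has caught up yet.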
So, once this preference is in place (remember that this is under User Configuration\Preferences\Windows Settings\Registry) and my user account processes it, any machine I log into will have my documents available, by virtue of the OneDrive sync client, and will have my Documents profile location directed to that sync folder.
Items to Keep in Mind
Offline Syncing
One thing to keep in mind: the OneDrive sync client on Windows 8 behaves differently from the SkyDrive client that shipped for Windows 7. Namely, the Windows 8 client will show you all of the files and folders available on OneDrive, but will not automatically sync them offline. The Windows 7 client does sync offline. So, imagine you have Windows 7 throughout your environment, and you sit down at a new machine that you’ve never logged into before. You log in and your Documents folder is redirected to %userprofile%\OneDrive\Documents. Except, most of your files are not there yet because they haven’t synced. This is problematic for two reasons. One, if you have a lot of data, it may take a long time to sync. Two, and this is not really exclusive to this approach, it means that every machine you log into will have a copy of your cloud storage data synced locally.
Identity
Another thing to keep in mind: the default state for most cloud storage vendors is to require you to enter some cloud identity credentials when you first install or activate the cloud sync client. For OneDrive, this means entering a Microsoft account anywhere you log in. Now, if you have some kind of SSO/federation going on between your cloud storage vendor and your own AD, then this process may be seamless, but if not, your users will need some education around this, or they may not find their documents when they log into a new system.
Good write up Darren, thanks for taking the time.
We will be moving more to cloud storage over the months and years and your article helped to crystalise the implications this has for our business regarding standardisation for me.
Some good technical guidance in there too 🙂
Cheers
Carl
Great post. One other thing to keep in mind, is you need to be careful how you roll out the policy as your network could take a really big hit if everyone starts syncing their data to the cloud for the first time all at once.
Absolutely Greg. That’s another argument for not using Folder Redirection to automatically copy content. Essentially roll out the content copy and user shell folder redirection in groups (or by OU) to make it less impactful.
Darren
I am trying to test this and it’s not working. Even configuring it via GPP. Help!
Mark-
What part isn’t working? Have you pre-synced the data or…?
Darren
I have tried the same option via GPO but no luck.
Great post. I’ve used this for Google Drive as we use Google Apps Unlimited here. Works a treat!
So, we’re testing this out with just a few users. Right now, we’ve been doing folder redirection to a network share. I’ve only applied the policy to a few users. For my own account, I run into the following error on a bunch of machines I login to. I login the first time, configure OneDrive and let it sync. In Event Viewer, I have an error the redirect did not work because the path is invalid, that’s expected. On my next login, it tries to do the redirect and it fails with the error below, but my OneDrive is connected and the folder does exist. Microsoft was useless when I opened a ticket asking for help with this error. Anything you can think of?
Failed to apply policy and redirect folder “Documents” to “C:\Users\XYXYX\OneDrive – My Work”.
Redirection options=0x1210.
The following error occurred: “Can not create folder “C:\Users\XYXYX\OneDrive – My Work””.
Error details: “This security ID may not be assigned as the owner of this object.”
That error sounds like you are trying to grant exclusive access to the folder and the permissions on the parent folder are preventing that. Can you verify that you are trying to grant exclusive rights?
Has anyone got this to work with ShareFile yet?
@ Darren
Great article but I have a few questions to follow up with. For the policy design, your article uses $ (dollar sign) vs % (percent) for the user profile variable. Is this a typo? I ask because it leads into my second question.
**2. Create a GPO to redirect the folder of interest (e.g. Documents) from $userprofile%\Documents to $userprofile%\Onedrive\Documents.**
If pursuing the Folder Redirection option, the UI will not accept %userprofile% as an acceptable entry (for not being UNC path). On Windows 10 1709, whenever you accept the warning and click OK to use the variable anyway, it completely wipes it out and sets the FR policy back to default values. Yet, if you use the dollar sign $userprofile%, it sticks. Have you seen this similar behavior?
Jeffrey–first off, good catch–the $ sign should not have been in there. Second, I have to admit that it’s been a while since I tested this so I’ll have to go back to Folder Redirection and see what the current state of affairs is, but to be honest, I prefer the GP Preferences approach since Folder Redirection doesn’t buy me much if I don’t need it to move the files. I can certainly understand the need to use that if it’s across many users so let me look into it. In terms of the $ in FR, I don’t think it actually does anything, other than maybe work around the warning. So I suspect it’s not valid to use it.
Darren
I have the exact same issue, and am wondering if you have been able to make it work?