There’s no question that traditional file services (e.g. Windows file servers, NAS filers, etc.) are slowly being usurped in the enterprise by cloud storage vendors such as Microsoft OneDrive, Google Drive, Box, Dropbox and Citrix ShareFile. And while some organizations justifiably still have concerns about putting their corporate documents and data in the cloud, I think the trend will only increase over time, especially as cloud storage costs continue to be driven downwards. To that end, I thought it would be interesting to look at how the current system of allowing user data to roam with the user via Group Policy and Folder Redirection would work in a cloud storage environment.
The one common denominator that makes this scenario work is the synchronization client that most, if not all, cloud storage vendors provide. This sync client typically gets installed on a machine and lets you access your cloud folders when you are offline. For example, OneDrive provides the sync client as a separate installation for Windows 7, and as an integrated feature in Windows 8. OneDrive files are typically mapped to someplace within the user’s existing profile directory (e.g. %userprofile%\OneDrive) and a shortcut is added to Windows Explorer favorites to give you easy access to that data.
Traditionally, shops that used Group Policy Folder Redirection would redirect a user’s profile folders, such as Documents, Music, Videos, etc., to a server share. This would give the user offline access to their files when not connected to the server, while at the same time giving the user a way of backing up their critical data, as it syncs up to the server. Of course, this required maintaining lots of file server storage, with the attendant costs and challenges around keeping up with users’ voracious storage appetites. Today, with cloud storage in the mix, you no longer need a file server to keep user data. The file server is the cloud, and it will automatically follow the user to whatever machine they’re logged into, provided the sync client is installed and they’ve authenticated to the cloud storage. This means that the final piece of the puzzle, as it relates to folder redirection, is to simply redirect the user’s profile folders to ensure they always use cloud storage when opening and saving documents.
This is easy enough to accomplish using our friend Group Policy. Here are the steps you’ll need to take to accomplish this goal:
1. Move the contents of the user’s profile folder to be redirected (e.g. Documents) to the cloud storage sync location on their local hard drive. For example, if you’re using OneDrive, for the Documents folder, move %userprofile%\Documents to %userprofile%\OneDrive\Documents.
2. Create a GPO to redirect the folder of interest (e.g. Documents) from %userprofile%\Documents to %userprofile%\OneDrive\Documents. This can be done using either Folder Redirection policy, or a registry poke via the GP Preferences registry extension.
3. Ensure that the OneDrive (or your favorite cloud storage vendor) sync client is installed on every machine where users will roam.
4. When the user logs in the first time to a machine, they will need to authenticate to their cloud storage provider using the credentials required. Note that unless you are federating identities with your cloud storage provider, this may be a different id from the user’s domain credentials (for example, OneDrive uses a Microsoft Account).
So, let’s look at how this works. Remember my goal here is two-fold. I want the user’s Documents folder to default to my OneDrive (or other cloud storage) folder, and I want this redirected Documents folder (and my documents in OneDrive) to appear wherever I log in. As I mentioned above, the first step is to move the user’s Documents folder contents from where they are now (either in the local profile under %userprofile%\Documents or on a server share) to their local cloud storage sync folder (e.g. %userprofile%\OneDrive\Documents). Note that for clarity’s sake, I created an explicit “Documents” folder under my OneDrive folder, because I don’t want the full contents of my Documents folder to go to the root of the OneDrive sync folder. It just makes things cleaner. Now, in terms of how to do the data copy, you have two choices: you could do it manually for each user (or have them do it), or you could use Folder Redirection policy to handle the copy for you, as it has a switch that provides this option when the user first processes the policy, as shown here:
Now, when you use this option, keep in mind that Folder Redirection has to do the file copy while the user is logging in the first time this policy applies to them (it also requires a synchronous foreground processing cycle, which means it might take two logons to take effect). As a result, if the user has a lot of data, this could take a while. I tend to prefer the manual, or even scripted, copy approach because it can be done out-of-band of the user.
Once the copy is complete and the data is in the correct OneDrive sync folder, the next step is to build the actual redirection policy to redirect Documents to point at the OneDrive folder. Again, if you used Folder Redirection Policy to do the file copy, then it makes sense that you would use Folder Redirection to do the actual redirection of Documents, as shown here:
The alternative, and the approach I prefer because it does not rely on Folder Redirection, is to use GP Preferences to redirect the “User Shell Folders” registry value(s) to the appropriate locations. Of course, this assumes I’ve found another way to copy the user data to the cloud sync folder, but if I have, then this GPP approach works well. In fact, I had a unique case to deal with. On one of my machines, running Windows 7, I had originally installed SkyDrive, the predecessor to OneDrive. As such, it created my local sync folder under %userprofile%\skydrive. On another machine I had, running Windows 8, it comes with the OneDrive sync client pre-installed and it defaults to %userprofile%\onedrive. So, I had to create two GP Preferences registry items–one for each variation. In order to ensure the right redirection happened on the right machine, I created Item-level targeting to test for the presence of each folder first, before doing the redirection. So, let’s see what this looks like. First, the registry value I’m redirecting:
Note that the full registry key path for this is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, and also note that the Documents folder equates to a registry value name called “Personal”. Now this particular GPP registry policy is for OneDrive. I have a second one in the GPO for “SkyDrive” redirection. And remember I said I used Item-level targeting to filter the correct policy for the correct folder location. That looks like this:
So, once this preference is in place (remember that this is under User Configuration\Preferences\Windows Settings\Registry) and my user account processes it, any machine I log into will have my documents available, by virtue of the OneDrive sync client, and will have my Documents profile location directed to that sync folder.
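A scripted version of the out-of-band copy and the OneDrive/SkyDrive-targeted registry redirection described above, as an added example that is not from the original post. The key path and the “Personal” value name are the ones given in the text; running it as a per-user logon script, copying before redirecting, and the robocopy options are assumptions.

```powershell
# Added example: run as the logged-on user (logon script or scheduled task).
$shellKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Same test as the item-level targeting: which sync folder exists on this machine?
$syncName = 'OneDrive', 'SkyDrive' |
    Where-Object { Test-Path -LiteralPath (Join-Path $env:USERPROFILE $_) -PathType Container } |
    Select-Object -First 1
if (-not $syncName) {
    Write-Warning 'No OneDrive or SkyDrive sync folder found; Documents left unchanged.'
    return
}

$target     = Join-Path (Join-Path $env:USERPROFILE $syncName) 'Documents'
$expandable = "%USERPROFILE%\$syncName\Documents"   # stored unexpanded, as REG_EXPAND_SZ

# Read the current value without expanding it, so the comparison is like for like.
$raw = (Get-Item -LiteralPath $shellKey).GetValue('Personal', $null, 'DoNotExpandEnvironmentNames')
if ($raw -eq $expandable) { return }                # already redirected, nothing to do

# Copy (not move) the existing Documents content into the sync folder first.
$source = [Environment]::ExpandEnvironmentVariables([string]$raw)
if ($raw -and (Test-Path -LiteralPath $source -PathType Container)) {
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    # /E = include subfolders, /XJ = skip junctions such as "My Music", /R /W = short retries
    robocopy $source $target /E /XJ /R:1 /W:1 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) {                      # robocopy: 8 and above means failure
        Write-Error "robocopy failed (exit code $LASTEXITCODE); redirection not applied."
        return
    }
}

# Only repoint the shell folder once the data is in place.
Set-ItemProperty -LiteralPath $shellKey -Name 'Personal' -Value $expandable -Type ExpandString
```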
Items to Keep in Mind
One thing to keep in mind: the OneDrive sync client on Windows 8 behaves differently from the one that shipped/ships with SkyDrive for Windows 7. Namely, the Windows 8 client will show you all of the files and folders available on OneDrive, but will not automatically sync them offline. The Windows 7 client does sync offline. So, imagine you have Windows 7 throughout your environment, and you sit down at a new machine that you’ve never logged into before. You log in and your Documents folder is redirected to %userprofile%\OneDrive\Documents. Except, most of your files are not there yet because they haven’t synced. This is problematic for two reasons. One, if you have a lot of data, it may take a long time to sync. Two, and this is not really exclusive to this approach, it means that every machine you log into will have a copy of your cloud storage data synced locally.
Another thing to keep in mind–the default state for most cloud storage vendors is to require you to enter some cloud identity credentials when you first install or activate the cloud sync client. For OneDrive, this means entering a Microsoft account anywhere you log in. Now, if you have some kind of SSO/Federation going on between your cloud storage vendor and your own AD, then this process may be seamless, but if not, your users will need some education around this, or they may not find their documents when they log into a new system.