Monday, October 1, 2007

Folder Redirection: Specifying a target share

Now that the User Files Folders have been covered, it's time to get fancy and start discussing Folder Redirection. In short, Folder Redirection is a feature which redirects the locally stored User Files Folders to a network share. I touched on Folder Redirection in a previous blog article titled Introducing the User Files Folders!.

I have no plans to give you a complete education on Folder Redirection. Rather, my intent is to highlight issues that I have encountered in order to save you gobs of time configuring your environment. If you are unfamiliar with Folder Redirection you should read the Microsoft primer on Folder Redirection and Roaming Profiles. It has the most detail Microsoft has ever provided on the topic - it turned out to be my bible. For purposes of this article, you will want to pay close attention to the section titled Basic Redirection and Advanced Redirection. For those of you without a large network who wish to configure workstations individually, you need to know about Manual Folder Redirection.

Now that you have read the articles mentioned above, we need to talk about specifying a target network share for your redirected folders. Here is the most important bit of this entire article - you can only provide a UNC path when specifying a target. This may not sound like a big deal to those managing a small environment, but it was devastating to us.

As a large, distributed organization we have almost 50 servers hosting user-specific shares. Naturally, we expect to redirect the User Files Folders to a location within a user's personal share space. In the XP days we simply mapped the H: drive to the user's share wherever it might be and then simply redirected the 'My Documents' folder to H:\. Simple.

You won't see any mention in the lengthy Microsoft articles I linked to, but the fact is that this simple implementation is no longer possible in Vista. You can only specify a drive letter as a target if the drive is a local device. If it is a network device, a UNC path must be used. The explanation from Microsoft is that Folder Redirection occurs much earlier in the logon process - before any drive mappings are established. I suspect this is because Vista can now redirect the Desktop and Start Menu so it must find its way back to the network locations that store that data as early as possible.

Remember I mentioned 50 servers for user shares? That translates into 50 UNC paths! Microsoft expects me to abandon Basic Redirection and happily sign on to Advanced Redirection. The way Advanced Redirection works is that you list all the possible UNC targets and associate a security group with each one. This is, of course, assuming I have already grouped my thousands of users into 50 individual groups - if not, it's time to get to work.
Not crazy enough for you yet? Try this next bit of math... In the XP days I basically had one folder to redirect, the 'My Documents' folder. Vista now has 11 User Files Folders - plus 2 additional folders in the user's profile - which must be redirected individually. There is absolutely no way to redirect a single parent folder like you did in XP. We now have 50 X 13 (650!) folder redirection UNC targets that we must specify. Can you say 'nightmare'? Can you imagine the maintenance headache if you ever choose to change one of those UNC paths in the future?

I decided to attack the problem from a different angle. Decide for yourself if it is better, but so far I am happy with the results...

If you read Microsoft's primer you might have overlooked the small note that they inserted which says 'Folder redirection only supports %USERNAME%, %USERPROFILE%, %HOMESHARE%, and %HOMEPATH% environment variables.'. This note is accurate - and key to my solution! It turns out that %HomeShare% is a valid UNC path for the Folder Redirection GPO! If your user's H: drive isn't mapped to an individual user share, then %HomeShare%%HomePath% is an equally valid UNC path. By utilizing these environment variables, it is possible to revert back to Basic Redirection and have only one UNC target per folder - 13 UNC targets definitions in all. -- phew.

What? You say those variables don't return any values? I now need to show you how to populate them with valid UNC paths. For those of you who do get UNC paths out of those variables, this concludes my first article on Folder Redirection. Much more nastiness to come - so check back often!

Alright you nul variable bums, now that we have gotten rid of those lucky UNC laden admins, let's finish the rest of this ugly tale.

The %HomeShare% and %HomePath% variables pick up their values from each user's profile properties in AD (see pic). The Home Folder path is split into those two variables. The server and share specified in the path make up the UNC path stored in %HomeShare% and remaining folders in the path are put into %HomePath%. The choice to use a Local Path or Connect to a specific drive letter is yours and doesn't affect Folder Redirection (hence the reason for this article :-)

Now I know what some of you are thinking "But Gord, we abandoned that setting years ago in favour of more modern ways of mapping - like GPO logon scripts." Trust me, I did to. But it is necessary to go back if you want to save yourselves loads of work. I even had Microsoft support argue with me on this one until he realized what he was asking for. In fact, you will also notice from the attached screen cap that I have also reverted back to launching the logon script from the AD profile rather than from GPO. This is another Vista necessity that I will cover in a future article.

Now, before you start thinking that modifying the path for thousands of user accounts leaves you no further ahead than using the Advanced Redirection option, I need to remind you about LDAP queries. I won't teach you about LDAP queries, but a short reminder is in order. DO NOT modify all your user accounts individually/manually. Active Directory Users and Computers (ADUC) allows you to perform LDAP queries/searches which enable you to target the objects you need so that you can make changes en masse. You can filter users on almost any property you wish such as group or OU membership. When you get a resultant list of users, you can simply highlight all of the objects and make one change.

Now, you may be worried that this won't be possible for you since each user's path must include the user's name. ADUC also happens to behave well in this regard. The path I have specified in my example '\\Server\Share\GMartin' is not the path I had provided. Instead I had provided the path '\\Server\Share\%Username%. ADUC automatically substituted the appropriate username for each user object (thank goodness it didn't put my name in all the paths).
LDAP is also the feature you will rely on to manage these paths in the future when changes are necessary. In the future you can do a search for all users who use a specific share and then change them again en masse - so learn LDAP!

That is all. Have I failed to anticipate one of your questions? Drop me a message and I'll do my best to improve it.


Scott said...

Thanks for the HomeShare/HomePath trick. Combine that with the registry manipulation trick in your "Folder Redirection: A Case Study" blog, and I'm much happier with the results than before. Of course, I do wish MS would either endorse this method or provide a decent alternative... (Normally I'd be nervous switching registry entries out from under Windows' nose, but I think this one is okay since even if some part of Windows does cache the old value somewhere, the new entry and old both resolve to exactly the same place.)

One question, though: could you clarify why you're launching the login script via AD instead of using GPOs (or point me to the blog you explained it in)? I'm curious because I have yet to find a need for this method... am I missing something? Thanks!

Gordon Martin said...

Hi Scott,

Thanks for your feedback! I'm glad I'm making a difference. All kudos aside, I'm afraid I have let you down with the registry mod. I'm sure you love it and are having a great time with it - but it has turned out to be a trap. DO NOT INSTALL SP1 RC1 if you are sticking the drive letter in the registry. For some reason SP1 RC1 goes haywire and decides to delete your redirected folders off of the server instead. It's a very strange problem and didn't happen with SP1 Beta. You need to stop using the drive letter substitution. I will be updating my articles this weekend to reflect this development.

I do have Microsoft looking at the problem - hopefully they will find a solution. In the mean time... if you have any applications that rely on a drive letter, you will have to stop redirecting AppData to a server. If you liked the registry hack for protecting you from the move data strangeness, substitute variables in the registry instead - use: "%HomeShare%%HomePath%\_____".

In regards to your comment about Microsoft providing a decent alternative... I have begun a DCR process with Microsoft to get them to change the design of the Folder Redirection GPOs - but I'm sure this process will take months.

In answer to your last question, I'm saving the article for the logon script behavior until after I've talked about UAC a little more. Here's a teaser. UAC prevents a logon script GPO from properly mapping drives. I'm sure you have had to use a workaround to get mapping to work. Either by using a scheduled task or a registry mod or something. Tell me which solution you used and I will tell you what's wrong with it. If you had absolutely no trouble getting a GPO script to map drives, tell me what local groups your users are members of (i.e. Power Users or Users, etc.)

Scott said...
This comment has been removed by the author.
Scott said...

Arrgh! Well, that does figure, doesn't it? No need to apologize -- all of us out looking for creative solutions to annoying problems know (or ought to know) that we use them at our own risk. Unsupported solutions sometimes gives unexpected and/or unpleasant results. How were you to know that such a radical behavior change would be introduced between SP1 Beta and RC1? Here's hoping MS spots (and fixes) the issue, or that your DCR process goes quicker than expected. : )

Yes, I've got an application (X-Win32 v8 & v9, so I'm using eXcursion for now) which chokes on AppData UNC paths, and yes, I do like the protection from the data migration quirks (I'll definitely be keeping the %HOMESHARE%%HOMEPATH% trick), but what I liked best about your registry mod was the improved user experience. I only administer a 25-machine university student lab, so migration isn't as big a concern, but the UI makes a big difference. Like you said, students get confused when all of a sudden they're in a strange folder structure out on the network, and I can't say I blame them!

I'm loathe to can the AppData redirection because some users aren't good about keeping it small, and not all of those would know how to fix it (and very well may not ask for help for a slow logon problem). I guess the UI mess will have to be fixed another day... it was nice while it lasted. :)

As for the mapped drive issue, I'll have to get back to you soon. I use the "net use" command from a batch file launched from a VBScript specified in specified in a GPO's Windows Settings\Scripts\Logon property. I also have the UAC prompt disabled for normal users (no need to encourage password guessing... :) I haven't modified the default local group memberships. I'm 99% positive that the maps are working fine, but I'm in the middle of transitioning to new server hardware (my lab is down right now before the semester starts), so I can't easily check at the moment. I'll let you know!

Gordon Martin said...

I feel your pain. It was too good to be true.

Let me know how you get your application to work while redirecting AppData to a UNC path. You might try changing the AppData environment variable to point to a drive letter from within a CMD prompt - then launch your program while within the CMD prompt - perhaps it will be fooled. It's funny how Vista has advanced technologies like Registry Virtualization but forgets the small things like a path variable - the result is the same in the end.

Yes it's the disabled UAC prompt that is saving you from drive mapping troubles. - Not an option for many of us.

Anonymous said...

I use the same trick (adding the user's name to the home folder path) to specify a target share; however, when I enable folder redirection on a vista box, it changes the folder name "\\home\share\user1" to "\\home\share\Documents". Is there a way to stop this behavior?

Gordon Martin said...

The name of the folder displayed to the user is controlled by the Desktop.ini in that folder. You would need to change that property in the INI to affect what the user sees in Windows Explorer. I have a few articles about this on this blog - take a look in the topics section or search for dekstop.ini via the google search on this page.

But it will be tricky if you want to automatically have the proper value in the dekstop.ini whenever one gets created. The Desktop.ini gets moved from the user's computer - the first time they get hit by folder redirection. The one on the computer probably comes from the default profile or something. You will have to track it back to the start and change what gets created by default - either that or go around modifying the file after the user has put a file on the share. Whatever the case, it's messy and irritating. Please post if you come up with a workable solution. Maybe we can write an article based on what you come up with.

ief said...

I have a Windows 2003 domain with XP clients. I'am seperated the home directories over multiple servers. On the application data folder i tried to basic redirect it to the home folder with the %HomeShare%%HomePath%, but i does not work. Do you know what's going wrong?

Gordon Martin said...

It's hard to answer without more details - feel free to add more information. Also, keep in mind that I went through all my troubleshooting with Vista, not XP.

Some questions I have:

1) Will XP redirect to a UNC path? Or does it want a drive letter path instead (I've only ever used the latter).
2) Can XP redirect the Application Data folder? Don't forget that Vista supports the redirection of many more folders than XP. Juts because the GPO offers it doesn't mean that the OS responds to it.