Wednesday, June 25, 2025

GPO Folder redirection

 

Configure Folder Redirection using Group Policy

Folder Redirection allows administrators to redirect folder paths to a new location, either locally or on a network share. Using Group Policy, you can configure these locations under Windows Settings in the Group Policy Management Console (GPMC). The path is <Group Policy Object Name>\User Configuration\Policies\Windows Settings\Folder Redirection.

To learn more about Folder Redirection, see Folder Redirection, Offline Files, and Roaming User Profiles overview.

Which folders can you redirect?

You can use the GPMC to redirect the following folders:

  • AppData/Roaming

  • Contacts

  • Desktop

  • Documents

  • Downloads

  • Favorites

  • Links

  • Music

  • Pictures

  • Saved Games

  • Searches

  • Start Menu

  • Videos

Types of Folder Redirection

You can configure Folder Redirection to either redirect all users' folders to a single location or assign different locations based on users' security group memberships. The following list summarizes the types of folder redirection.

You can choose between the following settings:

  • Basic - Redirect everyone's folder to the same location. This setting enables you to redirect everyone's folder to the same location and is applied to all users included in the Group Policy Object. For this setting, you have the following options in specifying a target folder location:

    • Create a folder for each user under the root path. This option creates a folder in the form \\server\share\User Account Name\Folder Name. Each user has a unique path for their redirected folder.

    • Redirect to the following location. This option uses an explicit path for the redirection location. If an explicit path is used, it can cause multiple users to share the same path for the redirected folder. Consider using environment variables in the path to create a unique path for each user.

    • Redirect to the local user profile location. This option moves the location of the folder to the local user profile under the Users folder.

  • Advanced - Specify locations for various user groups. This setting enables you to specify redirection behavior for the folder based on the security group memberships for the GPO.

  • Not configured. This option is the default setting. It specifies that policy-based folder redirection was removed for that GPO. Folders are either redirected to the local user profile location or remain where they are, depending on the redirection options selected. No changes are made to the current folder location.

Prerequisites for Folder Redirection

To configure Folder Redirection using Group Policy, you must meet the following prerequisites:

  • An Active Directory Domain Services (AD DS) domain, with client computers joined to the domain. There are no forest or domain functional-level requirements or schema requirements.

  • Permission in AD DS to create and link Group Policy Objects (GPOs) in the domain or organizational unit (OU) where the users are located.

  • Client computers running Windows or Windows Server.

  • A computer with the Group Policy Management Console installed.

Configuring Folder Redirection

To configure Folder Redirection using Group Policy, follow these steps:

  1. Select the Start button, type Group Policy Management, and then open Group Policy Management from the best match list.

  2. In the console tree, expand the domain or organizational unit (OU) where you want to create or edit the GPO.

  3. Perform one of the following actions:

    • To create a new Group Policy Object (GPO) for Folder Redirection, right-click the appropriate domain or organizational unit (OU), and then select Create a GPO in this domain, and link it here.

    OR

    • To edit an existing GPO, right-click the appropriate GPO, and then select Edit.

  4. In the Group Policy Management Editor policy navigation tree, expand User Configuration > Policies > Windows Settings > Folder Redirection.

  5. Right-click the folder you want to redirect, and then select Properties.

  6. On the Target tab, select the option that you want to use for the redirection target.

  7. Select the target location for the folder redirection, as described in Types of Folder Redirection.

  8. If necessary, enter the path for the target location. The path can be a local folder or a network share. The path must be in the form \\server\share\FolderName.

  9. Select OK to save the settings.

  10. Repeat the steps for each folder that you want to redirect.

To force the GPO to be applied, run the 'gpupdate /force' command on the client computers or wait for the next Group Policy refresh interval.

Configuring other settings for the redirected folder

In the Settings tab in the Properties box for a folder, you can enable the following settings.

  • Grant the user exclusive rights. This setting is enabled by default and is a recommended setting. This setting specifies that the administrator and other users don't have permissions to access this folder.

  • Move the contents of <FolderName> to the new location. This setting moves all the data the user has in the local folder to the shared folder on the network.

    Caution

    Moving all data can take a large amount of time, depending on the speed of the connection and volume of data. The time to move all data could be significant if both locations are remote. You might also notice a delay when pinning and unpinning files in remote locations, as the file needs to sync between the cache and the file share.

  • Policy Removal. The following table summarizes the behavior of redirected folders and their contents when the GPO no longer applies, based on your selections for policy removal. The following policy removal options are available in the Settings tab, under Policy Removal.

| Policy removal option | Selected setting | Result |
| --- | --- | --- |
| Redirect the folder back to the user profile location when policy is removed (1) | Enabled | The folder returns to its user profile location. The contents are copied, not moved, back to the user profile location. The contents aren't deleted from the redirected location. The user continues to have access to the contents, but only on the local computer. |
| Leave the folder in the new location when policy is removed | Enabled | The folder remains at its redirected location. The contents remain at the redirected location. The user continues to have access to the contents at the redirected folder. |

(1) Moving all data back to the user profile can take a large amount of time, depending on the speed of the connection and volume of data. The time to move all data could be significant if both locations are remote. You might also notice a delay when pinning and unpinning files in remote locations, as the file needs to sync between the cache and the file share.

You can also use the GPMC to configure the following Folder Redirection policy settings:

  • Use localized subfolder names when redirecting Start and My Documents. This policy is located in the following paths: Computer Configuration\Policies\Administrative Templates\System\Folder Redirection, or User Configuration\Policies\Administrative Templates\System\Folder Redirection.

  • Do not automatically make redirected folders available offline. This policy is located in the following path: User Configuration\Policies\Administrative Templates\System\Folder Redirection.

Specify the location of folders in a user profile

You can use Group Policy to specify another location (in other words, "redirect" the location) for folders within user profiles. You can redirect folders either to one location for everyone or to different locations based on the security group membership of users. You can also configure other settings for the redirected folder. The settings that you can configure include:

  • Granting exclusive user rights to the folder.
  • Moving the contents of the folder to the new location.
  • Applying redirection policy to earlier Windows operating systems.
  • Specifying system behavior if the policy is removed.

 

Source:

 https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-using-group-policy 

--------------------------

 

ISSUE:

VERDE offers built-in document redirection functionality in the virtual desktop (guest). By default, the Windows "Documents" folder is automatically redirected to the virtual desktop D: drive. Some customers may need to redirect the Windows "Documents" folder to a shared network drive. The information below tells Windows administrators how to proceed.

 

SOLUTION:

1. Set the NTFS permissions

Create the folder in the desired location (for example, X:\usershare).

From the new folder properties, disable inheritance of permissions from the parent and remove all inherited permissions by clicking the appropriate button.

One entry will already be in the DACL: Local Administrators.

  1. Alter Local Administrators: Full Control: This folder, subfolders and files.
  2. Alter or Add SYSTEM: Full Control: This folder, subfolders and files.
  3. Alter or Add CREATOR OWNER: Full Control: This folder, subfolders and files.
  4. Add Authenticated Users: List folder / read data, Create folders / append data: This folder only.
  5. Add Domain Admins: Full Control: This folder, subfolders and files.
  6. Click OK.

These permissions enable users to create their redirected folder in the root folder, but restrict the ability to browse the contents of other folders. Best practice dictates that you should allow the redirected folder locations to create themselves as users log on.

 

2. Create the share and add share permissions

Share the root folder created earlier as \\SERVER\usershare (or if you want to hide it, \\SERVER\usershare$\)

Adjust the share permissions as follows:

  1. Remove Everyone.
  2. Grant Authenticated Users Full Control.
  3. Grant Domain Admins Full Control (Not necessary but useful for completeness).

3. Configure the Group Policy Object (GPO)

  1. Open the Group Policy Manager.
  2. Create a new GPO or edit an existing one.
  3. Open User Configuration > Policies > Windows Settings > Folder Redirection.
  4. Right-click Documents and click Properties.
  5. Choose Basic - Redirect everyone's folder to the same location.
  6. Under Target folder location choose Create a folder for each user under the root path.
  7. Set the Root Path to \\SERVER\usershare.
  8. As the path is entered, an example location is displayed to show how the folders will be created as users log on.
  9. On the Settings tab, uncheck Grant the user exclusive rights to Documents.
  10. Under Policy Removal, select your preferred option depending on your requirements.
  11. Link the GPO at the appropriate OU.

Once a user logs in (for example, juser), the following folders are created on the shared drive: c:\usershare\juser\Documents. The "Documents" folder, which used to redirect to \\host\Shares\Documents (the default), is then redirected to \\SERVER\usershare\<user>\Documents.
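
Steps 1 and 2 above can be scripted and then checked on the file server. The following PowerShell is an added example, not part of the NComputing article; X:\usershare comes from the text, while the hidden share name usershare$ and the EXAMPLE domain name are assumed placeholders.

```powershell
# Added example. $Root, $Share and $Domain are placeholders; run elevated on the file server.
$Root   = 'X:\usershare'
$Share  = 'usershare$'      # trailing $ hides the share
$Domain = 'EXAMPLE'         # hypothetical NetBIOS domain name

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# Step 1: explicit DACL, inheritance disabled. Well-known SIDs avoid localized names:
#   S-1-5-32-544 Administrators, S-1-5-18 SYSTEM, S-1-3-0 CREATOR OWNER,
#   S-1-5-11 Authenticated Users.
# (OI)(CI)F = Full Control on this folder, subfolders and files.
# (RD,AD) without inheritance flags = list folder / create folders, this folder only.
icacls $Root /inheritance:r /grant:r `
    '*S-1-5-32-544:(OI)(CI)F' `
    '*S-1-5-18:(OI)(CI)F' `
    '*S-1-3-0:(OI)(CI)F' `
    '*S-1-5-11:(RD,AD)' `
    "$Domain\Domain Admins:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 2: create the share with only the two principals from the list above.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Root `
        -FullAccess 'NT AUTHORITY\Authenticated Users', "$Domain\Domain Admins" | Out-Null
}

# Check: a broad group holding an ACE that inherits into the per-user folders would
# let users browse each other's redirected Documents.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, Users
$sidType   = [System.Security.Principal.SecurityIdentifier]
$badAces = (Get-Acl -Path $Root).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritanceFlags -ne 'None' -and
    $_.IdentityReference.Translate($sidType).Value -in $broadSids
}
$everyone = Get-SmbShareAccess -Name $Share | Where-Object { $_.AccountName -eq 'Everyone' }

if ($badAces -or $everyone) {
    $badAces  | Format-Table IdentityReference, FileSystemRights, InheritanceFlags
    $everyone | Format-Table Name, AccountName, AccessRight
    Write-Warning "$Root or \\$env:COMPUTERNAME\$Share is more permissive than steps 1 and 2 describe."
} else {
    'No inheritable ACE for broad groups on the root folder and no Everyone entry on the share.'
}
```

Because the share grants Authenticated Users Full Control, the NTFS DACL on the root folder is what keeps users out of each other's folders, which is why the check looks at inheritance flags rather than at the rights alone.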

Source:

 https://support.ncomputing.com/portal/en/kb/articles/folder-redirection-changing-the-windows-documents-to-a-network-drive

-----------------------

 

 

Monday, June 2, 2025

Active Directory count

Import-Module ActiveDirectory

# @() forces an array, so .Count is reliable even when a query returns a single object
@(Get-ADUser -Filter *).Count
@(Get-ADComputer -Filter *).Count
@(Get-ADGroup -Filter *).Count

# Combined total of users, groups and computers
$ADUser = @(Get-ADUser -Filter *).Count
$ADGroup = @(Get-ADGroup -Filter *).Count
$ADComputer = @(Get-ADComputer -Filter *).Count
$ADObjects = $ADUser + $ADGroup + $ADComputer
$ADObjects

Count for specific OU:

@(Get-ADUser -Filter * -SearchBase "OU=Users,DC=example,DC=com").Count
 

Sunday, June 1, 2025

Rename Active Directory Domain name

 

 

Renaming an Active Directory Domain: Overview and Steps

Renaming an Active Directory (AD) domain is a complex and potentially risky operation that requires careful planning, thorough backups, and a detailed understanding of your environment and dependencies. While technically possible, it is generally discouraged for large or complex infrastructures due to the risk of service disruption and the extensive manual remediation required afterward. In many cases, migrating to a new domain is a safer alternative, but for smaller or less complex environments, the rename process can be managed with the right precautions[1][2][3][4].

Key Considerations Before You Begin

·        Backup: Ensure you have a comprehensive and tested backup of all domain controllers and critical data[1][3][4].

·        Check Replication Health: Confirm that AD replication is healthy and DNS is functioning properly[1].

·        No Exchange: If you have Exchange Server (except Exchange 2003), you cannot rename the domain[1][2][5][4].

·        Review Dependencies: Identify and plan for all applications, services, trusts, certificates, group policies, and scripts that reference the old domain name[3][4].

·        Test Environment: If possible, simulate the rename in a lab environment first[3].

·        Downtime: Prepare for downtime and notify users and stakeholders[3].

·        Functional Level: Your forest functional level must be at least Windows Server 2003[6][1][4].

Step-by-Step Process

1. Prepare DNS for the New Domain Name

·        Create a new primary DNS zone for the new domain name on your domain controllers using the DNS Manager (dnsmgmt.msc)[1][7][4].

·        Ensure the new zone replicates to all DNS servers in the domain[1][4].

2. Use the rendom Tool to Manage the Rename

The rendom command-line tool is used for the domain rename process. The basic steps are:

1. Generate Domain List

   o Run rendom /list to create a Domainlist.xml file with the current domain configuration[6][7][5].

2. Edit the Domain List

   o Edit Domainlist.xml and change the old domain name to the new domain name[6][7][5].

3. Upload and Prepare

   o Run rendom /upload to upload the modified file to the domain controller holding the Domain Naming Master FSMO role[7][5].

   o Run rendom /prepare to check if all domain controllers are ready for the rename[6][7][5].

4. Execute the Rename

   o Run rendom /execute to apply the changes and rename the domain[6][7][5].

5. Reboot Domain Controllers

   o Reboot all domain controllers as required by the process[6].
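
The edit in step 2 should also cover the entries that sit under the old name, such as the DomainDnsZones and ForestDnsZones application partitions. The following PowerShell is an added example, not taken from the cited sources; it runs on a constructed Domainlist.xml sample and uses the old.domain/new.domain and OLDNB/NEWNB placeholders from the gpfixup lines on this page.

```powershell
# Added example. The XML below is a constructed sample in the layout that rendom /list writes;
# load a real file with: [xml]$list = Get-Content .\Domainlist.xml -Raw
[xml]$list = @'
<?xml version="1.0"?>
<Forest>
  <Domain><!-- PartitionType:Application -->
    <Guid>00000000-0000-0000-0000-000000000001</Guid>
    <DNSname>DomainDnsZones.old.domain</DNSname><NetBiosName></NetBiosName><DcName></DcName>
  </Domain>
  <Domain><!-- PartitionType:Application -->
    <Guid>00000000-0000-0000-0000-000000000002</Guid>
    <DNSname>ForestDnsZones.old.domain</DNSname><NetBiosName></NetBiosName><DcName></DcName>
  </Domain>
  <Domain><!-- ForestRoot -->
    <Guid>00000000-0000-0000-0000-000000000003</Guid>
    <DNSname>old.domain</DNSname><NetBiosName>OLDNB</NetBiosName><DcName></DcName>
  </Domain>
</Forest>
'@

function Update-DomainList {
    # Hypothetical helper: rewrites DNSname and NetBiosName in place on the loaded document.
    param($Xml, [string]$OldDns, [string]$NewDns, [string]$OldNb, [string]$NewNb)
    # Match the old name as a whole DNS suffix, so "old.domain" and "x.old.domain" match
    # but "notold.domain" does not.
    $suffix = '(^|\.)' + [regex]::Escape($OldDns) + '$'
    foreach ($d in $Xml.Forest.Domain) {
        if ($d.DNSname -match $suffix) {
            $d.DNSname = $d.DNSname -replace $suffix, ('${1}' + $NewDns)
        }
        if ($d.NetBiosName -eq $OldNb) { $d.NetBiosName = $NewNb }
    }
}

Update-DomainList -Xml $list -OldDns 'old.domain' -NewDns 'new.domain' -OldNb 'OLDNB' -NewNb 'NEWNB'
$list.Forest.Domain | Select-Object DNSname, NetBiosName | Format-Table -AutoSize

# Anything still carrying the old suffix would be left behind by the rename.
$left = @($list.Forest.Domain | Where-Object { $_.DNSname -match '(^|\.)old\.domain$' })
if ($left.Count) { Write-Warning "$($left.Count) entries still reference old.domain" }

# To write the result back before rendom /upload (full path required):
# $list.Save("$PWD\Domainlist.xml")
```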

3. Post-Rename Tasks

·        Update Group Policies: Use gpfixup to update GPO references:

o   gpfixup /olddns:old.domain /newdns:new.domain

o   gpfixup /oldnb:OLDNB /newnb:NEWNB [7][5]

·        Update DNS Records: Manually verify and update DNS records (A, PTR, etc.) as needed[6].

·        Reconfigure Applications: Update application configurations, scripts, and services that reference the old domain name (e.g., Backup Exec, Splunk, NPS, DHCP, CA)[6][3].

·        Recreate Trusts: Recreate or adjust any external trusts[6].

·        Verify Replication: Use repadmin /replsummary to ensure AD replication is healthy[6].

·        Monitor Logs: Check logs for errors in dependent services[6].

·        Client Devices: Be prepared to restart client devices, and in some cases, rejoin them to the domain[2][3].

Risks and Warnings

·        Potential for Service Disruption: If not executed properly, domain rename can lead to data loss or critical service failures[3].

·        Unsupported Scenarios: Many Microsoft and third-party applications do not support domain rename. Exchange (except 2003), some certificate authorities, and Azure AD Connect are notable examples[2][5][4].

·        Complexity: The process is intricate, and unforeseen issues can arise. Always have a rollback plan and consider professional assistance if you lack experience with AD domain renames[3].

Summary Table: Key Steps

| Step | Command/Action | Notes |
| --- | --- | --- |
| Backup & Health Check | Manual | Ensure all backups and AD health |
| Create DNS Zone | DNS Manager (dnsmgmt.msc) | For new domain name |
| Generate Domain List | rendom /list | Creates Domainlist.xml |
| Edit Domain List | Edit Domainlist.xml | Change old to new domain name |
| Upload Changes | rendom /upload | Upload to Domain Naming Master |
| Prepare Rename | rendom /prepare | Checks readiness |
| Execute Rename | rendom /execute | Applies new domain name |
| Reboot DCs | Manual | Required for changes to take effect |
| Fix GPOs | gpfixup /olddns: /newdns: and /oldnb: /newnb: | Updates GPO and NetBIOS references |
| Update DNS/Apps/Trusts | Manual | Update all references to old domain |
| Verify Replication | repadmin /replsummary | Ensure AD replication is healthy |

 

References

·        [Microsoft Q&A: Active Directory rename][6]

·        [Windows OS Hub: How to Rename an Active Directory Domain][1]

·        [TheITBros: How to Rename an Active Directory Domain][4]

·        [YouTube: How to Rename an Active Directory Domain Name][7]

·        [Reddit: Renaming Active Directory Domain on Windows Server][2]

In summary: Renaming an Active Directory domain is possible but risky and complex. Ensure you have full backups, test the process, and follow the steps meticulously. If your environment is large or contains unsupported applications (like Exchange), consider migrating to a new domain instead[1][2][3][4].

1.      https://woshub.com/rename-active-directory-domain/        

2.     https://www.reddit.com/r/sysadmin/comments/16ag0do/renaming_active_directory_domain_on_windows/     

3.      https://learn.microsoft.com/en-us/answers/questions/1339731/rename-domain         

4.     https://theitbros.com/how-to-rename-active-directory-domain/         

5.      https://www.urtech.ca/2021/12/solved-video-how-to-rename-an-active-directory-domain/amp/       

6.     https://learn.microsoft.com/en-us/answers/questions/2186008/active-directory-rename           

7.      https://www.youtube.com/watch?v=YEy887PUxGU       
