|Creating the Secure Managed Desktop|
By Jeremy Moskowitz
The following are excerpts from chapter three of Jeremy Moskowitz's book, "Creating the Secure Managed Desktop." Learn more about Group Policy and Jeremy's Group Policy hand-on workshops at www.GPanswers.com/workshop.
You get Active Directory, you get Group Policy. That's the good news. The better news is how you can put your knowledge of Group Policy to use to keep your users happy. Here's the idea: easily create a consistent environment for your users no matter where they roam.
Now, let's explore how to create a managed desktop. A managed desktop is one where you can create a predictable environment for your users to log into and enjoy. It's not put together with wacky applications and icons all over the place. You know what to expect when your users log on, and so do they.
In this chapter, author Jeremy Moskowitz will give you an overview of what a managed desktop is and is not and show you how to implement a slew of its features: Redirected Folders, Offline Files, and the Synchronization Manager.
Managing Windows folders with Redirected Folders
Redirected Folders allow the administrator to provide a centralized repository for certain noteworthy folders from client systems and to have the data contained in them actually reside on shared folders on servers. It's a beautiful thing. The administrator gets centralized control; users get the same experience they always did. It's the best of both worlds. Available Folders to Redirect Windows XP and Windows Vista have different folders that are available for redirection. In Windows XP you can set Redirected Folders for the following:
Creating the Secure Managed Desktop
Part 1: Managing Windows folders with Redirected Folders
Part 2: Managing folders inside the Windows documents folder
Part 3: Reduce data transfer time with Basic Redirected Folders
Part 4: Apply Folder Redirection in Windows with Group Policy Objects
Managing Windows folders with Redirected Folders
Redirected Folders allow the administrator to provide a centralized repository for certain noteworthy folders from client systems and to have the data contained in them actually reside on shared folders on servers. It's a beautiful thing. The administrator gets centralized control; users get the same experience they always did. It's the best of both worlds.
Available Folders to Redirect
Windows XP and Windows Vista have different folders that are available for redirection. In Windows XP you can set Redirected Folders for the following:
In Windows Vista, you can Redirect the following folders:
- Contacts (not previously available in Windows XP)
- Start Menu (like Windows XP, but see the note following this list)
- Desktop (like Windows XP)
- Documents (was called My Documents in Windows XP)
- Downloads (not previously available in Windows XP)
- Favorites (not previously "redirectable" in Windows XP, but available in the Roaming Profile)
- Music (was called My Music in Windows XP)
- Videos (was called My Videos in Windows XP)
- Pictures (was called My Pictures in Windows XP)
- Searches (not previously available in Windows XP)
- Links (not previously available in Windows XP)
- AppData (Roaming) (was called simply Application Data in XP)
- And (Lord help us), Saved Games (not previously available in Windows XP)
|Note: The Start Menu redirection support in Windows Vista is actually better than XP, because in XP you didn't have the ability to redirect each user's Start Menu folder to a different location. You could only do it to a shared location. It wasn't as flexible as My Documents.|
For each of these settings, there is a Basic and an Advanced configuration.
The idea is to set up a GPO that contains a policy setting to redirect one or more of these folders for clients and "stick them" on a server. Usually the GPO is set at the OU level, and all users inside the OU are affected; however, there might occasionally be a reason to link the GPO with the policy setting to the domain or site level.
In the Basic configuration, every user who is affected by the policy setting is redirected to the same shared folder. Then, inside the shared folder, the system can automatically create individual, secure folders for each user to store their stuff.
In the Advanced configuration, Active Directory security group membership determines which users' folders get redirected to which shared folder. For instance, you could say, "All members of the Graphic_Artists Global security group will get their desktops redirected to the ga_Desktops shared folder on Server6" or, "All members of the Sales Universal security group will get their Application Data redirected to the AppData share on Server Pineapple."
Note that any folders that lived under the My Documents folder (pre-Vista) now have an additional option as seen in Figure 3.2. That is, you can choose to let these documents just "Follow the Documents folder" which will maintain the legacy folder hierarchy of My Documents if need be. Again, this option is only for folders within Documents (Music, Videos, and Pictures.)
Managing folders inside the Windows documents folder
For our journey through Redirected Folders, we'll work primarily inside the Documents folder. All the principles that work on the special Documents folder work equally well for the other special "redirectable" folders, unless otherwise noted. At the end of this section, I'll briefly discuss why you might want to redirect some other folders as well.
In the last chapter, we explored how to leverage Roaming Profiles to maintain a consistent state for users if they hop from machine to machine. Roaming Profiles are terrific, but one significant drawback is associated with using Roaming Profiles. Recall that My Documents (for Windows XP) and Documents (for Windows Vista) are now part of the profile. On the one hand, this frees you from the bondage of drive letters and home drives. No more, "Ursula, put it in your U: drive," or "Harry, save it to the H: drive."
On the other hand, once the user data is in Documents/My Documents, your network will be swamped with all the up-and-back movement of data within Documents/My Documents when users hop from machine to machine -- 20MB of Word docs here, 30MB of Excel docs there. Multiply this by the number of users, and it'll add up fast! Not to mention that (for XP at least) that data is synchronized at logon and logoff and hence, the user may have to wait until it's all completed. As we learned in the previous chapter, the Roaming Profiles algorithm does its best to mitigate that, but it's still got to move the changed files.
But with Redirected Folders, you can have the best of both worlds. Users can save their files to the place they know and love, My Documents (for Windows XP) and Documents (for Windows Vista), and anchor the data to a fixed location, so it appears as if the data is roaming with the users. But it really isn't; it's safe and secure on a file share of your choice. And, since the data is already on the server, there's no long wait time when logging on or logging off.
There are two added bonuses to this scheme. Since all the Documents/My Documents files are being redirected to specific fixed-shared folders, you can easily back up all the user data in one fell swoop. Perhaps you can even make a separate backup job specifically for the user data that needs to be more closely monitored. Additionally, you can set up Shadow Copies for the disk volumes that house redirected Documents/My Documents files so users can restore their own files if necessary. The Shadow Copies function is explored in Chapter 9.
Reduce data transfer time with Basic Redirected Folders
Basic Redirected Folders works best in two situations:
- Smaller environments -- such as a doctor's office or storefront -- where all employees sit under one roof
- In an organization's OU structure that was designed such that similar people are not only in the same OU but are also in the same physical location
The reason these simple scenarios make a good fit with the basic option is that such situations let you redirect the users affected by the policy setting to a server that's close to them. That way, if they do roam within their location, the wait time is minimal to download and upload the data back and forth to the server and their workstation.
In the following example, I've created an OU called LikeUsers who are all using the same local server, DC01. Setting up a basic Redirected Folders for My Documents is a snap. It's a three-step process:
- Create a shared folder to store the data.
- Set the security on the shared folder.
- Create a new GPO and edit it to contain a policy setting to redirect the Documents/MyDocuments folder.
- Log onto DC01 as Administrator.
- From the Desktop, double-click My Computer to open the My Computer folder.
- Find a place to create a users folder. In this example, we'll use D:DATA. Once you're inside the D: drive, right-click D: and select the Folder command from the New menu, then type in Data for the name.
- Right-click the newly created Data folder, and choose "Share…" which opens the Properties of the folder, focused on the Sharing tab. Pull down the drop-down menu and select Everyone, and then click Add. Note that Windows Server 2003 and 2008 will default such that the share is Everyone:Read. Click "Share" and ensure that the share is set so that Everyone has Coowner permissions, as seen in Figure 3.3. Keep the rest of the defaults, and click OK. (Note that Co-owner rights are almost the same as the "Full Control" rights of yore.)
You can substitute any name for Data. Some use DOCS, MYDOCS, or REDIRDOCS. Some administrators like to use hidden shares, such as Data$, MYDOCS$, or MYDOCUMENTS$. This works well, too.
Be sure that the NTFS permissions allow write access for the users you want, as well. In other words, both the Share level and NTFS permissions must allow the user to write.
Apply Folder Redirection in Windows with Group Policy Objects
Now that the share is created, we're ready to create a new GPO to do the magic. Again, you'll want to do this on your Windows Vista management station, VISTAMANGEMENT. This machine should have Windows Vista + SP1 + the RSAT tools, which contain GPMC 2.0. For more information see the Introduction to this book for a lab setup guide.
To set up Redirected Folders for Documents/My Documents, follow these steps:
1. In the GPMC, right-click the OU on which you want to apply Folder Redirection (in my case, the LikeUsers OU), and choose "Create a GPO in this domain, and Link it here."
2. Name the GPO, say, "Documents Folder Redirection," as shown in Figure 3.4.
FIGURE 3.4 The LikeUsers OU has a GPO named "Documents Folder Redirection." After drilling down into the folder that you want to redirect, right-click and choose Properties.
3. Right-click the new GPO, and choose Edit from the shortcut menu to open the Group Policy Management Editor.
4. Drill down to Folder Redirection by choosing User Configuration _ Policies _ Windows Settings _ Folder Redirection. Right-click the Documents entry in the Group Policy Management Editor, and choose Properties to open the Documents Properties dialog box, as shown in Figure 3.5.
5. In the Setting drop-down list box, select "Basic -- Redirect everyone's folder to the same location."
Don't click OK (or Apply) yet. There's more to do. If you do click OK or Apply, you're going to get a warning.
This was first published in October 2008