Creating the Secure Managed Desktop
By Jeremy Moskowitz
The following are excerpts from chapter three of Jeremy Moskowitz's book, "Creating the Secure Managed Desktop." Learn more about Group Policy and Jeremy's Group Policy hands-on workshops at www.GPanswers.com/workshop.
Redirected Folders allow the administrator to provide a centralized repository for certain noteworthy folders from client systems and to have the data contained in them actually reside on shared folders on servers. It's a beautiful thing. The administrator gets centralized control; users get the same experience they always did. It's the best of both worlds.
Available Folders to Redirect
Windows XP and Windows Vista have different folders that are available for redirection. In Windows XP you can set Redirected Folders for the following:
- My Documents
- My Pictures
- Desktop
- Start Menu
- Application Data
In Windows Vista, you can Redirect the following folders:
- Contacts (not previously available in Windows XP)
- Start Menu (like Windows XP, but see the note following this list)
- Desktop (like Windows XP)
- Documents (was called My Documents in Windows XP)
- Downloads (not previously available in Windows XP)
- Favorites (not previously "redirectable" in Windows XP, but available in the Roaming Profile)
- Music (was called My Music in Windows XP)
- Videos (was called My Videos in Windows XP)
- Pictures (was called My Pictures in Windows XP)
- Searches (not previously available in Windows XP)
- Links (not previously available in Windows XP)
- AppData (Roaming) (was called simply Application Data in XP)
- And (Lord help us), Saved Games (not previously available in Windows XP)
Note: The Start Menu redirection support in Windows Vista is actually better than XP, because in XP you didn't have the ability to redirect each user's Start Menu folder to a different location. You could only do it to a shared location. It wasn't as flexible as My Documents.
For each of these settings, there is a Basic and an Advanced configuration.
The idea is to set up a GPO that contains a policy setting to redirect one or more of these folders for clients and "stick them" on a server. Usually the GPO is set at the OU level, and all users inside the OU are affected; however, there might occasionally be a reason to link the GPO with the policy setting to the domain or site level.
In the Basic configuration, every user who is affected by the policy setting is redirected to the same shared folder. Then, inside the shared folder, the system automatically creates an individual folder for each user to store their stuff. By default the user is granted exclusive rights to that folder, so only that user and SYSTEM have access to it; administrators cannot read its contents without first taking ownership, which is worth knowing before you plan backups or support workflows around it.
In the Advanced configuration, Active Directory security group membership determines which users' folders get redirected to which shared folder. For instance, you could say, "All members of the Graphic_Artists Global security group will get their desktops redirected to the ga_Desktops shared folder on Server6" or, "All members of the Sales Universal security group will get their Application Data redirected to the AppData share on Server Pineapple."
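Whether you use Basic or Advanced, the target share has to exist before the policy applies, and its NTFS permissions decide whether users can create their own folder without being able to wander into anyone else's. The following PowerShell is an added example, not code from the book; it prepares a root share for redirected Documents on a file server. The local path, the share name and the "Documents$" naming are assumptions, and the rights it grants follow Microsoft's documented recommendations for a Folder Redirection root: SYSTEM gets Full Control, CREATOR OWNER gets Full Control on subfolders and files only, and Authenticated Users get just enough on the root itself to list it and create a folder.

```powershell
# Added example (not from the book): provision the server-side root share for
# Basic folder redirection. $Root and $ShareName are assumptions.
$Root      = 'D:\Redirected\Documents'   # assumed local path on the file server
$ShareName = 'Documents$'                # assumed (hidden) share name

New-Item -Path $Root -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $Root
# Stop inheriting the volume's permissions and discard the inherited ACEs,
# so nothing wider than what we add below reaches the user folders.
$acl.SetAccessRuleProtection($true, $false)

$full   = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$noProp = [System.Security.AccessControl.PropagationFlags]::None
$thisFolderOnly     = [System.Security.AccessControl.InheritanceFlags]::None
$subfoldersAndFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# SYSTEM: Full Control on this folder, subfolders and files (the client-side
# redirection engine runs as SYSTEM when it creates the user's folder).
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', $full, $subfoldersAndFiles, $noProp, $allow)))

# CREATOR OWNER: Full Control on subfolders and files only. The user who creates
# a folder becomes its owner and the only non-SYSTEM principal with access.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CREATOR OWNER', $full, $subfoldersAndFiles,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly, $allow)))

# Administrators: Full Control on the root so the share can be managed.
# Note this does not reach folders created with "exclusive rights", because
# those are created with inheritance disabled.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', $full, $subfoldersAndFiles, $noProp, $allow)))

# Authenticated Users: list the root, traverse it and create their own folder,
# on this folder only. They get nothing on other users' folders.
$rootRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories, ReadAttributes, Traverse'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\Authenticated Users', $rootRights, $thisFolderOnly, $noProp, $allow)))

Set-Acl -Path $Root -AclObject $acl

# Share permissions can be broad; the NTFS ACL above is what actually limits access.
New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Authenticated Users' | Out-Null

# Show the resulting ACL so it can be eyeballed before the GPO is linked.
(Get-Acl -Path $Root).Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Run it once per target share (one root per redirected folder, or one per security group when you use the Advanced configuration) and point the policy setting at `\\server\Documents$` rather than at a subfolder. Resist the urge to give Authenticated Users Read on "subfolders and files" to make troubleshooting easier; that single change lets every user browse every other user's Documents.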
Note that any folders that lived under the My Documents folder (pre-Vista) now have an additional option, as seen in Figure 3.2. That is, you can choose to let these folders just "Follow the Documents folder," which maintains the legacy folder hierarchy of My Documents if need be. Again, this option is only for folders within Documents (Music, Videos, and Pictures).
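Once the GPO is linked, the quickest way to confirm on a client that a folder really moved, and where it went, is to read the per-user User Shell Folders key, which is what Explorer and applications consult to resolve Documents, Desktop and the rest. The script below is an added example, not the book's own, and runs as the logged-on user. The registry value names are the real ones used by Windows; the expected server name is an assumption, chosen to match the book's Server6.

```powershell
# Added example (not from the book): report where the well-known user folders
# currently resolve and flag any that are still on a local path.
$ExpectedServer = 'Server6'   # assumption; use the server named in your GPO

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Registry value name -> folder as the Folder Redirection UI names it
$watch = @{
    'Personal'    = 'Documents'
    'Desktop'     = 'Desktop'
    'AppData'     = 'AppData (Roaming)'
    'Favorites'   = 'Favorites'
    'Start Menu'  = 'Start Menu'
    'My Pictures' = 'Pictures'
    'My Music'    = 'Music'
    'My Video'    = 'Videos'
}

$props  = Get-ItemProperty -Path $key
$report = foreach ($name in $watch.Keys) {
    $raw = $props.$name
    if ($null -eq $raw) { continue }   # value not present on this OS or profile
    # Values are REG_EXPAND_SZ; expand again in case the provider did not.
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    [pscustomobject]@{
        Folder     = $watch[$name]
        Path       = $path
        Redirected = $path.StartsWith('\\')
        OnExpected = $path -like "\\$ExpectedServer\*"
    }
}

$report | Sort-Object Folder | Format-Table -AutoSize

$stillLocal = $report | Where-Object { -not $_.Redirected }
if ($stillLocal) {
    Write-Warning ('Still local: ' + ($stillLocal.Folder -join ', '))
}
$elsewhere = $report | Where-Object { $_.Redirected -and -not $_.OnExpected }
if ($elsewhere) {
    Write-Warning ('Redirected, but not to ' + $ExpectedServer + ': ' + ($elsewhere.Folder -join ', '))
}
```

With "Follow the Documents folder" selected on Vista, Pictures, Music and Videos show up as paths beneath the Documents UNC rather than as separate shares, which is exactly what the report should reveal. A folder that stays local after a fresh logon usually points at one of two things: the policy did not apply to this user (check with `gpresult /r`), or the client could not create the user's folder on the share because the root ACL is wrong.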
Read other excerpts from Jeremy Moskowitz's book, Creating the Secure Managed Desktop.