Creating the Secure Managed Desktop
By Jeremy Moskowitz
The following are excerpts from chapter three of Jeremy Moskowitz's book, "Creating the Secure Managed Desktop." Learn more about Group Policy and Jeremy's Group Policy hands-on workshops at www.GPanswers.com/workshop.
For our journey through Redirected Folders, we'll work primarily inside the Documents folder. All the principles that work on the special Documents folder work equally well for the other special "redirectable" folders, unless otherwise noted. At the end of this section, I'll briefly discuss why you might want to redirect some other folders as well.
In the last chapter, we explored how to leverage Roaming Profiles to maintain a consistent state for users if they hop from machine to machine. Roaming Profiles are terrific, but they come with one significant drawback. Recall that My Documents (for Windows XP) and Documents (for Windows Vista) are now part of the profile. On the one hand, this frees you from the bondage of drive letters and home drives. No more, "Ursula, put it in your U: drive," or "Harry, save it to the H: drive."
On the other hand, once the user data is in Documents/My Documents, your network will be swamped with all the up-and-back movement of data within Documents/My Documents when users hop from machine to machine -- 20MB of Word docs here, 30MB of Excel docs there. Multiply this by the number of users, and it'll add up fast! Not to mention that (for XP at least) the data is synchronized at logon and logoff, and hence the user may have to wait until it's all completed. As we learned in the previous chapter, the Roaming Profiles algorithm does its best to mitigate that, but it's still got to move the changed files.
But with Redirected Folders, you can have the best of both worlds. Users can save their files to the place they know and love, My Documents (for Windows XP) and Documents (for Windows Vista), while the data is anchored to a fixed location, so it appears as if the data is roaming with the users. But it really isn't; it's safe and secure on a file share of your choice. And, since the data is already on the server, there's no long wait time when logging on or logging off.
There are two added bonuses to this scheme. Since all the Documents/My Documents files are being redirected to specific, fixed shared folders, you can easily back up all the user data in one fell swoop. Perhaps you can even make a separate backup job specifically for the user data that needs to be more closely monitored. Additionally, you can set up Shadow Copies for the disk volumes that house redirected Documents/My Documents files so users can restore their own files if necessary. The Shadow Copies function is explored in Chapter 9.