|Creating the Secure Managed Desktop
By Jeremy Moskowitz
The following are excerpts from chapter three of Jeremy Moskowitz's book, "Creating the Secure Managed Desktop." Learn more about Group Policy and Jeremy's Group Policy hand-on workshops at www.GPanswers.com/workshop.
Basic Redirected Folders works best in two situations:
- Smaller environments -- such as a doctor's office or storefront -- where all employees sit under one roof
- In an organization's OU structure that was designed such that similar people are not only in the same OU but are also in the same physical location
The reason these simple scenarios make a good fit with the basic option is that such situations let you redirect the users affected by the policy setting to a server that's close to them. That way, if they do roam within their location, the wait time is minimal to download and upload the data back and forth to the server and their workstation.
In the following example, I've created an OU called LikeUsers who are all using the same local server, DC01. Setting up a basic Redirected Folders for My Documents is a snap. It's a three-step process:
- Create a shared folder to store the data.
- Set the security on the shared folder.
- Create a new GPO and edit it to contain a policy setting to redirect the Documents/MyDocuments folder.
- Log onto DC01 as Administrator.
- From the Desktop, double-click My Computer to open the My Computer folder.
- Find a place to create a users folder. In this example, we'll use D:DATA. Once you're inside the D: drive, right-click D: and select the Folder command from the New menu, then type in Data for the name.
- Right-click the newly created Data folder, and choose "Share…" which opens the Properties of the folder, focused on the Sharing tab. Pull down the drop-down menu and select Everyone, and then click Add. Note that Windows Server 2003 and 2008 will default such that the share is Everyone:Read. Click "Share" and ensure that the share is set so that Everyone has Coowner permissions, as seen in Figure 3.3. Keep the rest of the defaults, and click OK. (Note that Co-owner rights are almost the same as the "Full Control" rights of yore.)
You can substitute any name for Data. Some use DOCS, MYDOCS, or REDIRDOCS. Some administrators like to use hidden shares, such as Data$, MYDOCS$, or MYDOCUMENTS$. This works well, too.
Be sure that the NTFS permissions allow write access for the users you want, as well. In other words, both the Share level and NTFS permissions must allow the user to write.
Read other excerpts from Jeremy Moskowitz's book, Creating the Secure Managed Desktop.