best practice folder redirection and regular folders


  • Guys,

    I am looking for a best practice for setting up folder redirection for profile and home folder. Can anyone direct me to the right place? I am finding a lot of blogs that tell different stories.

    Second, is there a best practice available for sharing folders through the network with groups?


    Friday, May 18, 2018 06:29


All replies

  • Hold on, found this:

    Curious if I can use that in my DFS environment.

    Friday, May 18, 2018 06:35
  • Hi!

    I just wanted to share how I do things :-)

    Share Permissions

    I usually go with the default, in short (Everyone, Authenticated Users or Domain Users having Full Control or Change permissions), and then rely upon NTFS for the "real" permissions control. 

    NTFS Permissions

    I always assign permissions to security groups, rather than to specific individual users. I think this should be a best practice if it's not written somewhere.

    Therefore, make sure you review, modify and create security groups as necessary to reflect how permissions within the file system are to be assigned (for example, IT , Sales Business, HR... etc.), and assign permissions to the appropriate group(s).

    I always create a top-level folder that will serve as a "root storage folder" for all user-created data (for example, D:\Data). After that I create sub-folders within this folder to segregate and organize data according to job roles and security requirements. (If you are using Windows Server, you might consider using DFS (Distributed File System) to enable abstraction between the physical storage of the data and the logical hierarchical view presented to end-users.
    With DFS, files can be stored on any number of different servers, but presented to users as a single cohesive namespace.)

    Assign permissions as generally as possible at the upper-level folders, and then refine the permissions more narrowly at lower-level folders. 

    Consider assigning Authenticated Users the List Files permission at the very topmost data folder (for example, at D:\Data). This will allow everyone to see folder and file names and also traverse the entire folder structure, but they will not be able to make modifications or open any items.

    At the lower-level folders, create and assign additional permissions to the appropriate department groups (for example, assign the Modify permission to the HR security group to the D:\Data\HR folder.)

    Try to avoid changing inheritance or permissions on lower-level folders.

    Sometimes there are of course cases in which changing lower-level permissions may be the best course of action.

    If the group that has permissions to higher-level folders shouldn't be able to access what's in a lower-level folder, that might be an indication that that data might be better located elsewhere within the folder structure.

    Kind regards,


    Friday, May 18, 2018 07:00
  • Hi enlil,

    Based on my knowledge, you could use DFS combined with folder redirection and roaming profiles.

    But DFS replication can cause some potential inconsistency issues, so you may need to consider that before you deploy.

    Here is an example.

    For now, I haven't found official documents from Microsoft that describe best practice for setting up folder redirection for profile and home folder. You could follow the guides to design your environment.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, May 18, 2018 09:08
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,



    Monday, May 21, 2018 07:17
  • Hi,
    Could the above reply be of help? If yes, you may mark it as the answer; if not, feel free to give feedback.
    Best Regards,


    Tuesday, May 22, 2018 07:52
  • thanks for the help and the info.
    Thursday, June 7, 2018 07:53
  • OK, I already noticed something that went wrong.
    When reading this tutorial:

    I need to do this:

    Required permissions for the file share hosting roaming user profiles

    But at the share level, I cannot choose 'applies to this folder only' or List folder / read data

    Create folders / append data

    Any help would be appreciated.


    I cannot enable the roaming profile through a policy for all the users? I noticed I can only enable the folder redirection.

    • Edited by enlil Thursday, June 7, 2018 08:47
    Thursday, June 7, 2018 08:07
  • Are you logged in as an Administrator? What options do you have?


    Thursday, June 7, 2018 08:30
  • I am logged in as admin. I have the tabs permissions | share | auditing | effective access, and in the share tab I can choose add, select a principal, type and permissions (full control, change, read, special permissions). But I cannot choose the special permissions.
    Thursday, June 7, 2018 10:53
  • You don't have special permissions in the Share tab, the special permissions are located in the Security tab.

    By default "Everyone" has Full Control share permissions.


    Thursday, June 7, 2018 21:15
  • Correct, but that means the tutorial is wrong because it is telling me this:

    Required permissions for the file share hosting roaming user profiles

    Also, sharing with everyone FC, is that wise?

    Friday, June 8, 2018 08:05
  • Remember that it's the NTFS permissions which determine who has access to files and folders.

    For shares you should do the following
    1) Everyone - Read  (optional not really needed but a nice just in case)
    2) Authenticated Users - Change
    3) Local Administrators - Full Control
    4) File Structure Administrators - Full Control

    For shares note the following:
    Always limit Authenticated Users to Change at the share to prevent non-admin users from accidentally being given Full Control to the file structure.
    You should always configure Local Administrators Full Control at the share so they can administer it remotely.
    You should always create and use a File Structure Administrators group and assign it Full Control to every share. This allows its members to remotely administer shares without being local administrators.

    For the NTFS permissions on your high-level directories, where no files reside and only read access to folders is needed to get to the data in lower directories:
    1) Authenticated Users - Read
    2) Local Administrators - Full Control
    3) File Structure Administrators - Full Control
    4) SYSTEM - Full Control


    Friday, June 8, 2018 08:24
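
The following PowerShell sketch is an added example, not code posted by anyone in the thread. It applies the share list from the last reply and the D:\Data / D:\Data\HR layout from the earlier reply. The CONTOSO domain, both group names, the share name and the choice to scope the Authenticated Users entry to the top folder only are assumptions, and the built-in account names assume an English-language Windows Server.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# Assumed names: CONTOSO domain, both groups below, and the share name 'Data'.
$root     = 'D:\Data'
$fsAdmins = 'CONTOSO\File Structure Administrators'   # hypothetical group
$hrGroup  = 'CONTOSO\HR'                               # hypothetical group

New-Item -Path $root, "$root\HR" -ItemType Directory -Force | Out-Null

# Share permissions as listed in the last reply: only admin groups get Full Control.
New-SmbShare -Name 'Data' -Path $root `
    -ReadAccess   'Everyone' `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' `
    -FullAccess   'BUILTIN\Administrators', $fsAdmins | Out-Null

# Helper: build an Allow ACE; by default it inherits to subfolders and files.
function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'ContainerInherit,ObjectInherit'
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
}

# Top-level folder: stop inheriting from D:\ and set the four entries explicitly.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # protect, do not copy inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}
# Assumption: Read applies to this folder only, so it does not flow into HR.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' 'Read' 'None'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace $fsAdmins 'FullControl'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'))
Set-Acl -Path $root -AclObject $acl

# Department folder: keep inheritance, add one group ACE (Modify for HR).
$hrAcl = Get-Acl -Path "$root\HR"
$hrAcl.AddAccessRule((New-Ace $hrGroup 'Modify'))
Set-Acl -Path "$root\HR" -AclObject $hrAcl

# Review the result: share ACL first, then the NTFS entries on the HR folder.
Get-SmbShareAccess -Name 'Data'
Get-Acl -Path "$root\HR" | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

The final two commands show the two layers side by side: the share ACL caps what any remote user can do at Change, while the NTFS entries decide which group can actually reach the HR data.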