Although this howto covers folder redirection on a Samba 4 AD DC, the same GPO method should also apply to a Windows Server 2008/2012 installation. The use of 'home folders' is somewhat legacy (Win XP and earlier), and it is now easier to simply use a GPO to make folder redirection work. For users running Windows 7/8, special folders such as 'My Documents' or 'Documents' can be redirected to a server share, and offline files settings will be set up automatically. The trick is to have the correct permissions on the 'root' NTFS server share so that the GPO works and each user's folder is created automatically with the proper permissions once the user logs on to the domain.
I must give credit where credit is due. I found this excellent article which details configuring the NTFS share and creating the group policy object for Windows Server 2008:
This article assumes you have the following:
This example is using the Samba 4 domain controller itself to host the network shares. If this is unacceptable to you or you wish to use another file server for your network shares, simply make the changes necessary where needed. If you are using a Samba 4 domain member that is not a DC, you will still need to set the NTFS permissions as outlined below.
To create the network share on the Samba 4 AD DC (or another Samba 4 domain member), simply follow these steps:
1. As the root user on your Samba 4 DC, use 'vi' or your favourite text editor to append the following to your 'smb.conf':
[Users]
    path = /data/Users
    comment = user folders for redirection
    read only = No
Save the file and exit 'vi'.
2. Create the directory 'Users' in the path you specified above:
# mkdir -p /data/Users
3. Restart Samba or reboot the server.
NOTE: For folder redirection to work properly, YOU MUST configure the NTFS permissions as follows on the Samba 4 server.
4. Log on as a domain administrator to a Windows 7/8 client computer that has been bound to the domain.
5. Using Windows Explorer, use a fully qualified UNC path like this:
Substitute your server name and domain above.
6. You should see the following folders:
netlogon
sysvol
Users
Do not delete 'netlogon' or 'sysvol' as they are required for your domain controller!
7. Right-click on 'Users' and choose 'Properties', then click on the 'Security' tab. Configure exactly as follows:
8. Right-click on the 'Users' folder and enable 'Always available offline'. This will allow offline files to work and then sync any files once the client logs back onto the domain (good for laptop users). Do not enable this if it violates your company's security policy.
9. As a precaution, restart Samba or reboot the server to make sure settings will stick. Once the Samba4 server has rebooted, double check all the permissions again and make sure 'Always available offline' is still enabled.
If everything appears to be okay, you can now create the GPO for folder redirection.
For the following to work it is assumed that you have configured your Samba 4 AD DC and have created some Organizational Units for your domain. You should also have a test user created and RSAT installed on your Windows client.
1. Log on as a domain administrator to a Windows 7/8 client computer that has been bound to the domain.
2. Launch the 'Group Policy Management' console:
Start -> All Programs -> Administrative Tools -> Group Policy Management
3. Either select an already existing GPO that is applied to an OU or create a new one. Right-click the GPO and choose 'Edit'. Then go to:
User Configuration -> Policies -> Windows Settings -> Folder Redirection
4. Right-click on 'Documents' and select 'Properties'. On the 'Target' tab configure as follows:
Setting: Basic - Redirect everyone's folder to the same location
Target folder location: Create a folder for each user under the root path
Root Path: \\samba.mydomain.com\Users
NOTE: You should notice a preview at the bottom showing 'For user Clair, this folder will be redirected to: \\samba.mydomain.com\Users\Clair\Documents'
5. At the top select the 'Settings' tab and uncheck the 'Grant the User Exclusive Rights to Documents' check box. Leave the remaining check boxes unchanged.
6. Click OK to complete the folder redirection configuration. A pop-up opens that states that this policy will not display the Folder Redirection node if an administrator or user attempts to configure or view this group policy using policy management tools from Windows 2000, Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the folder redirection.
7. Back in the 'Group Policy Management Editor' window, close the GPO.
8. Make sure that the GPO has 'Authenticated Users' (or another security group you're using) listed in 'Security Filtering'.
9. Link the new GPO policy (if not done already) to an OU with a user account that can be used to test this policy. This user must log on to a Windows Vista/7/8 computer to allow proper processing of this policy.
10. Log on to a Windows Vista/7/8 system with the test user account. After the profile completes loading, click the Start button, and locate and right-click the Documents folder and then select Properties. Select the Location tab and verify the path. For example, for a user named Tom, the path should be \\samba.mydomain.com\Users\Tom\Documents.
Your folder redirection should now work. If you continue to have your 'Documents' folder path showing C:\Users\xxx and not the server share, it is most likely due to permissions on the root 'Users' folder. The NTFS permissions must be set correctly on the server share or folder redirection will fail.
Having the correct permissions set on the server share also protects users from accessing another user's files. If you set the permissions correctly as outlined in this howto you should be able to test this successfully.
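One way to check the root 'Users' folder for the failure described above, as an added example that is not part of the original howto: the function below reads the folder's NT ACL in SDDL form and reports any allow entry for a broad group that is inherited by subfolders or files, since such an entry would give every member access to other users' redirected folders. The list of "broad" SIDs, the rule that they should only hold "this folder only" entries, and the two sample SDDL strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original howto.
# On the Samba 4 server the real SDDL would come from:
#   samba-tool ntacl get --as-sddl /data/Users

# Principals treated as broad (assumption): Everyone, Authenticated Users,
# Domain Users, BUILTIN\Users.
BROAD_SIDS="WD AU DU BU"

# Constructed samples. GOOD: Authenticated Users has a "this folder only" ACE.
# BAD: Authenticated Users has Modify, inherited by all subfolders and files.
SAMPLE_GOOD='O:BAG:DUD:PAI(A;;0x1200ad;;;AU)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)'
SAMPLE_BAD='O:BAG:DUD:AI(A;OICI;0x1301bf;;;AU)(A;OICI;FA;;;BA)'

# risky_aces SDDL
# Prints one line per allow ACE that belongs to a broad principal and carries
# an object-inherit (OI) or container-inherit (CI) flag.
risky_aces() {
    printf '%s\n' "$1" | grep -o '([^)]*)' | tr -d '()' |
    while IFS=';' read -r type flags rights _obj _inh sid _rest; do
        # Only exact type "A" is an allow ACE; audit and deny types are skipped.
        [ "$type" = "A" ] || continue
        case " $BROAD_SIDS " in *" $sid "*) ;; *) continue ;; esac
        # ACE flags are two-letter codes; split them so "IOID" is not read as "OI".
        pairs=" $(printf '%s' "$flags" | sed 's/../& /g')"
        case "$pairs" in
            *" OI "*|*" CI "*) echo "$sid flags=$flags rights=$rights" ;;
        esac
    done
}

echo "good sample: $(risky_aces "$SAMPLE_GOOD")"
echo "bad sample:  $(risky_aces "$SAMPLE_BAD")"
```

An empty result means no broad principal has an inheritable entry on the folder; any line printed names the SID and flags to correct on the 'Security' tab.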
You may have to run 'gpupdate' as an admin from the command line on the Windows 7 client. However, a reboot should force the GPO to update on the Windows host.
I noticed I had to reboot the Win 7 client twice in a row after logging in as the test user. Once I did this twice then my redirections worked.
You may need to reboot the Samba 4 AD DC for permissions to stick on the 'Users\username' folders. This may not be necessary, but it is worth an attempt if you experience problems.