
Folder Redirection using Group Policy - Samba 4 AD DC

Although this howto is about folder redirection with a Samba 4 AD DC, the same GPO method applies to a Windows Server 2008/2012 domain. The old 'home folders' attribute on the user account is a legacy approach (Windows XP and earlier); today it is simpler to use a GPO for folder redirection. For users running Windows 7/8, known folders such as 'My Documents' or 'Documents' can be redirected to a server share, and the Offline Files settings are configured automatically. The trick is to set the correct NTFS permissions on the 'root' server share so that the GPO can do its job: the per-user folder is then created automatically, with the proper permissions, the first time the user logs on to the domain.

I must give credit where credit is due. I found this excellent article which details configuring the NTFS share and creating the group policy object for Windows Server 2008:

Configuring Folder Redirection in Windows Server 2008

 

What You Must Have

This article assumes you have the following:

 

Basic Rules to Remember

  1. Do not create user folders manually within the server share (e.g. \\server\users\username). The system must create these folders itself so that the correct NTFS permissions are applied; a folder created by hand is owned by the administrator who created it, not by the user.
  2. Enable client-side caching so that Offline Files keeps a synchronised copy on the client. This has been tested and works on a Samba 4 domain controller with Windows clients. Be aware that the Offline Files cache is a local copy of every redirected file on the workstation's disk, so depending on your organization's security policy (laptops without disk encryption, for example) you may want to disable this feature.
  3. You must use fully qualified UNC paths (\\server.domain.tld\share) even when browsing the share in a file manager such as Windows Explorer.
  4. Depending on your version of Samba 4, the installation path may vary. This howto uses a Samba 4 installation built from git, so the installation path is /usr/local/samba and the configuration file is /usr/local/samba/etc/smb.conf. Adjust paths and edit your 'smb.conf' where appropriate.

 

Create the 'root' Network Share

This example is using the Samba 4 domain controller itself to host the network shares. If this is unacceptable to you or you wish to use another file server for your network shares, simply make the changes necessary where needed. If you are using a Samba 4 domain member that is not a DC, you will still need to set the NTFS permissions as outlined below.

To create the network share on the Samba 4 AD DC (or another samba 4 domain member), simply follow these steps:

1. As root on your Samba 4 DC, open 'smb.conf' (/usr/local/samba/etc/smb.conf for a git install) in 'vi' or your favourite text editor and append the following share definition:

[Users]
    path = /data/Users
    comment = user folders for redirection
    read only = No

Save the file and exit 'vi'.

2. Create the directory 'Users' in the path you specified above:

# mkdir -p /data/Users

3. Restart samba or reboot the server.

NOTE: For folder redirection to work, the NTFS permissions on the share MUST be configured on the Samba 4 server exactly as described in the following steps.

4. Log on to a domain-joined Windows 7/8 client as a member of Domain Admins.

5. Using Windows Explorer, use a fully qualified UNC path like this:

\\samba.mydomain.com\

Substitute for your servername and domain above.

6. You should see the following folders:

netlogon
sysvol
Users

Do not delete 'netlogon' or 'sysvol' as they are required for your domain controller!

7. Right-click on 'Users' and choose 'Properties', then click on the 'Security' tab. Configure exactly as follows (click the 'Advanced' button 'For special permissions or advanced settings' and then 'Change Permissions' to reach the settings below):

  • Disable permission inheritance on the folder and remove every existing entry, so that no group or user name remains. When prompted, choose to remove (not copy) the inherited permissions. Add the entries below BEFORE clicking 'OK': if you click 'OK' with an empty permission list you lock everyone, including yourself, out of the share and will have to repair it from the Samba host.
  • Add the file server's Administrators group (on a DC this is the domain's BUILTIN\Administrators) with Full Control: This Folder, Subfolders and Files.
  • Add the Domain Admins domain security group with Full Control: This Folder, Subfolders and Files.
  • Add the SYSTEM account with Full Control: This Folder, Subfolders and Files.
  • Add CREATOR OWNER with Full Control: Subfolders and Files only. This is the entry that makes each automatically created 'Users\username' folder belong to its own user.
  • Add the Authenticated Users group with List Folder/Read Data and Create Folders/Append Data, applied to This Folder Only. Authenticated Users can be replaced with a narrower group of your choice, but do not use the Everyone group. NOTE: with Samba 4 the redirection did not work until Traverse Folder/Execute File, Create Files/Write Data and Change Permissions were also added to this entry (still This Folder Only). Be aware that Change Permissions is WRITE_DAC on the root folder: any authenticated user can then rewrite the root folder's own ACL, which is one more reason to keep this entry to This Folder Only and to prefer a dedicated group over Authenticated Users.
  • Click 'Apply' and then 'OK'. Double and triple check these permissions: an incorrect ACL on this folder is the main cause of folder redirection failures!

8. Right-click on the 'Users' folder and enable 'Always available offline'. Offline Files then caches the redirected folder on the client and Sync Center synchronises any changes once the client reconnects to the domain (good for laptop users). Do not enable this if it violates your company's security policy.

9. As a precaution, restart Samba or reboot the server to make sure settings will stick. Once the Samba4 server has rebooted, double check all the permissions again and make sure 'Always available offline' is still enabled.
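The permissions from step 7, set from the Samba side instead of the Explorer Security tab, as an added example that is not part of the original howto. It is a POSIX shell script that builds the ACL as an SDDL string, checks it against the rules above (inheritance disabled, no Everyone, CREATOR OWNER inherit-only) and applies it with Samba's own 'samba-tool ntacl', which stores the NT ACL in the same security.NTACL extended attribute that Samba's acl_xattr module uses for ACLs set from a Windows client. It assumes the share path /data/Users from this howto, that samba-tool is on the PATH and that it is run as root on the DC; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original howto: set the 'Users' root-share ACL
# from the Samba side with samba-tool instead of the Explorer Security tab.
# Assumptions: share path /data/Users (from the howto), samba-tool on PATH,
# run as root on the Samba 4 DC.

SHARE_DIR="${SHARE_DIR:-/data/Users}"

# The step 7 ACL as SDDL, one ACE per bullet:
#   O:BA G:DA            owner BUILTIN\Administrators, group Domain Admins
#   D:P                  protected DACL = 'do not inherit permissions' from /data
#   (A;OICI;FA;;;BA)     Administrators: Full Control, this folder, subfolders and files
#   (A;OICI;FA;;;DA)     Domain Admins: same
#   (A;OICI;FA;;;SY)     SYSTEM: same
#   (A;OICIIO;FA;;;CO)   CREATOR OWNER: Full Control on subfolders and files only
#                        (IO = inherit only, i.e. not on the root folder itself)
#   (A;;CCDCLCWPWD;;;AU) Authenticated Users, this folder only (no OI/CI):
#                        CC list folder/read data, DC create files/write data,
#                        LC create folders/append data, WP traverse/execute,
#                        WD change permissions (WRITE_DAC)
users_share_sddl() {
    printf '%s' 'O:BAG:DAD:P(A;OICI;FA;;;BA)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)(A;;CCDCLCWPWD;;;AU)'
}

# Check an SDDL string against the howto's rules before writing it:
# inheritance must be disabled, Everyone must not be a trustee, and
# CREATOR OWNER must be inherit-only. Returns 0 if all rules hold.
check_users_sddl() {
    sddl="$1"
    case "$sddl" in
        *'D:P'*) ;;
        *) echo "inheritance is not disabled (no D:P in the DACL flags)" >&2; return 1 ;;
    esac
    case "$sddl" in
        *';;;WD)'*|*';;;S-1-1-0)'*)
            echo "Everyone is granted access; use Authenticated Users or a group" >&2
            return 1 ;;
    esac
    case "$sddl" in
        *'(A;OICIIO;FA;;;CO)'*) ;;
        *) echo "CREATOR OWNER must be Full Control on subfolders and files only" >&2; return 1 ;;
    esac
    return 0
}

# Create the directory if needed, apply the ACL and read it back.
apply_users_acl() {
    dir="$1"
    sddl="$(users_share_sddl)"
    check_users_sddl "$sddl" || return 1
    mkdir -p "$dir" || return 1
    samba-tool ntacl set "$sddl" "$dir" || return 1
    # What Samba actually stored; compare it with the Security tab on a client.
    samba-tool ntacl get "$dir" --as-sddl
}

# Only touch the filesystem when explicitly asked:  sh set-users-acl.sh apply
case "${1:-}" in
    apply) apply_users_acl "$SHARE_DIR" ;;
esac
```

Run it as 'sh set-users-acl.sh apply' on the DC; without the 'apply' argument it only defines the functions. The 'samba-tool ntacl get --as-sddl' read-back at the end is the server-side counterpart of the 'double, triple check' in step 7: open the Security tab on a Windows client afterwards and you should see the same entries, with the two-letter SDDL codes shown as the usual group names.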

If everything appears to be okay, you can now create the GPO for folder redirection.

 

Create the Folder Redirection GPO

For the following to work it is assumed that you have configured your Samba 4 AD DC and have created some Organizational Units for your domain. You should also have a test user created and RSAT installed on your Windows client.

1. Log on to a domain-joined Windows 7/8 client as a member of Domain Admins.

2. Launch the 'Group Policy Management' console:

Start -> All Programs -> Administrative Tools -> Group Policy Management

3. Either select an already existing GPO that is applied to an OU or create a new one. Right-click the GPO and choose 'Edit'. Then go to:

User Configuration -> Policies -> Windows Settings -> Folder Redirection

4. Right-click on 'Documents' and select 'Properties'. On the 'Target' tab configure as follows:

Setting: Basic - Redirect everyone's folder to the same location

Target folder location: Create a folder for each user under the root path
Root Path: \\samba.mydomain.com\Users

NOTE: You should notice a preview at the bottom showing 'For user Clair, this folder will be redirected to: \\samba.mydomain.com\Users\Clair\Documents'

5. At the top select the 'Settings' tab and uncheck the 'Grant the User Exclusive Rights to Documents' check box. Leave the remaining check boxes unchanged. With that box checked the client creates the user's folder with an ACL that grants access only to the user and SYSTEM, which locks out Domain Admins (and backups) and bypasses the root folder permissions set above.

6. Click OK to complete the folder redirection configuration. A pop-up opens that states that this policy will not display the Folder Redirection node if an administrator or user attempts to configure or view this group policy using policy management tools from Windows 2000, Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the folder redirection.

7. Back in the 'Group Policy Management Editor' window, close the GPO.

8. Make sure that the GPO has 'Authenticated Users' (or another security group you're using) listed in 'Security Filtering'.

9. Link the new GPO policy (if not done already) to an OU with a user account that can be used to test this policy. This user must log on to a Windows Vista/7/8 computer to allow proper processing of this policy.

10. Log on to a Windows Vista/7/8 system with the test user account. After the profile completes loading, click the Start button, and locate and right-click the Documents folder and then select Properties. Select the Location tab and verify the path. For example, for a user named Tom, the path should be \\samba.mydomain.com\Users\Tom\Documents.

Your folder redirection should now work. If the 'Documents' folder path still shows C:\Users\xxx instead of the server share, the cause is almost always the permissions on the root 'Users' folder: the NTFS permissions on the share must be exactly as described above or folder redirection will fail.

Correct permissions on the root share also keep users out of each other's folders. Each 'Users\username' folder is created by the client as that user, so CREATOR OWNER gives only that user (plus the Administrators, Domain Admins and SYSTEM entries inherited from the root) access to it. With the permissions set as outlined in this howto you can confirm this by logging on as a second test user and trying to open the first user's folder.
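An added check, not part of the original howto, for the claim above that users cannot reach each other's folders: a POSIX shell script, run as root on the Samba DC, that reads the stored NT ACL of every 'Users\username' folder with 'samba-tool ntacl get --as-sddl' and flags any folder that was created by hand (its owner is an administrator, breaking rule 1) or that grants access to anyone other than its owner, the administrators, SYSTEM and CREATOR OWNER. The SDDL parsing uses only shell parameter expansion. The share path /data/Users and the function names are assumptions, and the SIDs in the comments and in the sample strings are made up.

```shell
#!/bin/sh
# Added example, not from the original howto: audit every per-user folder under
# the 'Users' share to confirm that only its owner, the administrators and SYSTEM
# can reach it. Assumptions: share path /data/Users, samba-tool on PATH, run as
# root on the Samba 4 DC. All SIDs in comments are made up.

# Owner of an SDDL string: the text between "O:" and "G:".
#   'O:S-1-5-21-1-2-3-1104G:DUD:AI(...)'  ->  S-1-5-21-1-2-3-1104
sddl_owner() {
    s="${1#O:}"
    printf '%s' "${s%%G:*}"
}

# One trustee per line for every ACE in the DACL; the SACL after "S:" is ignored.
# An ACE is (type;flags;rights;object_guid;inherit_guid;trustee), so the
# trustee is the last ';'-separated field.
sddl_trustees() {
    dacl="${1#*D:}"
    dacl="${dacl%%S:*}"
    while [ "${dacl#*\(}" != "$dacl" ]; do
        dacl="${dacl#*\(}"          # drop everything through the next "("
        ace="${dacl%%\)*}"          # the ACE body up to ")"
        printf '%s\n' "${ace##*;}"
        dacl="${dacl#*\)}"
    done
}

# Returns 0 if the folder looks like one the client created through redirection:
# owned by a user SID, with ACEs only for BUILTIN\Administrators (BA),
# Domain Admins (DA), SYSTEM (SY), CREATOR OWNER (CO) and the owner itself.
# Prints the problem and returns 1 otherwise.
audit_user_folder_sddl() {
    sddl="$1"
    owner="$(sddl_owner "$sddl")"
    rc=0
    case "$owner" in
        BA|DA|S-1-5-32-544)
            echo "owner is an administrator: folder was created by hand (rule 1)" >&2
            rc=1 ;;
    esac
    for t in $(sddl_trustees "$sddl"); do
        case "$t" in
            BA|DA|SY|CO|"$owner") ;;
            *) echo "unexpected trustee $t: another principal can reach this folder" >&2
               rc=1 ;;
        esac
    done
    return $rc
}

# Walk every folder directly under the share root and audit its stored NT ACL.
audit_users_share() {
    root="${1:-/data/Users}"
    rc=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        sddl="$(samba-tool ntacl get "$d" --as-sddl)" || { rc=1; continue; }
        if audit_user_folder_sddl "$sddl"; then
            echo "OK   $d owner=$(sddl_owner "$sddl")"
        else
            echo "FAIL $d"
            rc=1
        fi
    done
    return $rc
}

# Only query the filesystem when explicitly asked:  sh audit-users.sh audit [share-root]
case "${1:-}" in
    audit) audit_users_share "${2:-/data/Users}" ;;
esac
```

Run 'sh audit-users.sh audit' after a few test users have logged on. A folder reported as FAIL with an administrator owner is one somebody created by hand (rule 1); one with an unexpected trustee means the root ACL was not as in step 7 when the folder was created, since the per-user ACEs are inherited from the root at creation time. Note that a user holding the Change Permissions right granted on the root folder cannot use it here: that entry is This Folder Only, so it is not inherited by the per-user folders.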

 

Troubleshooting

You may need to run 'gpupdate /force' from a command prompt on the Windows 7 client. Run it in the test user's own session, since Folder Redirection is a User Configuration setting, and note that Folder Redirection is only applied during a foreground (logon-time) policy refresh, so the user must log off and on again afterwards; a reboot achieves the same.

I noticed I had to reboot the Win 7 client twice in a row after logging in as the test user; only then did my redirections work. This is expected on Windows 7: with fast logon optimization the first logon processes policy asynchronously, so Folder Redirection is applied at the following logon.

Rebooting the Samba 4 AD DC should not be needed for the permissions on the 'Users\username' folders to stick, but it is worth an attempt if you still experience problems.

 

Please feel free to post a comment on your experience with this Howto or find me on Google+ or LinkedIn

 

Comments

Hi, in step 7 I have to open the security tab of the users folder, but this tab is not visible to me. Does it need some special configuration in the smbd.conf?

Sorry for the late response.
No, you shouldn't need any special configuration in the 'smb.conf' file. I don't know how you have yours configured, but even with a default install of Samba 4 you should be able to see the security tab and configure it if you are a domain admin.

Hi,
I have configured Samba 4 as an Active Directory Domain Controller. Now I am creating a folder on another Linux (Red Hat 5.5) server, shared and authenticated through the Samba 4 Active Directory domain controller. What steps are needed for authentication?
 

I believe this is the article that you will need to attach your other Linux server to function as a domain member.
https://wiki.samba.org/index.php/Samba4/Domain_Member
 
Good luck.

First of all, thanks for the clear information in this document. 
As I never had anything to do with Windows servers, it helped me set things up.
However I do have one remark with regards to the "Authenticated Users" being used as a group with the permissions as you describe. This means that a user that is authenticated to the system has permissions in the folders of other users. Replacing "Authenticated Users" with the "Users" group with the same set of permissions but using "This folder only"  solves it. Well it did for me. 
So thanks for the information.

Hi, thanks for this great job. When I use Win 7 SP1 on the Users directory I am not able to see the Security tab, but when I use my Win XP SP3 it works great. Many thanks.

Something I've searched for and haven't found an answer to:

When you log in on a roaming profile and the local computer downloads the profile from the server, will it include the redirected folder? To put it another way, will I have a copy of all the items in the redirected folder now on my local computer or will the folder redirection act as a link to the folder on the server?

Thanks for the help.

Roaming profiles is different than using folder redirection. You need to set both up properly for it to work so in theory you should have the capability to use them together. If you were to login onto a different workstation then yes both the redirected folder and profile should be cached onto the second workstation.

If for example you had 'Documents' set up as a folder redirect, files within this directory would be in your 'Offline Files' (C:\Windows\CSC\) on your Windows 7 workstation. That way if your workstation was detached from the LAN you could still add or edit files within your 'Documents' folder. Then when you reattached to the domain, Sync Center should kick in and update the files you changed onto the server. Also, if you then logged in on the 2nd workstation (attached to the domain) your folder redirection files (Documents) would be downloaded to the 2nd workstation using the same system path (C:\Windows\CSC). Basically, the CSC directory contains a proprietary MS database for ALL offline files for ALL the users that use that workstation. You cannot snoop on these files easily as you would on a normal NTFS file system.

Hope this somewhat explains it for you.

Cheers.

Hello
I am trying to setup a samba share so I can store roaming profiles (windows server 2008) and I found your website. By the way thank you for the knowledge sharing.
The problem I have is that I can not authenticate the samba shares against the windows server.
Is there a good documentation about this? Do I have to set samba 4 as a DC in order to achieve this?
Can I just not keep samba as a simple fileserver where I can use it to store roaming profiles?
Many thanks for your time.

This answer was provided 5 comments above your post:

Comment 129

You will need winbind and the necessary krb5 packages installed.

Very good tutorial, every thing worked fine, but when I try to define the GPO the GPO admin tool is unable to connect to the samba server. With dsa.msc the connection to the AD works.

Hi Maic,
This is the first time I've heard of this happening. My only recommendation is to double check your firewall on the Samba 4 DC and your Windows client. Does your AD Users and Computers snap in work?

Dude you're a genius!
It works really really well :)
Just one remark though: I was following your instructions, and as stated on paragraph 7, I removed ALL users present in the security tab. Then I clicked "OK".
Oupsss. Wrong way, I should have added the other accounts BEFORE clicking OK ...
Well anyway, the "setfacl" utility works very well under Linux to put some permissions back on the folder :)
 
Have a nice day.
Nicolas
