4 Protocol Examples

In the following example, consider two user profile folders, Documents and My Pictures, that an operating system makes available for redirection. Suppose that, due to security and backup concerns, the network administrator wants to enforce a policy that no users store documents and pictures on their local machines. Therefore, the network administrator expects that for users to whom a certain GPO applies, computers to which they log on will relocate the users' Documents and My Pictures folders to a network UNC path that the administrator has defined.

The administrator invokes the Folder Redirection Administrative-Side Plug-in by way of its user interface, and establishes a folder redirection Group Policy that redirects the Documents and My Pictures folders for all users on that specific GPO from those folders' current locations to a centralized network storage location. The administrator also specifies that all current contents of these folders be moved to the new location. Suppose that each user in the network belongs to exactly one of two security groups: S-1-1-0 and S-1-2-3. The administrator declares that:

  • For every user in either security group S-1-1-0 or security group S-1-2-3, the user's Documents folder is redirected to:

    • \\fileserver1\%USERNAME%\My Documents, or

    • \\fileserver2\%USERNAME%\My Documents, respectively.

  • For every user in security group S-1-1-0, the user's My Pictures folder is redirected to:

    • \\fileserver1\%USERNAME%\My Pictures.

Based on the administrator's selections, the Folder Redirection Administrative-Side Plug-in creates both a Version Zero and a Version One configuration file for that GPO at the GPO path provided by the Group Policy Protocol, as specified in [MS-GPOL]. Examples of each version of the Folder Redirection configuration data file appear in sections 4.1 and 4.2.

When each user logs on to a machine in the network, the Folder Redirection Client-Side Plug-in will be initiated by the Group Policy Protocol, as specified in [MS-GPOL], during the user logon process. If the user belongs to the GPO, the client-side plug-in will read this configuration data from the remote storage location. Based on the configuration, the plug-in configures the folder redirection subsystem to redirect the user's current Documents and My Pictures folder paths from their current locations to the locations declared by the administrator. During this process, the subsystem will also copy all the current contents of these folders to the new locations.
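The per-group rules from this scenario, modelled as an added example (it is not part of the specification or of any Microsoft implementation): it resolves a user's redirection target from the user's group SIDs and lists folder/group pairs for which no rule exists. The function names, the case-insensitive SID comparison, the first-match ordering, and the user-name allow-list are assumptions of this example.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Rules from the scenario above: folder -> {security group SID -> target template}.
POLICY: Dict[str, Dict[str, str]] = {
    "Documents": {
        "S-1-1-0": r"\\fileserver1\%USERNAME%\My Documents",
        "S-1-2-3": r"\\fileserver2\%USERNAME%\My Documents",
    },
    "My Pictures": {
        "S-1-1-0": r"\\fileserver1\%USERNAME%\My Pictures",
    },
}

# Assumption: a conservative account-name allow-list, so the expanded value
# stays a single path component (no "\", "/", "%" or a bare "..").
SAFE_USER = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,19}")


def resolve_target(folder: str, user: str, group_sids: Iterable[str]) -> Optional[str]:
    """Return the UNC path `folder` is redirected to, or None if no rule applies."""
    if not SAFE_USER.fullmatch(user):
        raise ValueError(f"unsafe user name for path expansion: {user!r}")
    rules = {sid.upper(): tpl for sid, tpl in POLICY.get(folder, {}).items()}
    for sid in group_sids:  # assumption: first matching group wins
        template = rules.get(sid.upper())
        if template is not None:
            return template.replace("%USERNAME%", user)
    return None


def coverage_gaps(groups: Iterable[str]) -> List[Tuple[str, str]]:
    """List (folder, group SID) pairs for which the policy defines no target."""
    groups = list(groups)
    return [(folder, sid) for folder, rules in POLICY.items()
            for sid in groups if sid not in rules]


if __name__ == "__main__":
    print(resolve_target("Documents", "alice", ["S-1-1-0"]))
    print(resolve_target("My Pictures", "bob", ["S-1-2-3"]))  # no rule for this group
    print(coverage_gaps(["S-1-1-0", "S-1-2-3"]))
```

For the rules as listed, `coverage_gaps` reports My Pictures for S-1-2-3, the one folder/group pair without a redirection target.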

Folder redirection allows users to access their data from any authenticated machine participating in the domain. It also enables the IT department to back up all of the users' data from a centralized location.