Building a small office network: Redirecting Windows folders using Group Policies

To mitigate human error and ensure that important files are saved to the shared drive, I will use Group Policy to redirect users’ Desktop and Documents folders to the shared drive. This means that when a user saves a file to their desktop or documents folder, it will actually be saved to the shared drive, not their local computer. The shared drive will then be regularly backed up so that no important data is lost.

Open the Group Policy Management Console (GPMC):

Right-click on the Sales OU and select Create a GPO in this domain, and Link it here:

Give the policy a name and click OK:

NOTE: I later renamed this to Redirect_Sales_Folder.

Right-click on the policy and choose Edit:

Drill down to User Configuration > Policies > Windows Settings > Folder Redirection. Right-click on Desktop and select Properties:

In the Properties window under Setting, make sure to select Basic. Then enter the root path for the folder – \\win-server\Sales:

Next, click the Settings tab and select the option to redirect the folder back. This means that if the policy is disabled, the machines will be set back to defaults:

Click OK. I’ll do the same for the Documents folder as well. I could do more, but these two are generally the most used folders.

This is the part where I got quite stuck. I updated the group policies but the Windows Client did not get updated. For some reason, the group policy was not being sent to the client so it was still set to save the files locally. It took me quite a bit of Googling and tinkering to find the solution.

In the GPMC, select the Group Policy (Note: I am showing screenshots from after I fixed the issue):

Under Security Filtering, click Add:

Click Object Types and check Computers:

Click OK and then add the SALES computer:

Security filtering determines which users or computers a GPO will apply to. By adding the specific computers, you explicitly include them in the scope of the policy application. What I should have done here is create a group for all the Sales computers and put this machine in that group. I should have then added the group instead of the individual machine to make future expansion quicker.

Now, click the Delegation tab:

Click on Advanced:

Under Authenticated Users check the box for Allow Read and leave the rest blank. Select Sales:

Check the boxes for Allow Read and Allow Apply Group Policy. Apply the changes and click OK. Right-click on the Sales OU again and select Group Policy Update:

Wait for the update to complete. Once it’s done, it will still take a few minutes to propagate. I will switch to my Sales user and wait for PowerShell to pop up automatically:

Enter ‘Y’ and it will log out. Log back in. Open File Explorer, right-click on Documents and select Properties:

The location has been changed to the shared folder. To verify everything is working, I’ll create a folder called ‘Test’ inside the Documents folder:

Inside that folder I’ll create a text file:

Now, in File Explorer access \\win-server:

Open the Sales folder:

Open Documents and then the Test folder:

Perfect. The Documents are being stored in the correct place! Finally, I’ll return to the \\win-server folder and try to access a file I shouldn’t be able to:

Excellent! As desired, I am being blocked from opening a folder that isn’t from my department.
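
The GPO linking, security filtering and delegation steps above can also be scripted and audited with the GroupPolicy PowerShell module. This is an added example, not the author's own code; the OU distinguished name, the Sales-Computers group and the client name SALES-PC01 are assumptions.

```powershell
# Added example (not from the original post). Run on a machine with the
# GroupPolicy module (a domain controller or RSAT). Assumed values are marked.
Import-Module GroupPolicy

$GpoName   = 'Redirect_Sales_Folder'          # GPO name used in the post
$SalesOu   = 'OU=Sales,DC=example,DC=local'   # assumed DN of the Sales OU
$UserGroup = 'Sales'                          # group granted Apply in the post
$PcGroup   = 'Sales-Computers'                # assumed group for the Sales PCs
$Client    = 'SALES-PC01'                     # assumed client computer name

# Create and link the GPO only if it does not exist yet. The Folder Redirection
# settings themselves are still configured in the GPO editor as described above.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $SalesOu | Out-Null
}

# Authenticated Users: Read only. -Replace is needed because a new GPO grants
# them Read + Apply, and Set-GPPermission will not lower a level without it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Sales users and the Sales computers group: Read + Apply Group Policy.
foreach ($group in $UserGroup, $PcGroup) {
    Set-GPPermission -Name $GpoName -TargetName $group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Audit the resulting ACL so the scope of the policy is visible and reviewable.
$acl = Get-GPPermission -Name $GpoName -All
$acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize

# Flag a scope that no client computer account can read, a common reason a
# linked GPO never reaches the client.
$readers = 'Authenticated Users', 'Domain Computers', $PcGroup
$canRead = $acl | Where-Object { ($_.Trustee.Name -in $readers) -and -not $_.Denied }
if (-not $canRead) {
    Write-Warning "No client computer principal can read '$GpoName'; it will not apply."
}

# Push a refresh to the client. Afterwards, confirm on the client as the Sales
# user with:  gpresult /r /scope user
Invoke-GPUpdate -Computer $Client -Force -RandomDelayInMinutes 0
```

Using a computer group instead of a single machine keeps the ACL short, and the audit table makes it easy to spot a trustee that has more than Read or Apply.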

About the Author

Kevin Cochrane

As a husband, father, and dedicated teacher, I've traversed various professional paths in search of my true passion. Now, I'm embarking on an exciting journey as an aspiring Ethical Hacker, driven by a deep commitment to cybersecurity. With each passing day, I immerse myself in learning, honing my skills, and embracing the challenges of this dynamic field.
