Redirection no more?

Back to Blog
22Sep2016

Redirection no more?

I had recently published an article about setting up NTFS security for roaming profiles and redirected folders, when a co-worker and I got into an interesting discussion.  So I had to share some of these thoughts while they were still bouncing around in my brain. The question is this: does it still pay to use redirected folders and/or roaming profiles at all?

Here’s the thing. It seems like we’ve had this capability since forever. I see it implemented in the vast majority of my client base in the SMB space. Small Business Server and Windows Server Essentials can automatically deploy GPO’s for enabling this functionality with just a couple of clicks, and I know it is widely used in the Enterprise space as well. So for years I’ve just assumed that it was a “normal” feature of most Windows environments. But with so many cloud-based solutions like DropBox and OneDrive available, do we really care about maintaining these (dare I say legacy?) structures anymore?

Here are the benefits of redirecting Documents, Desktop, Application Data and so forth:

  • When users sit down at different PC’s, settings and profiles can follow them around;
  • Each PC doesn’t have to be migrated individually during a refresh;
  • All of your data and settings will also be backed up on the server.

In short, redirected folders and roaming profiles makes workstations a little more “disposable” or interchangeable. Of course, there is always some other work to do during a refresh or computer replacement–even if it is handled administratively in the background–refresh-related desktop work is unavoidable–but at least this part of it can be handled by a Windows Server, without third party tools or too much administrator intervention.

To be fair: yes, you could argue that having this functionality is very useful in solving a particular kind of problem. Especially if users roam between different devices frequently on the same domain. So it is a good solution, for example, in computer labs, places with shared PC’s, rotating shifts, or any personnel who aren’t in a 1-1 user-to-device situation. In these cases, roaming profiles and so forth can make life a lot easier for us. In more traditional environments, these tools are still of some benefit during hardware refreshes.

But on the other hand, redirection comes with it’s own can of worms, and can be a pain (at times) to manage. If you’re doing it well, then sure–it works great. Set the permission structures right, and take care when migrating file shares to a new server, so that you can make the changeover as transparent as possible. Do this wrong, and users will be waiting for a long time while the policy picks up on the location change and moves the data for you (slow process when there are a lot of items present, especially over slow links at a branch office, etc.). If you plan to use redirection over Direct Access or another VPN connection, then be sure you have your offline files/sync settings just right, or you will have other issues on your hands. And so on.

Okay, so you figure out how to manage the stuff and life is good again, so what’s the big deal? Well what if you wanted to avoid the whole mess to begin with? Is there another way to solve the same problems without involving Windows Server and IT administrative prowess?

For a few years now, I’ve been recommending OneDrive, Box or similar to replace the “My Documents” directory from days of old. This is a way better user experience, in my opinion, than storing your documents in a redirected folder, as you can sign into the service on any device anywhere in the world and have instant access to your document libraries (with file history, too).

Now with Windows 10 and Azure Active Directory Premium, we also have the ability to enable Enterprise State Roaming to backup certain Windows settings and data into the cloud, giving you a pretty good “roaming” experience, without using a Windows Server & GPO. Pretty cool stuff!

account-sync-settings

I am sure it will be a few years before this sort of approach becomes the new norm, but it solves a lot of the same problems, and removes some administrative overhead (lightens the load) for your on-premises Windows Servers. The dream is this: devices become completely, 100% disposable. Sign into any device you like, and have access to all corporate apps, settings and data. Bam. Just like magic. Some Enterprises have made this a reality already in the context of their corporately owned assets (but it relies on a fair amount of well-thought-out and well-maintained infrastructure–usually involving Windows Server).

I wouldn’t say that we are quite to that level with the Microsoft cloud just yet, but it’s getting closer all the time. If you take the more heavily cloud-based approach as of today, some things will remain as an “Out of the box experience” when you move to a new device–e.g. the first time you launch Outlook on a new computer or tablet, you’ll have to setup a new Outlook Profile, or you might need to accept an EULA for certain apps, and so forth.

There are other ways around some of this–you could publish over RemoteApp, for example, or employ group policy extensions to customize the experience for domain-joined machines. So we aren’t all the way done with Windows Server just yet. But you can see where it’s going…the days of Windows Server in the SMB space might be numbered.

What do you think? Any value in keeping redirected folders? Roaming profiles? Any issues with moving away from these technologies in favor of cloud-based alternatives? Drop me a line or leave a comment, and thanks for the dialogue in advance!

Opinion, Technical , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

01Jul

The Azure AD Best Practices Checklist

Update: Downloadable/printable copies of the Microsoft 365 Best practices checklists and guides are now available. Thanks for your support! Disclaimer: This checklist is NOT a comprehensive overview of every consideration when implementing Azure AD. For instance, the list was built with a typical SMB/SME in mind.... read more
27Oct

Step-by-Step: How to upgrade a Legacy Hybrid Exchange Server to 2016

One of the most common frustrations I hear from readers and clients alike is the requirement for keeping a hybrid Exchange server around, even well after all of your mailboxes have been moved to the cloud. Microsoft's official stance regarding hybrid is this: If you remove... read more
09May

Three ways to disable basic authentication and legacy protocols in Exchange Online

One of the most common (and often successful) attacks we see in the wild is a simple brute force / password spray against weak accounts. Especially against shared mailboxes. From that foothold, the most common next step attackers will take is to send out spam/phishing... read more
20Aug

How to configure Advanced Threat Protection (ATP) part 1: anti-phishing

In a previous post, I covered some of the basic anti-spam/anti-malware protections included with Office 365/Exchange Online. Today I want to explore an add-on subscription called Advanced Threat Protection (ATP), which leverages some fancy pants machine learning and other advanced AI-like tech to detect zero-day... read more
08May

How to deal with departed user data in Microsoft Office 365

Going from one organization to the next, I am always amazed at how different people implement their own take on new user setups or decommissioning departed users. Some have no real organized methodology and it's a hassle every time, while others have a well-developed practice... read more
16Mar

Why You Should Avoid Single Label Domains

What is a Single Label Domain (SLD)?  This is a term that Microsoft uses to describe domains which have only a single name, and no suffix such as ".local" or ".com."  For example, your Active Directory domain might have a name like "company.local," but if it... read more
30May

Automate the deployment of a standalone Hyper-V host server using PowerShell

In this article, I wanted to document a standard, standalone Hyper-V server deployment for a small business using nothing but PowerShell. The best practices for Hyper-V state that the role should be enabled on a server without the GUI (e.g. Core or Nano--although I rarely see this done in a small... read more
27Apr

Differences between Shared Mailboxes, Distribution Lists and Office 365 Groups

Before we begin our article today, I just want to say this: if you guys and gals aren't aware of the CIAOPS community yet, then you should definitely check it out. It's a great place to hang out, with lots of smart people both asking... read more
07Jan

How-to Verify Your Domain with Office 365

So this is a very common task when provisioning new Office 365 accounts.  You can obtain a free trial here. I recommend the E3 trial, even if you only plan to buy the Exchange Online plan ultimately.  The licensing can be changed out seamlessly, and in... read more
24Sep

Azure AD Device States, revisited

I have an older article on Azure AD Device States already, but I wanted to quickly return to this topic. I have a few in the audience who are still confused about this. Notice the "Join type" column corresponding to the device state Azure AD Registered... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me