Remove Document Redirection Policies over VPN
In today’s world of COVID, with so many people working from home, more and more organizations are moving to cloud services for file storage. It used to be quite a common practice, at least in my experience, to enable folder redirection for users on-prem. Dismantling folder redirection, especially when our users are working remotely, can prove to be a challenge. If you have ever attempted to remove a folder redirection GPO, you have undoubtedly discovered that folder redirection policies are only applied (and removed) at startup/user logon. This can throw a wrench in the works if our users are working remotely. In comes a little PowerShell to the rescue.
First, go into your group policy management editor. Open up the folder redirection policy. Edit the properties for every folder that is being redirected by right-clicking on the folder and selecting “Properties”. Make sure that under “Policy Removal”, “Leave the folder in the new location when policy is removed” is checked. This way, we have full control over when the folders are redirected back to the user.
Go ahead and remove your users from the folder redirection policy.
Next, it's time for a little PowerShell magic. We can simply delete the folder redirection registry keys to remove the redirection policy.
# Requires administrative rights: the fdeploy key is under HKLM.
$ErrorActionPreference = 'Stop'
# SID and profile path of the user logged on at the console
$UserSID = (New-Object -ComObject Microsoft.DiskQuota).TranslateLogonNameToSID((Get-CimInstance -ClassName Win32_ComputerSystem).UserName)
$ProfilePath = Get-ItemProperty "Registry::HKU\$UserSID\Volatile Environment" -Name USERPROFILE | Select-Object -ExpandProperty USERPROFILE
# Folder redirection registry key for this user
$FdeployKey = "Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$UserSID\fdeploy"
if (Test-Path -Path $FdeployKey)
{
    Write-Host "Redirection Policy detected, attempting to remove policy"
    Start-Sleep 2
    try {
        Remove-Item $FdeployKey -Recurse
        Write-Host "Redirection Policy was successfully removed."
        # Make sure a local Documents folder exists
        if (!(Test-Path ($ProfilePath + '\Documents')))
        {New-Item -ItemType Directory ($ProfilePath + '\Documents')}
    }
    catch {
        # $_ is the error that triggered this catch block
        Write-Host $_ -ForegroundColor Red
        $_ | Select-Object * | Out-File c:\windows\temp\redscript.log
        notepad c:\windows\temp\redscript.log
    }
}
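A preflight to run before the removal script above, added here as an example and not part of the original post: it exports the fdeploy key so the deletion can be undone, and lists which shell folders still point at a UNC path. The function names, the output files under $env:TEMP and the use of the standard "User Shell Folders" key are assumptions that do not appear in the post.

```powershell
# Added example (not from the original post): preflight before deleting fdeploy.
# Run elevated while the target user is logged on, so HKEY_USERS\<SID> is loaded.

function Backup-FdeployKey {
    param(
        [Parameter(Mandatory)][string]$UserSID,
        # Hypothetical output location; change to suit your environment.
        [string]$OutFile = "$env:TEMP\fdeploy-$UserSID.reg"
    )
    $native = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$UserSID\fdeploy"
    & reg.exe export $native $OutFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $native" }
    return $OutFile
}

function Get-ShellFolderState {
    param([Parameter(Mandatory)][string]$UserSID)
    # Standard per-user key holding shell folder paths (assumption: not named in the post).
    $path = "Registry::HKEY_USERS\$UserSID\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    $key  = Get-Item -Path $path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        # Read the raw value so %USERPROFILE% is not expanded with the caller's environment.
        $raw = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        [pscustomobject]@{
            Folder       = $name
            Path         = $raw
            # A UNC path means the folder still points at the file server.
            IsRedirected = ([string]$raw).StartsWith('\\')
        }
    }
}

# Same SID lookup the post uses.
$UserSID = (New-Object -ComObject Microsoft.DiskQuota).TranslateLogonNameToSID((Get-CimInstance -ClassName Win32_ComputerSystem).UserName)

$backup = Backup-FdeployKey -UserSID $UserSID
Write-Host "fdeploy key exported to $backup"

# Save the full list for a before/after comparison, then show what is still redirected.
$state = Get-ShellFolderState -UserSID $UserSID
$state | Export-Csv -Path "$env:TEMP\shellfolders-$UserSID.csv" -NoTypeInformation
$state | Where-Object IsRedirected | Format-Table -AutoSize
```

Get-ShellFolderState can be run again on its own after the folders have been moved back; an empty result from the IsRedirected filter means no shell folder points at the file server any more.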
Now that the policy is removed, you have a couple of options to move the folders back locally.
Remote into the user's computer. In File Explorer, right-click on each redirected folder and select "Properties". Under the Location tab, select "Move". Select the local folder and click OK. The files will be moved from the redirected location to the local location. Depending on the size, this can take some time over VPN.
If the folder is quite large, or the user has not connected to VPN for some time to sync their offline files, we can simply move the local cache. You can do this manually or with a little PowerShell:
# Get the user's SID, profile path and user name
$UserSID = (New-Object -ComObject Microsoft.DiskQuota).TranslateLogonNameToSID((Get-CimInstance -ClassName Win32_ComputerSystem).UserName)
$ProfilePath = Get-ItemProperty "Registry::HKU\$UserSID\Volatile Environment" | Select-Object -ExpandProperty "USERPROFILE"
$Username = Get-ItemProperty "Registry::HKU\$UserSID\Volatile Environment" | Select-Object -ExpandProperty "USERNAME"
# Set permissions on the Client Side Caching folder
takeown /a /r /d Y /f "c:\windows\csc"
$UserAcl = Get-Acl "$ProfilePath\Desktop"
Get-Item "c:\windows\csc" | Set-Acl -AclObject $UserAcl
# Move the contents of the redirected folder.
# Assumes exactly one cached folder matches *Documents*; check $CscDocuments before moving.
$CscDocuments = Get-ChildItem "C:\Windows\CSC" -Directory -Recurse | Where-Object Name -like "*Documents*"
# FullName must be read inside $(); single quotes keep $Recycle.bin literal instead of expanding $Recycle.
Move-Item "$($CscDocuments.FullName)\*" -Destination "C:\users\$Username\Documents\" -Exclude '$Recycle.bin' -Force
Here we take ownership of the client side caching folder, then take the ACL of the user's Desktop and apply it to the CSC folder so they will have full access. Note that this replaces the permissions on c:\windows\csc itself with those of the Desktop folder. Then we move the contents of the cached My Documents folder to C:\Users\Username\Documents, excluding the recycle bin.
Do this process for each redirected folder. Be careful and make sure the cached folders are up to date and the user knows you are moving these folders.
And that’s it! Tame folder redirection with a little PS.