Automate Workstation Backups and Replace Re-directed Folders with Microsoft’s OneDrive

Each Office 365 user license includes one terabyte of space in Microsoft’s cloud storage service, OneDrive. File sharing, versioning, offline synchronization, and mobile device apps are just some of the available features. Recent versions of the OneDrive software also include the ability to back up key desktop folders automatically.

One of the biggest headaches suffered by IT staff is caused by worrying about the countless files stored on laptops and desktops. As with all IT conundrums, there are multiple solutions. One of the most common is to use a GPO to redirect users’ files to shared folders and back those up.

Folder redirection is a successful technique that has saved an untold number of office workers from certain doom, myself included. The files stored on the server are made available to every machine you log on to. If you lose a file, your IT people can restore it for you.

There are a few problems with redirection that present themselves over time. Without careful pruning and a lot of thought around policies, the shares will balloon quickly. If quotas weren’t enforced from the start, convincing management after the fact can be challenging. Getting your user population to clean up after themselves almost never works.

Then there are the dreaded permissions issues. If you’ve ever administered an environment with folder redirection, you probably just shook your head in sympathy. Where do they come from? Who knows? Suddenly random users will be unable to access their files. After it happens once, you can bet it will again.

For most environments, replacing folder redirection with OneDrive’s Backup is a win-win. It can reduce storage costs and backup times while adding modern features your users will appreciate. Of course, no solution is one-size-fits-all, so evaluate your options carefully before proceeding.

A limitation of OneDrive Backup is that the files must be located on the profile’s Desktop, Documents, or Pictures libraries. Therefore, if you are using re-directed folders, the first step is to disable them. Generally, excluding the user from the redirection GPO and updating their policies will cause the files to be copied back to the original folders. If you run into issues, a robocopy script configured to move the files might help.

To configure OneDrive via group policy objects, you will need to copy the OneDrive administrative templates to your GPO Central Store. The templates can be found on any system that has the OneDrive client installed, under %LocalAppData%\Microsoft\OneDrive\. Look for a folder named for the OneDrive build number, then a sub-folder named adm. The files you need are OneDrive.adml and OneDrive.admx.

Typically the GPO Central Store is located in the SYSVOL directory of a domain controller. The location can be customized; this Microsoft support document should help you locate or create the folder. Place copies of the template files into the Central Store and wait a few minutes for replication to occur, or force one.

Before we can edit the GPO, you will need your Office 365 Tenant ID. It can be found in the Azure AD admin portal on the properties page and is labeled Directory ID.

These policies will be machine based. To apply them selectively, create separate Active Directory Organizational Units for the systems that will, and will not, use OneDrive Backup. Link the GPO accordingly.

There are a lot of options to configure in the OneDrive GPO template, but only two of them are required to automate the backup process and replace re-directed folders. “Silently sign in users to the OneDrive sync client with their Windows credentials” will use the Office 365 tenant ID. “Silently move Windows known folders to OneDrive” is the aspirin that will cure your workstation files headache.

With these two options configured and enabled, your users’ files will follow them between systems, be backed up, and gain all the advanced features OneDrive offers. These are by no means the only options you should enable; each admin’s situation will be different. I could write a book describing the rest of the policy configurations. Thankfully Microsoft has documented this entire process and all the options for us.
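To confirm that the two policies described above actually reached a workstation and that the folders really moved, a check like the following can be run in the signed-in user's session. It is an added example, not part of the original article or Microsoft's tooling. It assumes the two policies write the `SilentAccountConfig` and `KFMSilentOptIn` values under the OneDrive policy key and that the sync client sets the `OneDriveCommercial` environment variable; the tenant ID shown is a placeholder.

```powershell
# Added example: verify the OneDrive GPO settings and the resulting folder locations.
param(
    # Placeholder: replace with the Directory ID from the Azure AD properties page.
    [string]$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$results   = [System.Collections.Generic.List[object]]::new()

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# "Silently sign in users..." is stored as SilentAccountConfig = 1 (DWORD).
Add-Result 'Silent sign-in policy' ($policy.SilentAccountConfig -eq 1) `
    "SilentAccountConfig=$($policy.SilentAccountConfig)"

# "Silently move Windows known folders to OneDrive" is stored as
# KFMSilentOptIn = <tenant ID> (string). A typo in the ID makes the policy a no-op,
# so check that it parses as a GUID and matches the expected tenant.
$kfmTenant = [string]$policy.KFMSilentOptIn
$parsed    = [guid]::Empty
$isGuid    = [guid]::TryParse($kfmTenant, [ref]$parsed)
Add-Result 'Known folder move policy' ($isGuid -and $kfmTenant -ieq $ExpectedTenantId) `
    "KFMSilentOptIn=$kfmTenant"

# The policies are machine based, but the move happens per user. A folder that still
# resolves to a file share means the old redirection GPO is still winning.
$root = if ($env:OneDriveCommercial) { $env:OneDriveCommercial.TrimEnd('\') + '\' } else { $null }
foreach ($name in 'DesktopDirectory', 'MyDocuments', 'MyPictures') {
    $path  = [Environment]::GetFolderPath($name)
    $moved = [bool]$root -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
    Add-Result "$name inside OneDrive" $moved $path
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a management tool flag the machine.
if ($results.Pass -contains $false) { exit 1 }
```

A failing folder check alongside passing policy checks usually means the user has not signed in since the policy applied, or is still covered by the redirection GPO.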
