DFS Folder Redirection Woes… and a Fix!

Published on
3,133 Points
Last Modified:
Joseph Hornsey
I built my first network in 1994 using PowerLAN.  From there I messed around with NetWare and then moved to Windows NT and Cisco.
I’m a fan of folder redirection, however, it does have a couple of “Gotchas!” you have to look out for.  For example, if you redirect a user’s AppData folder to a DFS namespace, shortcuts on the taskbar are no longer trusted.  Here’s how to fix that.

If I encounter a network with multiple sites, especially if one of those sites is our datacenter, I generally implement DFS and replicate data between the sites.  I’ve been a big supporter of using DFS since way back in the Windows NT 4.0 Option Pack days.

However, DFS does create some unique challenges from time to time and I recently ran into one of those when I enabled Folder Redirection on our internal network and pointed the redirected folders to a DFS path.

When one redirects the AppData folder, the Taskbar shortcuts are relocated as part of that.  Once that happens, the following error occurs:

Error - can't verify.png

The shortcut still works; it’s just that since it’s on the network (which isn’t, by default, trusted), one must confirm the shortcut is safe by clicking on “Open”.


Searching around the Interwebs, I learned this setting is controlled via Internet Explorer’s security zones.  Kind of stupid, but whatever.

The common solution to this problem is:

On the Security tab in Internet Explorer options, disable Protected Mode and then select the Local Intranet Zone:

Int Opt - Local Int - PM Off - with markup.png

Click “Sites” and make sure all of the checkboxes are selected:

Local Intranet Advanced.png

This is where things started to get a little frustrating.  This seems to be all one has to do in order for servers on the network to be trusted, but it only works if the UNC path is a traditional \\server\share format.  It doesn’t work if you point to a DFS root because no server name is indicated in the UNC path.

As it turns out, if one is using DFS for Folder Redirection, those settings may not have to be enabled once the Local Intranet zone is sufficiently tweaked.

In the current window, select “Advanced” and add the UNC for the DFS root with a wildcard (*) as the server name:

The wildcard indicates that any host which is part of the domain will be trusted.  This includes not indicating a host at all, which is why DFS made this whole process so wonky.  This is also why the checkboxes in the previous window probably don’t matter… by including the wildcard, all servers in the domain are trusted.  If, however, there are servers on the local network that aren’t part of the domain, I’ll still need to worry about those checkboxes… along with the normal authentication issues that need to be addressed.

Make sure the server verification setting is NOT selected and click “Add”:

Local Intranet Advance - Site Added.png

You’ll see the UNC path added to the list of trusted Websites (which, apparently, means “Websites and everything else”.

Keep in mind, we’re dealing with a web browser here, so everything is done from that perspective.  If you don’t indicate this is a UNC path by including the double backslashes, IE will assume it’s a website:

No slashes.png

Because of this, the only way data on the local network would be trusted is if one accessed it via a web browser.  By adding the DFS root as a UNC path, access to the data is available across the network via shortcuts (and other methods of access).

To see this, hit “Close” after the DFS Root UNC path was added and then click “Advanced” again:

Local Intranet Advance - Site Added - auto changed.png

The UNC path has been changed into a standard URL with the “file” scheme.  If you have websites on your intranet which are accessed via web browsers, go ahead and add the path again without the backslashes for good measure.  I don’t know if that’s necessary – if you find yourself in that situation, please test it out and let me know.

Submit all of the changes and get out of Internet Explorer.  Test the shortcuts, and they should work fine.

I hope this helps out.  As always, your feedback is greatly appreciated!

If you found this helpful, please give a Thumbs Up!


Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Join & Write a Comment

This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month