The Storage Team Blog about file services and storage features in Windows and Windows Server.
User folders are associated with a sync share, and there are times when you will need to move a user to a different sync share. For example, maybe the user changed jobs from HR to Finance, which has its own sync share. The process is straightforward: you change the user’s security group memberships.
This blog post goes into detail on how this works, as well as how to assign security groups to sync shares.
Access to sync shares is managed by the assignment of users to a specific sync share. Typically, you assign one or more security groups to a sync share. As a result, the users that belong to the assigned security groups are allowed to sync to that particular share.
To assign security groups to a sync share, use the following cmdlet:
Set-SyncShare -Name <sharename> -User <domain\SecurityGroupName>
You can also do so in the Work Folders page in Server Manager, by right-clicking the sync share, and then clicking Properties:
When you select a sync share in Server Manager, the Users tile shows all the users who belong to the assigned security group for that sync share. This provides an easy way to see all the users syncing to the share. You can right-click a user and then click Properties to find detailed information about a particular user.
Note: We don’t recommend using built-in groups, such as “Domain Users”, for assigning users to sync shares, because of the complexity it can create later if you want to move users to other sync shares. Additionally, the Server Manager Users tile won’t show users from built-in groups. You can still make such an assignment through Windows PowerShell, though once again, we don’t recommend it.
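The following is an added example, not code from the original post, showing how the Set-SyncShare assignment above can be scripted on a Work Folders server together with a quick audit for the built-in groups the note advises against. The share name, domain and group name are placeholders; it assumes the SyncShare module that ships with the Work Folders role, that the objects returned by Get-SyncShare expose the assigned principals in a User property, and that Set-SyncShare -User replaces the whole list rather than appending to it.

```powershell
# Added example (not from the original post): assign a dedicated security group to a
# Work Folders sync share and audit which principals are assigned to every share.
# Share, domain and group names below are placeholders.
Import-Module SyncShare

$shareName = 'Finance Share'           # placeholder sync share name
$group     = 'CONTOSO\Finance Users'   # placeholder domain\group

# Assumption: Set-SyncShare -User sets the complete list of allowed principals,
# so merge the new group with whatever is already assigned instead of overwriting it.
$share   = Get-SyncShare -Name $shareName
$allowed = @(@($share.User) + $group | Select-Object -Unique)
Set-SyncShare -Name $shareName -User $allowed

# Audit every share: flag built-in groups (they broaden access well beyond the
# intended team and hide users from the Server Manager Users tile).
$builtIn = @('Domain Users', 'Authenticated Users', 'Everyone')
Get-SyncShare | ForEach-Object {
    $current = $_
    foreach ($principal in @($current.User)) {
        $shortName = ($principal -split '\\')[-1]
        [pscustomobject]@{
            Share     = $current.Name
            Principal = $principal
            BuiltIn   = $builtIn -contains $shortName
        }
    }
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the sync server; any row with BuiltIn set to True is a share whose membership is worth tightening to a dedicated group before users ever need to be moved.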
When you need to move a user from one sync share to another (on the same server or on different servers), you can simply move the user to a different security group.
For example, let’s say that there are two sync shares on the server: Finance Share and HR Share. Each share is associated with a security group: Finance Users, and HR Users. A user (Amy) changes jobs from HR to Finance. You then update the group membership for Amy, moving her from HR Users to Finance Users.
Amy already has Work Folders configured on her devices. Without her doing anything, the next time any of her devices syncs, the old sync share (HR Share) will reject the sync request because she’s no longer a member of the allowed security group. After the sync request is rejected, the client goes through the discovery process to find the new sync share, which is what we talk about next…
There are two main phases in discovery: Active Directory (AD) discovery, and local discovery.
AD discovery refers to the process of a sync server querying Active Directory to discover the sync server for a given user. The user attribute that stores the sync server for a user is called ms-ds-syncServerUrl. This blog post discusses the user attribute in detail. If AD discovery fails, local discovery is performed on the server that handled the sync request. If AD discovery succeeds, local discovery is performed on the server listed for the user in the ms-ds-syncServerUrl attribute.
Local discovery is about finding the correct sync share for a given user by checking which sync share they have sync permissions on. Here are the possible results:
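As an added example (not code from the original post), this script carries Amy’s move through end to end: it changes her group membership, verifies the change in Active Directory, performs the same check local discovery does on a single server, and, for the multi-server case, inspects and updates the ms-ds-syncServerUrl attribute so AD discovery points her at the right server. User, group, share and server names are placeholders; it assumes the ActiveDirectory and SyncShare modules, that the attribute’s LDAP display name is msDS-SyncServerUrl, that its value is the sync server’s HTTPS URL, and that Get-SyncShare exposes assigned principals in a User property.

```powershell
# Added example (not from the original post): move a user from one sync share's
# group to another and verify what discovery will find afterwards.
# All user, group, share and server names are placeholders.
Import-Module ActiveDirectory
Import-Module SyncShare

$user     = 'amy'             # placeholder sAMAccountName
$oldGroup = 'HR Users'        # placeholder group tied to HR Share
$newGroup = 'Finance Users'   # placeholder group tied to Finance Share

# 1. Change group membership. Removing from the old group first is what makes the
#    old sync share reject her next sync request.
Remove-ADGroupMember -Identity $oldGroup -Members $user -Confirm:$false
Add-ADGroupMember    -Identity $newGroup -Members $user

# 2. Confirm the change actually applied before relying on the client to discover it.
$groups = @((Get-ADPrincipalGroupMembership -Identity $user).Name)
if (($groups -contains $oldGroup) -or ($groups -notcontains $newGroup)) {
    throw "Membership change for $user did not apply as expected"
}

# 3. Local discovery on this server: list the sync shares that now admit the user
#    through any of her groups (assumes Get-SyncShare objects have a User property).
$domain     = (Get-ADDomain).NetBIOSName
$groupNames = $groups | ForEach-Object { "$domain\$_" }
$eligible   = Get-SyncShare | Where-Object {
    $shareUsers = @($_.User)
    @($groupNames | Where-Object { $shareUsers -contains $_ }).Count -gt 0
}
$eligible | Select-Object Name, Path

# 4. AD discovery, only needed when the new share lives on a different sync server:
#    point the user's msDS-SyncServerUrl (assumed attribute name) at that server.
$newServerUrl = 'https://sync-finance.contoso.com'   # placeholder server URL
Set-ADUser -Identity $user -Replace @{ 'msDS-SyncServerUrl' = $newServerUrl }
Get-ADUser -Identity $user -Properties 'msDS-SyncServerUrl' |
    Select-Object SamAccountName, 'msDS-SyncServerUrl'
```

On a single-server deployment, stop after step 3: when AD discovery finds no server, local discovery runs on the server that received the request, and step 3 shows what it will find. Step 4 is what lets the same group change move a user between servers without touching her devices.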
Ideally, discovery happens as soon as group membership changes. In reality, there are some cases when discovery doesn’t happen immediately:
AD discovery is useful when you have multiple sync servers: it makes it easy to move users to different sync shares on different sync servers without requiring them to do anything. The move occurs when the user’s device connects to the sync server. In Amy’s case, her device finds the new sync share seamlessly through discovery, letting her continue to sync her files without any hassle.
Moving users to different Sync Shares