You can use Group Policies to copy specific files and folders to user computers in the Active Directory domain. You can place files on the Desktop, in a particular user profile directory, or in any other folder on a local drive. With GPO, you can automatically copy and update various configuration files, INI files, app executables (EXEs), DLLs, or scripts from a shared repository.
Copying Files Using Group Policy Preferences
For example, I want to copy two files (app.exe and settings.xml) to the Desktops of some Active Directory domain users.
- Create a shared folder to store the source files you want to copy to users’ computers. It may be a shared SMB folder on a file server or the SYSVOL directory on a domain controller (this folder is automatically replicated between all DCs in the domain using DFS, which makes it convenient because it helps to reduce the load on the WAN links). I have placed the files in the Sysvol folder \\woshub.com\SYSVOL\woshub.com\scripts\CorpApp. Make sure that the Authenticated Users group has read permissions on this folder.
- Create a new Active Directory security group (CorpAPPUsers) using the Active Directory Users and Computers snap-in (dsa.msc). You can create a group using this PowerShell cmdlet:
New-ADGroup CorpAPPUsers -path 'OU=Groups,OU=DE,dc=woshub,DC=com' -GroupScope Global -PassThru -Verbose
Add to the group the users to whose desktops you want to automatically copy files through the GPO:
Add-AdGroupMember -Identity CorpAPPUsers -Members asmith, bmuller, tweber
- Open the Group Policy Management console (gpmc.msc);
- Create a new GPO object (CopyCorpApp) and link it to the OU that contains users’ computers;
- Edit the GPO settings;
- Expand the following Group Policy Preferences section: User Configuration -> Preferences -> Windows Settings -> Files;
If you need to copy files to computers regardless of logged-in users, it is better to use a similar policy in the Computer Configuration section of GPO.
- Select New -> File;
- Specify the source file in the shared folder and the target path on the computer you want to copy the file to. If the specified path does not exist, it will be automatically created. Be sure to specify the full name of the target file (if you just specify a target directory, you will receive an “access denied” error when copying the file). You can select the specific file name here or copy all files from the source directory at once by specifying a wildcard character *.
- 4 actions are available for copying files using GPO:
Create – file is copied to a target directory only if it doesn’t exist there;
Replace – the target file on a user’s computer is always replaced by the source file. If the source file is large, it will be copied every time the GPO is updated, which can cause a high network load. If you only want to replace the file once, enable the ‘Apply once and do not reapply’ option on the Common tab;
Update (a default policy) – if a file already exists and the source and destination files are different, it is not replaced with the source file (only attributes will be replaced). If the file does not exist, it will be copied;
Delete – delete the target file.
- You can select a specific folder on a computer as a target directory or use environment variables. To copy files to the current user’s Desktop, use %DesktopDir%. You can view the full list of the environment variables available in GPP by pressing F3. Here is a list of environment variables that can be used as destination folders when copying files using GPO:
%AppDataDir% – Current user’s Application Data folder
%CommonAppdataDir% – Application Data folder of all users
%CommonDesktopDir% – Desktop of all users
%CommonProgramsDir% – The Programs directory of all users
%CommonStartMenuDir% – Start Menu folder of all users
%CommonStartUpDir% – Startup directory for all users
%ComputerName% – NetBIOS computer name
%DesktopDir% – Current user Desktop
%DomainName% – Current domain name
%LocalTime% – Local computer time
%LogonDomain% – Current user’s domain
%LogonServer% – The name of the domain controller on which the user is authenticated to
%LogonUser% – Current user name
%NetPlacesDir% – User’s My Network Places Directory
%ProgramFilesDir% – Program Files directory
%ProgramsDir% – User’s Programs directory
%RecentDocumentsDir% – User’s Recent Documents directory
%SendToDir% – User’s Send directory
%StartMenuDir% – Start Menu of the current user
%StartUpDir% – Current user Startup folder
%SystemDir% – Windows directory
%SystemDrive% – The drive on which the operating system is installed
%TempDir% – User Temp folder
%WindowsDir% – Windows directory
- To copy files to the desktops of the specific users, open the Common tab in the policy settings, enable the Item-Level Targeting option, and click Targeting;
- In the next window, you can select more options for how to apply the GPO. In my case, I would like to restrict the policy to CorpAPPUsers group members only. To do it, click New Item -> Security Group and specify the domain user group;
- Since we’ve linked the GPO to an Organizational Unit containing computer objects (not user accounts), you need to enable the GPO loopback processing mode. Enable the option Configure user Group Policy loopback processing mode = Merge in Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy;
- Then update Group Policy settings on client computers (gpupdate /force or log off and log on again), and make sure the two files were automatically copied to the user’s Desktop.
In this way, you can copy scripts, application executable files, or system tools (PsTools, iperf, Portqry, etc.) to user computers. You can copy a file to Program Files and place a shortcut to it on the desktop via GPO.
If the files are not copied to users’ computers, you can use the gpresult.exe tool to figure out why the Group Policy is not being applied. In order to get detailed logs of GPO file copy operations, you can enable the log under Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy -> Logging and tracing. Enable the Configure Files preferences logging and tracing option and select the Informational, Warning, and Errors mode in the policy settings.
Now you can track all events and errors related to copying files through GPO on clients in the Event Viewer -> Application log. Enable the filter by the Group Policy Files source.
In my case, an Event ID 4098 error appeared on a user computer when copying files via GPO:
The user '%CommonDesktopDir%' preference item in the 'CopyCorpApp {GPO_GUID}' Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.
This issue was resolved by granting NTFS read permissions to files in the source directory to the Authenticated Users group.
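The troubleshooting steps above can be scripted. The following is an added example, not code from the original article: it parses the Event ID 4098 message format quoted above and checks the ACL of the source folder. The function names and the extra check for write access by broad groups are assumptions added here.

```powershell
# Added example: parse "Group Policy Files" errors and check the source folder ACL.
$SourceDir = '\\woshub.com\SYSVOL\woshub.com\scripts\CorpApp'   # source path from the article

# Sample input: the Event ID 4098 message quoted in the article
$SampleMessage = "The user '%CommonDesktopDir%' preference item in the 'CopyCorpApp {GPO_GUID}' " +
    "Group Policy Object did not apply because it failed with error code " +
    "'0x80070005 Access is denied.' This error was suppressed."

function ConvertFrom-GppFileError {
    # Extracts the GPO name, GPO id and error code; returns nothing if the text does not match
    param([Parameter(Mandatory)][string]$Message)
    $pattern = "in the '(?<Gpo>.+?) \{(?<Id>[^}]+)\}' Group Policy Object did not apply " +
               "because it failed with error code '(?<Code>0x[0-9A-Fa-f]{8}) (?<Text>[^']*)'"
    if ($Message -match $pattern) {
        [pscustomobject]@{
            Gpo          = $Matches['Gpo']
            GpoId        = $Matches['Id']
            ErrorCode    = $Matches['Code']
            ErrorText    = $Matches['Text']
            AccessDenied = $Matches['Code'] -eq '0x80070005'
        }
    }
}

function Test-GppSourceAcl {
    # Checks the folder's allow ACEs (explicit and inherited), resolved to SIDs
    param([Parameter(Mandatory)][string]$Path)
    $read  = [int][System.Security.AccessControl.FileSystemRights]::Read
    $write = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
    $allow = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' }
    [pscustomobject]@{
        Path                   = $Path
        # Direct ACE for Authenticated Users (S-1-5-11), as the article requires
        AuthenticatedUsersRead = [bool]($allow | Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-11' -and ([int]$_.FileSystemRights -band $read) -eq $read })
        # Added hardening check: broad groups that could replace the distributed files
        BroadWriteAccess       = @($allow | Where-Object {
            $_.IdentityReference.Value -in $broad -and ([int]$_.FileSystemRights -band $write) -ne 0 } |
            ForEach-Object { $_.IdentityReference.Value })
    }
}

ConvertFrom-GppFileError -Message $SampleMessage   # parse the sample quoted above
# On a client: parse real events, then check the source folder if it is reachable
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Group Policy Files'; Id = 4098 } `
    -ErrorAction SilentlyContinue | ForEach-Object { ConvertFrom-GppFileError -Message $_.Message }
if (Test-Path -LiteralPath $SourceDir) { Test-GppSourceAcl -Path $SourceDir }
```

A non-empty BroadWriteAccess list means ordinary users can change the files that the GPO copies to every targeted desktop.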
How to Copy Folders and Files with GPO Startup Script?
Note that Group Policy Preferences do not allow you to copy an entire directory with all child subfolders and files. If you need to copy a folder with a large number of files, or you want the contents of the target user folders to always be updated when any file in the source is updated, you can make a simple logon script and run it through the GPO.
Let’s create a GPO startup script to copy all new (and changed) files from the source directory to users’ computers:
- Create a batch file in Sysvol: CopyCorpApp.bat
REM Create the target folder on the first run only
IF NOT EXIST "C:\CorpApp" MD "C:\CorpApp"
REM /d copies only files that are newer than the copy already in the target
xcopy \\fs01\Sources\CorpApp\*.* C:\CorpApp /e /y /k /r /d /i
In some cases, it is preferable to use the more powerful robocopy command to copy files.
This script will copy the entire directory structure and all files with attributes. Only new or changed files are copied. This means that every time you run the script, if there are no changes in the source directory, the xcopy command will not overwrite the files.
- Create a new GPO (as described above) and assign it to the OU with users’ computers;
- Expand Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/shutdown). Select Startup;
- Click the Add button and specify the UNC path to your script on SysVol;
- Restart the user’s computer and make sure that the source folder was successfully copied.
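The robocopy variant mentioned above, as an added example that is not part of the original article: a PowerShell startup script that treats robocopy exit codes below 8 as success and restricts C:\CorpApp before copying, because a folder created under C:\ with default permissions inherits Modify rights for Authenticated Users. The source and target paths are the article's; the log path and function names are assumptions.

```powershell
# Added example (not the article's script): startup copy with robocopy into a locked-down folder.
$Source = '\\fs01\Sources\CorpApp'            # source share from the article
$Target = 'C:\CorpApp'                        # target folder from the article
$Log    = 'C:\Windows\Temp\CopyCorpApp.log'   # assumed log location

function Test-RobocopySuccess {
    # Robocopy exit codes are bit flags: 1 = files copied, 2 = extra files in target,
    # 4 = mismatches, 8 = some copies failed, 16 = fatal error. Below 8 nothing failed.
    param([Parameter(Mandatory)][int]$ExitCode)
    return ($ExitCode -ge 0 -and $ExitCode -lt 8)
}

function Initialize-TargetFolder {
    # Create the folder and replace inherited ACEs before any file lands in it:
    # SYSTEM and Administrators get full control, BUILTIN\Users read and execute only.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    & icacls.exe $Path /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' `
        '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit code $LASTEXITCODE)" }
}

function Sync-CorpApp {
    param([string]$From = $Source, [string]$To = $Target, [string]$LogFile = $Log)
    Initialize-TargetFolder -Path $To
    # /E = subfolders including empty ones, /XO = skip source files older than the target copy,
    # /R and /W = bounded retries so an unreachable share does not stall startup
    & robocopy.exe $From $To /E /XO /R:2 /W:5 /NP "/LOG+:$LogFile" | Out-Null
    $code = $LASTEXITCODE
    if (-not (Test-RobocopySuccess -ExitCode $code)) {
        throw "robocopy failed with exit code $code, see $LogFile"
    }
    return $code
}

# Run the copy when executed as a script (for example as the GPO startup script), not when dot-sourced
if ($MyInvocation.InvocationName -ne '.') {
    $null = Sync-CorpApp
    exit 0    # robocopy codes 1-7 are not failures, so report success
}
```

Startup scripts run under the computer account, so the source share must be readable by the computer objects. PowerShell scripts are added on the PowerShell Scripts tab of the Startup properties.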
5 comments
thanks, this can work, also you can easily use Gs Richcopy 360 or GoodSync to do this job directly
I want to copy some folders from our fileserver instead of one file, how to do that?
here you are talking about 1 specific file.
You can create multiple items in a GPO. One for each file.
If there are a lot of files in the source dir, it’s easier to make a logon script with the copy/xcopy command
Try this..
xcopy \\fs01\Sources\CorpApp C:\ /e /y /k /r /d /i
It will copy entire CoreApp folder in C drive
I have a question for you, I am using the GPO option, and if I use the Folder and File option, I use the %LogonUser% but I have several users Profiles showing as username.domain and this %LogonUser% then does not work. Any thoughts?