Copy Files and Folders to User Computers via GPO

digitalgeekery.com

You can use Group Policies to copy specific files and folders to user computers in the Active Directory domain. You can place files on the Desktop, in a particular user profile directory, or in any other folder on a local drive. With GPO, you can automatically copy and update various configuration files, INI files, app executables (EXEs), DLLs, or scripts from a shared repository.

Contents:

  • Copying Files Using Group Policy Preferences
  • How to Copy Folders and Files with GPO Startup Script?

Copying Files Using Group Policy Preferences

For example, I want to copy two files (app.exe and settings.xml) to the Desktops of some Active Directory domain users.

Create a shared folder to store the source files you want to copy to users’ computers. It may be a shared SMB folder on a file server or the SYSVOL directory on a domain controller (this folder is automatically replicated between all DCs in the domain using DFS, which makes it convenient because it helps to reduce the load on WAN links). I have placed the files in the SYSVOL folder \\digitalgeekery.com\SYSVOL\digitalgeekery.com\scripts\CorpApp. Make sure that the Authenticated Users group has read permissions on this folder.

  1. Create a new Active Directory security group (CorpAPPUsers) using the Active Directory Users and Computers snap-in (dsa.msc). You can create a group using this PowerShell cmdlet:
       New-ADGroup CorpAPPUsers -Path 'OU=Groups,OU=DE,DC=digitalgeekery,DC=com' -GroupScope Global -PassThru -Verbose
     Add to the group the users whose desktops should automatically receive the files through the GPO:
       Add-ADGroupMember -Identity CorpAPPUsers -Members asmith, bmuller, tweber
  2. Open the Group Policy Management console (gpmc.msc);
  3. Create a new GPO object (CopyCorpApp) and link it to the OU that contains users’ computers;
  4. Edit the GPO settings;
  5. Expand the following Group Policy Preferences section: User Configuration -> Preferences -> Windows Settings -> Files. If you need to copy files to computers regardless of logged-in users, it is better to use a similar policy in the Computer Configuration section of the GPO;
  6. Select New -> File;
  7. Specify the source file in the shared folder and the target path on the computer you want to copy the file to. If the specified path does not exist, it will be automatically created. Be sure to specify the full name of the target file (if you just specify a target directory, you will receive an “access denied” error when copying the file). You can select the specific file name here or copy all files from the source directory at once by specifying a wildcard character *;
  8. Four actions are available for copying files using GPO:
    Create – the file is copied to a target directory only if it doesn’t exist there;
    Replace – the target file on a user’s computer is always replaced by the source file. If the source file is large, it will be copied every time the GPO is updated, which can cause a high network load. If you only want to replace the file once, enable the ‘Apply once and do not reapply’ option on the Common tab;
    Update (the default) – if a file already exists and the source and destination files are different, it is not replaced with the source file (only attributes will be replaced). If the file does not exist, it will be copied;
    Delete – delete the target file.
  9. You can select a specific folder on a computer as a target directory or use environment variables. To copy files to the current user’s Desktop, use %DesktopDir%.

    You can view the full list of the environment variables available in GPP by pressing F3. Here is a list of environment variables that can be used as destination folders when copying files using GPO:

    %AppDataDir% – Current user’s Application Data folder
    %CommonAppdataDir% – Application Data folder of all users
    %CommonDesktopDir% – Desktop of all users
    %CommonProgramsDir% – The Programs directory of all users
    %CommonStartMenuDir% – Start Menu folder of all users
    %CommonStartUpDir% – Startup directory for all users
    %ComputerName% – NetBIOS computer name
    %DesktopDir% – Current user Desktop
    %DomainName% – Current domain name
    %LocalTime% – Local computer time
    %LogonDomain% – Current user’s domain
    %LogonServer% – The name of the domain controller on which the user is authenticated
    %LogonUser% – Current user name
    %NetPlacesDir% – User’s My Network Places Directory
    %ProgramFilesDir% – Program Files directory
    %ProgramsDir% – User’s Programs directory
    %RecentDocumentsDir% – User’s Recent Documents directory
    %SendToDir% – User’s Send directory
    %StartMenuDir% – Start Menu of the current user
    %StartUpDir% – Current user Startup folder
    %SystemDir% – Windows directory
    %SystemDrive% – The drive on which the operating system is installed
    %TempDir% – User Temp folder
    %WindowsDir% – Windows directory
  10. To copy files to the desktops of specific users only, open the Common tab in the policy settings, enable the Item-Level Targeting option, and click Targeting;
  11. In the next window, you can select more options for how to apply the GPO. In my case, I would like to restrict the policy to CorpAPPUsers group members only. To do it, click New Item -> Security Group and specify the domain user group;
  12. Since we’ve linked the GPO to an Organizational Unit containing computer objects (not user accounts), you need to enable the GPO loopback processing mode. Enable the option Configure user Group Policy loopback processing mode = Merge in Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy;
  13. Then update Group Policy settings on client computers (gpupdate /force or log off and log on again), and make sure the two files were automatically copied to the user’s Desktop.

In this way, you can copy scripts, application executable files, or system tools (PsTools, iperf, Portqry, etc.) to user computers. You can copy a file to Program Files and place a shortcut to it on the desktop via GPO.

If you need to copy a directory to a user’s computer, use the Group Policy item in the Computer (User) Configuration -> Preferences -> Windows Settings -> Folders section. This option allows you to create a directory on a target computer. You can then copy the source files to this directory as described above.

If the files are not copied to users’ computers, you can use the gpresult.exe tool to figure out why the Group Policy is not being applied. In order to get detailed logs of GPO file copy operations, you can enable the log under Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy -> Logging and tracing. Enable the Configure Files preferences logging and tracing option and select the Informational, Warning, and Errors mode in the policy settings.

Now you can track all events and errors related to copying files through GPO on clients in the Event Viewer -> Application log. Enable the filter by the Group Policy Files source.

In my case, an Event ID 4098 error appeared on a user computer when copying files via GPO:

The user '%CommonDesktopDir%' preference item in the 'CopyCorpApp {GPO_GUID}' Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

This issue was resolved by granting NTFS read permissions to files in the source directory to the Authenticated Users group.
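
The two troubleshooting checks above, scripted in PowerShell as an added example (not part of the original article): it audits NTFS permissions on the source folder and lists recent Group Policy Files warnings and errors on a client. The path and event source are the ones used above; the $Trusted principal list and the English account names are assumptions.

```powershell
# Added example, not from the original article.
$Source  = '\\digitalgeekery.com\SYSVOL\digitalgeekery.com\scripts\CorpApp'  # path from the article
$Reader  = 'NT AUTHORITY\Authenticated Users'   # English name; differs on localized systems
# Assumption: only these principals should be able to change the distributed files
$Trusted = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|CREATOR OWNER|.+\\(Domain|Enterprise) Admins)$'

$ReadMask  = [int][System.Security.AccessControl.FileSystemRights]'Read'
# Write-type rights plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000)
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

# 1. Source side: one row per file or folder.
#    Heuristic: looks for a direct Allow ACE for Authenticated Users, not effective access.
$items = @(Get-Item -LiteralPath $Source) + @(Get-ChildItem -LiteralPath $Source -Recurse -Force)
$audit = foreach ($item in $items) {
    $allow = (Get-Acl -LiteralPath $item.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }
    $canRead = $allow | Where-Object {
        $_.IdentityReference.Value -eq $Reader -and
        ([int]$_.FileSystemRights -band $ReadMask) -eq $ReadMask
    }
    $writers = $allow | Where-Object {
        ([int]$_.FileSystemRights -band $WriteMask) -and
        $_.IdentityReference.Value -notmatch $Trusted
    }
    [pscustomobject]@{
        Path              = $item.FullName
        AuthUsersRead     = [bool]$canRead
        UnexpectedWriters = @($writers.IdentityReference.Value | Sort-Object -Unique) -join '; '
    }
}
# Rows that can cause 0x80070005 on clients, or where a non-admin principal
# can modify files that the GPO distributes to every targeted user
$audit | Where-Object { -not $_.AuthUsersRead -or $_.UnexpectedWriters } |
    Format-Table -AutoSize -Wrap

# 2. Client side: Group Policy Files errors (level 2) and warnings (level 3), e.g. Event ID 4098
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Group Policy Files'; Level = 2, 3 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

Run part 1 from any machine that can reach the share and part 2 on the affected client.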

How to Copy Folders and Files with GPO Startup Script?

Note that Group Policy Preferences do not allow you to copy an entire directory with all child subfolders and files. If you need to copy a folder with a large number of files, or you want the contents of the target user folders to always be updated when any file in the source is updated, you can make a simple logon script and run it through the GPO.

Let’s create a GPO startup script to copy all new (and changed) files from the source directory to users’ computers:

  1. Create a batch file in Sysvol:
    CopyCorpApp.bat
    REM Create the target folder on first run only
    IF NOT EXIST "C:\CorpApp" MD "C:\CorpApp"
    REM /e subfolders, /y no overwrite prompt, /k keep attributes, /r overwrite read-only, /d newer files only, /i target is a directory
    xcopy \\fs01\Sources\CorpApp\*.* C:\CorpApp /e /y /k /r /d /i
    In some cases, it is preferable to use the more powerful robocopy command to copy files. This script will copy the entire directory structure and all files with attributes. Only new or changed files are copied. This means that every time you run the script, if there are no changes in the source directory, the xcopy command will not overwrite the files.
  2. Create a new GPO (as described above) and assign it to the OU with users’ computers;
  3. Expand Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/shutdown). Select Startup;
  4. Click the Add button and specify the UNC path to your script on SysVol;
  5. Restart the user’s computer and make sure that the source folder was successfully copied.
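
A robocopy version of the startup script, written in PowerShell as an added example (not the article's script). It uses the same source and target as the batch file above; the log path is an assumption. Computer startup scripts run as Local System, so the share is read with the computer account, and write access to the share and to the script should stay limited to administrators.

```powershell
# Added example, not the article's script. Intended as a computer startup script.
$Source = '\\fs01\Sources\CorpApp'   # share used by the article's batch file
$Target = 'C:\CorpApp'               # target used by the article's batch file
$Log    = Join-Path $env:SystemRoot 'Temp\CopyCorpApp.log'   # assumed log location

# /E         copy subfolders, including empty ones
# /XO        skip source files older than the copy on the client (like xcopy /d)
# /R:2 /W:5  two retries, five seconds apart, instead of the default 1,000,000 retries
# /NP        no progress percentage in the log
$roboArgs = @($Source, $Target, '/E', '/XO', '/R:2', '/W:5', '/NP', "/LOG+:$Log")
& robocopy.exe @roboArgs | Out-Null
$code = $LASTEXITCODE

# robocopy's exit code is a bit mask; a non-zero value does not by itself mean failure
$meaning = @{
    1  = 'files copied'
    2  = 'extra files in target'
    4  = 'mismatched files'
    8  = 'some files could not be copied'
    16 = 'fatal error, nothing copied'
}
$flags   = foreach ($bit in 1, 2, 4, 8, 16) { if ($code -band $bit) { $meaning[$bit] } }
$summary = if ($flags) { $flags -join ', ' } else { 'nothing to copy' }
Add-Content -Path $Log -Value ('{0:s} robocopy exit code {1}: {2}' -f (Get-Date), $code, $summary)

# 8 and above means at least one file failed to copy
if ($code -ge 8) { exit 1 }
exit 0
```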
