How to Set Up Work Folder Sync with AD Integration on Windows Server 2016

Introduction

Work Folders is a Windows Server 2016 role service that allows users to synchronise work files from corporate servers to their personal devices — PCs, laptops, and mobile devices — without requiring a VPN connection. Unlike folder redirection, Work Folders keeps a local copy of data on each device and syncs changes automatically when connectivity is available. When integrated with Active Directory, Work Folders enforces access control through AD user accounts and security groups, and can apply device security policies through Group Policy. This guide covers deploying and integrating Work Folders with Active Directory on Windows Server 2016.

Installing the Work Folders Role

# Install Work Folders role service
Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

# Verify installation
Get-WindowsFeature FS-SyncShareService | Select-Object Name,InstallState

# Import the Work Folders management module
Import-Module SyncShare

Preparing the File System

# Create the Work Folders root directory
New-Item -Path 'D:WorkFolders' -ItemType Directory

# Create user data subdirectories (Work Folders creates per-user dirs automatically)
# Set NTFS permissions on the root
$acl = Get-Acl 'D:WorkFolders'
$acl.SetAccessRuleProtection($true, $false)

# Add SYSTEM and Administrators full control
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'SYSTEM','FullControl','ContainerInherit,ObjectInherit','None','Allow')
$adminRule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Administrators','FullControl','ContainerInherit,ObjectInherit','None','Allow')
$acl.AddAccessRule($systemRule)
$acl.AddAccessRule($adminRule)
Set-Acl -Path 'D:WorkFolders' -AclObject $acl

# Enable NTFS quotas for the Work Folders volume
$quota = New-FsrmQuotaTemplate -Name 'WorkFolders-5GB' `
    -Size 5GB `
    -SoftLimit:$false
New-FsrmQuota -Path 'D:WorkFolders' -Template 'WorkFolders-5GB'

Creating and Configuring Sync Shares

# Create a sync share for all domain users
New-SyncShare -Name 'UserData' `
    -Path 'D:WorkFolders' `
    -User @('Domain Users') `
    -ConflictResolutionPolicy 'WinnerTakesAll' `
    -InheritedFolderPermissionEnabled $true `
    -FolderName '%Username%'

# Create a separate sync share for a specific department
New-ADGroup -Name 'WF-Marketing' -GroupScope Global -GroupCategory Security
New-SyncShare -Name 'MarketingData' `
    -Path 'D:WorkFoldersMarketing' `
    -User @('WF-Marketing') `
    -ConflictResolutionPolicy 'WinnerTakesAll' `
    -FolderName '%Username%'

# Verify sync shares
Get-SyncShare | Select-Object Name,Path,User,SyncShareStatus

Configuring SSL for Work Folders

Work Folders requires HTTPS for both internal and external access. Configure an SSL certificate on the IIS binding used by Work Folders:

# Request a certificate for workfolders.contoso.com from your internal CA
$cert = Get-Certificate -Template 'WebServer' `
    -SubjectName 'CN=workfolders.contoso.com' `
    -CertStoreLocation Cert:LocalMachineMy `
    -DnsName 'workfolders.contoso.com','workfolders'

# Bind the certificate to Work Folders (port 443)
Import-Module WebAdministration
$binding = Get-WebBinding -Name 'Work Folders' -Protocol https
$binding.AddSslCertificate($cert.Certificate.Thumbprint, 'My')

# Verify the binding
Get-WebBinding -Name 'Work Folders' | Select-Object protocol,bindingInformation

Configuring AD Group Policy for Work Folders

Deploy Work Folders settings to domain clients via Group Policy so devices automatically discover and connect to the Work Folders server:

# Create a GPO for Work Folders deployment
$gpo = New-GPO -Name 'WorkFolders-AutoSetup'
New-GPLink -Name 'WorkFolders-AutoSetup' -Target 'DC=contoso,DC=com'

# Configure the Work Folders URL in the GPO:
# User Configuration > Policies > Administrative Templates >
#   Windows Components > Work Folders
# "Specify Work Folders settings" = Enabled
# Work Folders URL: https://workfolders.contoso.com
# Force automatic setup = Enabled

# Apply the GPO
gpupdate /force

# Verify Work Folders URL GPO is being applied
Get-GPResultantSetOfPolicy -User '[email protected]' -Computer 'WORKSTATION01' -ReportType Xml |
    Select-String 'WorkFolders'

Enforcing Device Security Policies

# Require encryption on devices that sync Work Folders
Set-SyncShare -Name 'UserData' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# View current sync share security settings
Get-SyncShare -Name 'UserData' | Select-Object Name,RequireEncryption,RequirePasswordAutoLock

# Check user sync health
Get-SyncUser -SyncShareName 'UserData' | Select-Object UserName,LastSyncTime,SyncErrorCount |
    Sort-Object SyncErrorCount -Descending

Monitoring Work Folders Activity

# Check overall sync share health
Get-SyncShare | ForEach-Object {
    $users = Get-SyncUser -SyncShareName $_.Name
    [PSCustomObject]@{
        ShareName  = $_.Name
        TotalUsers = $users.Count
        ActiveToday = ($users | Where-Object {$_.LastSyncTime -gt (Get-Date).AddDays(-1)}).Count
        Errors     = ($users | Where-Object {$_.SyncErrorCount -gt 0}).Count
    }
}

# Review Work Folders event logs
Get-EventLog -LogName Application -Source 'SyncShareSvc' -Newest 30 |
    Where-Object {$_.EntryType -in 'Error','Warning'} |
    Select-Object TimeGenerated,EntryType,Message | Format-List

Summary

Work Folders on Windows Server 2016 with Active Directory integration delivers a managed, policy-enforced file synchronisation solution that keeps corporate data secure on any device. By combining AD-based access control, SSL-secured sync, automatic client configuration via Group Policy, and device encryption enforcement, Work Folders provides an enterprise-grade alternative to consumer cloud storage services — keeping sensitive data within your organisation’s control while giving users the mobile access they need.