How to Set Up Work Folder Sync with AD Integration on Windows Server 2022

Work Folders Overview and AD Integration Architecture

Work Folders is a Windows Server sync role service that provides a corporate Dropbox-style file sync experience — but integrated with Active Directory, enforced by Group Policy, and hosted entirely on infrastructure you control. Unlike consumer sync services, Work Folders uses the user’s AD UPN as the identity for sync, maps each AD user to a per-user sync share on the server, and supports GPO-based automatic configuration on domain-joined Windows clients.

The key architectural components in an AD-integrated Work Folders deployment are:

Work Folders Server — A Windows Server 2022 file server running the Work Folders role service. Each user gets a dedicated sync share folder under the sync share root (e.g., C:WorkFolders%username%). The server authenticates users via IIS with Windows Authentication and Negotiate (Kerberos/NTLM).

Web Application Proxy (WAP) or Azure AD Application Proxy — For users on unmanaged or non-domain-joined devices, Work Folders must be accessible over HTTPS from the internet. WAP pre-authenticates requests against AD FS before forwarding them to the internal Work Folders server.

DNS Auto-Discovery — Windows clients can automatically discover the Work Folders URL using a DNS SRV or CNAME record. When a user enters their AD email (UPN), Windows queries DNS for a well-known record and receives the sync server URL, eliminating manual configuration.

Group Policy — GPO can automatically configure Work Folders on all domain-joined Windows 8.1+ and Windows 10/11 clients, including setting the sync URL and optionally forcing device encryption.

Installing the Work Folders Role Service

Work Folders is a role service under the File and Storage Services role. Install it on your file server:

Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

# Verify installation
Get-WindowsFeature -Name FS-SyncShareService

Import the SyncShare module for PowerShell management:

Import-Module SyncShare
Get-Command -Module SyncShare

Create the root directory that will hold per-user Work Folders data:

New-Item -Path "D:WorkFolders" -ItemType Directory

# Set NTFS permissions — only SYSTEM and Admins should have root access
# Per-user folders are created automatically with user-specific ACLs
icacls "D:WorkFolders" /inheritance:r /grant "SYSTEM:(OI)(CI)F" /grant "BUILTINAdministrators:(OI)(CI)F"

Creating Sync Shares with AD UPN Binding

A Sync Share defines the root path, which AD users or groups can sync, and how user folders are named. Using %username% as the user folder template creates a folder named after the AD sAMAccountName. Using the UPN prefix (%username%@domain pattern) is also supported for clarity in multi-domain environments.

# Create a sync share for all domain users
New-SyncShare -Name "UserDocs" `
    -Path "D:WorkFolders" `
    -UserFolderName "%username%" `
    -User "corpDomain Users" `
    -Description "Corporate Work Folders sync share"

Verify the sync share was created:

Get-SyncShare | Format-List *

You can create multiple sync shares — for example, one per department — each pointing to different storage locations with different quota policies:

# Engineering department sync share on faster SSD storage
New-SyncShare -Name "Engineering" `
    -Path "E:WorkFolders-Eng" `
    -UserFolderName "%username%" `
    -User "corpGRP-Engineering" `
    -Description "Engineering team Work Folders"

# Finance on encrypted/compliant storage
New-SyncShare -Name "Finance" `
    -Path "F:WorkFolders-Finance" `
    -UserFolderName "%username%" `
    -User "corpGRP-Finance" `
    -RequireEncryption $true `
    -Description "Finance team Work Folders with encryption required"

SSL Certificate Requirements and IIS Binding

Work Folders uses HTTPS for all sync traffic. The SSL certificate must be trusted by all client devices (domain-joined clients can use an internal CA certificate; non-domain-joined devices require a publicly trusted certificate from a commercial CA or Let’s Encrypt).

The certificate Subject Alternative Names must include the DNS name that clients will use to connect. For auto-discovery to work, the Work Folders URL must match the DNS record you create.

# Request certificate from internal CA using certreq or Get-Certificate
$certParams = @{
    Subject           = "CN=workfolders.corp.example.com"
    DnsName           = @("workfolders.corp.example.com", "enterpriseregistration.corp.example.com")
    CertStoreLocation = "Cert:LocalMachineMy"
    KeyLength         = 2048
    HashAlgorithm     = "SHA256"
    KeyUsage          = @("DigitalSignature", "KeyEncipherment")
    TextExtension     = @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
}
$cert = Get-Certificate @certParams -CertificateAuthority "CORPCA01Corp-CA" -Credential (Get-Credential)

Bind the certificate to the Work Folders IIS site. Work Folders creates its own IIS site during installation. Configure the HTTPS binding:

Import-Module WebAdministration

# Find the Work Folders site (usually named "Work Folders")
$site = Get-WebSite | Where-Object { $_.Name -eq "Work Folders" }

# Bind the certificate to port 443 on the Work Folders site
$certThumbprint = (Get-ChildItem Cert:LocalMachineMy | 
    Where-Object { $_.Subject -match "workfolders.corp.example.com" }).Thumbprint

New-WebBinding -Name "Work Folders" -Protocol https -Port 443 -HostHeader "workfolders.corp.example.com"
$binding = Get-WebBinding -Name "Work Folders" -Protocol https
$binding.AddSslCertificate($certThumbprint, "My")

Configuring Automatic URL Discovery via DNS

Windows clients use two DNS records for Work Folders auto-discovery. When a user enters their corporate email address during Work Folders setup, Windows queries DNS in order:

First, it tries a SRV record: _workfolders._tcp.corp.example.com. Second, it tries a CNAME record: workfolders.corp.example.com.

Create both DNS records in your AD-integrated DNS zone. The CNAME should point to the Work Folders server’s FQDN (or the WAP server for external users):

# Create the SRV record for auto-discovery
$zone = "corp.example.com"
$wfServer = "wfserver01.corp.example.com"

Add-DnsServerResourceRecord -ZoneName $zone `
    -Srv `
    -Name "_workfolders._tcp" `
    -DomainName $wfServer `
    -Priority 10 `
    -Weight 10 `
    -Port 443

# Create the CNAME record
Add-DnsServerResourceRecordCName -ZoneName $zone `
    -Name "workfolders" `
    -HostNameAlias $wfServer

For external auto-discovery (non-domain-joined devices), the same records should exist in your public-facing DNS zone, with the external IP or hostname of your WAP server:

# In your public DNS zone (example.com) — points to WAP external address
# This must be done through your public DNS registrar or provider
# _workfolders._tcp.example.com  SRV  10 10 443  wap.example.com
# workfolders.example.com        CNAME wap.example.com

Test auto-discovery from a client workstation:

Resolve-DnsName -Name "_workfolders._tcp.corp.example.com" -Type SRV
Resolve-DnsName -Name "workfolders.corp.example.com" -Type CNAME

Automating Work Folders Configuration via Group Policy

Group Policy can automatically configure Work Folders on all domain-joined Windows clients, so users do not need to set anything up manually. The GPO settings are under Computer Configuration > Policies > Administrative Templates > Windows Components > Work Folders.

Configure via PowerShell using the GroupPolicy module:

Import-Module GroupPolicy

# Create a new GPO for Work Folders
New-GPO -Name "WorkFolders-AutoSetup" -Comment "Automatically configure Work Folders on domain-joined PCs"

# Link it to the domain or a specific OU
New-GPLink -Name "WorkFolders-AutoSetup" -Target "OU=Workstations,DC=corp,DC=example,DC=com"

# Set the Work Folders URL policy (auto-discover URL from UPN)
Set-GPRegistryValue -Name "WorkFolders-AutoSetup" `
    -Key "HKLMSOFTWAREPoliciesMicrosoftWindowsWorkFolders" `
    -ValueName "AutoProvision" `
    -Type DWord `
    -Value 1

Set-GPRegistryValue -Name "WorkFolders-AutoSetup" `
    -Key "HKLMSOFTWAREPoliciesMicrosoftWindowsWorkFolders" `
    -ValueName "SyncUrl" `
    -Type String `
    -Value "https://workfolders.corp.example.com"

To require device encryption for synced data (preventing sync on unencrypted devices):

Set-GPRegistryValue -Name "WorkFolders-AutoSetup" `
    -Key "HKLMSOFTWAREPoliciesMicrosoftWindowsWorkFolders" `
    -ValueName "EncryptionRequired" `
    -Type DWord `
    -Value 1

After GPO applies on client workstations (gpupdate /force or next policy refresh), Work Folders will automatically configure to sync with the specified URL using the logged-on user’s AD credentials.

Per-User Storage Quotas with FSRM Integration

Work Folders does not natively enforce per-user storage quotas, but you can use File Server Resource Manager (FSRM) quota templates applied to the Work Folders root directory to limit each user’s storage consumption. FSRM auto-applies quotas to newly created subfolders, making it compatible with the automatic per-user folder creation by Work Folders.

# Install FSRM
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

# Create a quota template: 5GB soft limit, 6GB hard limit
New-FsrmQuotaTemplate -Name "WorkFolders-5GB" `
    -Size 5GB `
    -SoftLimit $false `
    -Threshold @(
        (New-FsrmQuotaThreshold -Percentage 85 -Action @(New-FsrmAction -Type Email -MailTo "[Source Io Owner Email]" -Subject "Work Folders: 85% quota used" -Body "You are using 85% of your 5GB Work Folders quota. Please clean up files.")),
        (New-FsrmQuotaThreshold -Percentage 100 -Action @(New-FsrmAction -Type Email -MailTo "[Admin Email]" -Subject "Work Folders quota full: [Source Io Owner]" -Body "User [Source Io Owner] has reached their Work Folders quota limit."))
    )

# Apply auto-quota to the Work Folders root (auto-applies to all user subfolders)
New-FsrmAutoQuota -Path "D:WorkFolders" -Template "WorkFolders-5GB" -Enabled $true

Check quota usage for a specific user:

Get-FsrmQuota -Path "D:WorkFoldersjdoe" | Select-Object Path, Size, Usage, SoftLimit

Monitoring Sync Health with Get-SyncShare and Get-SyncUserStatus

Use the SyncShare PowerShell module to monitor the sync health of your Work Folders deployment in real time.

# Get all sync shares and their status
Get-SyncShare | Select-Object Name, Path, User, RequestCount, ActiveSessionCount

# Get sync status for all users (shows last sync time, file counts, errors)
Get-SyncUserStatus | Select-Object UserName, SyncShareName, UploadCount, DownloadCount, ErrorCount, LastSyncTime | Format-Table -AutoSize

# Filter for users with sync errors
Get-SyncUserStatus | Where-Object { $_.ErrorCount -gt 0 } | 
    Select-Object UserName, ErrorCount, LastSyncTime, LastErrorDescription

For continuous monitoring, schedule this query and send alerts if any user has persistent errors:

$errors = Get-SyncUserStatus | Where-Object {
    $_.ErrorCount -gt 0 -and $_.LastSyncTime -lt (Get-Date).AddHours(-4)
}

if ($errors) {
    $errorSummary = $errors | Select-Object UserName, ErrorCount, LastSyncTime, LastErrorDescription |
        ConvertTo-Html | Out-String
    
    Send-MailMessage -To "[email protected]" `
        -From "[email protected]" `
        -Subject "Work Folders Sync Errors Detected" `
        -Body $errorSummary `
        -BodyAsHtml `
        -SmtpServer "smtp.corp.example.com"
}

Managing Conflicts in Work Folders

When a file is modified on two devices before either device syncs, Work Folders creates a conflict. The most recently modified version wins and the older version is renamed with a conflict suffix (e.g., Document-jdoe-PC1.docx). Unlike SharePoint co-authoring, Work Folders does not merge changes — it preserves both versions and the user must manually reconcile.

Find all conflict files across the Work Folders share:

# Find conflict files (named with the sync conflict suffix pattern)
Get-ChildItem -Path "D:WorkFolders" -Recurse -File |
    Where-Object { $_.Name -match "-[A-Za-z0-9]+-[A-Za-z0-9]+." -and $_.Name -ne $_.BaseName } |
    Select-Object FullName, Length, LastWriteTime |
    Sort-Object LastWriteTime -Descending

Reduce conflicts by educating users to ensure devices sync before opening files on a second device. In environments where frequent conflicts are a problem, consider deploying Work Folders in a read-only or archive mode for specific content types, combined with SharePoint Online for collaborative documents.

Summary

Work Folders on Windows Server 2022 with full AD integration provides a secure, controlled alternative to consumer cloud sync services. By binding sync shares to AD UPN identity, automating configuration through Group Policy, enforcing device encryption policies, applying FSRM quotas for storage governance, and monitoring sync health with the SyncShare PowerShell module, you create a sync infrastructure that is IT-managed, auditable, and compliant with corporate data policies — while remaining transparent to end users who get a seamless sync experience across all their devices.