One of the most frequently asked issues regarding user management is that of Roaming Profiles. While setting it up is, in fact, quite straightforward, it can be a source of great confusion. Hopefully this simple step-by-step approach will help to guide you down the right path.
First, you’ll need to actually create the user in question. This can generally be accomplished by using the Active Directory Users and Computers link in the Administrative Tools folder on your Windows Server. Once created, you can edit the user’s properties and visit the Profile tab under their account.
Under the User profile section, we’ve identified \\server\profile$\yourname as our Profile Path. This assumes that the NetBIOS name of our server is “server”, our profile share name is “profile$” and that this specific account will be stored in the “yourname” folder. We’ll go about creating the necessary folders momentarily, however it’s worth noting that the “yourname” folder will be created automatically if it does not yet exist. We’ve also specified a logon script and a home folder, although as these aren’t the focus of this article we’ll be skipping over them for the time being.
To create the necessary profile folder to store all user profiles, we’ll first need to create a simple folder. In our case, we’ve created D:\Profile as our profile folder using Windows Explorer.
The real magic comes in setting up the correct permissions for this folder beforehand. This can be accomplished by using the Share and Storage Management link in the Administrative Tools folder and selecting Action > Provision Share from the toolbar.
When prompted for a Location, we’ve typed D:\Profile as our folder of choice. On the next screen, we’re asked if we want to modify the NTFS permissions, which we do using the settings outlined in Table 1:
| Windows User Account | Minimum permissions required |
|---|---|
| Creater/Owner | Full Control, Subfolders And Files Only |
| Administrator | None |
| Security group of users needing to put data on share | List Folder/Read Data, Create Folders/Append Data - This Folder Only |
| Everyone | No Permissions |
| Local System | Full Control, This Folder, Subfolders And Files |
When asked for a Share Name, we’ve opted to use profile$ which creates a hidden share (thus the dollar sign at the end of the share name). While not absolute in terms of security, every bit can help. When finally asked for SMB Share Based Permissions, we modify this folder according to the settings in Table 2:
| Windows User Account | Default Permissions | Minimum permissions required |
|---|---|---|
| Everyone | Full Control | No Permissions |
| Security group of users needing to put data on share | N/A | Full Control |
The permissions in Table 3 are, fortunately, set for you automatically when you add the profile information to each user account.
| Windows User Account | Default Permissions | Minimum permissions required |
|---|---|---|
| %Username% | Full Control, Owner Of Folder | Full Control, Owner Of Folder |
| Local System | Full Control | Full Control |
| Administrators | No Permissions | No Permissions |
| Everyone | No Permissions | No Permissions |
In a nutshell, that’s all you’ll need to do in order to enable Roaming Profiles under Windows Server.