Configuring Windows Roaming User Profiles in Active Directory

Roaming user profiles allow a user to log on to any Windows computer in an organization and get their familiar environment, settings, and personal files and folders. With a roaming profile, the user profile files are stored in a shared network folder on a file server and are downloaded over the network when the user logs on to the computer. All changed settings and files are synchronized back to the server when the user logs off.

In this article, we’ll look at how to configure Windows roaming user profiles in an Active Directory domain.

Roaming profile benefits:

  • Users can access their personal files and environment settings from any computer in the domain;
  • User files are stored on the server, making them easier to back up centrally;
  • On a file server, you can apply size quotas to user profiles and specify prohibited file types using FSRM;
  • If the user’s computer fails, their data is not lost.

The downside of a roaming profile is that it takes time for the computer to download the profile files from the server when the user logs in. This raises network usage and extends the time it takes for users to log in and log out.

Create a shared network folder on Windows Server to store the user profile files:

  1. Open the Server Manager > File and Storage Services > Shares;
  2. Select Tasks > New Share > SMB Share – Quick;
  3. Select the local drive where the roaming user profiles will be stored. It is not recommended to store them on the C: drive. Preferably, they should be on a separate drive;
  4. Set the share name (Profiles);
  5. To hide other users’ profiles, select Enable access-based enumeration;
  6. Disable inheriting folder permissions;
  7. Set the NTFS folder permissions according to the table:
Principal        Access                                                                            Applies to
---------------  --------------------------------------------------------------------------------  ---------------------------------
Domain Users     Traverse folder / execute file, List folder / read data, Create folder / append data  This folder only
CREATOR OWNER    Full control                                                                      Subfolders and files only
Administrators   Full control                                                                      This folder, subfolders and files
SYSTEM           Full control                                                                      This folder, subfolders and files
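The share and NTFS permissions from the procedure above, as an added PowerShell example that is not part of the original article. It assumes a local path of D:\Profiles and a NetBIOS domain name of CORP; both are placeholders.

```powershell
# Added example, not from the original article. Creates the Profiles share and
# applies the NTFS permissions from the table above. D:\Profiles and the domain
# name CORP are placeholders; adjust them for your environment.
$Path      = 'D:\Profiles'
$ShareName = 'Profiles'
$Domain    = 'CORP'

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Step 6: disable inheritance and discard inherited ACEs, then drop any
# explicit ACEs so only the rules below remain.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($ace) | Out-Null
}

# Step 7: principal, rights, inheritance flags, propagation flags (the
# "Applies to" column), one entry per row of the table.
$rows = @(
    # Domain Users: traverse, list, create folder -- this folder only
    @("$Domain\Domain Users", 'Traverse,ListDirectory,CreateDirectories', 'None', 'None'),
    # CREATOR OWNER: full control -- subfolders and files only
    @('CREATOR OWNER', 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly'),
    # Administrators / SYSTEM: full control -- this folder, subfolders and files
    @('BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None'),
    @('NT AUTHORITY\SYSTEM',    'FullControl', 'ContainerInherit,ObjectInherit', 'None')
)
foreach ($r in $rows) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $r[0], $r[1], $r[2], $r[3], 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Step 5: share with access-based enumeration so users only see their own
# profile folder. Share permissions are broad; NTFS enforces the real limits.
New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Authenticated Users' `
    -FolderEnumerationMode AccessBased | Out-Null

# Verify the resulting ACL against the table before pointing any user at it.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

Because CREATOR OWNER only applies to subfolders, each user gets full control of the profile folder Windows creates for them and nothing else under the share.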


Now you need to configure the Profile Path parameter in the user properties.

  1. Open the Active Directory Users and Computers (ADUC) mmc snap-in;
  2. Find the user and open the user’s properties;
  3. Go to the Profile tab;
  4. In the Profile path attribute, specify the UNC path to the network folder you created. For example, \\fs01\profiles\%username%;
  5. Use this user account to log on to a domain Windows computer. Check that a directory containing the user profile has been created in the shared folder on the server.

Don’t worry about the .V6 suffix on the user profile folder name. It identifies the profile version; in this case it means the profile format used by Windows 10 1607 and later.

You can also set the path to the user profile directory with the Set-ADUser cmdlet from the Active Directory PowerShell module:

# Requires the ActiveDirectory module (RSAT); quote the path so PowerShell stores %username% literally and Windows expands it at logon
Set-ADUser -Identity j.brion -ProfilePath '\\fs01\profiles\%username%'

Note. On Windows Server RDS farms, User Profile Disks (UPD) or FSLogix profile containers are preferable to roaming user profiles.

You can configure all computers in a particular domain OU to use roaming profiles by using Group Policy.

  1. Open the Group Policy Management console (gpmc.msc) and create a new GPO for the OU containing the computer objects;
  2. Edit the GPO and navigate to Computer Configuration > Policies > Administrative Templates > System > User Profile;
  3. Enable the Set roaming profile path for all users logging onto this computer policy and specify the path to the shared folder (\\fs01\profiles\%username%). Windows replaces the %USERNAME% environment variable with the user name when the user logs on to the computer;
  4. After the policy is applied, all users who log on to computers in this OU will use roaming profiles.