Deploy Roaming User Profiles

Roaming User Profiles require an x64-based or x86-based computer; it is not supported by Windows® RT.

Roaming User Profiles has the following software requirements:

• If you are deploying Roaming User Profiles with Folder Redirection in an environment with existing user profiles, deploy Folder Redirection before Roaming User Profiles to minimize the size of roaming profiles. After the existing user folders have been successfully redirected, you can deploy Roaming User Profiles.
  
  
• To administer Roaming User Profiles, you must be signed in as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
  
  
• Client computers must run Windows 8, Windows 7, Windows Vista, Windows XP, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Windows XP and Windows Server 2003 do not support enabling Roaming User Profiles on a per-computer basis.
  
  
• Client computers must be joined to the Active Directory Domain Services (AD DS) that you are managing.
  
  
• A computer must be available with Group Policy Management and Active Directory Administration Center installed.
  
  
• A file server must be available to host roaming user profiles.
  
  
  • If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
    
    
  • If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
    
    

Note
To use new features in Roaming User Profiles, there are additional client computer and Active Directory schema requirements. For more information, see Folder Redirection, Offline Files, and Roaming User Profiles overview.

1. Open Server Manager on a computer with Active Directory Administration Center installed.

2. On the Tools menu, click Active Directory Administration Center. Active Directory Administration Center appears.

3. Right-click the appropriate domain or OU, click New, and then click Group.

4. In the Create Group window, in the Group section, specify the following settings:

   • In Group name, type the name of the security group, for example: Roaming User Profiles Users and Computers.
     
     
   • In Group scope, click Security, and then click Global.
     
     

5. In the Members section, click Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

6. If you want to include computer accounts in the security group, click Object Types, select the Computers check box and then click OK.

7. Type the names of the users, groups, and/or computers to which you want to deploy Roaming User Profiles, click OK, and then click OK again.

1. In the Server Manager navigation pane, click File and Storage Services, and then click Shares to display the Shares page.

2. In the Shares tile, click Tasks, and then click New Share. The New Share Wizard appears.

3. On the Select Profile page, click SMB Share – Quick. If you have File Server Resource Manager installed and are using folder management properties, instead click SMB Share - Advanced.

4. On the Share Location page, select the server and volume on which you want to create the share.

5. On the Share Name page, type a name for the share (for example, UserProfiles$) in the Share name box.

   Tip
   When creating the share, hide the share by putting a $ after the share name. This hides the share from casual browsers.

6. On the Other Settings page, optionally select the Enable access-based enumeration and Encrypt data access checkboxes.

7. On the Permissions page, click Customize permissions…. The Advanced Security Settings dialog box appears.

8. Click Disable inheritance, and then click Convert inherited permissions into explicit permission on this object.

9. Set the permissions as described Table 1 and shown in Figure 1, removing permissions for unlisted groups and accounts, and adding special permissions to the Roaming User Profiles Users and Computers group that you created in Step 1.

   

   Figure 1   Setting the permissions for the roaming user profiles share

10. If you chose the SMB Share - Advanced profile, on the Management Properties page, select the User Files Folder Usage value.

11. If you chose the SMB Share - Advanced profile, on the Quota page, optionally select a quota to apply to users of the share.

12. On the Confirmation page, click Create.

1. Open Server Manager on a computer with Group Policy Management installed.

2. From the Tools menu click Group Policy Management. Group Policy Management appears.

3. Right-click the domain or OU in which you want to setup Roaming User Profiles and then click Create a GPO in this domain, and Link it here.

4. In the New GPO dialog box, type a name for the GPO (for example, Roaming User Profile Settings), and then click OK.

5. Right-click the newly created GPO and then clear the Link Enabled checkbox. This prevents the GPO from being applied until you finish configuring it.

6. Select the GPO. In the Security Filtering section of the Scope tab, select Authenticated Users, and then click Remove.

7. In the Security Filtering section, click Add.

8. In the Select User, Computer, or Group dialog box, type the name of the security group you created in Step 1 (for example, Roaming User Profiles Users and Computers), and then click OK.

1. In Active Directory Administration Center, navigate to the Users container (or OU) in the appropriate domain.

2. Select all users to which you want to assign a roaming user profile, right-click the users and then click Properties.

3. In the Profile section, select the Profile path: checkbox and then enter the path to the file share where you want to store the user’s roaming user profile, followed by %username% (which is automatically replaced with the user name the first time the user signs in). For example:

   \\fs1.corp.contoso.com\User Profiles$\%username%

   To specify a mandatory roaming user profile, specify the path to the NTuser.man file that you created previously, for example, \\fs1.corp.contoso.com\User Profiles$\default. For more information, see Creating a Mandatory User Profile.

4. Click OK.

1. Open Server Manager on a computer with Group Policy Management installed.

2. From the Tools menu click Group Policy Management. Group Policy Management appears.

3. In Group Policy Management, right-click the GPO you created in Step 3 (for example, Folder Redirection and Roaming User Profiles Settings), and then click Edit.

4. In the Group Policy Management Editor window, navigate to Computer Configuration, then Policies, then Administrative Templates, then System, and then User Profiles.

5. Right-click Set roaming profile path for all users logging onto this computer and then click Edit.

   Tip

   A user's home folder, if configured, is the default folder used by some programs such as Windows PowerShell. You can configure an alternative local or network location on a per-user basis by using the Home folder section of the user account properties in AD DS. To configure the home folder location for all users of a computer running Windows 8 or Windows Server 2012 in a virtual desktop environment, enable the Set user home folder policy setting, and then specify the file share and drive letter to map (or specify a local folder). Do not use environment variables or ellipses. The user’s alias is appended to the end of the path specified during user sign on.

6. In the Properties dialog box, click Enabled

7. In the Users logging onto this computer should use this roaming profile path box, enter the path to the file share where you want to store the user’s roaming user profile, followed by %username% (which is automatically replaced with the user name the first time the user signs in). For example:

   \\fs1.corp.contoso.com\User Profiles$\%username%

   To specify a mandatory roaming user profile, which is a preconfigured profile to which users cannot make permanent changes (changes are reset when the user signs out), specify the path to the NTuser.man file that you created previously, for example, \\fs1.corp.contoso.com\User Profiles$\default. For more information, see Creating a Mandatory User Profile.

8. Click OK.

1. Open Group Policy Management.

2. Right-click the GPO that you created and then click Link Enabled. A checkbox appears next to the menu item.

1. Sign in to a primary computer (if you enabled primary computer support) with a user account for which you have enabled Roaming User Profiles enabled. If you enabled Roaming User Profiles on specific computers, sign in to one of these computers.

2. If the user has previously signed in to the computer, open an elevated command prompt, and then type the following command to ensure that the latest Group Policy settings are applied to the client computer:

   Copy

   GpUpdate /Force
   

3. To confirm that the user profile is roaming, open Control Panel, click System and Security, click System, click Advanced System Settings, click Settings in the User Profiles section and then look for Roaming in the Type column.