Windows Server Roaming Profiles

One of the most frequently asked questions regarding user management is that of Roaming Profiles. While setting them up is, in fact, quite straightforward, it can be a source of great confusion. Hopefully this simple step-by-step approach will help to guide you down the right path.

First, you’ll need to actually create the user in question. This can generally be accomplished by using the Active Directory Users and Computers link in the Administrative Tools folder on your Windows Server. Once created, you can edit the user’s properties and visit the Profile tab under their account.

[Screenshot: Windows User Profile Properties]

Under the User profile section, we’ve identified \\server\profile$\yourname as our Profile Path. This assumes that the NetBIOS name of our server is “server”, our profile share name is “profile$” and that this specific account will be stored in the “yourname” folder. We’ll create the necessary folders momentarily; note, however, that the “yourname” folder will be created automatically if it does not yet exist. We’ve also specified a logon script and a home folder, although, as these aren’t the focus of this article, we’ll skip over them for the time being.

To store all user profiles, we’ll first need to create a parent folder. In our case, we’ve created D:\Profile as our profile folder using Windows Explorer.

The real magic comes in setting up the correct permissions for this folder beforehand. This can be accomplished by using the Share and Storage Management link in the Administrative Tools folder and selecting Action > Provision Share from the toolbar.

[Screenshot: Windows Share and Storage Management]

When prompted for a Location, we’ve typed D:\Profile as our folder of choice. On the next screen, we’re asked if we want to modify the NTFS permissions, which we do using the settings outlined in Table 1:

Table 1: NTFS Permissions for Roaming Profile Parent Folder

Windows User Account                                  Minimum permissions required
----------------------------------------------------  --------------------------------------------------------------------
Creator/Owner                                         Full Control, Subfolders And Files Only
Administrator                                         None
Security group of users needing to put data on share  List Folder/Read Data, Create Folders/Append Data - This Folder Only
Everyone                                              No Permissions
Local System                                          Full Control, This Folder, Subfolders And Files

When asked for a Share Name, we’ve opted to use profile$, which creates a hidden share (thus the dollar sign at the end of the share name). A hidden share is only left out of browse lists, so it is not a security control in its own right, but every bit can help. When finally asked for SMB Share Based Permissions, we modify them according to the settings in Table 2:

Table 2: Share Level (SMB) Permissions for Roaming Profile Share

Windows User Account                                  Default Permissions  Minimum permissions required
----------------------------------------------------  -------------------  ----------------------------
Everyone                                              Full Control         No Permissions
Security group of users needing to put data on share  N/A                  Full Control
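
The folder and share setup from Tables 1 and 2 can also be scripted, which makes the result repeatable and easy to audit. The following is an added example, not part of the original article: it assumes an elevated PowerShell session on Windows Server 2012 or later (for the SmbShare cmdlets), and the group name EXAMPLE\Roaming Profile Users is a placeholder.

```powershell
# Added example: applies the NTFS (Table 1) and SMB (Table 2) permissions.
# $UserGroup is a placeholder (assumption); replace it with your own group.
$ProfileRoot = 'D:\Profile'
$ShareName   = 'profile$'
$UserGroup   = 'EXAMPLE\Roaming Profile Users'

New-Item -Path $ProfileRoot -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $ProfileRoot
# Stop inheriting from D:\ and drop the inherited entries, then remove any
# explicit entries so that only the Table 1 rules remain on the folder.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# Well-known SIDs avoid problems with localized account names.
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$localSystem  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$group        = New-Object System.Security.Principal.NTAccount $UserGroup

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$children    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisOnly    = [System.Security.AccessControl.InheritanceFlags]::None
$noProp      = [System.Security.AccessControl.PropagationFlags]::None
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$rules = @(
    # Creator/Owner: Full Control, Subfolders And Files Only
    (New-Object System.Security.AccessControl.FileSystemAccessRule($creatorOwner, 'FullControl', $children, $inheritOnly, $allow)),
    # Local System: Full Control, This Folder, Subfolders And Files
    (New-Object System.Security.AccessControl.FileSystemAccessRule($localSystem, 'FullControl', $children, $noProp, $allow)),
    # User group: List Folder/Read Data + Create Folders/Append Data, This Folder Only
    (New-Object System.Security.AccessControl.FileSystemAccessRule($group, 'ReadData, AppendData', $thisOnly, $noProp, $allow))
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $ProfileRoot -AclObject $acl

# Table 2: only the user group gets share-level access; naming an access
# list here means the default Everyone entry is not added.
New-SmbShare -Name $ShareName -Path $ProfileRoot -FullAccess $UserGroup | Out-Null

# Check the result: Administrators and Everyone should appear in neither list.
(Get-Acl -Path $ProfileRoot).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Get-SmbShareAccess -Name $ShareName
```

The two listings at the end should show only the three Table 1 entries on the folder and a single Full Control entry for the group on the share.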

The permissions in Table 3 are, fortunately, set for you automatically when you add the profile information to each user account.

Table 3: NTFS Permissions for Each User's Roaming Profile Folder

Windows User Account  Default Permissions            Minimum permissions required
--------------------  -----------------------------  -----------------------------
%Username%            Full Control, Owner Of Folder  Full Control, Owner Of Folder
Local System          Full Control                   Full Control
Administrators        No Permissions                 No Permissions
Everyone              No Permissions                 No Permissions

In a nutshell, that’s all you’ll need to do in order to enable Roaming Profiles under Windows Server.