Windows Server Roaming Profiles
One of the most frequently asked questions regarding user management concerns Roaming Profiles. While setting them up is, in fact, quite straightforward, it can be a source of great confusion. Hopefully this simple step-by-step approach will help to guide you down the right path.
First, you’ll need to actually create the user in question. This can generally be accomplished by using the Active Directory Users and Computers link in the Administrative Tools folder on your Windows Server. Once created, you can edit the user’s properties and visit the Profile tab under their account.

Under the User profile section, we’ve identified \\server\profile$\lechnyr as our Profile Path. This assumes that the NetBIOS name of our server is “server”, our profile share name is “profile$” and that this specific account will be stored in the “lechnyr” folder. We’ll go about creating the necessary folders momentarily; however, it’s worth noting that the “lechnyr” folder will be created automatically if it does not yet exist. We’ve also specified a logon script and a home folder, although as these aren’t the focus of this article we’ll be skipping over them for the time being.
To store all user profiles, we’ll first need to create a simple folder to hold them. In our case, we’ve created D:\Profile as our profile folder using Windows Explorer.
The real magic comes in setting up the correct permissions for this folder beforehand. This can be accomplished by using the Share and Storage Management link in the Administrative Tools folder and selecting Action > Provision Share from the toolbar.

When prompted for a Location, we’ve typed D:\Profile as our folder of choice. On the next screen, we’re asked if we want to modify the NTFS permissions, which we do using the settings outlined in Table 1:
| Windows User Account | Minimum permissions required |
|---|---|
| Creator/Owner | Full Control, Subfolders And Files Only |
| Administrator | None |
| Security group of users needing to put data on share | List Folder/Read Data, Create Folders/Append Data - This Folder Only |
| Everyone | No Permissions |
| Local System | Full Control, This Folder, Subfolders And Files |
When asked for a Share Name, we’ve opted to use profile$ which creates a hidden share (thus the dollar sign at the end of the share name). A hidden share is only left out of browse lists, so it is not absolute in terms of security and does not replace the permissions set here, but every bit can help. When finally asked for SMB Share Based Permissions, we modify this folder according to the settings in Table 2:
| Windows User Account | Default Permissions | Minimum permissions required |
|---|---|---|
| Everyone | Full Control | No Permissions |
| Security group of users needing to put data on share | N/A | Full Control |
The permissions in Table 3 are, fortunately, set for you automatically when you add the profile information to each user account.
| Windows User Account | Default Permissions | Minimum permissions required |
|---|---|---|
| %Username% | Full Control, Owner Of Folder | Full Control, Owner Of Folder |
| Local System | Full Control | Full Control |
| Administrators | No Permissions | No Permissions |
| Everyone | No Permissions | No Permissions |
In a nutshell, that’s all you’ll need to do in order to enable Roaming Profiles under Windows Server.
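The folder, NTFS and share settings from Tables 1 and 2 can also be applied and checked from PowerShell, which makes the inheritance scope of each entry explicit. This is an added example, not part of the original article; it assumes Windows Server 2012 or later (for the SmbShare cmdlets), Windows PowerShell 5.1 and an elevated session, and the group name `EXAMPLE\Roaming Profile Users` is a placeholder.

```powershell
# Added example. Run elevated on the file server; assumes the SmbShare module
# (Windows Server 2012 or later) and Windows PowerShell 5.1.
$ProfileRoot = 'D:\Profile'                     # folder from the article
$ShareName   = 'profile$'                       # hidden share from the article
$UserGroup   = 'EXAMPLE\Roaming Profile Users'  # placeholder group name

function New-Ace {
    param([System.Security.Principal.IdentityReference]$Id,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Id, $Rights, $Inherit, $Propagate, 'Allow')
}

New-Item -Path $ProfileRoot -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $ProfileRoot

# Table 1: Everyone and Administrator get no entry, so stop inheriting from
# the parent and clear whatever explicit entries are already present.
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

$creatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'
$localSystem  = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
$group        = [System.Security.Principal.NTAccount]$UserGroup

# Creator/Owner: Full Control, Subfolders And Files Only
$acl.AddAccessRule((New-Ace $creatorOwner 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
# Local System: Full Control, This Folder, Subfolders And Files
$acl.AddAccessRule((New-Ace $localSystem 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
# User group: List Folder/Read Data, Create Folders/Append Data, This Folder Only
$acl.AddAccessRule((New-Ace $group 'ListDirectory,CreateDirectories' 'None' 'None'))
Set-Acl -Path $ProfileRoot -AclObject $acl

# Table 2: the group gets Full Control on the share; Everyone is not granted.
New-SmbShare -Name $ShareName -Path $ProfileRoot -FullAccess $UserGroup | Out-Null

# Check: warn if Everyone (S-1-1-0) or the built-in Administrators group
# (S-1-5-32-544) still holds an entry on the profile root.
$sidType = [System.Security.Principal.SecurityIdentifier]
$stray = (Get-Acl -Path $ProfileRoot).Access | Where-Object {
    $_.IdentityReference.Translate($sidType).Value -in 'S-1-1-0', 'S-1-5-32-544' }
if ($stray) { Write-Warning "Unexpected ACEs on ${ProfileRoot}: $($stray.IdentityReference -join ', ')" }
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight
```

The well-known SIDs are used instead of account names so the script behaves the same on non-English installations.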
This article was posted on Friday, July 18th, 2008.
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License. This article is provided in the hopes that it may be useful, HOWEVER IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THE AUTHOR EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES. In no event shall the Author be liable for any loss or profit or revenue, or for any other consequential, incidental, indirect or economic damages incurred or suffered arising as a result of or related to this document, whether in contract, tort, or otherwise.
David Lechnyr, MCSE, LCSW is a Professional IT Freelancer providing website programming, design, IT business consultation, troubleshooting and remote support. He can be contacted at david@lechnyr.com or (541) 968-2218.


August 12th, 2008 at 12:44 am
I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you down the road!