How to: Setting up Folder Redirection & Roaming User Profiles in a Windows 2012 R2 Domain, Step-by-Step

Angelo A Vitale
2018-12-11 12:44


My corporate client uses Windows 2012 R2 servers in an Active Directory domain that supports about 50 users and 35 workstations and laptops running Windows 10 Pro.

Problem was, we had more staff than computers, and a limited computer budget. However, many of the primary staff were often off-site working at remote field projects, so their vacated office computers could - in theory - be used by other staff working locally on-site. So Management asked - Why can’t staff just use any available office computers? Well, unfortunately, all these computers were inconveniently inaccessible at deadline times and led to unsynchronized user documents, creating a lot of re-work and frustration – and coffee drinking. Instead, we needed a more strategic and tactical process to ensure integrity and consistency of user data, Outlook emails, and calendar events across multiple shared computers.

This is a perfect opportunity to implement “Roaming User Profiles”!

Microsoft defines Roaming User Profiles as the process which:
“Redirects user profiles to a [network] file share so that users receive the same operating system and application settings on multiple [designated] computers. When a user signs in to a computer by using an account that is set up with a file share as the profile path, the user’s profile is downloaded to the local computer and merged with the local profile (if present). When the user signs out of the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile.” (Microsoft Corp., 2016)

We solved the problem by implementing Folder Redirection, along with Roaming User Profiles. Here’s my step-by-step procedure for doing it.


34 Steps total

Step 1: Creating our Test Network Environment


To help illustrate and clarify some of the concepts involved in implementing Folder Redirection with Roaming Users, we set up a simple domain = HOST.ORG as a testing environment, with its active directory domain controller TESTBOX.HOST.ORG. Note: Be sure that the Windows 2012 R2 has the latest updates.

In this domain, we will select two computers to be shared by two roaming users, as shown in Figure 1. These computers should have the same Windows 10 Version (e.g., 1607 = Windows Anniversary Update, or 1703 = Creators Update).


Step 2: Identify the Roaming Users


If the roaming users haven’t already been added to the domain, then we need to do that first via Active Directory Users and Computers. They would be set up as regular users, with usernames and passwords. In our test domain, we will designate two users – Andy Alpha and Bill Beta – to become our Roaming Users. See Figure 2. So when the original computer user goes off into the field to work on a mission, then his/her computer becomes available for a Roaming User to log on and do productive work. When the original users return, they log on as they usually do – there is no impact from sharing their computers with Roaming Users.


Step 3: Create a Folder Redirection Security Group


To start this procedure, we first need to create a Security Group to control access permissions for roaming users and their profiles. We will call this group “FRDsecurity”.

1. Open SERVER MANAGER, and under TOOLS, click on ACTIVE DIRECTORY ADMINISTRATIVE CENTER. On the left menu, under OVERVIEW, select the domain for this new Security Group = HOST.ORG.

2. Right-Click on HOST.ORG, select NEW, then select GROUP. The “Create Group” panel opens up.

3. Enter the Group name = FRDsecurity, and select Type=Security and Scope=Global. See Figure 3.


Step 4: Add our users to the Security Group


Scroll down the panel of our Security Group, and on the left menu, select MEMBERS and add the two roaming users and the two Primary Computers – See Figure 4: 
a. User = aalpha = Andy Alpha 
b. User = bbeta = Bill Beta 
c. Computer = AAAA 
d. Computer = BBBB

NOTE: When you try to add the computers as Members, the default Object Types will include ‘Users’ but not ‘Computers’. So click the OBJECT TYPES button and check the Computers box, then OK, and proceed to add the AAAA computer. Repeat this process again to add the BBBB computer.

Then Click OK to close the new Security Group panel.


Step 5: Verify Users are Members of the new Security Group


To verify, open ACTIVE DIRECTORY USERS AND COMPUTERS, click on the PROPERTIES of both users Andy Alpha and Bill Beta, and check that their MEMBERS OF tab now lists the FRDsecurity group. See Figure 5.


Step 6: Associate the roaming users with the computers they will be sharing


The computers they will be sharing are called “Primary Computers”. So when roaming user Andy logs on to a designated Primary Computer, all his files and folders will be available; after Andy signs off, Bill can log on to the same computer, and all of Bill’s files will be available.

By the way, if this particular Primary Computer also happens to be the main working computer of another user, nothing will change for that original user. When the original user logs on, he/she will have their same old Desktop, Documents, Favorites, etc., and they can just go about their business as usual.

• Open the ACTIVE DIRECTORY ADMINISTRATIVE CENTER, and select COMPUTERS, and right-click on each computer that is to be a Primary Computer, and select PROPERTIES – See Figure 6.


Step 7: Find the Distinguished Name of the Primary Computer


In the left-hand menu, click on EXTENSIONS, open the ATTRIBUTE EDITOR, and scroll down to the Attribute = distinguishedName. See Figure 7.


Step 8: Copy the Distinguished Name of the Primary Computer


1. Click to highlight the distinguishedName attribute, then click the VIEW button, with result shown in Figure 8.

2. Copy the VALUE and save in a text file for use later. Click CANCEL to close the String Attribute Editor, then CANCEL again to close the computer PROPERTIES panel. The Value for this computer looks like:

CN=AAAA,CN=Computers,DC=host,DC=org

3. In our example, we will be using two Primary Computers, so the saved text file should look like:

CN=AAAA,CN=Computers,DC=host,DC=org 
CN=BBBB,CN=Computers,DC=host,DC=org

4. Now, in the same ACTIVE DIRECTORY ADMINISTRATIVE CENTER, select USERS, and for each user Andy Alpha and Bill Beta, select PROPERTIES.


Step 9: Find the Roaming User’s Attribute for Primary Computer


In the PROPERTIES panel, select EXTENSIONS, go to the ATTRIBUTE EDITOR tab, and scroll down the list to the attribute =msDS-PrimaryComputer, which currently has the value = 


Step 10: Add Primary Computers to Roaming User List


1. Click the EDIT button, then paste and ADD all the computers that this user is designated to use as a shared Primary Computer. See Figure 10. 

2. Click OK to close the Editor, and OK again to close the user PROPERTIES panel. 

3. Repeat this process for all designated Roaming Users. 
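
Steps 3 through 10 can also be done from PowerShell. The script below is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed and uses the article's test names (FRDsecurity, aalpha, bbeta, AAAA, BBBB).

```powershell
# Added example: Steps 3-10 scripted. Names are the article's test values.
Import-Module ActiveDirectory

$GroupName        = 'FRDsecurity'
$RoamingUsers     = 'aalpha', 'bbeta'
$PrimaryComputers = 'AAAA', 'BBBB'

# Step 3: create the global security group if it does not exist yet.
# Without -Path, New-ADGroup places it in the default Users container.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global
}

# Resolve every account first. -ErrorAction Stop aborts on a mistyped name,
# so a bad value never reaches the group or msDS-PrimaryComputer.
$users     = @(foreach ($n in $RoamingUsers)     { Get-ADUser     -Identity $n -ErrorAction Stop })
$computers = @(foreach ($n in $PrimaryComputers) { Get-ADComputer -Identity $n -ErrorAction Stop })

# Step 4: add users and computers, skipping accounts that are already members
# (Add-ADGroupMember raises an error for an existing member).
$current = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object DistinguishedName)
$toAdd   = @($users + $computers | Where-Object { $_.DistinguishedName -notin $current })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# Steps 7-10: write the computers' distinguishedName values into each user's
# msDS-PrimaryComputer. -Replace overwrites any values already there.
$computerDns = [string[]]@($computers | ForEach-Object DistinguishedName)
foreach ($u in $users) {
    Set-ADUser -Identity $u -Replace @{ 'msDS-PrimaryComputer' = $computerDns }
}

# Step 5: read back the group membership.
Get-ADGroupMember -Identity $GroupName |
    Sort-Object objectClass, Name |
    Select-Object Name, objectClass, distinguishedName
```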


Step 11: Create a Network Folder for the Roaming Users Profiles & Data


1. On the Server - in our case, TESTBOX.HOST.ORG - open File Explorer and create a new partition big enough to hold the profiles for all the roaming users. We labelled the partition as “ROAMERS” and used 200 GB. In our Server, it was identified as the Volume J:

a. NOTE: Depending on the business activities of the users, the size of this partition could be estimated at 25 GB per user, including Outlook files. For users involved in media or large files, maybe 75 GB per user would suffice.

2. Next, open SERVER MANAGER and in the left menu, select FILE AND STORAGE SERVICES. The server = TESTBOX should be highlighted, so then click on SHARES in the left menu.

3. In the upper right corner of the SHARES box, click on TASKS pull-down menu, and select NEW SHARE – see Figure 11. 

4. Select SMB SHARE – QUICK, then click NEXT

5. Under SHARE LOCATION, scroll down and select the J: volume, then click NEXT

6. Under SHARE NAME, type the name of the folder which will contain all the users’ profiles. We used the filename “FRDfileshares$” – the “$” sign hides the folder for privacy and security. 


Step 12: Define Path to Network File Share


1. In the same panel, under LOCAL PATH TO SHARE, you should see the new path “J:\Shares\FRDfileshares$”. Also, under REMOTE PATH TO SHARE, you should see \\TESTBOX\FRDfileshares$. So far, so good. Click NEXT – see Figure 12. 

2. Under OTHER SETTINGS, click to enable the two boxes for: 
a. Enable access-based enumeration, and 
b. Allow caching of share

3. That’s all. Click NEXT 


Step 13: Customize Access Permissions for the File Share


1. Under PERMISSIONS, click the button CUSTOMIZE PERMISSIONS 

2. Now we should see the panel ADVANCED SECURITY SETTING FOR FRDfileshares$, displaying the name “J:\Shares\FRDfileshares$”

3. At the bottom, click the button DISABLE INHERITANCE, and in the popup, select CONVERT INHERITED PERMISSIONS INTO EXPLICIT PERMISSIONS ON THIS OBJECT

4. Then, at bottom left, click the ADD button to modify permissions of our Security Group

5. In the popup window, click on the top item “SELECT A PRINCIPAL” 


Step 14: Assign these permissions to our Security Group


1. In the popup box, under ENTER THE OBJECT NAME TO SELECT, type the name of our security group “FRDsecurity”, then click OK 

2. Now, in the new panel PERMISSION ENTRY FOR FRDfileshares$, note the PRINCIPAL displays our security group “FRDsecurity”. Make sure TYPE = Allow, and APPLIES TO = This Folder Only.

3. Next, click on SHOW ADVANCED PERMISSIONS on the right of the panel.

4. In the ADVANCED PERMISSIONS box, check only these three options: 
a. Read Attributes 
b. Read Extended Attributes 
c. Read Permissions

5. Click OK 


Step 15: Edit permissions for our Security Group


1. Now our FRDsecurity group should show up in the list of Permission Entries. Click APPLY, then OK, then NEXT – see Figure 15. 

2. On the CONFIRMATION page, click the CREATE button on the bottom right

3. The RESULTS page should indicate the new share was successfully created. Click on the CLOSE button. 


Step 16: Verify our New File Share is Official


To verify, in the SERVER MANAGER panel, we should see our new share “FRDfileshares$”, as shown in Figure 16

Note that the name we gave our partition – ROAMERS – is not significant at all in this process.
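
To confirm that the share came out the way Steps 11 through 15 describe, the following read-only audit can be run on the file server. It is an added example, not part of the original article; it assumes the built-in SmbShare cmdlets and the article's names (FRDfileshares$, FRDsecurity), and it changes nothing.

```powershell
# Added example: read-only audit of the share from Steps 11-15.
# Run elevated on the file server (TESTBOX in the article).
$ShareName = 'FRDfileshares$'     # article's share name
$GroupName = 'FRDsecurity'        # article's security group

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
$acl   = Get-Acl -Path $share.Path

# Step 14 rights. ACEs written by the GUI may also carry Synchronize,
# so that bit is masked out before comparing.
$Rights   = [System.Security.AccessControl.FileSystemRights]
$expected = [int]$Rights::ReadAttributes -bor [int]$Rights::ReadExtendedAttributes -bor [int]$Rights::ReadPermissions
$noSync   = -bnot [int]$Rights::Synchronize

# The group's entry must be Allow, "This folder only", with exactly those rights.
$groupAce = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$GroupName" -and
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritanceFlags -eq 'None' -and
    (([int]$_.FileSystemRights) -band $noSync) -eq $expected
})

# Step 13 converts inherited entries into explicit ones, so whatever the parent
# folder granted is still present here. List broad principals whose entries
# flow down to subfolders, for review.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$broad = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $broadSids.ContainsKey($_.IdentityReference.Value) -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceFlags -ne 'None'
    }

@(
    [pscustomobject]@{ Check = 'Access-based enumeration enabled (Step 12)'; Pass = "$($share.FolderEnumerationMode)" -eq 'AccessBased' }
    [pscustomobject]@{ Check = 'Share caching allowed (Step 12)';            Pass = "$($share.CachingMode)" -ne 'None' }
    [pscustomobject]@{ Check = 'Inheritance disabled on share root (Step 13)'; Pass = $acl.AreAccessRulesProtected }
    [pscustomobject]@{ Check = "$GroupName entry matches Step 14";           Pass = $groupAce.Count -ge 1 }
) | Format-Table -AutoSize

$broad |
    Select-Object @{ n = 'Principal'; e = { $broadSids[$_.IdentityReference.Value] } },
                  FileSystemRights, InheritanceFlags |
    Format-Table -AutoSize
```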


Step 17: Create Group Policy Object (GPO) for Folder Redirection


So now we need to create a Group Policy Object to force specific folders to be redirected to the appropriate user file shares.

1. Open SERVER MANAGER and click on GROUP POLICY MANAGEMENT. Open the Forest, and under Domains, right-click on our domain (in this case, HOST.ORG), and in the drop-down menu, select CREATE A GPO IN THIS DOMAIN AND LINK IT HERE.

2. The NEW GPO panel pops up, so enter the name of the new GPO. In our case, our new GPO will be named “GPOfolderredirection”. The SOURCE STARTER GPO remains as “(none)”. Click OK – see Figure 17.


Step 18: Clear GPO Link-Enabled status


Right-click on the new GPOfolderredirection, and *un-check* the LINK-ENABLED item. Reason is, we’re not ready yet to actually use this new GPO. We will re-enable the link later. Make sure “Link Enabled” is not checked – see Figure 18.


Step 19: Remove Authenticated Users


1. Click on our new GPOfolderredirection – ignore the little popup “Group Policy Management Console” warning. The GPO settings will show up on the right side with a bunch of tabs: SCOPE, DETAILS, SETTINGS, and DELEGATION. Click on SCOPE if it is not already selected.

2. In the SECURITY FILTERING section, the user group listed is AUTHENTICATED USERS. Select this name, and REMOVE it.


Step 20: Replace Authenticated Users with our Security Group


Now click on ADD, and in the popup box, enter our security group name “FRDsecurity” as the group we want this GPO to apply to. Hit OK. See Figure 20.


Step 21: Delegate Authenticated Users as READ-ONLY


Now go to the DELEGATION tab. At the bottom, click on the ADD button, and in the popup, type AUTHENTICATED USERS. Click OK, and accept the default READ permission for Authenticated Users. Click OK and close the panel – see Figure 21.
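
The GPO creation and scoping in Steps 17 through 21 can be scripted and read back with the GroupPolicy module. This is an added example, not part of the original article; it assumes the article's names (GPOfolderredirection, FRDsecurity, DC=host,DC=org) and does not configure the Folder Redirection settings themselves, which are still set in the editor in the following steps.

```powershell
# Added example: Steps 17-21 with the GroupPolicy module (installed with GPMC).
Import-Module GroupPolicy

$GpoName   = 'GPOfolderredirection'   # article's GPO name
$GroupName = 'FRDsecurity'            # article's security group
$DomainDn  = 'DC=host,DC=org'         # article's test domain

# Steps 17-18: create the GPO and link it to the domain with the link disabled.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
    New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled No | Out-Null
}

# Steps 19 and 21: Authenticated Users goes from Apply down to Read.
# -Replace is needed; without it the existing higher permission is kept.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 20: only the security group gets Apply.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Read back what the SCOPE and DELEGATION tabs would show.
$perms  = Get-GPPermission -Name $GpoName -All
$apply  = @($perms | Where-Object Permission -eq 'GpoApply' | ForEach-Object { $_.Trustee.Name })
$read   = @($perms | Where-Object Permission -eq 'GpoRead'  | ForEach-Object { $_.Trustee.Name })
$link   = (Get-GPInheritance -Target $DomainDn).GpoLinks |
              Where-Object DisplayName -eq $GpoName

[pscustomobject]@{
    Gpo              = $GpoName
    LinkEnabled      = $link.Enabled
    AppliesTo        = $apply -join ', '
    ReadOnly         = $read -join ', '
    # Anything other than the security group with Apply widens the GPO's scope.
    UnexpectedApply  = @($apply | Where-Object { $_ -ne $GroupName }) -join ', '
}

# Step 29, once the settings are configured:
# Set-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes
```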


Step 22: Select User Folders to be Redirected


Now we identify which folder(s) of the roaming users will be shared – these are the standard folders like: APPDATA, DESKTOP, DOCUMENTS, DOWNLOADS, MUSIC, etc. We can select whichever folders are required by the client. For example, in some companies, the folders MUSIC, PICTURES and VIDEOS are not allowed because they are not relevant to the business and considered frivolous.

Also be aware that the more folders selected, the longer it will take to load the user’s profile when he/she logs on to and signs off from a Primary Computer.

1. Under GROUP POLICY MANAGEMENT, select our GPOfolderredirection object and right-click on EDIT to open the GROUP POLICY EDITOR. You should see two sections: USER CONFIGURATION and COMPUTER CONFIGURATION.

2. Click on USER CONFIGURATION, go to POLICIES, then go to WINDOWS SETTINGS, then FOLDER REDIRECTION. You will see a list of all possible user folders for a standard installation. Initially, none of these folders is set up for Roaming. One-by-one, we need to pick each folder we want, and set it up to be redirected to the FRDfileshares we previously set up – see Figure 22


Step 23: Set Target Path for Redirected Folder


So, let’s start with APPDATA, which contains the most recent settings of each user:

Right-click on APPDATA to open its PROPERTIES panel.

1. In the TARGET tab, select “Basic: Redirect everyone’s folder to the same location”

2. Further down, type in the UNC path to FRDfileshares folder: this looks like \\testbox.host.org\Shares\FRDfileshares$

3. NOTE: you must use the UNC syntax! See Figure 23.


Step 24: Edit Settings for Redirected Folder


1. Select the SETTINGS tab and verify the redirection settings are checked for these two items: 
• Grant the user exclusive rights to AppData (Roaming) 
• Move the contents of AppData (Roaming) to the new location 

2. Then, at the bottom POLICY REMOVAL box, the only button to be checked is the one that says: 
• Redirect the folder back to the local userprofile location when policy is removed

3. Hit APPLY and OK

4. Repeat step 3 for each folder the user needs. In our case, we repeated this tedious procedure for the following folders: 
a. AppData 
b. Desktop 
c. Start Menu 
d. Documents 
e. Downloads 
f. Favorites 
g. Music 
h. Pictures 
i. Videos


Step 25: Warning Popup


For each folder, you may get a warning about incompatibility with older operating systems. As long as you have Windows 10 systems, just ignore this warning and hit the YES button to continue. See Figure 25


Step 26: Redirect Folders on Primary Computers Only


Okay, now it’s time to modify the policy rules to achieve what we want.

1. Go to GROUP POLICY MANAGEMENT, click on our GPOfolderredirection policy, right-click and select EDIT. Make sure you see both the COMPUTER CONFIGURATION and USER CONFIGURATION items.

2. Go to COMPUTER CONFIGURATION, then to POLICIES, then to ADMINISTRATIVE TEMPLATES, then to SYSTEM, and then to FOLDER REDIRECTION. 

a. On the right panel, select the policy REDIRECT FOLDERS ON PRIMARY COMPUTERS ONLY, click on EDIT, and click on the button ENABLED. Hit APPLY and then OK. Make sure the state = ENABLED before leaving this panel. See Figure 26.


Step 27: Download Roaming Profiles on Primary Computers Only


Stay in COMPUTER CONFIGURATION, then to POLICIES, then to ADMINISTRATIVE TEMPLATES, then to SYSTEM, then scroll down to USER PROFILES, then click EDIT.

• On the right panel, select the policy DOWNLOAD ROAMING PROFILES ON PRIMARY COMPUTERS ONLY, and ENABLE it. Make sure the state = ENABLED before leaving this panel. See Figure 27.


Step 28: Redirect Roaming User Folders on Primary Computers Only


Go to USER CONFIGURATION, then to POLICIES, then to ADMINISTRATIVE TEMPLATES, then to SYSTEM, and then to FOLDER REDIRECTION. 

• On the right panel, select the policy REDIRECT FOLDERS ON PRIMARY COMPUTERS ONLY, click on EDIT, and ENABLE it. Make sure the state = ENABLED before leaving this panel. See Figure 28.


Step 29: Enable our GPO


Finally, go back to GROUP POLICY MANAGEMENT, right-click on our “GPOfolderredirection” policy, and click on LINK ENABLED to actually enable this policy


Step 30: Ensure each Roaming User’s Profile points to the Redirected File Shares


To be sure the roaming user is using the profile stored in the network file shares and not on any local computer, we need to do one more thing for each roaming user.

1. Open ACTIVE DIRECTORY USERS AND COMPUTERS, and select the roaming user. Right-click and click PROPERTIES.

2. Click on the MEMBERS OF tab to verify this user is a member of the FRDsecurity group

3. Click on the PROFILE tab, and in the USER PROFILE section, in the PROFILE PATH box, type in the path to the file shares. See Figure 30. In our case, this is the UNC path: 

\\TESTBOX.HOST.ORG\FRDfileshares$\aalpha

4. Click APPLY and OK.


Step 31: Repeat this process for all the Roaming Users


Be sure that all roaming users have their profile path defined.

At this point, you can (as an option) Reboot the Server…. I just do it as a habit after making important Windows edits.
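
Before testing, it helps to check every roaming user in one pass instead of opening each PROPERTIES panel. The read-only report below is an added example, not part of the original article; it assumes the ActiveDirectory module and the article's names, and it takes the expected profile path to be the share's UNC path followed by the username, as in Step 30.

```powershell
# Added example: consistency report across Steps 4, 10 and 30.
Import-Module ActiveDirectory

$GroupName   = 'FRDsecurity'                          # article's security group
$ProfileRoot = '\\TESTBOX.HOST.ORG\FRDfileshares$'    # article's UNC path (Step 30)

$members      = @(Get-ADGroupMember -Identity $GroupName)
$userMembers  = @($members | Where-Object objectClass -eq 'user')
$computerDns  = @($members | Where-Object objectClass -eq 'computer' |
                      ForEach-Object DistinguishedName)

$report = foreach ($m in $userMembers) {
    $u = Get-ADUser -Identity $m.DistinguishedName `
             -Properties ProfilePath, 'msDS-PrimaryComputer'

    # Multi-valued attribute; empty when no Primary Computer was assigned.
    $primary      = @($u.'msDS-PrimaryComputer')
    $expectedPath = '{0}\{1}' -f $ProfileRoot, $u.SamAccountName

    [pscustomobject]@{
        User                 = $u.SamAccountName
        ProfilePath          = $u.ProfilePath
        ProfilePathAsStep30  = $u.ProfilePath -eq $expectedPath
        PrimaryComputerCount = $primary.Count
        # Primary Computers that were assigned to the user in Step 10
        # but never added to the security group in Step 4.
        PrimaryNotInGroup    = @($primary | Where-Object { $_ -notin $computerDns }) -join '; '
    }
}

$report | Format-Table -AutoSize
```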


Step 32: Test the process


1. Sit down at any one of the designated Primary Computers, let’s try computer=AAAA, and log in as a Roaming User – in our case, it would be either user “aalpha” or “bbeta”.

a. If the Roaming User has never logged into this PC before, then he/she will be greeted with the usual new user setup: “Hi – We’re setting things up for you – This won’t take long – etc.” Be patient!

2. If the computer has not yet been rebooted, it doesn’t know about the policies we just created, so we may have to force a policy update on that computer. 

a. To do this, open a Command prompt as Administrator, and type: 

gpupdate /force 

b. This will force a Group Policy Update on this particular computer; other Primary Computers may also need this boost. The computer will reboot, and you will need to log in again as the roaming user.

3. Verify that the roaming user is actually “roaming”. Open the Primary Computer’s Control Panel, go to SYSTEM AND SECURITY, then to SYSTEM, and in the left menu, click on ADVANCED SYSTEM SETTINGS. (You will need to log in as the Administrator). In the ADVANCED tab, under USER PROFILES, click the SETTINGS button. In the USER PROFILES box, you should see the roaming user (in this case “aalpha” = Andy Alpha) listed with Type=Roaming and Status=Roaming.

4. Create a few temporary test files in one or more directories, then SIGN OUT of that computer. 
a. Note: It is very important for each Roaming User to SIGN OUT, otherwise changes will not be saved on the network file share

5. Now go to another computer designated as a Primary Computer, say computer=BBBB, and log in as the same Roaming User. 
a. If we followed all these instructions, then all the user’s Desktop, Documents, etc. should appear, including all the temporary test files just created.


Step 33: Verify Status of Roaming User




Again, verify that the roaming user is actually “roaming” for this computer BBBB. Open the Primary Computer’s Control Panel, go to SYSTEM AND SECURITY, then to SYSTEM, and in the left menu, click on ADVANCED SYSTEM SETTINGS. (You will need to log in as the Administrator). In the ADVANCED tab, under USER PROFILES, click the SETTINGS button. In the USER PROFILES box, you should see the roaming user (in this case “aalpha”) listed with Type=Roaming and Status=Roaming. See Figure 33.

Once the basic profile has been set up, it can “roam” to any other Primary Computer without going through the Windows profile default setup again.


Step 34: Verify Network File Sharing




At this point, we can observe that the Redirected Folders have been updated and contain the profiles of our two roaming users. On our test server – TESTBOX.HOST.ORG – use File Explorer to open the J:\ROAMERS partition that we created for the network file shares, and now see the profiles for each roaming user – the path is: J:\Shares\FRDfileshares$ - see Figure 34.

IMPORTANT: If you view your network file shares listing and see profiles for user.v5 and user.v6, that v5 is used by the older Windows 10 Anniversary Edition, and the v6 is used by the newer Windows 10 Creators Edition. They are not compatible, and Roaming Users won't work. So, make sure your Primary Computers all have the same version of Windows 10.


I’ve used this sequence in many different environments, and it always works perfectly. So I hope it also works for you.

The sequence can tolerate minor adjustments, such as defining Roaming Users and Primary Computers early in the process, but the steps I’ve presented have been successfully implemented many times.

Another approach would be to use Virtual Machines, but that requires larger image files because the entire operating system and application program suite would be moved around. By using Microsoft’s Folder Redirection/Roaming Users approach, only the roaming user profile data (e.g., Desktop, Documents, Pictures, etc.) would be moved.

Tags: Folder Redirection, Roaming Profile