How to Set Up Active Directory Roaming Profiles with Folder Redirection, with administrative access to files and folders and without user access to other people's profiles.
First, a warning. Do not redirect the AppData folder. In our practical experience, many programs require the AppData\Local and AppData\Roaming folders to be editable on the local computer and may behave incorrectly under different installations and configurations. This includes most networked programs, particularly those requiring network connectivity such as SQL-based applications. MS Outlook can also act erratically when it cannot read the folder on the local machine to find its profiles.
Setting up a server with Roaming Profiles can be a great benefit to your organization: it allows users to log in to any computer and have their user settings and files follow them. There are drawbacks to the default Roaming Profiles setup, however. If you just use the profile settings that Windows Server defaults to in the Active Directory Users and Computers app, you will end up with user profiles in folders that you, as an administrator, cannot access. Some backup software will also have trouble backing up the profiles because of the user permissions assigned.
In this tutorial, we'll show you how to set up a Roaming Profile and set up proper Folder Redirection so that a user cannot see other users' files, but the administrator can administer the files and assign other users, like backup operators, to access and back up the files as well. Some steps in this guide assume you have a basic knowledge of Windows Server, file permissions, and Active Directory.
Step 1 - Create two folders
Create two folders on your storage drive; this may be a separate drive or your C:\ drive. We will call them "Profiles" and "Users", but you can name them what you want. We recommend you do this on a separate storage drive or partition for backup and working purposes. The reason we have two is that one will hold the user profiles and the other will hold the home directories (Documents, Desktop, Downloads, etc.).
Step 2 - Permissions of the Profiles Folder
Right-click on the Profiles folder, click "Share with" and then "Specific people", and make sure the Administrator has Read/Write access. Then click the Security tab. Change the group or user names permissions by clicking Edit. Click Add, type "Users", and press Enter; your dialog should look like below.
Step 3 - Permissions of the Users Folder
Right-click on the Users folder, click "Share with" and then "Specific people", and make sure the Administrator has Read/Write access. Then click the Security tab. Make sure "Users" is not listed on this folder, as we do not want users to be able to look at other people's files.
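The folder, share and NTFS permission work of Steps 1 to 3, as an added PowerShell example that is not part of the original article. It goes slightly beyond the dialogs above by giving the "Users" group only the two rights it needs on the Profiles root (list the folder and create its own subfolder, this folder only) and letting CREATOR OWNER cover whatever each user creates, so one user still cannot open another user's profile folder. The D: paths, the share names and the use of Authenticated Users at share level are assumptions to adjust for your server.

```powershell
# Added example (not from the original article). Assumes the two folders live on
# D: and that the shares are named 'Profiles' and 'Users' like the article's
# folders; change the paths and names to match your server.
$ProfilesRoot = 'D:\Profiles'
$UsersRoot    = 'D:\Users'

function New-Ace {
    # Builds an Allow access rule; defaults to inheriting to subfolders and files.
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]$Propagate = 'None'
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

function Set-RootAcl {
    # Replaces the folder's ACL with exactly the rules given. Inheritance from the
    # drive root is cut so that no stray 'Users' read ACE survives on the root.
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect, and do not copy inherited ACEs
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($path in $ProfilesRoot, $UsersRoot) {
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -ItemType Directory | Out-Null }
}

# Steps 1-2: Profiles. Users may list the root and create their own profile
# folder, but only the creator (CREATOR OWNER) and administrators see inside it.
Set-RootAcl -Path $ProfilesRoot -Rules @(
    (New-Ace 'BUILTIN\Administrators' 'FullControl'),
    (New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'),
    (New-Ace 'CREATOR OWNER' 'FullControl' -Propagate 'InheritOnly'),        # subfolders and files only
    (New-Ace 'BUILTIN\Users' 'ReadData, AppendData' -Inherit 'None')         # this folder only
)

# Step 3: Users (home folders). No 'Users' group ACE at all; per-user folders are
# created later and granted to one account each, so nobody can browse a neighbour.
Set-RootAcl -Path $UsersRoot -Rules @(
    (New-Ace 'BUILTIN\Administrators' 'FullControl'),
    (New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl')
)

# Share both folders; the NTFS ACLs above do the real access control.
New-SmbShare -Name 'Profiles' -Path $ProfilesRoot -FullAccess 'BUILTIN\Administrators' -ChangeAccess 'NT AUTHORITY\Authenticated Users'
New-SmbShare -Name 'Users'    -Path $UsersRoot    -FullAccess 'BUILTIN\Administrators' -ChangeAccess 'NT AUTHORITY\Authenticated Users'
```

Run it once, elevated, on the file server. Afterwards `Get-Acl D:\Users | Format-List` should list only Administrators and SYSTEM, which is the state Step 3 describes.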
Step 4 - Create Folder Redirection Policy in Group Policy
This setup is not scary!
Go back to your Administrative Tools and open Group Policy Management. Expand it to Forest / Domains / *your domain*. It should look like below.
Now right-click your "Default Domain Policy" and select Edit.
Navigate to User Configuration / Policies / Windows Settings / Folder Redirection.
Here you can see the folders that can be redirected. Right-click each one and select "Basic - Redirect everyone's folder to the same location".
Then set the Root Path to "\\yourservername\users". **Make sure this is a UNC path and not a local path like C:\whatever.**
Then select the Settings tab. Make sure "Grant the user exclusive rights to *whatever*" is UNCHECKED (with it checked, Windows gives only the user and SYSTEM access to the redirected folder, which is exactly what locks administrators out).
Repeat the procedure for all of the folders you want redirected, accepting the prompts.
Step 5 - Create new user in Active Directory
Open the Windows Administrative Tools window from the Control Panel.
Open Active Directory Users and Computers.
Right-click on Users and select New / User.
Name the user whatever you like. Here we named our user Test6.
Click Next, set a password, and click OK.
Step 6 - Profile paths in the User Profile section
Find the new user, right-click on it, and select Properties.
Click the Profile tab.
In the Profile tab, enter the UNC path to the user's folder under our first "Profiles" share. *In my test it was \\pfd-server\profiles\test6; pfd-server is your server name and test6 is the profile folder you want created for this user. We keep the folder name the same as the username.*
Under "Home folder", select "Connect", choose the U drive *or any drive letter*, and type the UNC path to the Users folder you created earlier. *In my test, it is \\pfd-server\user\test6.*
Press Apply, then OK.
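Steps 5 and 6 from PowerShell instead of the dialogs, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, that it is run on the file server, and that the local D: folders sit behind the "profiles" and "users" shares; the server name pfd-server and the user test6 are the article's own test values and the password is prompted for.

```powershell
# Added example (not from the original article). Run on the file server with the
# RSAT ActiveDirectory module; the server name and the D: path behind the
# 'users' share are placeholders to replace.
Import-Module ActiveDirectory

$Server     = 'pfd-server'      # placeholder: the file server's name (not a user name)
$Sam        = 'test6'           # the new account; the article keeps folder names equal to it
$LocalUsers = 'D:\Users'        # local folder behind \\$Server\users

$password = Read-Host -AsSecureString -Prompt "Initial password for $Sam"

# Steps 5 + 6 in one call: create the user and fill in the Profile tab values
# (profile path, home drive letter, home folder UNC path).
New-ADUser -Name $Sam -SamAccountName $Sam `
    -UserPrincipalName "$Sam@$env:USERDNSDOMAIN" `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true `
    -ProfilePath "\\$Server\profiles\$Sam" `
    -HomeDrive 'U:' -HomeDirectory "\\$Server\users\$Sam"

# The roaming profile folder is created by Windows itself at first logon (with a
# version suffix, e.g. test6.V6 on Windows 10), which the Profiles root ACL
# permits. The home folder is different: the Users root deliberately has no
# 'Users' ACE, so it is created here as the administrator and granted to this one
# account. Administrators and SYSTEM are inherited from the root, so the admin
# keeps access without the user ever seeing a neighbour's folder.
$homeFolder = Join-Path -Path $LocalUsers -ChildPath $Sam
New-Item -Path $homeFolder -ItemType Directory -Force | Out-Null
$acl  = Get-Acl -Path $homeFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:USERDOMAIN\$Sam", 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $homeFolder -AclObject $acl

# Confirm what the Profile tab now shows for this account.
Get-ADUser -Identity $Sam -Properties ProfilePath, HomeDrive, HomeDirectory |
    Select-Object SamAccountName, ProfilePath, HomeDrive, HomeDirectory
```

Because the home folder already exists with the right ACL, the "Applying Folder Redirection policy" step at first logon only has to move the user's files into it rather than create and re-permission the folder.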
Step 7 - Log in as the User
When you log in as the user, you should see the regular login screen, but you should also see "Applying Folder Re-Direction Policy", which means it is copying the home folders to the "Users" folder you selected. It may take a minute or two to copy.
Now, in File Explorer under "This PC", you should see a U: drive with the username listed. If you open it, you should see all of the user's home folders there.
Now, if you log in to the server, you should be able to go to your storage drive and open Users. You can see below that I am logged in as the administrator but am able to fully access the files and work with them.
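A check for the end state Step 7 describes, as an added example that is not part of the original article. It walks every per-user folder under the two roots and reports whether Administrators still hold Full Control, whether any broad group (Users, Authenticated Users, Everyone) has been granted access, and who owns the folder. The root paths are assumptions.

```powershell
# Added example (not from the original article): audits every per-user folder
# under the two roots for the two properties the article's setup is meant to
# give you. Root paths are assumptions; adjust them to your server.
function Test-ProfileFolderAcl {
    param([string[]]$Roots = @('D:\Profiles', 'D:\Users'))

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $broadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Directory | ForEach-Object {
            $folder = $_
            $acl    = Get-Acl -Path $folder.FullName
            $allow  = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }

            # Administrators must hold Full Control, inherited or explicit.
            $adminFull = $allow | Where-Object {
                $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
                ($_.FileSystemRights -band $fullControl) -eq $fullControl
            }
            # Any broad group on a per-user folder means neighbours can read it.
            $broad = $allow |
                Where-Object { $broadGroups -contains $_.IdentityReference.Value } |
                ForEach-Object { $_.IdentityReference.Value }

            [pscustomobject]@{
                Folder             = $folder.FullName
                Owner              = $acl.Owner
                AdministratorsFull = [bool]$adminFull
                BroadGroupAccess   = ($broad -join ', ')
                InheritanceEnabled = -not $acl.AreAccessRulesProtected
            }
        }
    }
}

# Print the table; any row with AdministratorsFull = False or a non-empty
# BroadGroupAccess column needs attention.
Test-ProfileFolderAcl | Format-Table -AutoSize
```

A home folder that was redirected with "Grant the user exclusive rights" left checked shows up here with AdministratorsFull False, InheritanceEnabled False and the user as Owner; fixing the policy setting and re-applying it is the cure. For the roaming profile folders that Windows creates on its own, the Computer Configuration policy "Add the Administrators security group to roaming user profiles" is what keeps Administrators on them, so if the audit flags folders under Profiles rather than Users, that policy is the place to look.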
Good luck out there! Hope this helps you :).