GPO DFS Based Profiles & Home Directories - SomethingGeneric/sparkle.local GitHub Wiki

Configure DFS Share Settings

  • For this task, I decided to use Windows Roaming User Profiles, which let users keep their user profiles and home directories on a central server instead of getting a new local user profile every time they log into a new system on our domain.
  • To allow users logging into either W01 or W02 to store Roaming User Profiles on the DFS share (sparkle-share), we must first create the necessary share folder locations and configure the DFS share settings to allow access for Domain Users.

This task involves:

  • Navigating to Server Manager > File and Storage Services > Shares and configuring the Properties of our new sparkle-share.
  • Customizing the User Permissions to allow Full Control for Domain Admins and Modify access for Domain Users.
  • Modifying the DFS Share Permissions to allow Full Control for the Domain Users Group.


Modifying sharing permissions for our User Profile and Home Directory folders

  • To give our Roaming Users access to their User Profiles and Home Directories, I next navigated to the DFS File Share Location (\\sparkle.local\sparkle-share) and created two new folders, User-Profiles and Home-Directories.


For each folder, I modified the Advanced Security Properties to Disable Inheritance, allow Full Control for Domain Admins, and apply Special permissions for Domain Users (only select permissions are applied for Domain Users).
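
A check of the folder ACLs described above, as an added example that is not part of the original wiki. It assumes the Special permissions for Domain Users are meant to apply to the root folder only, so that one user's profile is not readable by another; `Test-ProfileRootAcl` is a hypothetical helper name.

```powershell
# Added example (not from the original wiki): audit the NTFS ACLs on the two
# folders created above. Assumption: Domain Users should hold rights on "this
# folder only", so their ACE must not inherit into per-user subfolders.
$roots = '\\sparkle.local\sparkle-share\User-Profiles',
         '\\sparkle.local\sparkle-share\Home-Directories'

function Test-ProfileRootAcl {
    param([Parameter(Mandatory)][string]$Path)

    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl      = Get-Acl -LiteralPath $Path
    $allow    = @($acl.Access | Where-Object AccessControlType -eq 'Allow')
    $findings = @()

    # "Disable Inheritance" in the GUI sets the protected flag on the DACL.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance from the parent is still enabled'
    }

    # Domain Admins are expected to hold Full Control.
    $admins = @($allow | Where-Object {
        $_.IdentityReference.Value -like '*\Domain Admins' -and
        $_.FileSystemRights.HasFlag($full)
    })
    if ($admins.Count -eq 0) { $findings += 'Domain Admins lack Full Control' }

    # Domain Users: flag Full Control, or any ACE that flows down to children.
    $users = @($allow | Where-Object {
        $_.IdentityReference.Value -like '*\Domain Users'
    })
    foreach ($ace in $users) {
        if ($ace.FileSystemRights.HasFlag($full)) {
            $findings += 'Domain Users hold Full Control'
        }
        if ($ace.InheritanceFlags -ne 'None') {
            $findings += "Domain Users ACE inherits to children: $($ace.FileSystemRights)"
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Pass     = ($findings.Count -eq 0)
        Findings = $findings -join '; '
    }
}

$roots | ForEach-Object { Test-ProfileRootAcl -Path $_ } | Format-List
```

Run it from a domain-joined machine with an account that can read the folder security descriptors; an empty Findings value means the folder matches the assumed layout.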


Configuring Roaming User Profiles and Home Directories via GPO

Next, I configured a new GPO so that users logging into either W01 or W02 use Roaming User Profiles and store their User Profiles and Home Directories on the DFS share. To do this, I opened Group Policy Management and created a new GPO “DFS User Profiles and Shares” under the “Sparkle GPO” > “Computers” OU. After creating the new OU, I then specified the Security Filtering such that the GPO would only apply to “W1” and “W2”.

[Screenshot: creating a new GPO and applying the GPO to Domain Users and both W01 and W02]

From here, I edited the new "DFS User Profiles and Home Directories" GPO so that the Workstations would use Roaming Profiles for users who log onto the system. These settings can be found under Computer Configuration > Administrative Templates > System > User Profiles.


  • To ensure that Roaming Profiles can be loaded onto each workstation, I disabled the Only allow local user profiles setting.


  • To set the location of the Roaming User Profiles, I enabled the setting Set roaming profile path for all users logging onto this computer and specified that the Roaming Profiles be stored at \\sparkle.local\sparkle-share\User-Profiles\%USERNAME% ("%USERNAME%" is used to indicate any user who logs into W01 or W02).


  • To set the location of the User Home Folder, I enabled the setting Set user home folder and specified its location as \\sparkle.local\sparkle-share\Home-Directories (mounted to the S: Drive).


Applying and Testing the New DFS User Profile GPO

After applying the new DFS User Profile GPO, I ran gpupdate /force on both W01 and W02 to apply the new Group Policy, and then restarted each system to ensure that the GPO was also applied to each system.

  • To verify that we are now using Roaming User Profiles, I opened Control Panel on either Workstation machine, navigated to System and Security > System > Advanced System Settings > Advanced, selected Settings under User Profiles, and verified that new users are now using Roaming User Profiles.


  • To verify that the new User Home Folder has been moved/configured, I opened File Explorer on a Workstation machine, selected This PC, and verified that the current user is able to access their home folder (which should be a network share mounted as the S:\ Drive).
