Beruflich Dokumente
Kultur Dokumente
Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows
Server 2012 R2, Windows Vista
This topic describes how to use Windows Server to deploy Roaming User Profiles to Windows client computers. Roaming User
Profiles redirects user profiles to a file share so that users receive the same operating system and application settings on
multiple computers.
For a list of recent changes to this topic, see the Change History section of this topic.
Important
Due to the security changes made in MS16-072, we updated Step 4: Optionally create a GPO for Roaming User Profiles of
this topic so that Windows can properly apply the Roaming User Profiles policy (and not revert to local policies on affected
PCs).
Prerequisites
Hardware requirements
Roaming User Profiles requires an x64-based or x86-based computer; it isn't supported by Windows RT.
Software requirements
Roaming User Profiles has the following software requirements:
If you are deploying Roaming User Profiles with Folder Redirection in an environment with existing local user profiles,
deploy Folder Redirection before Roaming User Profiles to minimize the size of roaming profiles. After the existing user
folders have been successfully redirected, you can deploy Roaming User Profiles.
To administer Roaming User Profiles, you must be signed in as a member of the Domain Administrators security group,
the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
Client computers must run Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Server 2012
R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.
Client computers must be joined to the Active Directory Domain Services (AD DS) that you are managing.
A computer must be available with Group Policy Management and Active Directory Administration Center installed.
If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from
making conflicting edits on different servers.
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 1/14
7/19/2017 Deploy Roaming User Pro les
If the file share uses DFS Replication to replicate the contents with another server, users must be able to access
only the source server to prevent users from making conflicting edits on different servers.
If the file share is clustered, disable continuous availability on the file share to avoid performance issues.
To use primary computer support in Roaming User Profiles, there are additional client computer and Active Directory
schema requirements. For more information, see Deploy Primary Computers for Folder Redirection and Roaming User
Profiles.
The layout of a user's Start menu won't roam on Windows 10 or Windows Server 2016 if they're using more than one PC,
Remote Desktop Session Host, or Virtualized Desktop Infrastructure (VDI) server. As a workaround, you can specify a
Start layout as described in this topic. Or you can make use of user profile disks, which properly roam Start menu
settings when used with Remote Desktop Session Host servers or VDI servers. For more info, see Easier User Data
Management with User Profile Disks in Windows Server 2012.
Configure Windows to maintain separate profile versions for each operating system version. This helps prevent
undesirable and unpredictable issues such as profile corruption.
Use Folder Redirection to store user files such as documents and pictures outside of user profiles. This enables the
same files to be available to users across operating system versions. It also keeps profiles small and sign-ins quick.
Allocate sufficient storage for Roaming User Profiles. If you support two operating system versions, profiles will double in
number (and thus total space consumed) because a separate profile is maintained for each operating system version.
Don't use Roaming User Profiles across computers running Windows Vista/Windows Server 2008 and Windows
7/Windows Server 2008 R2. Roaming between these operating system versions isn't supported due to incompatibilities in
their profile versions.
Inform your users that changes made on one operating system version wont roam to another operating system version.
When moving your environment to a version of Windows that uses a different profile version (such as from Windows 10 to
Windows 10, version 1607 - see Appendix B: Profile version reference information for a list), users receive a new, empty
roaming user profile. You can minimize the impact of getting a new profile by using Folder Redirection to redirect
common folders. There isn't a supported method of migrating roaming user profiles from one profile version to another.
1. Download and install the appropriate software update on all computers on which youre going to use roaming, mandatory,
super-mandatory, or domain default profiles:
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 2/14
7/19/2017 Deploy Roaming User Pro les
Windows 8.1, or Windows Server 2012 R2: install the software update described in article 2887595 in the
Microsoft Knowledge Base (when released).
Windows 8 or Windows Server 2012: install the software update described in article 2887239 in the Microsoft
Knowledge Base.
2. On all computers running Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 on which you will
use Roaming User Profiles, use Registry Editor or Group Policy to create the following registry key DWORD Value and
set it to 1. For information about creating registry keys by using Group Policy, see Configure a Registry Item.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters\UseProfilePathExt
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should
back up any valued data on the computer.
Administrators of general-purpose roaming user profiles deployments typically create a security group for users.
Administrators of Remote Desktop Services or virtualized desktop deployments typically use a security group for users
and the shared computers.
1. Open Server Manager on a computer with Active Directory Administration Center installed.
2. On the Tools menu, click Active Directory Administration Center. Active Directory Administration Center appears.
3. Right-click the appropriate domain or OU, click New, and then click Group.
4. In the Create Group window, in the Group section, specify the following settings:
In Group name, type the name of the security group, for example: Roaming User Profiles Users and
Computers.
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 3/14
7/19/2017 Deploy Roaming User Pro les
5. In the Members section, click Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box
appears.
6. If you want to include computer accounts in the security group, click Object Types, select the Computers check box
and then click OK.
7. Type the names of the users, groups, and/or computers to which you want to deploy Roaming User Profiles, click OK,
and then click OK again.
Note
Some functionality might differ or be unavailable if you create the file share on a server running another version of Windows
Server.
1. In the Server Manager navigation pane, click File and Storage Services, and then click Shares to display the Shares
page.
2. In the Shares tile, click Tasks, and then click New Share. The New Share Wizard appears.
3. On the Select Profile page, click SMB Share Quick. If you have File Server Resource Manager installed and are
using folder management properties, instead click SMB Share - Advanced.
4. On the Share Location page, select the server and volume on which you want to create the share.
5. On the Share Name page, type a name for the share (for example, User Profiles$) in the Share name box.
Tip
When creating the share, hide the share by putting a $ after the share name. This hides the share from casual
browsers.
6. On the Other Settings page, clear the Enable continuous availability checkbox, if present, and optionally select the
Enable access-based enumeration and Encrypt data access checkboxes.
7. On the Permissions page, click Customize permissions. The Advanced Security Settings dialog box appears.
8. Click Disable inheritance, and then click Convert inherited permissions into explicit permission on this object.
9. Set the permissions as described Table 1 and shown in Figure 1, removing permissions for unlisted groups and accounts,
and adding special permissions to the Roaming User Profiles Users and Computers group that you created in Step 1.
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 4/14
7/19/2017 Deploy Roaming User Pro les
Figure 1 Setting the permissions for the roaming user profiles share
10. If you chose the SMB Share - Advanced profile, on the Management Properties page, select the User Files Folder
Usage value.
11. If you chose the SMB Share - Advanced profile, on the Quota page, optionally select a quota to apply to users of the
share.
Table 1 Required permissions for the file share hosting roaming user profiles
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 5/14
7/19/2017 Deploy Roaming User Pro les
Security group of users needing to put data on share (Roaming User List folder / read This folder only
Profiles Users and Computers) data1
Create folders /
append data1
1 Advanced permissions
2. From the Tools menu click Group Policy Management. Group Policy Management appears.
3. Right-click the domain or OU in which you want to setup Roaming User Profiles and then click Create a GPO in this
domain, and Link it here.
4. In the New GPO dialog box, type a name for the GPO (for example, Roaming User Profile Settings), and then click
OK.
5. Right-click the newly created GPO and then clear the Link Enabled checkbox. This prevents the GPO from being
applied until you finish configuring it.
6. Select the GPO. In the Security Filtering section of the Scope tab, select Authenticated Users, and then click
Remove to prevent the GPO from being applied to everyone.
8. In the Select User, Computer, or Group dialog box, type the name of the security group you created in Step 1 (for
example, Roaming User Profiles Users and Computers), and then click OK.
9. Click the Delegation tab, click Add, type Authenticated Users, click OK, and then click OK again to accept the
default Read permissions.
Important
Due to the security changes made in MS16-072, you now must give the Authenticated Users group delegated Read
permissions to the GPO - otherwise the GPO won't get applied to users, or if it's already applied, the GPO is removed,
redirecting user profiles back to the local PC. For more info, see Deploying Group Policy Security Update MS16-072 .
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 6/14
7/19/2017 Deploy Roaming User Pro les
Note
If you set up Roaming User Profiles on user accounts by using Active Directory and on computers by using Group Policy,
the computer-based policy setting takes precedence.
1. In Active Directory Administration Center, navigate to the Users container (or OU) in the appropriate domain.
2. Select all users to which you want to assign a roaming user profile, right-click the users and then click Properties.
3. In the Profile section, select the Profile path: checkbox and then enter the path to the file share where you want to
store the users roaming user profile, followed by %username% (which is automatically replaced with the user name the
first time the user signs in). For example:
\\fs1.corp.contoso.com\User Profiles$\%username%
To specify a mandatory roaming user profile, specify the path to the NTuser.man file that you created previously, for
example, fs1.corp.contoso.comUser Profiles$default. For more information, see Create mandatory user
profiles.
4. Click OK.
Note
By default, deployment of all Windows Runtime-based (Windows Store) apps is allowed when using Roaming User Profiles.
However, when using a special profile, apps are not deployed by default. Special profiles are user profiles where changes are
discarded after the user signs out:
Roaming user profiles to which the Delete cached copies of roaming profiles Group Policy setting
applies (located in Computer Configuration\Policies\Administrative Templates\System\User Profiles)
Mandatory user profiles and super-mandatory profiles, created by an administrator
Temporary user profiles, created when an error prevents the correct profile from loading
User profiles for the Guest account and members of the Guests group
To remove restrictions on app deployment for special profiles, enable the Allow deployment operations in
special profiles policy setting (located in Computer Configuration\Policies\Administrative Templates\Windows
Components\App Package Deployment). However, deployed apps in this scenario will leave some data stored on the
computer, which could accumulate, for example, if there are hundreds of users of a single computer. To cleanup apps, locate
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 7/14
7/19/2017 Deploy Roaming User Pro les
or develop a tool that uses the CleanupPackageForUserAsync API to cleanup app packages for users who no longer have a
profile on the computer.
For additional background information about Windows Store apps, see Manage Client Access to the Windows Store.
You can use Group Policy to apply Roaming User Profiles to computers running Windows 8.1, Windows 8, Windows 7,
Windows Vista, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.
Note
If you set up Roaming User Profiles on computers by using Group Policy and on user accounts by using Active Directory,
the computer-based policy setting takes precedence.
2. From the Tools menu click Group Policy Management. Group Policy Management appears.
3. In Group Policy Management, right-click the GPO you created in Step 3 (for example, Roaming User Profiles
Settings), and then click Edit.
4. In the Group Policy Management Editor window, navigate to Computer Configuration, then Policies, then
Administrative Templates, then System, and then User Profiles.
5. Right-click Set roaming profile path for all users logging onto this computer and then click Edit.
Tip
A user's home folder, if configured, is the default folder used by some programs such as Windows PowerShell. You
can configure an alternative local or network location on a per-user basis by using the Home folder section of the
user account properties in AD DS. To configure the home folder location for all users of a computer running Windows
8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 in a virtual desktop environment, enable the Set
user home folder policy setting, and then specify the file share and drive letter to map (or specify a local folder). Do
not use environment variables or ellipses. The users alias is appended to the end of the path specified during user
sign on.
7. In the Users logging onto this computer should use this roaming profile path box, enter the path to the file share
where you want to store the users roaming user profile, followed by %username% (which is automatically replaced with
the user name the first time the user signs in). For example:
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 8/14
7/19/2017 Deploy Roaming User Pro les
\\fs1.corp.contoso.com\User Profiles$\%username%
To specify a mandatory roaming user profile, which is a preconfigured profile to which users cannot make permanent
changes (changes are reset when the user signs out), specify the path to the NTuser.man file that you created previously,
for example, \\fs1.corp.contoso.com\User Profiles$\default. For more information, see Creating a
Mandatory User Profile.
8. Click OK.
1. Update your Windows 10 PCs to Windows 10 version 1607 (also known as the Anniversary Update) or newer, and install
the March 14th, 2017 cumulative update (KB4013429) or newer.
2. Create a full or partial Start menu layout XML file. To do so, see Customize and export Start layout.
If you specify a full Start layout, a user can't customize any part of the Start menu. If you specify a partial Start layout,
users can customize everything but the locked groups of tiles you specify. However, with a partial Start layout, user
customizations to the Start menu won't roam to other PCs.
3. Use Group Policy to apply the customized Start layout to the GPO you created for Roaming User Profiles. To do so, see
Use Group Policy to apply a customized Start layout in a domain.
4. Use Group Policy to set the following registry value on your Windows 10 PCs. To do so, see Configure a Registry Item.
Action Update
Hive HKEY_LOCAL_MACHINE
Base Decimal
5. (Optional) Enable first-time logon optimizations to make signing in faster for users. To do so, see Apply policies to
improve sign-in time.
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 9/14
7/19/2017 Deploy Roaming User Pro les
6. (Optional) Further decrease sign-in times by removing unneccesary apps from the Windows 10 base image you use to
deploy client PCs. Windows Server 2016 doesn't have any pre-provisioned apps, so you can skip this step on server
images.
To remove apps, use the Remove-AppxProvisionedPackage cmdlet in Windows PowerShell to uninstall the following
applications. If your PCs are already deployed you can script the removal of these apps using the Remove-AppxPackage.
Microsoft.windowscommunicationsapps_8wekyb3d8bbwe
Microsoft.BingWeather_8wekyb3d8bbwe
Microsoft.DesktopAppInstaller_8wekyb3d8bbwe
Microsoft.Getstarted_8wekyb3d8bbwe
Microsoft.Windows.Photos_8wekyb3d8bbwe
Microsoft.WindowsCamera_8wekyb3d8bbwe
Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe
Microsoft.WindowsStore_8wekyb3d8bbwe
Microsoft.XboxApp_8wekyb3d8bbwe
Microsoft.XboxIdentityProvider_8wekyb3d8bbwe
Microsoft.ZuneMusic_8wekyb3d8bbwe
Note
Uninstalling these apps decreases sign-in times, but you can leave them installed if your deployment needs any of
them.
Tip
If you plan to implement primary computer support, do so now, before you enable the GPO. This prevents user data from
being copied to non-primary computers before primary computer support is enabled. For the specific policy settings, see
Deploy Primary Computers for Folder Redirection and Roaming User Profiles.
2. Right-click the GPO that you created and then click Link Enabled. A checkbox appears next to the menu item.
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 10/14
7/19/2017 Deploy Roaming User Pro les
1. Sign in to a primary computer (if you enabled primary computer support) with a user account for which you have enabled
Roaming User Profiles enabled. If you enabled Roaming User Profiles on specific computers, sign in to one of these
computers.
2. If the user has previously signed in to the computer, open an elevated command prompt, and then type the following
command to ensure that the latest Group Policy settings are applied to the client computer:
GpUpdate /Force
3. To confirm that the user profile is roaming, open Control Panel, click System and Security, click System, click
Advanced System Settings, click Settings in the User Profiles section and then look for Roaming in the Type
column.
- Group name:
- Members:
- GPO name:
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 11/14
7/19/2017 Deploy Roaming User Pro les
- Computer-based or User-based?
The following table lists the location of Roaming User Profiles on various versions of Windows.
Windows 8 and Windows Server \\<servername>\<fileshare>\<username>.V3 (after the software update and registry
2012 key are applied)
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 12/14
7/19/2017 Deploy Roaming User Pro les
Windows 8.1 and Windows Server \\<servername>\<fileshare>\<username>.V4 (after the software update and registry
2012 R2 key are applied)
Windows 10 \\<servername>\<fileshare>\<username>.V5
Change history
The following table summarizes some of the most important changes to this topic.
April 13th, Added profile information for Windows 10, version 1703, and Customer feedback.
2017 clarified how roaming profile versions work when upgrading
operating systems - see Considerations when using Roaming
User Profiles on multiple versions of Windows.
March 14th, Added optional step for specifying a mandatory Start layout for Feature changes in latest Windows
2017 Windows 10 PCs. update.
January 23rd, Added a step to Step 4: Optionally create a GPO for Roaming Security changes to Group Policy
2017 User Profiles to delegate Read permissions to Authenticated processing.
Users, which is now required because of a Group Policy security
update.
December Added a link in Step 7: Enable the Roaming User Profiles GPO Customer feedback.
29th, 2016 to make it easier to get info on how to set Group Policy for
primary computers. Also fixed a couple references to steps 5
and 6 that had the numbers wrong.
December Added info explaining a Start menu settings roaming issue. Customer feedback.
5th, 2016
July 6th, Added Windows 10 profile version suffixes in Appendix B: Profile Updates for the new versions of
2016 version reference information. Also removed Windows XP and Windows, and removed info about
Windows Server 2003 from the list of supported operating versions of Windows that are no longer
systems. supported.
July 7th, Added requirement and step to disable continuous availability Clustered file shares have better
2015 when using a clustered file server. performance for small writes (which are
typical with roaming user profiles) when
continuous availability is disabled.
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 13/14
7/19/2017 Deploy Roaming User Pro les
March 19th, Capitalized profile version suffixes (.V2, .V3, .V4) in Appendix B: Although Windows is case insensitive, if
2014 Profile version reference information. you use NFS with the file share, its
important to have the correct
(uppercase) capitalization for the profile
suffix
October 9th, Revised for Windows Server 2012 R2 and Windows 8.1, clarified Updates for new version; customer
2013 a few things, and added the Considerations when using Roaming feedback
User Profiles on multiple versions of Windows and Appendix B:
Profile version reference information sections.
See Also
Deploy Folder Redirection, Offline Files, and Roaming User Profiles
Deploy Primary Computers for Folder Redirection and Roaming User Profiles
Implementing User State Management
Microsofts Support Statement Around Replicated User Profile Data
How to Add and Remove Apps
Troubleshooting packaging, deployment, and query of Windows Runtime-based apps
2017 Microsoft
https://technet.microsoft.com/en-us/library/jj649079(d=printer,v=ws.11).aspx 14/14