Active Directory GPO — Roaming Profiles

Set up roaming user profiles in the Uplevel domain so users keep a consistent desktop, settings, and documents across any joined workstation.

Microsoft’s own documentation is the canonical reference for roaming profiles: Deploy Roaming User Profiles. This article walks through the same idea against the Uplevel Directory Service.

What roaming profiles are

A roaming user profile is a Windows file-synchronization feature. When a user signs in to any domain-joined computer, their documents and personalised desktop settings — application preferences, toolbar positions, wallpaper — follow them onto that machine. The profile is cached locally, so day-to-day work does not require a constant fast connection back to the file server.

Install Microsoft RSAT on the management workstation

You’ll manage the domain from a Windows workstation with the Remote Server Administration Tools (RSAT) installed.

  1. Sign in to Windows with an administrator account.
  2. Open Settings (Win+I).
  3. Click Apps.
  4. Click Manage optional features.
  5. Click + Add a feature.
  6. Scroll the list to find RSAT entries. Each tool installs independently — select the ones you want and click Install.

For domain management we recommend installing at minimum the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools and RSAT: Group Policy Management Tools.

[Figure: Recommended RSAT tools for domain management]

Create a share for the profiles

The roaming profiles need somewhere to live. In the Uplevel Portal:

  1. Open Storage.
  2. Click + to create a new file share.

The new share is automatically mapped to the domain with Authenticated Users permissions — i.e. accessible to any domain-joined account.

Heads up. Domain object names must be unique. If you name this share Roaming_Profiles, no other domain object can re-use that name.

Create the GPO

  1. Open the Group Policy Management Console as a Domain Administrator.
  2. Right-click your AD domain and choose Create a GPO in this domain, and Link it here….
  3. Name the policy — for example Roaming Windows User Profiles.
  4. Right-click the new GPO and choose Edit to open the Group Policy Management Editor.
  5. Navigate to Computer Configuration › Policies › Administrative Templates › System › User Profiles.
  6. Double-click Set roaming profile path for all users logging onto this computer.
  7. Enable the policy and set the profile path to \\server\profiles\%USERNAME%. Windows substitutes the user’s logon name for %USERNAME% at sign-in. Don’t end the path with a trailing backslash.

Scoping to a subset of users

By default, the GPO applies to every authenticated user on every computer in scope. To limit roaming profiles to a subset:

  1. In the Uplevel Portal, go to Directory › User Groups and create a group — for example roaming. Add the users who should receive roaming profiles.
  2. Back in Group Policy Management Editor, on the GPO’s Scope tab, remove Authenticated Users from the security filtering and add the roaming group instead.
  3. Add the relevant computers to the same group via Active Directory Users and Computers:
    • Right-click the roaming group and choose Properties.
    • Click Object Types and tick Computers so computers can be added.
    • Click OK, then Advanced, then Find Now to pick the workstations.
  4. Close both consoles when you’re done. GPOs are saved automatically to the domain controller’s Sysvol share.

Forcing a policy refresh

Windows refreshes Group Policy every 90 minutes by default, with a random ±30-minute offset. After a change, expect up to two hours before clients pick it up — and some settings take effect only after a reboot.

To apply changes immediately on a client, run:

gpupdate /force

The command compares the client’s cached policy to the version on the domain controller. If nothing changed, the update is skipped; otherwise you’ll see output like:

Policy Revision...
The update to the User Policy has been completed successfully.
The computer policy update was successful.

A note on profile-folder naming

Windows creates a version-suffixed profile folder per OS family so the same user’s profile doesn’t get corrupted by version-specific schema changes. The suffix matters when you’re inspecting the share or migrating between OS generations:

| Windows client | Windows server | Suffix | Folder name |
| --- | --- | --- | --- |
| Windows NT 4.0 – Windows Vista | Windows NT Server 4.0 – Server 2008 | none | user |
| Windows 7 | Server 2008 R2 | V2 | user.V2 |
| Windows 8.0 – 8.1 | Server 2012 – 2012 R2 | V3 | user.V3 |
| Windows 8.1 | Server 2012 R2 | V4 | user.V4 |
| Windows 10 (1507 to 1511) | Server 2016 | V5 | user.V5 |
| Windows 10 (1607 and later) | | V6 | user.V6 |
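
When inspecting the share, the suffix table above can be applied mechanically. The following PowerShell is an added example, not part of the original article or of Uplevel's tooling: it classifies profile folder names by suffix, flags suffixes the table does not list, and reports users who have more than one profile generation on the share. The function name Get-ProfileFolderInfo and the sample folder names are constructed for illustration.

```powershell
# Suffix-to-OS map taken from the table above ('none' = folder without a suffix).
$SuffixMap = @{
    'none' = 'Windows NT 4.0 - Vista / NT Server 4.0 - Server 2008'
    'V2'   = 'Windows 7 / Server 2008 R2'
    'V3'   = 'Windows 8.0 - 8.1 / Server 2012 - 2012 R2'
    'V4'   = 'Windows 8.1 / Server 2012 R2'
    'V5'   = 'Windows 10 (1507 to 1511) / Server 2016'
    'V6'   = 'Windows 10 (1607 and later)'
}

function Get-ProfileFolderInfo {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$FolderName)
    foreach ($name in $FolderName) {
        # A logon name may itself contain dots ("j.smith.V5"), so only a
        # trailing ".V<digits>" is treated as the profile version suffix.
        if ($name -match '^(?<user>.+)\.(?<suffix>V\d+)$') {
            $user = $Matches['user']; $suffix = $Matches['suffix'].ToUpper()
        } else {
            $user = $name; $suffix = 'none'
        }
        $known = $SuffixMap.ContainsKey($suffix)
        [pscustomobject]@{
            Folder = $name
            User   = $user
            Suffix = $suffix
            OS     = if ($known) { $SuffixMap[$suffix] } else { 'UNKNOWN suffix' }
        }
    }
}

# Constructed sample folder names. Against a real share, feed in the names from
#   (Get-ChildItem -Directory '\\server\profiles').Name
# using the same path you set in the GPO.
$sample    = 'alice.V6', 'alice.V2', 'bob', 'j.smith.V5', 'carol.V9'
$inventory = Get-ProfileFolderInfo -FolderName $sample
$inventory | Format-Table -AutoSize

# Users with more than one profile generation on the share (review after migrations).
$inventory | Group-Object User | Where-Object Count -gt 1 |
    ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Group.Suffix -join ', ') }
```

With the sample input, carol.V9 is reported with an unknown suffix and alice is listed as holding both V6 and V2 folders.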
