How to Configure Folder Redirection and Roaming Profiles on Windows Server 2025
Folder Redirection and Roaming User Profiles are two complementary technologies that enable users to access their data and desktop environment from any domain-joined computer in the organization. Folder Redirection moves the physical location of special shell folders—Desktop, Documents, AppData, and others—from the local workstation to a network file server, while the folder still appears local to the user. Roaming User Profiles replicate the entire user profile (registry hive, application data, and settings) to a network location so users have a consistent environment regardless of which machine they log into. Windows Server 2025 supports both technologies through Group Policy and also accommodates User Experience Virtualization (UE-V) as a modern alternative. This tutorial covers the complete setup from file server share configuration through GPO deployment and profile size management.
Prerequisites
- Windows Server 2025 with Active Directory Domain Services
- A dedicated file server with sufficient storage (SSD-backed storage recommended for profile data)
- Group Policy Management Console (gpmc.msc)
- Domain Admin credentials
- Target workstations running Windows 10 22H2 or Windows 11 23H2 or later
- DFS Namespace (optional but recommended for location-independent UNC paths)
Step 1: Create and Configure the File Server Share
Roaming profiles and redirected folders require a shared folder on a file server with specific NTFS and share permissions. The share permission must allow all users to connect, while NTFS permissions control what each user can see within the share. The standard configuration uses the Access-Based Enumeration (ABE) feature to hide other users’ folders from each other.
# Create top-level directories on the file server
New-Item -Path "D:\UserData\FolderRedirection" -ItemType Directory -Force
New-Item -Path "D:\UserData\RoamingProfiles" -ItemType Directory -Force
# Create the SMB shares
New-SmbShare `
    -Name "FolderRedirection$" `
    -Path "D:\UserData\FolderRedirection" `
    -Description "Folder Redirection target share" `
    -FullAccess "Domain Admins" `
    -ChangeAccess "Authenticated Users" `
    -FolderEnumerationMode AccessBased
New-SmbShare `
    -Name "Profiles$" `
    -Path "D:\UserData\RoamingProfiles" `
    -Description "Roaming User Profiles share" `
    -FullAccess "Domain Admins" `
    -ChangeAccess "Authenticated Users" `
    -FolderEnumerationMode AccessBased
# The trailing $ hides the share from network browse lists (administrative share convention)
# Set NTFS permissions on the FolderRedirection directory
# Users need Create Folders/Append Data on the root so Windows can create their per-user subfolder
$aclFR = Get-Acl "D:\UserData\FolderRedirection"
# Remove inheritance and apply clean permissions
$aclFR.SetAccessRuleProtection($true, $false)
# Domain Admins - Full Control
$aclFR.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "Domain Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
# CREATOR OWNER - Full Control on subfolders and files only (not this folder)
$aclFR.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CREATOR OWNER","FullControl","ContainerInherit,ObjectInherit","InheritOnly","Allow")))
# Authenticated Users - Create Folders/Append Data on this folder only
$aclFR.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "Authenticated Users","AppendData","None","None","Allow")))
Set-Acl -Path "D:\UserData\FolderRedirection" -AclObject $aclFR
# Set NTFS permissions on the Profiles directory (same pattern)
$aclRP = Get-Acl "D:\UserData\RoamingProfiles"
$aclRP.SetAccessRuleProtection($true, $false)
$aclRP.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "Domain Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
$aclRP.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CREATOR OWNER","FullControl","ContainerInherit,ObjectInherit","InheritOnly","Allow")))
$aclRP.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "Authenticated Users","AppendData","None","None","Allow")))
Set-Acl -Path "D:\UserData\RoamingProfiles" -AclObject $aclRP
# Verify share access
Get-SmbShareAccess -Name "FolderRedirection$"
Get-SmbShareAccess -Name "Profiles$"
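The permission layout from Step 1 only protects users from each other if it stays in place, so it is worth auditing after setup and periodically afterwards. The function below is an added example, not part of the original tutorial: it reports a root that still inherits permissions, broad principals with inheritable rights, and per-user folders that are not owned by the matching user. The function name Test-UserDataRootAcl and the list of broad principals are assumptions made for this example.

```powershell
# Added example: audit the ACLs that Step 1 is meant to produce.
function Test-UserDataRootAcl {
    param([Parameter(Mandatory)][string]$Root)
    # Principals that must never hold inheritable rights or rights on a user's folder
    $broad = 'Authenticated Users|Everyone|Domain Users|BUILTIN\\Users'
    $findings = [System.Collections.Generic.List[string]]::new()
    $acl = Get-Acl -Path $Root
    # Step 1 disables inheritance on the root; flag it if it is still enabled
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add("ROOT: permissions are still inherited from the parent folder")
    }
    foreach ($rule in $acl.Access | Where-Object AccessControlType -eq 'Allow') {
        $id = $rule.IdentityReference.Value
        # Broad principals may create a subfolder here, nothing more
        if ($id -match $broad -and $rule.InheritanceFlags -ne 'None') {
            $findings.Add("ROOT: '$id' holds inheritable rights ($($rule.FileSystemRights))")
        }
        # CREATOR OWNER must apply to subfolders and files only
        if ($id -eq 'CREATOR OWNER' -and $rule.PropagationFlags -ne 'InheritOnly') {
            $findings.Add("ROOT: CREATOR OWNER entry is not inherit-only")
        }
    }
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        $dirAcl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
        if (-not $dirAcl) {
            # Expected when "Grant the user exclusive rights" removed administrators
            $findings.Add("$($dir.Name): ACL not readable by the auditing account")
            continue
        }
        foreach ($rule in $dirAcl.Access | Where-Object AccessControlType -eq 'Allow') {
            if ($rule.IdentityReference.Value -match $broad) {
                $findings.Add("$($dir.Name): '$($rule.IdentityReference.Value)' has $($rule.FileSystemRights)")
            }
        }
        # Folder is named <user> or <user>.V6; its owner should be that user
        $expected = $dir.Name -replace '\.V\d+$', ''
        if (($dirAcl.Owner -split '\\')[-1] -ne $expected) {
            $findings.Add("$($dir.Name): owner is '$($dirAcl.Owner)', expected '$expected'")
        }
    }
    $findings
}
# Paths are the ones used in Step 1; an empty result means no deviations were found
Test-UserDataRootAcl -Root 'D:\UserData\FolderRedirection'
Test-UserDataRootAcl -Root 'D:\UserData\RoamingProfiles'
```

Run it on the file server from an elevated session; folders it cannot read are listed rather than skipped so they can be reviewed by hand.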
Step 2: Configure Folder Redirection via Group Policy
Folder Redirection is configured under User Configuration in Group Policy. Windows Server 2025 supports redirecting the following special folders: Desktop, Start Menu, Documents, Pictures, Music, Videos, Favorites, Contacts, Downloads, Links, Searches, Saved Games, and AppData (Roaming).
# Create a dedicated GPO for Folder Redirection
Import-Module GroupPolicy
New-GPO -Name "FolderRedirection-AllUsers" `
    -Comment "Redirects key shell folders to \\FILESERVER01\FolderRedirection$"
# Link to the OU containing target user accounts
New-GPLink `
    -Name "FolderRedirection-AllUsers" `
    -Target "OU=Staff,DC=contoso,DC=com" `
    -LinkEnabled Yes
# Folder Redirection is configured via the GUI in GPMC:
# User Configuration > Policies > Windows Settings > Folder Redirection
# Right-click "Documents" > Properties
#   Setting: Basic - Redirect everyone's folder to the same location
#   Target folder location: Create a folder for each user under the root path
#   Root Path: \\FILESERVER01\FolderRedirection$
#   Options:
#     [x] Grant the user exclusive rights to Documents
#     [x] Move the contents of Documents to the new location
#     [x] Also apply redirection policy to Windows 2000, Windows 2000 Server, etc.
# Key folders to redirect:
#   - Documents: \\FILESERVER01\FolderRedirection$
#   - Desktop: \\FILESERVER01\FolderRedirection$
#   - AppData (Roaming): \\FILESERVER01\FolderRedirection$ (reduces profile size)
#   - Downloads: Consider leaving local to avoid network saturation
# After configuring, verify the GPO settings
Get-GPO -Name "FolderRedirection-AllUsers" | Format-List DisplayName, Id, GpoStatus
# Force Group Policy update on a test user's workstation
Invoke-GPUpdate -Computer "WORKSTATION01" -Target User -Force
Step 3: Understanding Basic vs Advanced Folder Redirection
Folder Redirection offers two configuration modes. Basic redirects all users’ folders to the same root path, with Windows automatically creating per-user subfolders (\\server\share\%username%\Documents). Advanced allows different paths for different security groups—useful when different departments should have their data on different servers or shares for performance, compliance, or quota reasons.
# Advanced targeting example — in GPMC, under the folder's Properties:
#   Setting: Advanced - Specify locations for various user groups
#   Add security group entries with their respective paths:
#     "Finance-Staff" --> \\FINSERVER\FolderRedirection$
#     "Engineering" --> \\ENGSERVER\FolderRedirection$
#     "Everyone" --> \\FILESERVER01\FolderRedirection$
# Create the security groups for advanced targeting
New-ADGroup -Name "GPO-FolderRedir-Finance" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Groups,DC=contoso,DC=com"
New-ADGroup -Name "GPO-FolderRedir-Engineering" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Groups,DC=contoso,DC=com"
# Add users to groups
Add-ADGroupMember -Identity "GPO-FolderRedir-Finance" `
    -Members (Get-ADUser -SearchBase "OU=Finance,DC=contoso,DC=com" -Filter *).SamAccountName
# Verify group membership
Get-ADGroupMember -Identity "GPO-FolderRedir-Finance" | Select-Object Name, SamAccountName
Step 4: Configure Roaming User Profiles via Group Policy
Roaming User Profiles can be configured organization-wide via Group Policy or on a per-user basis through the AD user object’s Profile tab. The GPO approach is recommended for consistent management. The profile path uses %username% as a variable, and Windows automatically appends the OS version suffix (.V6 for Windows 11/Server 2025) to prevent profile version conflicts between different OS generations.
# Create a GPO for Roaming Profiles
New-GPO -Name "RoamingProfiles-AllStaff" `
    -Comment "Sets roaming profile path for all staff users"
New-GPLink `
    -Name "RoamingProfiles-AllStaff" `
    -Target "OU=Staff,DC=contoso,DC=com" `
    -LinkEnabled Yes
# Configure the profile path via GPO:
# Computer Configuration > Policies > Administrative Templates >
#   System > User Profiles
#   "Set roaming profile path for all users logging onto this computer"
#   Value: \\FILESERVER01\Profiles$\%USERNAME%
# Alternatively, set profile path directly on the AD user object
$users = Get-ADUser -SearchBase "OU=Staff,DC=contoso,DC=com" -Filter *
foreach ($user in $users) {
    Set-ADUser -Identity $user.SamAccountName `
        -ProfilePath "\\FILESERVER01\Profiles$\$($user.SamAccountName)"
}
# Verify the profile path was set
Get-ADUser -Identity "jsmith" -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
# Windows automatically creates the per-user profile directory
# on first logon and appends the version suffix:
#   \\FILESERVER01\Profiles$\jsmith.V6 (Windows 10/11, Server 2025)
#   \\FILESERVER01\Profiles$\jsmith.V2 (Windows Vista/7)
Step 5: Profile Size Management and Disk Quotas
Roaming profiles can grow very large over time, especially if AppData is not redirected. Large profiles cause slow logon and logoff times. Implement NTFS disk quotas and configure GPO settings to exclude unnecessary folders from roaming.
# Enable NTFS disk quotas on the profiles volume
$quotaManager = New-Object -ComObject Microsoft.DiskQuota.1
$quotaManager.Initialize("D:\", $true)   # open the volume read/write
$quotaManager.QuotaState = 2             # 2 = track usage and enforce limits
# Alternatively, use fsutil for simpler quota management
fsutil quota modify D: 524288000 629145600 "Authenticated Users"
# 500 MB warning, 600 MB limit
# Use File Server Resource Manager (FSRM) for richer quota management
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
# Create a quota template for profile directories
New-FsrmQuotaTemplate `
    -Name "Roaming Profile Quota" `
    -Size 524288000 `
    -SoftLimit `
    -Description "500MB soft limit for roaming profiles"
# Apply quota to the profiles share path
New-FsrmQuota `
    -Path "D:\UserData\RoamingProfiles" `
    -Template "Roaming Profile Quota"
# Configure GPO to exclude folders from roaming (reduces profile size dramatically)
# Computer Configuration > Policies > Administrative Templates > System > User Profiles
# "Exclude directories in roaming profile" — add:
#   AppData\Local;AppData\LocalLow;$Recycle.Bin;OneDrive;Downloads;Temp
# Check profile sizes to identify bloated profiles
Get-ChildItem "D:\UserData\RoamingProfiles" | ForEach-Object {
    $size = (Get-ChildItem $_.FullName -Recurse -ErrorAction SilentlyContinue |
        Measure-Object -Property Length -Sum).Sum
    [PSCustomObject]@{
        Profile = $_.Name
        SizeMB  = [math]::Round($size / 1MB, 2)
    }
} | Sort-Object SizeMB -Descending | Format-Table -AutoSize
Step 6: Configuring Mandatory Profiles
A mandatory profile is a read-only roaming profile. Changes users make during their session are discarded at logoff—every logon starts from the same baseline. Mandatory profiles are ideal for kiosk computers, shared workstations, or environments where standardized configuration must be enforced.
# To create a mandatory profile:
# 1. Log on as a local admin, configure the local profile exactly as desired
# 2. Copy the local profile to the network share using System Properties > Advanced
#    or use robocopy to copy an existing profile:
Robocopy "C:\Users\TemplateUser" "D:\UserData\MandatoryProfiles\KioskProfile.V6" /E /XJ /COPYALL
# 3. Rename NTUSER.DAT to NTUSER.MAN (makes it mandatory)
Rename-Item -Path "D:\UserData\MandatoryProfiles\KioskProfile.V6\NTUSER.DAT" `
    -NewName "NTUSER.MAN"
# 4. Set the profile path on target user accounts (without .V6 suffix — Windows adds it)
Set-ADUser -Identity "kioskuser01" `
    -ProfilePath "\\FILESERVER01\MandatoryProfiles$\KioskProfile"
# 5. Verify the rename
Get-ChildItem "D:\UserData\MandatoryProfiles\KioskProfile.V6" -Filter "NTUSER.*"
Step 7: UE-V as a Modern Alternative
User Experience Virtualization (UE-V) is Microsoft’s modern replacement for traditional roaming profiles. Instead of copying the entire profile, UE-V selectively synchronizes application and OS settings using lightweight XML templates. UE-V is included with Windows 10/11 Enterprise and integrates with Windows Server 2025. It avoids profile corruption, supports settings sync for applications that store settings outside AppData\Roaming, and works well alongside Folder Redirection.
# Enable UE-V on Windows 11 clients (built-in, no separate install needed)
Enable-UEV
# Configure the settings storage location (on the file server)
Set-UevConfiguration -SettingsStoragePath "\\FILESERVER01\UEVSettings$\%username%"
# Verify UE-V status
Get-UevStatus
# List available UE-V templates (Microsoft Office, Windows, and more)
Get-UevTemplate | Select-Object TemplateId, TemplateName, Author | Format-Table -AutoSize
# Register a template
Register-UevTemplate -Path "C:\ProgramData\Microsoft\UEV\Templates\MicrosoftOffice2016Win64.xml"
# Configure UE-V via GPO (recommended for domain-wide deployment)
# Computer Configuration > Administrative Templates > Windows Components >
#   Microsoft User Experience Virtualization
#   "Use User Experience Virtualization (UE-V)": Enabled
#   "Settings storage location": \\FILESERVER01\UEVSettings$\%username%
# Check sync status for a user
Get-UevAppxPackage | Select-Object PackageFamilyName, Enabled | Format-Table -AutoSize
Step 8: Troubleshooting and Best Practices
# Check User Profile Service events on client
Get-WinEvent -LogName "Microsoft-Windows-User Profile Service/Operational" -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -ne "Information" } |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
# Verify redirected folder paths on a logged-in user's session
[Environment]::GetFolderPath("MyDocuments")
[Environment]::GetFolderPath("Desktop")
$env:APPDATA
# Check that the UNC path is accessible
Test-Path "\\FILESERVER01\FolderRedirection$"
Test-Path "\\FILESERVER01\Profiles$"
# Confirm DFS is routing correctly if DFS namespaces are in use
dfsutil /root:\\contoso.com\UserData /view
# Run Group Policy Results wizard on a test user/computer
Get-GPResultantSetOfPolicy -ReportType Html -Path "C:\Logs\gprsop.html" `
    -Computer "WORKSTATION01" -User "contoso\jsmith"
# Clean up orphaned profile directories (users who no longer exist in AD)
$profileDirs = Get-ChildItem "D:\UserData\RoamingProfiles" -Directory
foreach ($dir in $profileDirs) {
    $username = $dir.Name -replace '\.V\d+$', '' # Strip .V6 suffix
    $user = Get-ADUser -Filter { SamAccountName -eq $username } -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Output "Orphaned profile: $($dir.FullName) — user '$username' not found in AD"
        # Remove-Item $dir.FullName -Recurse -Force # Uncomment after review
    }
}
Conclusion
Folder Redirection and Roaming User Profiles remain essential tools for delivering a consistent, data-safe user experience across domain-joined Windows machines in Windows Server 2025 environments. By properly configuring the file server share with correct NTFS permissions (Creator Owner, Authenticated Users with AppendData, and Domain Admins with Full Control), deploying Folder Redirection via Group Policy to move Documents, Desktop, and AppData off the local disk, and configuring Roaming Profiles with disk quotas and exclusion lists to keep profile sizes manageable, you give users seamless access to their data from any workstation. For organizations ready to modernize, UE-V provides a lightweight, corruption-resistant alternative that selectively synchronizes settings rather than copying entire profile blobs—making it the preferred approach for new deployments, particularly in hybrid and cloud-connected environments.