Introduction to Folder Redirection and Roaming Profiles
In a domain environment, users may log on from different computers. Without profile management, their Desktop files, Documents, and application settings exist only on the computer they last used. Folder Redirection and Roaming Profiles are two complementary Group Policy technologies that solve this problem by storing user data and settings on a network location that follows the user to any domain computer.
Folder Redirection transparently redirects Windows shell folders (Desktop, Documents, AppData, etc.) to a UNC path on a file server. The user sees their folders in the same locations as always, but the data actually lives on the server. Roaming Profiles copy the entire user profile (NTUSER.DAT registry hive and profile folders) to a network location and synchronize it at logon and logoff. The two technologies are often used together: Folder Redirection for large data folders (reducing roaming profile size and sync time), and Roaming Profiles for application settings in AppData.
Preparing the File Server Share
Both Folder Redirection and Roaming Profiles require a properly configured network share. Create a shared folder on your file server, typically on a volume with sufficient space and redundancy. Use a dedicated server for profile storage to avoid performance issues on your domain controllers.
Create the folder and share:
New-Item -Path "D:\UserProfiles" -ItemType Directory
New-SmbShare -Name "Profiles$" -Path "D:\UserProfiles" -FullAccess "Domain Admins" -ChangeAccess "Authenticated Users"
The trailing dollar sign in the share name (Profiles$) makes it a hidden administrative share, not visible when browsing the network. This is a security best practice for profile and redirection shares.
The NTFS permissions on the root folder must be configured precisely. Microsoft’s recommended permissions for folder redirection shares are:
# Set NTFS permissions on root folder (D:\UserProfiles):
# SYSTEM - Full Control - This folder, subfolders, and files
# Domain Admins - Full Control - This folder, subfolders, and files
# Creator Owner - Full Control - Subfolders and files only
# Authenticated Users - List Folder / Read Data, Create Folders / Append Data - This folder only
icacls "D:\UserProfiles" /inheritance:r
icacls "D:\UserProfiles" /grant "SYSTEM:(OI)(CI)F"
icacls "D:\UserProfiles" /grant "Domain Admins:(OI)(CI)F"
icacls "D:\UserProfiles" /grant "CREATOR OWNER:(OI)(CI)(IO)F"
# (RD,AD) = List Folder / Read Data + Create Folders / Append Data; no (OI)(CI) flags means "This folder only"
icacls "D:\UserProfiles" /grant "Authenticated Users:(RD,AD)"
The “Authenticated Users” entry grants Create Folders permission on the root only. This allows the system to create a per-user subfolder the first time a user logs on, while preventing users from seeing or accessing each other’s folders at the root level. Folder Redirection Group Policy will automatically create per-user subfolders with exclusive permissions when “Grant the user exclusive rights” is checked in the policy settings.
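Because a single mis-set ACE on a per-user subfolder exposes that user's data to every domain account, it is worth auditing the share after deployment. The following script is an added example, not from the original article: it walks the user subfolders under the share root and reports any that grant access to broad groups or to principals other than SYSTEM, the folder's own user, and Domain Admins. The root path \\FILESERVER\Profiles$ and the NetBIOS domain name CONTOSO are placeholders, and it assumes each subfolder is named after the user's SamAccountName.

```powershell
# Added audit example (not from the original article). Assumptions: share root is
# \\FILESERVER\Profiles$ (placeholder), domain NetBIOS name is CONTOSO (placeholder),
# and per-user folders are named after the user's SamAccountName.
param(
    [string]$Root   = "\\FILESERVER\Profiles$",
    [string]$Domain = "CONTOSO"
)

# Principals that must never appear on a per-user profile folder.
$BroadGroups = @("Everyone", "NT AUTHORITY\Authenticated Users", "BUILTIN\Users", "$Domain\Domain Users")
# With "Grant the user exclusive rights" only the user and SYSTEM are expected;
# Domain Admins is tolerated here only because the root ACL above grants it.
$AllowedSystem = @("NT AUTHORITY\SYSTEM", "$Domain\Domain Admins")

function Test-ProfileFolderAcl {
    param([System.IO.DirectoryInfo]$Folder)
    $acl  = Get-Acl -Path $Folder.FullName
    $user = "$Domain\$($Folder.Name)"
    $findings = @()
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($BroadGroups -contains $id) {
            $findings += "broad group '$id' has $($ace.FileSystemRights)"
        } elseif ($id -ne $user -and $AllowedSystem -notcontains $id) {
            $findings += "unexpected principal '$id' has $($ace.FileSystemRights)"
        }
    }
    # Exclusive-rights folders are owned by the user; a different owner usually
    # means the folder was pre-created by hand or ownership was taken.
    if ($acl.Owner -ne $user -and $acl.Owner -ne "NT AUTHORITY\SYSTEM") {
        $findings += "owner is '$($acl.Owner)', expected '$user'"
    }
    [PSCustomObject]@{
        Folder   = $Folder.Name
        Owner    = $acl.Owner
        Findings = ($findings -join "; ")
    }
}

# Only folders with at least one finding are shown.
Get-ChildItem -Path $Root -Directory |
    ForEach-Object { Test-ProfileFolderAcl -Folder $_ } |
    Where-Object { $_.Findings } |
    Format-Table -AutoSize
```

Run it as an account that can read the ACLs (the audit needs Read Permissions on each subfolder, which Domain Admins has via the root ACL); an empty result means every user folder matches the expected ACL.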
Configuring Folder Redirection via Group Policy
Open Group Policy Management Console (gpmc.msc). Create a new GPO linked to the OU containing your target users and name it something like “User Policy – Folder Redirection.” Edit the GPO and navigate to:
User Configuration > Policies > Windows Settings > Folder Redirection
You will see a list of redirectable folders: AppData (Roaming), Desktop, Start Menu, Documents, Pictures, Music, Videos, Favorites, Contacts, Downloads, Links, Searches, Saved Games. Right-click Documents and select Properties.
In the Target tab, set the Setting dropdown to “Basic – Redirect everyone’s folder to the same location.” For Root Path, enter the UNC path to your share: \\FILESERVER\Profiles$. With the “Create a folder for each user under the root path” option selected (which is the default), each user’s Documents folder will be redirected to \\FILESERVER\Profiles$\%USERNAME%\Documents.
On the Settings tab, key options include:
Grant the user exclusive rights to Documents: Check this. It ensures the redirected folder has permissions only for the user and SYSTEM, preventing administrators from browsing user data without explicitly taking ownership. This is required for compliance in many organizations.
Move the contents of Documents to the new location: Check this to migrate existing local profile data to the server during the first GPO application. Leave unchecked if users have large local profiles and you want to start fresh.
Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems: Uncheck this in modern environments (it is a legacy compatibility option).
Repeat the same configuration for Desktop, and optionally for Pictures, Music, and Videos depending on your organization’s requirements.
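To confirm on a client that the policy actually took effect for the logged-on user, the following added example (not from the original article) reads the shell folder locations Folder Redirection writes under the User Shell Folders registry key, checks that each resolves under the expected share root and is reachable, and then lists the most recent entries of the Folder Redirection operational log. It assumes the share root \\FILESERVER\Profiles$ (placeholder) and that Documents, Desktop, and Pictures are redirected with a per-user folder under the root.

```powershell
# Added client-side verification example (not from the original article).
# Assumptions: share root \\FILESERVER\Profiles$ (placeholder); Documents, Desktop
# and Pictures are redirected with a per-user folder under the root.
$ExpectedRoot = "\\FILESERVER\Profiles$\$env:USERNAME"
$KeyPath      = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
# Map the friendly folder name to its registry value name under User Shell Folders.
$Redirected   = @{ Documents = "Personal"; Desktop = "Desktop"; Pictures = "My Pictures" }

function Get-RedirectionStatus {
    $values = Get-ItemProperty -Path $KeyPath
    foreach ($name in $Redirected.Keys) {
        $raw = $values.($Redirected[$name])
        if (-not $raw) { $raw = "" }
        # Values are REG_EXPAND_SZ, so expand %USERPROFILE% and friends before comparing.
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        [PSCustomObject]@{
            Folder     = $name
            Path       = $path
            Redirected = $path.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)
            Reachable  = Test-Path -Path $path
        }
    }
}

Get-RedirectionStatus | Format-Table -AutoSize

# Folder Redirection writes its own operational channel; errors here usually point
# at a permission or path problem on the share rather than at the GPO link.
Get-WinEvent -LogName "Microsoft-Windows-Folder Redirection/Operational" -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

A folder that shows Redirected = True but Reachable = False while the user is on the LAN points at the share ACLs from the previous section rather than at the policy.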
AppData Redirection Considerations
Redirecting AppData (Roaming) deserves special attention. The AppData\Roaming folder contains application settings that are intended to roam with the user. Redirecting it to the server stores those settings centrally but comes with performance implications: some applications generate large amounts of data in AppData\Roaming (browser caches, Outlook OST files, Skype data), which can cause slow logons if this data must sync over the network.
Best practice is to redirect AppData\Roaming only if you have fast, reliable LAN connectivity between clients and the file server. For branch office users on slow WAN links, avoid AppData redirection. Also exclude known large or frequently-changing subfolders using the Offline Files exclusion list.
Do not redirect AppData\Local or AppData\LocalLow; these folders contain machine-specific settings and caches that should not roam. Redirecting them causes application compatibility issues.
Configure folder redirection exclusions to prevent specific subfolders from being redirected. While GPO does not offer per-subfolder exclusions natively, you can use Offline Files policies to exclude specific paths from synchronization:
# In Group Policy, configure Offline Files exclusions:
# Computer Configuration > Policies > Administrative Templates > Network > Offline Files
# "Exclude specific paths from offline availability"
# Add: %APPDATA%\Microsoft\Windows\IECompatCache
# %APPDATA%\Microsoft\Windows\Temporary Internet Files
# %APPDATA%\Google\Chrome\User Data\Default\Cache
Setting Up Roaming Profiles
Roaming Profiles store the user’s entire profile directory on a network share and sync it at logon (download) and logoff (upload). To configure roaming profiles, first prepare a share as described earlier (or use the same Profiles$ share with a separate subfolder).
Assign the roaming profile path to users via Active Directory. In Active Directory Users and Computers (dsa.msc), open a user’s Properties, go to the Profile tab, and set the Profile path:
\\FILESERVER\Profiles$\%USERNAME%
To configure roaming profiles for multiple users simultaneously using PowerShell:
# Requires the ActiveDirectory module (RSAT). The "$" in the share name is literal
# inside the double-quoted string because it is followed by a backslash.
Get-ADUser -Filter {Department -eq "Finance"} | ForEach-Object {
    Set-ADUser -Identity $_ -ProfilePath "\\FILESERVER\Profiles$\$($_.SamAccountName)"
}
You can also configure roaming profiles via Group Policy (which overrides the per-user AD setting) under:
Computer Configuration > Policies > Administrative Templates > System > User Profiles
# Enable "Set roaming profile path for all users logging onto this computer"
# Value: \\FILESERVER\Profiles$\%USERNAME%
This GPO setting applies to all users logging into machines in the OU where the GPO is linked, regardless of their individual AD profile path setting.
Mandatory Profiles
Mandatory profiles are read-only roaming profiles. Changes the user makes during a session (shortcuts, settings) are not saved back to the server at logoff. This is ideal for kiosk or public terminals, shared workstations, or any scenario where you want to ensure users always start with a consistent, known-good profile.
To create a mandatory profile:
# 1. Configure a template user account with the desired profile settings
# 2. Log on as the template user on a test machine, configure settings
# 3. Log off
# 4. Copy the profile to the network share (as an admin):
# Control Panel > System > Advanced System Settings > User Profiles > Copy To
# Set the share path and give "Everyone" Read permission
# 5. Rename NTUSER.DAT to NTUSER.MAN in the profile folder
The rename of NTUSER.DAT to NTUSER.MAN is what makes the profile mandatory. Windows recognizes the .man extension and loads the profile as read-only. Set the user’s profile path to point to this folder (without a username suffix, since all users share the same mandatory profile):
\\FILESERVER\Profiles$\MandatoryProfile
Managing Profile Size
Roaming profiles grow over time. Large profiles cause slow logon and logoff because more data must be synchronized. Implement profile size management through Group Policy:
# Computer Configuration > Policies > Administrative Templates > System > User Profiles
# Enable "Limit profile size"
# Set maximum profile size (e.g., 500000 KB = ~488 MB)
# Enable warning at 75% of limit
# Message to display to users approaching the limit
Also implement folder redirection for Documents, Desktop, and Pictures; this keeps the largest user data folders off the roaming profile, dramatically reducing the amount of data that must sync at logon. A well-configured deployment uses both Folder Redirection (for user data) and Roaming Profiles (for application settings), keeping the roaming profile under 50 MB for most users.
Monitor profile sizes with PowerShell:
# Sum file sizes per user subfolder; -Directory skips stray files at the root and
# -File keeps directory objects (which have no Length) out of the sum.
Get-ChildItem "\\FILESERVER\Profiles$" -Directory | ForEach-Object {
    $size = (Get-ChildItem $_.FullName -Recurse -File -ErrorAction SilentlyContinue | Measure-Object Length -Sum).Sum
    [PSCustomObject]@{
        User   = $_.Name
        SizeMB = [math]::Round($size / 1MB, 2)
    }
} | Sort-Object SizeMB -Descending
User Experience Virtualization and OneDrive Known Folder Move
User Experience Virtualization (UE-V) was Microsoft’s enterprise tool for capturing application settings and syncing them via a central store. While still functional, UE-V has been superseded in Microsoft 365 environments by OneDrive Known Folder Move (KFM), which redirects Desktop, Documents, and Pictures to OneDrive cloud storage rather than an on-premises file server.
OneDrive KFM is configured via Group Policy or Intune. The relevant GPO settings are in:
Computer Configuration > Policies > Administrative Templates > OneDrive
# Enable "Silently move Windows known folders to OneDrive"
# Provide your Azure AD tenant ID
# Enable "Prevent users from redirecting their Windows known folders to their PC"
KFM provides cloud backup, cross-device access, version history, and eliminates the need for an on-premises file server for user data. For hybrid environments, KFM and on-premises folder redirection can coexist, but Microsoft recommends choosing one approach and applying it consistently. For organizations moving toward Microsoft 365, KFM combined with Enterprise State Roaming (for settings sync) is the modern replacement for the traditional Folder Redirection plus Roaming Profiles stack.
Offline Files configuration is still relevant for on-premises folder redirection in environments with intermittent network connectivity. Configure Offline Files via Group Policy to ensure users can access their redirected folders even when disconnected from the corporate network:
# User Configuration > Policies > Administrative Templates > Network > Offline Files
# Enable "Allow or Disallow use of the Offline Files feature" - Enabled
# Enable "Synchronize all offline files when logging on" - Enabled
# Enable "Synchronize all offline files before logging off" - Enabled
With these settings, redirected folders are available offline, and changes are synced when the user reconnects to the corporate network. This provides a seamless experience for laptop users who travel or work from home without requiring a VPN for basic file access.