Roaming Profiles set up

dshelly
I'm New!
Posts: 2
Joined: Fri Jan 27, 2017 2:10 pm

Roaming Profiles set up

Postby dshelly » Fri Jan 27, 2017 2:17 pm

Hi,

I was wondering how to set up roaming profiles for 50 staff on the DiskStation DS416 and if this is at all possible. I have read a press release from 2013 saying that a new update means you can now use roaming profiles with Windows. Has anyone set up roaming profiles or know how to do it?

cheers
Damien
Puzzle
Sharp
Posts: 173
Joined: Tue Oct 30, 2012 8:43 am

Re: Roaming Profiles set up

Postby Puzzle » Fri Jan 27, 2017 2:59 pm

Hello dshelly

I assume you are using a Windows Server to manage the roaming profiles, right?
If so, you can just create a share on the DS416 and then provide the UNC to this share in the ActiveDirectory Users and Groups console on the tab "Profile" in the user properties. Create a separate folder for each user and set the appropriate permissions.
To avoid trouble with permissions, I recommend joining your DiskStation to the ActiveDirectory domain.

I hope that answers your question.
dshelly
I'm New!
Posts: 2
Joined: Fri Jan 27, 2017 2:10 pm

Re: Roaming Profiles set up

Postby dshelly » Mon Jan 30, 2017 2:50 pm

Thank you puzzle for replying to me.

I currently don't have roaming profiles set up for each individual staff member. We are all logging in on the same profile, which is the problem. We have an out-of-date Windows server that we now use solely as a printing server; the Synology 4-bay box is the replacement for this. It has a capacity of 500GB, which has reached its capacity. Ideally I would like, going forward, for each staff member to have a roaming profile so they can log onto any PC and be able to draw down their own profile from the DS416.

Thanks again,
Damien
bsharpe
I'm New!
Posts: 1
Joined: Thu Feb 16, 2017 6:23 pm

Re: Roaming Profiles set up

Postby bsharpe » Thu Feb 16, 2017 7:32 pm

Hi!

We just did this.

It took a bit to figure out but once we did it works.

We have AD with Folder Redirection and Roaming Profiles
1: We opened the Synology and updated it to the latest version (installed File Station). Named it NAS10150 (our inventory #); you can name it whatever you like.
2: Joined the Synology to the domain (we have a DS916+).
3: Created a new folder called "Profiles". You can name this whatever you like.
4: Right-clicked Profiles in File Station and selected Properties (on the left-hand side; in the latest update, for some reason, the buttons at the top don't work).

5: Click Advanced Permissions
6: Check Enable Advanced Share Permissions
7: Under "Local Users": Guest - No Access, Admin - Read/Write
Change to Domain Group:
Set the groups you want to have Read/Write access: Domain Users, Enterprise Admins, Domain Admins, T3 Password Reset, etc.
Hit OK

8: Clicked Permission

Permissions are as follows:
Guest - Deny - Check everything
DOMAINNAME\admin Allow Read & Write
DOMAINNAME\bsharpe Allow Read & Write (bsharpe is my profile). It's not required that you set yourself in here if you're using groups correctly; I just do it because if anything ever changes in a group or I'm accidentally removed, I'm not denied permission.

DOMAINNAME\domain admins Allow Read & Write
DOMAINNAME\enterprise admins Allow Read & Write
DOMAINNAME\domain users Custom Read & Write <- Traverse Folders / Execute Files, List Folder / Read Data, Create Folder / Append Data (set "Apply to" to "This Folder")
Owner Allow Full Control
Administrators Allow Read & Write

Now that the folder permissions are set up we can set up the AD / server side.

From your client computer or server you should be able to access it via \\NAS10150\Profiles, or whatever you named your NAS and the folder name. (At this point it's an empty folder.)

First you need to open your AD and find the user profile you want to place on the NAS.

I'm assuming you have the AD role installed on your server, and GPO installed as well.
I'm assuming you created an OU inside the domain's AD, e.g.: AD Users and Computers > domain.org > domain > Users > Bob Hope

We are going to open up Bob Hope's Properties and select Profiles.
\\NAS10150\Profiles\BHope\Profile. To apply to large groups you can use \\NAS10150\Profiles\%username%\Profile and it will automatically put in the profile name.
We want a home folder for easy access for this user: \\NAS10150\Profiles\BSharpe or \\NAS10150\Profiles\%username%, and it will automatically put in the profile name.
You can choose any drive letter you want; we recommend something far down the alphabet so locally connected drives don't conflict. Z is what we used.
Make sure in Member Of the user is part of the user group you assigned in the permissions above. If you want, you can make a new user group for permissions.

Now that the user profile is pointed in the right place we want to make sure the folders follow them from computer to computer without causing too much load time.

So we need to open Group Policy Management
Right Click the OU that your User is listed under.
Select Create a GPO in this domain, and Link it here...
We named ours NAS10150 Folder Redirection; the starter source is "None".
Right Click it and Edit
Set the Below:
User Configuration > Policies > Windows Settings > Folder Redirection

App Data (Roaming): Basic
Path: Redirect to local user profile path
Options check boxes in order from top to bottom: Disabled > Disabled > Enabled > Restore contents

Contacts: Basic - Redirect everyone's folder to the same location
Path: Redirect to local user profile path
Options: Disable > Enabled > Disabled > Restore contents

Desktop: Basic - Redirect everyone's folder to the same location
Create a folder for each user under the root path.
Path: \\NAS10150\Profiles
Options: Disabled > Enabled > Enabled > Restore
Grant user exclusive rights to Desktop Disabled
Move the contents of Desktop to the new location Enabled
Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Enabled

Documents: Basic
REDIRECT TO USER's HOME DIRECTORY
Grant user exclusive rights to Documents Disabled
Move the contents of Documents to the new location Enabled
Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Enabled
Policy Removal Behavior Restore contents

Pictures Follow the documents folder
Music Follow the documents folder
Video Follow the documents folder
Favorites / Contacts / Downloads / Links / searches / saved games ALL Redirect to local userprofile


Now that the profile locations are directed we need to continue to edit the same policy to make sure admins can access these locations and local users can't play with their settings to mess up sync.
User Configuration > Policies > Administrative Templates > Network / offline Files

Prohibit user configuration of Offline Files Disabled (I'm pretty sure best practices says Enabled but my work has some odd managers)
Synchronize all offline files before logging off Enabled


Ideally this should be its own policy!!!! You can make a new one the same way you made this one. It's bad practice to mix USER and COMPUTER policies under a single policy.

Computer Configuration > Policies > Administrative Templates > System/User Profiles
Add the Administrators security group to roaming user profiles Enabled <- Now your admins can access user files!!!!



Close the editor.
Now we need to link it to what it needs to be linked to.
Scope / Links
Location: This is the OU it's under. This should auto-fill the location of the GPO; there is no need to alter this.
Security Filtering: This is where we tell it who or what to apply this GPO to inside the OU.
In our case we have a group for Folder Redirection and Domain Computers. Since we set up this GPO and were lazy, both the computer and user policies are inside the single GPO.
We have Domain Computers and Folder Redirection. You can also use Domain Users, because if you didn't add a Folder Redirection group to your security permissions at the top, the NAS won't allow you to create folders as a USER.


Right Click the policy and set it to ENFORCED



Go to a computer that is already joined to your domain.
Login as the local admin
Open command prompt, doesn't need to be as admin. (cmd)
Type gpupdate /force

When it finishes, type gpresult /r

Under Applied Group Policy Objects you should see the GPO you made.
REBOOT the computer.
Login as a user who is redirected.


Let me know if you have any issues.
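
A read-only check of the share permissions from step 8, as an added example that is not part of bsharpe's post: it confirms that the Domain Users entry on the root applies to "This folder" only and lists any unexpected Allow entry on the per-user folders. NAS10150 and Profiles are the names used in the post; DOMAINNAME, the trusted-identity list and the way the NAS reports identity names over SMB are assumptions to adjust.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
param(
    [string]$Root      = '\\NAS10150\Profiles',       # share path used in the post
    [string]$UserGroup = 'DOMAINNAME\Domain Users',   # group with the custom entry
    # Assumption: identities allowed into every user's folder; adjust to your domain.
    [string[]]$Trusted = @('DOMAINNAME\admin', 'DOMAINNAME\Domain Admins',
                           'DOMAINNAME\Enterprise Admins', 'BUILTIN\Administrators',
                           'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
)

# Rights the post gives Domain Users on the root, plus the attribute-read and
# synchronize bits Windows normally sets alongside them.
$allowed = [System.Security.AccessControl.FileSystemRights](
    'Traverse, ListDirectory, CreateDirectories, ReadAttributes, ' +
    'ReadExtendedAttributes, ReadPermissions, Synchronize')
$findings = @()

# 1) Root: the user group's entry must apply to "This folder" only, with no extra rights.
foreach ($ace in (Get-Acl -LiteralPath $Root).Access) {
    if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $UserGroup) { continue }
    if ($ace.InheritanceFlags -ne 'None') {
        $findings += [pscustomobject]@{ Path = $Root; Identity = $UserGroup
            Issue = "entry inherits to children ($($ace.InheritanceFlags))" }
    }
    $extra = [int]$ace.FileSystemRights -band (-bnot [int]$allowed)
    if ($extra -ne 0) {
        $findings += [pscustomobject]@{ Path = $Root; Identity = $UserGroup
            Issue = "extra rights: $([System.Security.AccessControl.FileSystemRights]$extra)" }
    }
}

# 2) Per-user folders (folder name = logon name, as with %username%): only that user
#    and the trusted identities should hold an Allow entry.
foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
        $id = $ace.IdentityReference.Value
        $isFolderUser = ($id -split '\\')[-1] -eq $dir.Name
        if ($ace.AccessControlType -eq 'Allow' -and -not $isFolderUser -and $Trusted -notcontains $id) {
            $findings += [pscustomobject]@{ Path = $dir.FullName; Identity = $id
                Issue = "unexpected Allow: $($ace.FileSystemRights)" }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

An empty result means the root entry is scoped as in step 8 and no per-user folder grants access to an account outside the trusted list.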
