Tag: SMB Share

Configure Roaming Profiles for Active Directory User Accounts

A roaming profile follows the user across machines - sign into PC-A, then PC-B, and the same desktop, files, and app settings appear. Five-step setup on Windows Server 2022: AD security group (Roaming Profiles Users), hidden SMB share (profiles$ with access-based enumeration and a custom ACL granting only Create-Folders to the security group on This folder only), user profile path attribute set to \\\profiles$\%username%, GPO 'Add the Administrators security group to roaming user profiles' linked to the client OU (must be in place BEFORE first roaming logon - not retroactive), then verify on a Windows 10/11 client (gpupdate, sign in, drop a Test folder on the desktop, sign out / in, browse the share, confirm sysdm.cpl reports profile Type: Roaming). Includes the .V6 profile-version suffix explainer (different OSes get separate folders), the logon/logoff lifecycle, and the seven common pitfalls (path-before-share trap, forgotten Admins GPO, caching-on-the-share, mixed-OS .V6 collisions, profile bloat without limits).

Automatically Map a Network Drive by Group Membership with Group Policy

The classic 'net use' line in a logon script stalled the desktop, did not scale to multiple departments, and was painful to clean up when someone changed teams. Group Policy Preferences Drive Maps + item-level targeting replaces all of it: declarative, parallel, and scoped to AD group membership. This article walks the full workflow - create the security group in dsa.msc, share the folder with matching share + NTFS ACLs, create and link a GPO to the user OU, add a Drive Maps preference (Action: Create, Reconnect: yes, Drive Letter: S, Label as: Sales Group), then move the membership check off the OU link and onto the preference itself via Common - Item-level targeting - Security Group - User in group. Verifies with gpresult and Get-PSDrive on a domain-joined client. Includes the common pitfalls (linking to the computer OU, skipping share permissions, picking a domain-local group, forgetting the User-in-group vs Computer-in-group choice).