I've set up roaming profiles (client insists) as per this doc: https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles and it works, but there's something I don't get.
Step 2 - Creating a security group. It seems like a roaming profile should be created for any User that I put in this group regardless of what machine they are accessing, but it doesn't work like that for me. In my environment roaming profiles are only applied if the User AND Computer are added to the security group.
Is there something wrong with my setup, or is this expected behaviour? If expected, why, what am I missing? It seems to me that the policy should apply to any object that is in that group, be it a user or a computer.
Thanks in advance.
You must grant the "Read" rights to your computers; Microsoft says that in Step 4:
Step 4.9:
So, grant the "Apply group policy" and "Read" permissions to the group containing the users, and "Read" to the group containing the computers (it can be "Domain computers", for example, or "Authenticated users", but double-check that you only gave the "Read" permission and not "Apply group policy", otherwise your user-group filtering will be useless).
This is because technically the computer account is used to download the group policy from the domain controllers, even for the "User" part of the GPO (that's why the computers must be able to Read the GPOs even for User settings).
You can read this blog post if you want more details about that: https://docs.microsoft.com/fr-fr/archive/blogs/askds/deploying-group-policy-security-update-ms16-072-kb3163622
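An added example, not part of the answer above or of the Microsoft guide: a PowerShell audit of one GPO's delegation using the GroupPolicy module (`Get-GPPermission`), checking the three conditions the answer describes. The GPO name and user group name are placeholders to replace with your own.

```powershell
# Added example: audit the security filtering of a user-settings GPO.
# The GPO name and user group name are placeholders, not values from the page.
Import-Module GroupPolicy

function Test-GpoFiltering {
    param(
        [string]$GpoName       = 'Roaming User Profiles',   # placeholder GPO name
        [string]$UserGroup     = 'Roaming Profile Users',   # placeholder user group
        [string]$ComputerGroup = 'Domain Computers'         # group holding the computer accounts
    )
    # Permission levels that let a trustee read the GPO.
    $canRead  = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $authSid  = 'S-1-5-11'   # well-known SID of Authenticated Users
    $acl      = @(Get-GPPermission -Name $GpoName -All | Where-Object { -not $_.Denied })
    $findings = @()

    # 1. The user group needs "Apply group policy" (GpoApply, which includes Read).
    $apply = $acl | Where-Object { $_.Trustee.Name -eq $UserGroup -and $_.Permission -eq 'GpoApply' }
    if (-not $apply) {
        $findings += "'$UserGroup' lacks Apply group policy: the GPO will not apply to its members."
    }

    # 2. Computer accounts need Read, through their own group or Authenticated Users.
    $readers = $acl | Where-Object {
        ($_.Trustee.Name -eq $ComputerGroup -or $_.Trustee.Sid.Value -eq $authSid) -and
        ($canRead -contains "$($_.Permission)")
    }
    if (-not $readers) {
        $findings += "No Read for '$ComputerGroup' or Authenticated Users: computers cannot download the GPO."
    }

    # 3. Authenticated Users holding Apply makes the user-group filter useless.
    $broad = $acl | Where-Object { $_.Trustee.Sid.Value -eq $authSid -and $_.Permission -eq 'GpoApply' }
    if ($broad) {
        $findings += 'Authenticated Users has Apply group policy: the GPO applies to everyone, not only the group.'
    }

    if ($findings) { $findings } else { "Filtering on '$GpoName' matches the Read/Apply layout described above." }
}

Test-GpoFiltering

# To grant the missing Read (run deliberately, it changes the GPO's ACL):
# Set-GPPermission -Name 'Roaming User Profiles' -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead
```

Matching Authenticated Users by SID rather than by name keeps the check working on non-English domain controllers.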