Roaming Profiles on Workgroup

I have a question about roaming profile on WORKGROUP. Now, this concept clearly makes sense on a domain setting, but maybe not on workgroup in my opinion, which is why I ask here for clarification.

The reason this concept make sense on domain is that, a domain user account conceptually belongs to the domain, and is not fixed to any particular computer in the domain. In talking about the roaming profile, you also wants the profile to "move" across computer; i.e. not fixed to any particular computer. So they are a perfect match.

But for a workgroup .... Well, say there is a user named "fred", with a LOCAL user account also named "fred" on each of 5 computers on a workgroup. He wants to move among these computers and still use the same profile. How are you going to setup?

Say a remote share \\SERVER\PROFILES has already been created to store roaming profiles.

These 5 "fred" accounts are DIFFERENT (with different SID) even the names are the same. How can the permissions on \\SERVER\PROFILES be set? What about \\SERVER\PROFILES\fred? Would it be necessary to set FIVE set of permissions to each SID of these different "fred" account (which I can make sense anyway)?

Or should I simply create another "fred" user account on SERVER? What happens if I set a password different from those 5 "fred" accounts and then I log on?

What if now "fred" wants to move to a sixth computer? Any adjustment needed on the permissions of \\SERVER\PROFILES\fred?

I ask these questions because in my notes (for 70-210 exam) and various places on the Internet, LOCAL accounts are used. I guess it means roaming profiles can be used even on workgroup ...

Thanks for your help guys!

Who is Participating?
to answer your question simply, NO you cannot set up roaming profiles.  -- plain and simple. (like stardust already said)

if you create a workgroup server which gives access to a bunch of different local account "freds", this is still not romaing profiles, this is a huge headache.  

Roaming profiles can't be used on workgroups simple because for roaming profile you need a central location where everyone have access to store their profiles. In workgroups, it's not possible, because you can't give access to someone from other computer on your own computers. The computers don't know each other.
The only thing you can do is give access to the 'Everyone' group, and I'm sure you don't want to do that.

Local accounts are used alot, question is in what context they are used?
GatingAuthor Commented:
Thanks for the reply. The context of "Local accounts" is the creation of roaming profiles as discussed in my notes. I'll paraphrase from my notes:

    1. Log on as Administrator to the LOCAL machine. (Hint 1)
    2. Create a network share PROFILES on a remote computer SERVER.
    3. In Administrative Tools, select Computer Management. Expand System Tools and
        Expand Local Users and Groups (Hint 2). Create a new user "fred".
    4. Right-click the user and choose the "Profile" Tab. In the "Profile path" box, enter the
        path \\SERVER\PROFILES\%username%.


The point is that my notes creates roaming profiles on LOCAL user accounts ... Is it trying to use roaming profiles on workgroups (which I don't feel right)?

Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

and what are the permissions on \\SERVER\PROFILES\%username%?
As you say, it is posssible to use roaming profiles, but it is going to be a complete pain in the neck to administer.

You will have to manually keep the usernames and passwords in sync on all machines, (server and workstations)
You will have to manually create a new user and configure that user to use a roaming profile on every new workstation.

As soon as you start to think about implementing these things, setting up a domain begins to look extremely attractive - more pain in the short term, but long term no contest.

GatingAuthor Commented:
To stardust126:

\\Server\Profiles\%username% does not exist yet because I am testing it for a new user. Besides, for a new user, this folder is supposed to be created when the user logon and logoff the first time (hopefully --- right?).

For the sake of argument, say the user account is "fred" and the computer "CLIENT" is used to logon.

\\SERVER\Profiles has "full control" share and NTFS permissions for everyone.

I logon as "fred" on CLIENT. An error message was displayed about insufficient permissions to access the folder \\SERVER\Profiles\fred. I checked the subfolder "fred" was NOT created under \\SERVER\Profiles.

It turned out I must create "fred" account on SERVER. Then I created such account. The error message was "improved" to be about "improper permissions on the folder \\SERVER\Profiles\fred".

Now the subfolder "fred" was indeed created under \\SERVER\Profiles, but the ownership was very weird: it was not owned by SERVER\fred, but by CLIENT\fred. Of course, local accounts are not visible to remote computers, so it was not displayed as CLIENT\fred, but as the SID of CLIENT\fred.

I changed the owner to SERVER\Administrators group and grant SERVER\fred full control rights. Then things were OK.

With domain environment and with domain user account, things worked like a breeze - there was no error messages; no ownership or permissions needed to be "corrected".

There are "workarounds" of course - e.g. to create \\SERVER\Profiles\fred and setup permissions in advance. But my gut feeling says it is not the way to go - maybe roaming profiles do not make sense for workgroups?
GatingAuthor Commented:
BTW, I need to know not because I am going to implement roaming profiles, but because I am revising MCSE and my notes are doing it in a Workgroup environment. This is conceptually problematic. (If the notes get it wrong, I will have troubles ......)

GatingAuthor Commented:
Does Microsoft say anything on this subject?

If not, then I will conclude:

swinterborn recommended strongly a domain environment, but did not completely defy workgroups.

stardust126 said NO, internetsavant said a very definite NO.

If there are no more response, I am going to assign 40 to each of stardust126 and internetsavant; 20 to swinterborn, unless somebody can point out a Microsoft article on this matter. So I'll wait for one day or two.

Thanks a lot guys!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.