Re: Roaming Profiles and ICF

In news:73BC9091-DC6A-41FE-8908-BFBE055BD9EC@xxxxxxxxxxxxx,
jilltre <jilltre@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
I didn't see anything in your replies that indicated a different path
to try, or a suggestion as to what may be wrong...

Ah, but surely that doesn't mean your path was the right one, though, does
it? :-)

OK - that said:

* check for event log errors on the clients
* check permissions everywhere
* try downloading & installing the User Profile Hive Cleanup Utility (free
from MS)
* see whether the problem is entirely reproducible on other clients

Here's my boilerplate on roaming profiles:

1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is not set
to allow offline files/caching!
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field
4. Have each user log into the domain once from their usual workstation
(where their existing profile lives) and log out. The profile is now
roaming.
5. If you want the administrators group to automatically have permissions to
the profiles folders, you'll need to make the appropriate change in group
policy. Look in computer configuration/administrative templates/system/logon -
there's an option to add administrators group to the roaming profiles
permissions.

Notes:

* Make sure users understand that they should never log into multiple
computers at the same time when they have roaming profiles (unless you make
the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't
change them). Explain that the last one out wins, when it comes to uploading
the final, changed copy of the profile.

* Keep your profiles TINY. Redirect My Documents
to a subfolder of each user's home directory on the server - either via
group policy (folder redirection) or manually (less advisable). If you
aren't going to also redirect the desktop using policies, tell people that
they are not to store any files on the desktop or you will beat them with a
stick. Big profile=slow login/logout, and possible profile corruption.

* Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.

* Do not let people store any data locally - all data belongs on the server.







In news:78495113-C257-4A34-A4EA-F601AC886792@xxxxxxxxxxxxx,
jilltre <jilltre@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Thanks for the reply. I did find out that it is the individual user
computers that have the ICF enabled via a group policy.

Right.

It cannot be
disabled via the user,

Well - you can log in as an account with local admin rights and stop
the underlying Windows service as a test.

but through the group policy.. I found this
article:

Right, but again, this is *not relevant* - the windows firewall on
the client workstations is *not* the cause of your profile problem.


http://www.windowsecurity.com/articles/customizing-Windows-Firewall.html

It gives the instructions I need to change the policy... I'm just
waiting for permissions from the head honchos to do this...

No - don't. It is not the cause of your problem.

Since we are already behind two firewalls (ISP and our SonicWall), I
don't see the need to have this enabled on the users' computers...

Worms/trojans/whatnot can easily get onto your computers from one
sales guy plugging in his laptop. I would leave the firewall enabled.

especially if they want roaming profiles.

Again, this is not the source of your problem. Something else is
wrong. You need to pull back and start looking at this with fresh
eyes, as it were....I don't think you've really been reading my
replies fully. :)



j



In news:24396720-BFA5-4458-BDA2-5C8E4A64EDD5@xxxxxxxxxxxxx,
jilltre <jilltre@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Okay, more information... it appears it's not the server that I
need to disable the ICF but the computer where the original
profile is located... in this case, mine.

Hmm. No, the Windows firewall protects inbound traffic only. Do you
even have the Windows firewall on your server? I don't....and
wouldn't. If you do, disable it - either use ISA or an
Internet-facing firewall or both.

When I try to disable the ICF, it is grayed out.. so, there is a
group policy enforcing the ICF to be turned on... where in the
group policy mgmt list do I disable this?

The workstations don't need to have the firewall disabled for this
purpose.



Thanks for the info... I'm going by what this article states:

KB832850

it shows the error message I am receiving, and the resolution is
disable the ICF...

I am using SBS, so maybe it's slightly different from
winServ2k3...

--
jilltre


"Lanwench [MVP - Exchange]" wrote:



In news:CA752041-859A-41EF-AF35-BB9A5940FEA0@xxxxxxxxxxxxx,
jilltre <jilltre@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
I know this is a loaded question. I've got some users (vice
president of company) who would like to have roaming
profiles... but, the known issue is that if the ICF is turned
on, the profiles cannot be saved to the server...

If I have a firewall at the ISP level, and we also have our own
firewall (SonicWall), is ICF needed? I know that Microsoft has
to not recommend turning it off, but what are the opinions out
there? Is it really too risky to turn it off for this one
function?


I'm not sure what's going on on your network, but I use roaming
profiles, and I have the Windows firewall enabled on all
workstations, and it works fine.
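
The share checklist in the roaming-profile boilerplate above (steps 1 and 2), turned into an audit script. This is an added example, not part of the original thread. It assumes Windows Server 2012 or later, where the SmbShare cmdlets exist, and uses the post's example share name `profiles$`; the group names in `$ExpectedNtfs` are assumptions about how the post's "administrators, system, and users" resolve on the server.

```powershell
# Added example: compare a roaming-profile share with the checklist in the post.
# Assumptions: SmbShare module is available; share name and group names below
# are illustrative defaults, adjust them to the server being checked.
param(
    [string]$ShareName = 'profiles$',
    [string[]]$ExpectedNtfs = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Users')
)

$findings = @()
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Step 1: offline files/caching must be off on the profile share.
if ($share.CachingMode -ne 'None') {
    $findings += "Caching is '$($share.CachingMode)'; expected 'None'"
}

# Step 2 (share level): Everyone = Full Control.
$everyone = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
if (-not $everyone -or $everyone.AccessRight -ne 'Full') {
    $findings += 'Share permission is not Everyone = Full'
}

# Step 2 (NTFS level): each expected group holds FullControl on the share root.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl  = Get-Acl -Path $share.Path
foreach ($id in $ExpectedNtfs) {
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $id -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    if (-not $hit) { $findings += "NTFS: $id lacks FullControl on $($share.Path)" }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    "Share '$ShareName' matches the checklist."
}
```

Run it on the file server from an elevated prompt; it only reads the share and ACL settings and changes nothing.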

