Re: How do I get roaming profiles to work??
- From: Rene Brehmer <rene@xxxxxxxxxxxxxx>
- Date: Tue, 26 Feb 2008 17:22:14 -0700
On Tue, 26 Feb 2008 17:40:32 -0500, Lanwench [MVP - Exchange] wrote:
Rene Brehmer <rene@xxxxxxxxxxxxxx> wrote:
I edited the user templates to link drive U: to
\\server1\userdata\%username%\, but this is not applied to new users.
I've had to manually edit every single user to make this work. On a
couple new users I've been experimenting getting the roaming profile
to work, but still have some ways to go. I set the profile path to
\profiles\%username%,
No - don't use a path like that (the share doesn't exist, won't, and doesn't
need to). Read below....
Actually the share already existed, and had profiles in there for users
that worked here when the server was originally set up in 2004. But anyone
added to the system since 2006 has not been set up properly on the server
this way. We have over 60 GB free, which is more than plenty for the type
of work we do (we're a hotel, file creation in those folders would be
minimal, since most data is kept in shared folders).
What else do I need to do to get the roaming profiles to work? I want
it to save desktop settings, start menu settings, and whatever else
preferences these users change on their user.
Here's my boilerplate on roaming profiles. Can't help you now with the user
template, but you do not need to map a drive for My Documents or for
profiles to work. You should not mix up your user data & your profile paths,
and you should not map a drive to the profile share/folder.
I wasn't mapping a drive for My Documents. The U-drive was added as a
solution to make it easier for people to save important files to the server
in a private folder, instead of saving volatile files to the shared folders
(our HR department for instance is 1 person, but we do not have a HR
department folder for the same reason, something I want to change, but I
have to fight with how things have been done for over 8 years). We don't
backup the workstations, only the server, so it is important to me to offer
all users a way to save their files on the server, as none of them appear
to understand quite how essential some of the data is.
General tips:
1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is *not* set
to allow offline files/caching! (that's on by default - disable it)
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
d:\profiles already exist. I will have to change the share permissions to
match your suggestion though. Do I rename the folder to include the $ or is
that only in the share name??
3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field
I still have some issues figuring out the AD. Found that since the AD
interface is rather stupidly designed, changing any settings takes forever
and a day, even for the smallest things. Took me nearly 2 workdays to
figure out how to make it stop turning on the Windows firewall after I
disabled it.
4. Have each user log into the domain once from their usual workstation
(where their existing profile lives) and log out. The profile is now
roaming.
This should not be a problem. Most times, same people use the same
computers. There's luckily only 6-7 of them where the roaming profile will
have to be applied.
5. If you want the administrators group to automatically have permissions to
the profiles folders, you'll need to make the appropriate change in group
policy. Look in computer configuration/administrative templates/system/user
profiles - there's an option to add administrators group to the roaming
profiles permissions.
That will not be an issue. Sysadmin (me) can access the folders through the
server. That is all the outside access that is needed. This company is not
ready for full-blown paranoid security, but I am trying to get them steered
in a slightly more secure way of working. Too many of them are used to
handing out their usernames and passwords to everyone that they think may
need it, because they don't quite understand that nearly all data is on the
server, and whoever needs to access it can access it. It's an uphill fight
trying to explain to people that what drive K is on one machine may not be
drive K on a different one, but could be M, and that's why they can't find
the files they're looking for when they're trying to help a comrade with a
project. It's unfortunate that the drive letters aren't consistent, but
unfortunately making it that way would confuse people even more.
Notes:
* Make sure users understand that they should not log into multiple
computers at the same time when they have roaming profiles (unless you make
the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't
change them). Explain that the last one out wins, when it comes to
uploading the final, changed copy of the profile.
In other words, the last machine they log out of has the profile that will
be applied on the server?
* Keep your profiles TINY. Via group policy, redirect My Documents at the
very least - to a subfolder of the user's home directory or user folder.
Also consider redirecting Desktop & Application Data similarly..... so the
user will have:
\\server\home$\%username%\My Documents,
\\server\home$\%username%\Desktop,
\\server\home$\%username%\Application Data.
That was actually the reason I have \profiles and \userdata. Profiles for
start menu, desktop, and all that stuff, and Userdata for my documents and
other files. I do not prescribe to Windows' default mess of mixing
documents and program settings. It's stupid and unpractical, and merely
causes people to delete their program settings or save files in the middle
of Application Data, or somewhere in the Start Menu. Having it separate makes
it easier to back up important stuff, and just dump the rest when needed.
Alternatively, just manually re-target My Documents to
\\server\home$\%username% (this is not optimal, however!)
If you aren't going to also redirect the desktop using policies, tell users
that they are not to store any files on the desktop or you will beat them
with a stick. Big profile=slow login/logout, and possible profile corruption.
Luckily most only use the Desktop for shortcuts to network drives and
folders, and very rarely save anything to it, so it is not the biggest
concern.
* Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.
All machines are WinXP Pro SP2. Or they will be. We have 1 WinXP Home, that
may be upgraded to XP Pro, but again, we have an uncertain license issue I
am still working on rectifying.
* Do not let people store any data locally - all data belongs on the server.
How on earth do you prevent that? Considering that I have to give people
admin rights just to run Outlook, enforcing any kind of security is very
difficult.
* The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
Was looking for that, but wasn't sure what I was actually looking for.
Never had to actually set up roaming users on Windows before, been one many
times though. Too used to Linux servers, me.
Roaming profile & folder redirection article -.
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html
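
The share setup and profile path from tips 1 to 3 above, as an added PowerShell example that is not part of the original messages. It assumes a current Windows Server with the SmbShare and ActiveDirectory modules (not the SBS 2003 tooling of the thread); the server name and account names are placeholders.

```powershell
# Added example, not from the thread. Run elevated on the file server.
Import-Module SmbShare, ActiveDirectory

$Folder = 'D:\profiles'      # the folder keeps its plain name
$Share  = 'profiles$'        # only the share name carries the trailing $
$Server = 'server'           # placeholder file server name
$Users  = 'jdoe', 'asmith'   # constructed sample accounts

# Tip 1: hidden share with offline files/caching switched off.
if (-not (Test-Path $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}
if (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue) {
    # Share already exists: only correct the caching mode.
    Set-SmbShare -Name $Share -CachingMode None -Force
} else {
    New-SmbShare -Name $Share -Path $Folder -CachingMode None | Out-Null
}

# Tip 2: share permission Everyone = Full Control ...
Grant-SmbShareAccess -Name $Share -AccountName 'Everyone' `
    -AccessRight Full -Force | Out-Null
# ... and NTFS Full Control for Administrators, SYSTEM and Users,
# inherited by subfolders (CI) and files (OI).
icacls $Folder /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)F' | Out-Null

# Tip 3: profile path per user. The ADUC dialog expands %username% when
# you type it; Set-ADUser stores the string literally, so the account
# name is written out here instead.
foreach ($sam in $Users) {
    Set-ADUser -Identity $sam -ProfilePath "\\$Server\$Share\$sam"
}

# Read the settings back to confirm what was applied.
Get-SmbShare -Name $Share | Select-Object Name, Path, CachingMode
Get-SmbShareAccess -Name $Share | Select-Object AccountName, AccessRight
foreach ($sam in $Users) {
    Get-ADUser -Identity $sam -Properties ProfilePath |
        Select-Object SamAccountName, ProfilePath
}
```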