Re: How do I get roaming profiles to work??




Rene Brehmer <rene@xxxxxxxxxxxxxx> wrote:
> On Tue, 26 Feb 2008 17:40:32 -0500, Lanwench [MVP - Exchange] wrote:
>
>> Rene Brehmer <rene@xxxxxxxxxxxxxx> wrote:
>>> I edited the user templates to link drive U: to
>>> \\server1\userdata\%username%\, but this is not applied to new
>>> users. I've had to manually edit every single user to make this
>>> work. On a couple of new users I've been experimenting with getting
>>> the roaming profile to work, but still have some ways to go. I set
>>> the profile path to \profiles\%username%,
>>
>> No - don't use a path like that (the share doesn't exist, won't, and
>> doesn't need to). Read below....
>
> Actually the share already existed, and had profiles in there for
> users that worked here when the server was originally set up in 2004.

It still wasn't set up properly - you should fix it.

> But anyone added to the system since 2006 has not been set up
> properly on the server this way. We have over 60 GB free, which is
> more than plenty for the type of work we do (we're a hotel; file
> creation in those folders would be minimal, since most data is kept
> in shared folders).
>
> What else do I need to do to get the roaming profiles to work?

Seriously, follow all my steps!

>>> I want it to save desktop settings, Start menu settings, and
>>> whatever other preferences these users change on their user.

>> Here's my boilerplate on roaming profiles. Can't help you now with
>> the user template, but you do not need to map a drive for My
>> Documents or for profiles to work. You should not mix up your user
>> data & your profile paths, and you should not map a drive to the
>> profile share/folder.
>
> I wasn't mapping a drive for My Documents. The U-drive was added as a
> solution to make it easier for people to save important files to the
> server in a private folder, instead of saving volatile files to the
> shared folders (our HR department, for instance, is 1 person, but we
> do not have an HR department folder for the same reason, something I
> want to change, but I have to fight with how things have been done
> for over 8 years).

Understood.

> We don't back up the workstations, only the server, so it is
> important to me to offer all users a way to save their files on the
> server, as none of them appear to understand quite how essential some
> of the data is.

This is what My Documents redirection is for. You can create additional
shares, etc., and map drive letters via a login script - but folder
redirection for My Docs, Application Data, and Desktop is critical if
you're using roaming profiles (and a very good idea even if you aren't).

Someone clearly set this up in a bungled way, and it's impossible for me to
attempt to fix it - all I can suggest is pulling back and setting it up
properly now from start to finish.

>> General tips:
>>
>> 1. Set up a share on the server. For example - d:\profiles, shared as
>> profiles$ to make it hidden from browsing. Make sure this share is
>> *not* set to allow offline files/caching! (that's on by default -
>> disable it)
>>
>> 2. Make sure the share permissions on profiles$ indicate
>> everyone=full control. Set the NTFS security to administrators,
>> system, and users=full control.
>
> d:\profiles already exists. I will have to change the share
> permissions to match your suggestion though. Do I rename the folder
> to include the $ or is that only in the share name??

That's only the share. It's hidden that way.

>> 3. In the users' ADUC properties, specify
>> \\server\profiles$\%username% in the profiles field
>
> I still have some issues figuring out the AD. Found that since the AD
> interface is rather stupidly designed, changing any settings takes
> forever and a day, even for the smallest things. Took me nearly 2
> workdays to figure out how to make it stop turning on the Windows
> firewall after I disabled it.

That's not "the AD" - that's group policy. But you should really leave it
enabled, with exceptions.

>> 4. Have each user log into the domain once from their usual
>> workstation (where their existing profile lives) and log out. The
>> profile is now roaming.
>
> This should not be a problem. Most times, the same people use the same
> computers. There's luckily only 6-7 of them where the roaming profile
> will have to be applied.

It should be applied everywhere, even if it rarely changes :)

>> 5. If you want the administrators group to automatically have
>> permissions to the profiles folders, you'll need to make the
>> appropriate change in group policy. Look in computer
>> configuration/administrative templates/system/user profiles -
>> there's an option to add administrators group to the roaming
>> profiles permissions.
>
> That will not be an issue. Sysadmin (me) can access the folders
> through the server. That is all the outside access that is needed.
> This company is not ready for full-blown paranoid security, but I am
> trying to get them steered in a slightly more secure way of working.
> Too many of them are used to handing out their usernames and
> passwords to everyone that they think may need it, because they don't
> quite understand that nearly all data is on the server, and whoever
> needs to access it can access it. It's an uphill fight trying to
> explain to people that what drive K is on one machine may not be
> drive K on a different one, but could be M, and that's why they can't
> find the files they're looking for when they're trying to help a
> comrade with a project. It's unfortunate that the drive letters
> aren't consistent, but unfortunately making it that way would confuse
> people even more.

Well, the only way to fix that is to use login scripts and consistent drive
letters - period. I totally understand what you're up against - I'd write up
a simple bullet-point doc of what you plan to do, and do it over a weekend,
and make sure you're available the following business morning for training &
tweaking. I've been doing this for years. People *can* learn....you just
need management to give you your head. If you aren't there as a trusted IT
consultant, but a break/fix person, that's another story - but I don't take
work like that, myself, as it's too much of a PITA over time.

>> Notes:
>>
>> * Make sure users understand that they should not log into multiple
>> computers at the same time when they have roaming profiles (unless
>> you make the profiles mandatory by renaming ntuser.dat to ntuser.man
>> so they can't change them). Explain that the last one out wins, when
>> it comes to uploading the final, changed copy of the profile.
>
> In other words, the last machine they log out of has the profile that
> will be applied on the server?
>
>> * Keep your profiles TINY. Via group policy, redirect My Documents
>> at the very least - to a subfolder of the user's home directory or
>> user folder. Also consider redirecting Desktop & Application Data
>> similarly..... so the user will have:
>>
>> \\server\home$\%username%\My Documents,
>> \\server\home$\%username%\Desktop,
>> \\server\home$\%username%\Application Data.
>
> That was actually the reason I have \profiles and \userdata. Profiles
> for Start menu, desktop, and all that stuff, and Userdata for My
> Documents and other files. I do not subscribe to Windows' default
> mess of mixing documents and program settings.

OK - pull back. What in Windows XP does that? Some stupidly written third
party software does that; Windows does not. Users can't even write to
Program Files or to most of the built-in folders.

> It's stupid and impractical, and merely causes people to delete their
> program settings or save files in the middle of Application Data, or
> somewhere in the Start Menu. Having it separate makes it easier to
> back up important stuff, and just dump the rest when needed.

Of course. Please reread how folder redirection works. Application Data is a
profile folder - and it goes in one place. Documents are another folder, and
go in *another* place.


>> Alternatively, just manually re-target My Documents to
>> \\server\home$\%username% (this is not optimal, however!)
>>
>> If you aren't going to also redirect the desktop using policies,
>> tell users that they are not to store any files on the desktop or
>> you will beat them with a stick. Big profile=slow login/logout, and
>> possible profile corruption.
>
> Luckily most only use the Desktop for shortcuts to network drives and
> folders, and very rarely save anything to it, so it is not the biggest
> concern.
>
>> * Note that user profiles are not compatible between different OS
>> versions, even between W2k/XP. Keep all your computers. Keep your
>> workstations as identical as possible - meaning, OS version is the
>> same, SP level is the same, app load is (as much as possible) the
>> same.
>
> All machines are WinXP Pro SP2. Or they will be. We have 1 WinXP
> Home, that may be upgraded to XP Pro, but again, we have an uncertain
> license issue I am still working on rectifying.

It's worth it. Nobody should be using a non-domain-compatible OS - and all
should be on the same OS. But you know that.

>> * Do not let people store any data locally - all data belongs on the
>> server.
>
> How on earth do you prevent that? Considering that I have to give
> people admin rights just to run Outlook, enforcing any kind of
> security is very difficult.

That's incorrect - users do not need admin rights to run *any* MS Office
app, or any properly written app. If your users require this, someone has
badly botched up these workstation installs.

Do not give any user admin rights. You can further restrict their ability to
write to the local hard drive, but if you use redirection, they'd have
to go WAAAY out of their way to try to write to any local disk. Making it
unlikely.

>> * The User Profile Hive Cleanup Utility should be running on all your
>> computers. You can download it here:
>> http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
>
> Was looking for that, but wasn't sure what I was actually looking
> for. Never had to actually set up roaming users on Windows before,

You should use it even if they aren't roaming, IMO.

> been one many times though. Too used to Linux servers, me.

No offense, but I can kind of tell - your biases are showing in this post.
I've been working with this stuff for a gazillion years. It works perfectly
well if you set it up right - and that statement is true of nearly any
platform/operating system :-) If you don't have much experience with
AD/policies, etc., let alone the quixotic nature of SBS, you ought to do
some work on a test system of your own - I've gotten quite a lot of work
from companies who needed me to go in & do cleanup work after someone else
made a hash of it. It sounds like whoever you're replacing didn't know what
they were about, frankly - but you ought to be able to fix it, if you're
careful.

>> Roaming profile & folder redirection article -
>> http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

Best o' luck.
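Added example, not part of the thread above: steps 1, 2, 3 and 5 of the boilerplate (hidden profiles$ share with caching off, share and NTFS permissions, the profile path on the user object, and the "add Administrators to roaming profiles" policy) expressed as a PowerShell script. The thread is about SBS 2003, where these were GUI steps; the SmbShare and ActiveDirectory cmdlets used here need Windows Server 2012 or later with RSAT, so this is the modern equivalent, not what the poster would have typed in 2008. The path D:\profiles and share name profiles$ come from the post; the user jdoe and the registry value name for the step-5 policy (AddAdminGroupToRUP) are assumptions to verify against your own environment. One caveat the post does not state: Users = Full Control on the share root is wider than Microsoft's documented recommendation for a roaming profile root (Users limited to listing and creating folders on the root itself, CREATOR OWNER full control on subfolders and files), so tighten that rule where you can. The final two commands are the check that caching is off and the profile path landed.

```powershell
# Added example: PowerShell equivalent of steps 1-3 and 5 of the roaming
# profile boilerplate above. Requires the SmbShare and ActiveDirectory
# modules (Windows Server 2012+ / RSAT). Run elevated on the file server.
# The user name 'jdoe' and the policy value name are assumptions.

$ProfileRoot = 'D:\profiles'
$ShareName   = 'profiles$'            # trailing $ hides the share from browsing
$Server      = $env:COMPUTERNAME
$User        = 'jdoe'                 # constructed sample account

# Step 1: folder plus hidden share, with offline files/caching disabled
# (the default is to allow caching, which the post says to turn off).
if (-not (Test-Path $ProfileRoot)) {
    New-Item -ItemType Directory -Path $ProfileRoot | Out-Null
}
New-SmbShare -Name $ShareName -Path $ProfileRoot `
             -FullAccess 'Everyone' -CachingMode None | Out-Null

# Step 2: NTFS security on the root exactly as the post describes:
# Administrators, SYSTEM and Users = Full Control. Inheritance from
# D:\ is cut so nothing unintended is inherited onto profile folders.
$acl = Get-Acl -Path $ProfileRoot
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, drop inherited ACEs
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Users') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ProfileRoot -AclObject $acl

# Step 3: profile path on the user object. The literal %username% token is
# expanded at logon, which is why the same string works in a user template.
Set-ADUser -Identity $User -ProfilePath "\\$Server\$ShareName\%username%"

# Step 5 (optional): the "Add the Administrators security group to roaming
# user profiles" policy, written straight into the policy registry key on
# this machine for illustration; in production set it in a GPO applied to
# the workstations. Value name is an assumption; check the policy's Explain tab.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'AddAdminGroupToRUP' -Value 1 -Type DWord

# Check: CachingMode must read None, and ProfilePath must point at the share.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, CachingMode
Get-ADUser -Identity $User -Properties ProfilePath | Select-Object SamAccountName, ProfilePath
```

Step 4 (each user logs on once from the workstation that holds the existing local profile, then logs off) is the one step that cannot be scripted from the server: the upload happens at that logoff, so make sure the user's existing workstation is the first one they use after the path is set.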


