Archive for Roaming Profiles

Setting up a Mandatory Roaming Profile on 2008 R2

Roaming

What is a Mandatory Roaming Profile?

A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded. There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles.

User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) on the server to NTuser.man. The .man extension causes the user profile to be a read-only profile.

User profiles become super-mandatory when the folder name of the profile path ends in .man; for example, \\server\share\mandatoryprofile.man\.

Super-mandatory user profiles are similar to normal mandatory profiles, with the exception that users who have super-mandatory profiles cannot log on when the server that stores the mandatory profile is unavailable. Users with normal mandatory profiles can log on with the locally cached copy of the mandatory profile.

Only system administrators can make changes to mandatory user profiles.

This has advantages and disadvantages

Advantages

  • Since mandatory profiles are read-only, a single mandatory profile can be used for large groups of users. Storage requirements are minimal – a single mandatory profile is kept on the file servers instead of thousands of roaming profiles.
  • Users cannot interfere with a mandatory profile. As soon as they log off and back on, everything is reset to its original created state.
  • Because a mandatory profile can be used for large groups of users, very few mandatory profiles are needed. This makes manual customization possible. Adding a link here and changing a registry value there poses no problems at all. Compare this to thousands of roaming profiles – carefully fine tuning each profile is out of the question for the huge amount of work involved.
  • Mandatory profiles must not contain user-specific data. That makes them very small. As a result, logons are fast, since the amount of data that needs to be copied over the network is negligible.

Disadvantages

  • Users like to customize their own work environment in some way or another. These customizations are stored in the user profile. With mandatory profiles, any changes are discarded upon logoff. This tends to annoy users who have saved work only to find it gone on their next logon. With some education (save to the home drive or a redirected folder, never into the profile) this becomes a business process that everyone should adhere to.
  • Mandatory profiles are difficult to create. Although the process looks pretty straightforward at first, it is hard to get exactly right. Do not underestimate the amount of tuning required.

Instructions on setting up a Mandatory Roaming Profile

  1. Create a folder called Profiles on one of your servers
  2. Right click on the folder and select Properties
  3. Click Sharing > Advanced Sharing
  4. Put a tick in Share this folder

Roaming1

  • Click Permissions, remove the Everyone group, then add Authenticated Users with Read and Administrators with Full Control. Users only ever need to read a mandatory profile; nothing is written back at logoff, so do not give them anything more.

Roaming2

  • Click OK and click Security to set the NTFS Permissions on the folder
  • System should have Full Control
  • Administrators should have Full Control
  • Authenticated Users should have Read and Execute

Roaming4

  • Inside the Profiles folder, create a folder that will hold the mandatory profile itself (see below). The folder name needs .v2 on the end, because Windows Vista, Windows 7 and Windows Server 2008 R2 use version 2 profiles and look for a folder with that suffix, while the path you configure later in Group Policy is written without it.

Roaming5

  • Create a new user account in Active Directory for building the profile. I called mine Mandatory
  • Add the security groups you need for this account

Roaming3

  • Next, log on to an RD Session Host with the Mandatory account and configure the necessary customisations. For example, put shortcuts on the desktop, pin applications to the Start menu, open applications and configure their settings, etc.
  • When you have finished customising then you will need to log off
  • Next log on with a different Administrator account
  • Click Start > Right click on My Computer and select Properties. Select Advanced System Settings
  • Click Settings under User Profiles

Roaming6

  • You will then see your profiles. I have left my mandatory one highlighted for visibility.
  • Then I encountered a problem. It turns out that in Windows Server 2008 R2 and Windows 7, Microsoft has disabled the “Copy To” button on the User Profiles screen for every profile except Default. The knowledge base article below explains why: the supported way to hand out a customised profile is the CopyProfile setting in a Sysprep answer file, which only ever targets the Default profile. Carry on for now; you can read this later as well.
  • http://support.microsoft.com/kb/973289

Roaming7

  • I have found a way to get round this by using a piece of software called Windows Enabler, a third-party utility that re-enables greyed-out controls. You will need to download and extract this to the server where the profile is. It should look like the screenprint below. Bear in mind that this is an unsupported workaround and that the tool runs with administrative rights on your file server: get it from a source you trust, verify the download against whatever hash or signature the publisher provides, and delete it once the copy is done.

Roaming8

  • Right click on Windows Enabler and select Run as Administrator
  • Once you have started the Windows Enabler application you will notice a new icon in the system tray.
  • Make sure you click on it once to enable the application. You will see a small message appear on the icon when you have enabled it
  • Click Start > Run and type sysdm.cpl

Roaming10

  • Navigate to the Advanced tab | User profiles | Settings
  • Click on the desired profile and you will notice that ‘Copy To‘ button is disabled
  • Click on the Copy To button and you will notice it will become enabled
  • Click Copy To and the following box will pop up

Roaming11

  • Click Browse and browse or type the location where you set up the folder share \\server\profiles\mandatory.v2
  • Click on Permitted to use > Change and select Everyone

Roaming12

  • A message will come up as per the screenprint below

Roaming13

  • If it errors after this message then the account you are using to copy the profile does not have write access to the \\server\profiles\mandatory.v2 folder
  • When it has copied, have a look at the share and check you have all your user profile folders there. Also check the NTFS permissions on mandatory.v2: Copy To applies the “Permitted to use” principal to the destination, so Everyone may now have Full Control of the folder. If so, reset it to inherit from Profiles so that users end up with Read and Execute only. A writable shared profile lets any user drop a file into the Desktop or Start Menu that every other user of that profile will pick up at their next logon.

Roaming14

  • Next you need to look for a file called NTUSER.DAT in the profile folder
  • It is hidden, so you may need to open Folder Options, select Show hidden files, folders, and drives and untick Hide protected operating system files

Roaming15

  • You will then see it in the Profile folder

Roaming16

  • Leave this for now and go Start > Run > regedit and highlight HKEY_LOCAL_MACHINE

Roaming20

  • Click File > Load Hive > Select ntuser.dat

Roaming21

  • In the Key Name box type a name for the mounted hive; I used mandatory

Roaming22

  • You will see the profile as per below screenprint

Roaming23

  • Right click on the mandatory key and select Permissions

Roaming24

  • Add Domain Admins with Full Control
  • Add Authenticated Users with Full Control
  • For both, tick Replace all child object permissions with inheritable permissions from this object, so that every subkey picks up the new ACL instead of the per-user permissions copied over from the account that built the profile
  • Authenticated Users need Full Control on the hive because it is loaded into HKEY_USERS under each user's own token at logon. This does not let users alter the profile on the server: the .man extension and the Read-only NTFS permissions on the folder are what stop changes being written back
  • See screenprint below

Roaming26

  • Now we need to unload the hive. Highlight the mandatory key and go to File > Unload Hive. The file stays locked while it is loaded, so the rename in the next step will fail until this is done

Roaming27

  • Now go back to your mandatory profile folder and we need to rename ntuser.dat to ntuser.man. When you have renamed it, it should look like the below (ntuser.man)

Roaming17

  • Next, delete the Local and LocalLow folders from the AppData folder if they exist. They hold per-machine data that never roams and are not needed
  • Next we need to configure a Group Policy to enable the mandatory profile for Remote Desktop Services
  • Open up GPMC
  • Create a new GPO and attach it to your Terminal Server/RDS OU
  • Add the RDS Servers into the scope along with Authenticated Users
  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles > Use Mandatory Profiles on the RD Session Host Server
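The regedit, rename and clean-up steps above as one PowerShell script, run elevated on the file server that hosts the share. This is an added example and not part of the original post. It assumes the profile was copied to D:\Profiles\mandatory.v2 (the local path behind \\server\profiles), the domain CONTOSO and the mount name mandatory; change those three values to match your environment. As a final check it also resets the folder ACL so that no ordinary user can write to the shared profile.

```powershell
# Added example, not from the original post. Run as an administrator on the file server.
# Assumptions: local path of the copied profile, domain name, and the hive mount name.
$ProfileDir = 'D:\Profiles\mandatory.v2'
$Domain     = 'CONTOSO'
$MountName  = 'mandatory'

$HiveFile = Join-Path $ProfileDir 'NTUSER.DAT'
if (-not (Test-Path -LiteralPath $HiveFile)) { throw "No NTUSER.DAT under $ProfileDir" }

# 1. Load the hive under HKLM (File > Load Hive in regedit). Loading from the file
#    server's local disk avoids the problems remote hive loading can have.
& reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $Root = "HKLM:\$MountName"

    # 2. Domain Admins and Authenticated Users: Full Control, inherited by every subkey.
    $acl = Get-Acl -Path $Root
    foreach ($principal in "$Domain\Domain Admins", 'NT AUTHORITY\Authenticated Users') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $principal, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $Root -AclObject $acl

    # 3. "Replace all child object permissions": each subkey inherits from the root and
    #    loses the explicit ACEs it carried over from the account that built the profile.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $keyPath = $_.PSPath
        try {
            $subAcl = Get-Acl -Path $keyPath
            $subAcl.SetAccessRuleProtection($false, $false)
            foreach ($ace in @($subAcl.Access | Where-Object { -not $_.IsInherited })) {
                [void]$subAcl.RemoveAccessRule($ace)
            }
            Set-Acl -Path $keyPath -AclObject $subAcl
        } catch {
            Write-Warning "Could not reset ACL on ${keyPath}: $_"
        }
    }
}
finally {
    # 4. Unload (File > Unload Hive). Release any handles Get-Acl left open first,
    #    otherwise the unload fails with access denied.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed ($LASTEXITCODE); retry before renaming" }
}

# 5. NTUSER.DAT -> NTUSER.MAN is what makes the hive read-only to the profile loader.
Rename-Item -Path $HiveFile -NewName 'NTUSER.MAN' -Force

# 6. Local and LocalLow never roam; remove them from the master copy.
foreach ($sub in 'AppData\Local', 'AppData\LocalLow') {
    Remove-Item -LiteralPath (Join-Path $ProfileDir $sub) -Recurse -Force -ErrorAction SilentlyContinue
}

# 7. Copy To may have left Everyone with Full Control on the folder. Reset the whole tree
#    to inherit from Profiles (Administrators/SYSTEM Full, Authenticated Users Read & Execute)
#    so that no ordinary user can change the profile that every user receives.
& icacls.exe $ProfileDir /reset /T /C | Out-Null
& icacls.exe $ProfileDir
```

The last icacls call prints the resulting ACL; the only non-administrative entry should be Authenticated Users with inherited read and execute rights.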

Roaming19

  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles >Set Path for Remote Desktop Services Roaming User Profile > Enabled
  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles >Set Path for Remote Desktop Services Roaming User Profile > \\servername\profiles\mandatory (Do not include the .v2 on the end of the profile folder name)

Roaming31

  • You now need to run gpupdate /force on the Terminal/RDS servers to refresh Group Policy (these are Computer Configuration settings, so it is the session hosts that have to pick them up; running it on the Domain Controller does nothing for this policy)
  • Now test by logging on to an RDS server. You will be able to save a document into My Documents, but log off and back on again and you will find it has gone
  • If you go Start > Run > sysdm.cpl > Advanced > User Profiles > Settings and check the user profile you logged on with (in my case Eskimo1), you should see that the type of profile is now Mandatory

Roaming29

  • Congratulations. You have set up a Mandatory Roaming Profile 🙂
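A way to confirm the result without clicking through sysdm.cpl, added here as an example that is not part of the original post. It reads the Win32_UserProfile WMI class on the session host, whose Status value is a bit mask (1 = temporary, 2 = roaming, 4 = mandatory, 8 = corrupted). The host name RDSH01, the test user Eskimo1 and the share path are assumptions.

```powershell
# Added example, not from the original post. Assumed names: RDSH01, Eskimo1, \\server\profiles.
function Get-ProfileKind {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-WmiObject -Class Win32_UserProfile -ComputerName $ComputerName |
        Where-Object { -not $_.Special } |            # skip SYSTEM, LOCAL SERVICE, NETWORK SERVICE
        ForEach-Object {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
            $name = $_.SID
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

            # Status is a bit mask, so more than one flag can be set at once.
            $kind = @()
            if ($_.Status -band 1) { $kind += 'Temporary' }
            if ($_.Status -band 2) { $kind += 'Roaming' }
            if ($_.Status -band 4) { $kind += 'Mandatory' }
            if ($_.Status -band 8) { $kind += 'Corrupted' }
            if (-not $kind)        { $kind = @('Local') }

            New-Object PSObject -Property @{
                User        = $name
                Kind        = ($kind -join ',')
                RoamingPath = $_.RoamingPath
                LocalPath   = $_.LocalPath
                Loaded      = $_.Loaded
            }
        }
}

# Sanity checks on the share itself: the hive must be .man and Local must be gone.
Test-Path -LiteralPath '\\server\profiles\mandatory.v2\NTUSER.MAN'      # expect True
Test-Path -LiteralPath '\\server\profiles\mandatory.v2\AppData\Local'   # expect False

# After a test logon. A correctly applied profile shows Kind = Mandatory (or
# Roaming,Mandatory) with RoamingPath on the share. Temporary means the hive could not
# be loaded; permissions on the folder or hive, or a missing .v2 folder, are the usual causes.
Get-ProfileKind -ComputerName 'RDSH01' |
    Where-Object { $_.User -like '*\Eskimo1' } |
    Format-List User, Kind, RoamingPath, LocalPath, Loaded

# On the session host itself: the Remote Desktop Services policy values the GPO wrote,
# for comparison with what was configured in GPMC above.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue |
    Format-List *
```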

Roaming Profiles and Redirecting Folders on Windows Server 2008 R2 Terminal Servers

redirect

What is a Roaming Profile?

A roaming user profile is user data, stored in a specific folder structure, to follow users as they log on to and log off from different computers. Roaming user profiles are stored on a central server location. At log on, Windows copies the user profile from the central location to the local computer. When the user logs off, Windows copies changed user profile data from the client computer to the central storage location. This ensures that the client data follows users as they roam the environment.

Roaming user profiles solve part of the roaming problem, but they also create added concerns. User profiles can increase in size, some as large as 20 megabytes or more. This increase causes delays in user logons, because it takes time for Windows to copy the information to the local computer. Another concern with roaming user profiles is that they are saved only at logoff. Therefore, when a user logs on to one computer and changes data within their profile, the changes remain local until the user logs off, making real-time access to user data challenging in a roaming user environment. Folder Redirection reduces some of these problems.

Folder Redirection

Folder Redirection is a client side technology that provides an ability to change the target location of predetermined folders found within the user profile. This redirection is transparent to the user and gives the user a consistent way of saving their data, regardless of its storage location. Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

Folder Redirection helps with the slow logon and missing data problems, because the Application Data, Desktop, My Documents, My Pictures and Start Menu folders can all be redirected out of the profile on Windows XP/Vista/7.

Windows XP Profile Folder Locations

* These directories are hidden by default. To see these directories, change the View Options.

XPLocation2

Windows 7 Profile Folder Locations

  • The biggest change is the location of the profiles themselves – the user profiles are now located under c:\users\<username> instead of c:\documents and settings\<username>
  • AppData – This is now a combination of c:\documents and settings\<username>\application data\ and c:\documents and settings\<username>\local settings\ – this folder contains three folders: “Local”, “LocalLow” and “Roaming”. Only Roaming travels with a roaming profile

7Location2

Setting up a Profile and Home Directory Folder Requirements

Note: Profiles and Home Directories can be on the same server

  • A Profile Server
  • A Home Directory Server

Instructions

When setting up the file server you need to be sure that the permissions on the folder are set up so that a user can create a new folder, but can only see into their own folder afterwards.

Note: When creating the Share, it is Best Practice to add a $ sign to the end of the Share name, which keeps it out of the browse list for regular users. This is convenience rather than security: anyone who knows or guesses the name can still connect, so the share and NTFS permissions below are what actually control access.

  • Create a new folder and call it Profiles

profile folder

  • Click the Sharing tab and then click Advanced Sharing then click Permissions
  • Make sure the Everyone Group has Full Control (the NTFS permissions below are what actually restrict who can see what; if you prefer a tighter share ACL, Administrators with Full Control and Authenticated Users with Change also works, as noted further down)
  • Make sure the Administrators Group has Full Control; you may have a differently named admin group, so add it as necessary
  • Make sure the SYSTEM account has Full Control

permissions

  • Click OK
  • Click on the Security tab and select Advanced, then Change Permissions
  • Untick “Include inheritable permissions from this object’s parent” and remove all existing permissions, so the folder neither inherits nor carries over anything from the volume
  • Make sure your permissions look like the screenprint below and conform to the following:
  • Add the file server’s local Administrators group with Full Control of This Folder, Subfolders, and Files.
  • Add the Domain Admins domain security group with Full Control of This Folder, Subfolders, and Files.
  • Add the System account with Full Control of This Folder, Subfolders, and Files.
  • Add CREATOR OWNER with Full Control of Subfolders and Files only. This is what gives each user full control of the folder Windows creates for them, and of nothing else.
  • Add the Authenticated Users group with List Folder/Read Data and Create Folders/Append Data, This Folder Only. Users can therefore create their own folder but cannot open anyone else’s. The Authenticated Users group can be replaced with the desired group, but do not use the Everyone group, as a best practice.

The share permissions of the folder can be configured to grant administrators Full Control and authenticated users Change permissions.

perms2

  • After you configure the share and security permissions, click on the Sharing tab, then the “Caching” button, and select “No files or programs from the shared folder are available offline”, then press OK, OK and Close. Microsoft recommends turning caching off on profile shares so that Offline Files and roaming profile synchronisation do not fight over the same data.

caching

  • Next do exactly the same to create a shared folder for the Home Directory folder
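The share and NTFS permissions above as one function, using the tools that ship with Windows Server 2008 R2 (icacls and net share). This is an added example and not part of the original post. It assumes the data lives on D:, the share names Profiles$ and Home$, and the domain CONTOSO; it implements the tighter share ACL the text mentions (Authenticated Users Change, Administrators Full Control) rather than Everyone Full Control.

```powershell
# Added example, not from the original post. Assumptions: volume D:, share names, domain.
function New-UserDataShare {
    param(
        [Parameter(Mandatory=$true)][string]$Path,       # e.g. D:\Profiles
        [Parameter(Mandatory=$true)][string]$ShareName,  # e.g. Profiles$ (the $ only hides it from browsing)
        [string]$Domain = $env:USERDOMAIN
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # NTFS. /inheritance:r drops every inherited ACE (on a fresh folder that is all of
    # them); /grant:r then sets exactly the rights listed in the steps above.
    #   (OI)(CI)     = this folder, subfolders and files
    #   (OI)(CI)(IO) = subfolders and files only (inherit-only, not the folder itself)
    #   no flags     = this folder only
    #   RD = List folder / Read data, AD = Create folders / Append data
    & icacls.exe $Path /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' `
        "$Domain\Domain Admins:(OI)(CI)F" `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        'CREATOR OWNER:(OI)(CI)(IO)F' `
        'NT AUTHORITY\Authenticated Users:(RD,AD)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit $LASTEXITCODE)" }

    # Share. Authenticated Users Change and Administrators Full Control; /CACHE:None is
    # the "No files or programs from the shared folder are available offline" option.
    & net.exe share "$ShareName=$Path" `
        '/GRANT:Authenticated Users,CHANGE' `
        '/GRANT:Administrators,FULL' `
        '/CACHE:None' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $ShareName (exit $LASTEXITCODE)" }

    # Show what was actually applied so it can be compared with the screenprints.
    & icacls.exe $Path
    & net.exe share $ShareName
}

New-UserDataShare -Path 'D:\Profiles' -ShareName 'Profiles$'
New-UserDataShare -Path 'D:\Home'     -ShareName 'Home$'
```

The function is idempotent on the NTFS side (it always ends with the same five ACEs) but net share will fail if the share already exists; remove it with net share Profiles$ /DELETE first when re-running.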

Setting up a User account with a Profile Path Remote Desktop Profile Path and Home Directory

NOTE: This can be controlled by Group Policy but do it manually while you test a user

NOTE: I had to put the same path in both the Profile Path and the Remote Desktop Services Profile Path to get the full roaming profile on my folders

  • You configure the profile location for a user on the Profile or Remote Desktop Services Profile tab within Active Directory Users and Computers. Type a UNC path to where Windows should create the user profile. The screenshots below give an example of a user account configured with a profile path and a Remote Desktop Services profile path
  • The folder redirection client side extension can only expand two environment variables: %username% and %userprofile%. Others such as %logonserver%, %homedrive% and %homepath% will not work in a folder redirection target path.

profiles2

  • And also add the same for the Remote Desktop Services Profile (Note this can be controlled by Group Policy as detailed at the end of this document. For now, I’ve just added it in manually so you can see where it is)

rdprofile
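The same settings made from PowerShell instead of the ADUC tabs, added here as an example that is not part of the original post. The Profile tab maps to Set-ADUser; the Remote Desktop Services tab has no cmdlet parameter, because those values are packed into the userParameters attribute and are reached through the IADsTSUserEx interface via ADSI. The test account Eskimo1 is the post's; the file server name, share names, drive letter and the domain CONTOSO are assumptions.

```powershell
# Added example, not from the original post. Requires the RSAT Active Directory module.
Import-Module ActiveDirectory

$User        = 'Eskimo1'                 # the post's test account
$Domain      = 'CONTOSO'                 # assumption
$ProfileRoot = '\\fileserver\profiles$'  # assumption
$HomeRoot    = '\\fileserver\home$'      # assumption
$HomeDrive   = 'H:'                      # assumption

# Profile tab. Do not add .v2: Windows 7 / 2008 R2 append it themselves, and the
# CREATOR OWNER ACE on the share gives the user Full Control of the folder it creates.
Set-ADUser -Identity $User `
    -ProfilePath   "$ProfileRoot\$User" `
    -HomeDirectory "$HomeRoot\$User" `
    -HomeDrive     $HomeDrive

# Unlike the ADUC dialog, Set-ADUser does not create the home folder. Create it and grant
# the user Full Control explicitly: created by an administrator, CREATOR OWNER would
# otherwise resolve to the administrator rather than to the user.
$homePath = "$HomeRoot\$User"
if (-not (Test-Path -LiteralPath $homePath)) { New-Item -ItemType Directory -Path $homePath | Out-Null }
& icacls.exe $homePath /grant "$Domain\${User}:(OI)(CI)F" | Out-Null

# Remote Desktop Services Profile tab, via IADsTSUserEx.
$dn   = (Get-ADUser -Identity $User).DistinguishedName
$adsi = [ADSI]"LDAP://$dn"
$adsi.psbase.InvokeSet('TerminalServicesProfileP ath'.Replace(' ', ''), "$ProfileRoot\$User")
$adsi.psbase.InvokeSet('TerminalServicesHomeDirectory', "$HomeRoot\$User")
$adsi.psbase.InvokeSet('TerminalServicesHomeDrive',     $HomeDrive)
$adsi.SetInfo()

# Read both back; the two profile paths must match, as the note above says.
Get-ADUser -Identity $User -Properties ProfilePath, HomeDirectory, HomeDrive |
    Format-List SamAccountName, ProfilePath, HomeDirectory, HomeDrive
'TerminalServicesProfilePath', 'TerminalServicesHomeDirectory', 'TerminalServicesHomeDrive' |
    ForEach-Object { '{0,-32} {1}' -f $_, $adsi.psbase.InvokeGet($_) }
```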

Setting up Group Policy for re-directing User Profile folders

  • Click Start, point to Programs, click Administrative Tools, and then click Group Policy Management
  • In the console tree, right-click the domain or the OU to which the policy should apply and select Create a GPO in this domain, and Link it here
  • Type the name to use for the GPO, for example Roaming Profile GPO, and click OK
  • Expand the OU so you can see the new policy, right-click it and choose Edit to open the Group Policy Management Editor
  • In the editor, expand User Configuration, Policies, Windows Settings, and Folder Redirection. Icons for the personal folders that can be redirected will be displayed

gpfolders1

  • Right click on AppData (Roaming) and select Properties
  • There are 3 settings to choose from –  Not Configured, Basic Redirection and Advanced Redirection

Basic Redirection and Advanced Redirection are available to all folders listed in the snap-in. You use basic redirection when you store the selected folder in the Group Policy object on the same share for all users. You use Advanced Redirection when you want to redirect the selected folder to a different location based on a security group membership of the user. For example, you would use Advanced Folder Redirection when you want to redirect folders belonging to the Accounting group to the Finance server and folders belonging to the Sales group to the Marketing server

  • Choose Basic – Redirect everyone’s folder to the same location
  • Choose Create a folder for each user under the root path
  • Type the root path to the shared folder

appdatar

  • Click Settings
  • Untick Grant the User Exclusive rights to AppData(Roaming)

If you leave “Grant the user exclusive rights to …” ticked, then when the folder is first created Windows blocks inheritance on it and grants access to the user alone. This locks out even administrators, which makes administration of these folders very difficult. If an administrator did need to get at these files they would have to take ownership, and then reset the permissions so that the user could still reach their own files. Note that the setting only acts when the folder is created: unticking it later does not change the ACL on folders that already exist.

gpappdatasettings

  • Tick “Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems” only if you still have clients running those operating systems
  • For Policy Removal it is generally recommended to leave the folder in the new location when the policy is removed
  • The Pictures, Music and Videos properties pages provide an additional option, as seen in the screenprint below: Follow the Documents folder

gppictures

  • When it comes to the My Documents/Documents folder there are several options again
  • Note: Unlike Windows 2000, you do not need to type in the %username% variable. The folder redirection code will automatically create a My Documents folder for each user, inside a folder based on their user name. For example, type \\FolderServer\MyDocumentsFolders rather than \\FolderServer\MyDocumentsFolders\%username% as you would on Windows 2000.

docsnew1

  • Click the Settings Tab
  • By default, administrators do not have permissions to users’ redirected folders. If you need to get into the users’ folders, go to the “Settings” tab and untick “Grant the user exclusive rights to …” on each folder that is redirected. This lets administrators enter the redirected folders without taking ownership of the folders and files.

docsnew2
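A check for the lockout described above, added here as an example that is not part of the original post: it walks a redirection or home share and reports folders created while “Grant the user exclusive rights” was still ticked (inheritance blocked, no Administrators entry, or an ACL administrators cannot even read), and can optionally repair them. It assumes the share root \\fileserver\home$, the domain CONTOSO, and that each folder is named after its user, which is what Basic redirection with “Create a folder for each user” produces.

```powershell
# Added example, not from the original post. Run as an administrator on the file server.
function Get-ExclusiveUserFolders {
    param(
        [Parameter(Mandatory=$true)][string]$Root,
        [string]$Domain = $env:USERDOMAIN,
        [switch]$Fix
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_
        $acl = $null
        try { $acl = Get-Acl -Path $folder.FullName } catch { }   # no READ_CONTROL: we are locked out

        if ($acl -eq $null) {
            $blocked = $true; $adminsFull = $false; $owner = '(unreadable)'
        } else {
            $owner   = $acl.Owner
            $blocked = $acl.AreAccessRulesProtected
            $adminsFull = [bool]($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $full) -eq $full)
            })
        }
        $exclusive = $blocked -and -not $adminsFull

        if ($Fix -and $exclusive) {
            $user = "$Domain\$($folder.Name)"   # assumption: folder name == sAMAccountName
            # Take ownership (SeTakeOwnershipPrivilege), re-enable inheritance so the
            # Administrators/SYSTEM/Domain Admins ACEs flow down from the share root, then
            # hand ownership back: NTFS quotas are charged to the owner, and the user's own
            # explicit Full Control ACE is left untouched throughout.
            & takeown.exe /F $folder.FullName /A /R /D Y | Out-Null
            & icacls.exe  $folder.FullName /inheritance:e /T /C | Out-Null
            & icacls.exe  $folder.FullName /setowner $user /T /C | Out-Null
            $exclusive = $false
        }

        New-Object PSObject -Property @{
            Folder             = $folder.FullName
            Owner              = $owner
            InheritanceBlocked = $blocked
            AdminsHaveFull     = $adminsFull
            Exclusive          = $exclusive
        }
    }
}

# Report only:
Get-ExclusiveUserFolders -Root '\\fileserver\home$' |
    Format-Table Folder, Owner, InheritanceBlocked, AdminsHaveFull, Exclusive -AutoSize
# Report and repair:
# Get-ExclusiveUserFolders -Root '\\fileserver\home$' -Domain 'CONTOSO' -Fix
```

Run the report first and look at the Owner column: a folder whose owner is not the user it is named after has already been through a manual take-ownership, and quotas for that user will be undercounted until ownership is handed back.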

  • Note: If you already have a shared home folder as we set up earlier, it is best not to select Redirect to the Users Home Directory. See Link below for more info

http://support.microsoft.com/kb/321805

gpdocuments_homedir

  • Go through all the rest of the folders you want to redirect
  • Finish

When you enable folder redirection for users for the first time, you will find the logon very slow: you are in effect copying the contents of all the user’s personal folders across the network to the server, and you can imagine the effect if this happens for many users at the same time as they log on. Before applying this policy to an OU containing hundreds of users, it is worth creating a new OU and migrating a few users at a time. That also makes troubleshooting easier, without thousands of helpdesk calls about profiles.

You can enable Access-based Enumeration on these shares so that users only see the folders they have permission to open, which is worthwhile on a share with one folder per user. However, if there are going to be a lot of user folders on any one share you could see degraded performance, because the server has to evaluate the ACL of every entry for every directory listing. Enabling ABE on a share does come at a price in performance.

Other Group Policy Settings

  • Setting the same Roaming Profile path for all users logging on

Navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles and enable the “Set roaming profile path for all users logging onto this computer” and configure the path to the shared folder for profiles.

gp1

  • Add the Administrators Security Group to roaming user profiles

Navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles and enable the “Add the Administrators Security Group to roaming user profiles”

gp2

  • Set Path for the Remote Desktop Services Roaming User Profile

Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles

rdgp

  • Set Remote Desktop Services User Home Directory

Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles

rdhome2

  • Background upload of a roaming profile’s registry while user is logged on

Navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles > Background upload of a roaming profile’s registry while user is logged on

sync

  • User Group Policy loopback processing mode

Navigate to Computer Configuration > Policies > Administrative Templates > System > Group Policy and set User Group Policy loopback processing mode to Replace. This makes the user settings in the GPOs linked to the RDS servers’ OU (for example the folder redirection above) apply to whoever logs on to those servers, instead of the user settings from the users’ own OU.

loopback

Quotas

Quotas on Profile and Home Directories can be controlled to stop them growing large. Please see the following Blog post for details on setting this up

http://www.electricmonk.org.uk/?s=quota

Issues

  • If you set the Group Policy Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles > Set Remote Desktop Services User Home Directory as per below

gpo

and

gpo2

  • You will get a folder mapped which is actually \\server\homedrive\%username%.%domain%
  • The username-only folder, which is what you actually want mapped rather than the username.domain folder, is created just after the username.domain folder; this is when the folder redirection policy runs. Folder redirection creates the username directory and you will see the redirected folders underneath it. If you try redirecting to %username%.%userdomain% instead, redirection starts to misbehave.

What can you do?

  • You could live with the fact that your \\server\homedrive\%username% folder is holding the redirected folders and
  • You could live with the fact that your \\server\homedrive\%username%.%domain% folder is the official GPO-created TS home folder
  • Alternatively, do not set this policy at all. Leave it Not Configured and set the home drive on the user’s AD profile as per below
  • Then it is set up correctly and you’ll see all your redirected folders in there as well.

gpo3


User Profiles and configuring Roaming Profiles

Introduction:

This blog post contains a high-level overview of different types of profiles, considerations for choosing a profile solution for your deployment, highlights of new profile features in Windows Server 2008 R2, and a best practices recommendation for deploying roaming user profiles with folder redirection in a Remote Desktop Services environment.

Terminology

Below are some basic definitions for background understanding of different types of profiles and folder redirection.

Local user profiles

A local user profile is created the first time a user logs on to a computer. The profile is stored on the computer’s local hard disk. Changes made to the local user profile are specific to the user and to the computer on which the changes are made.

Roaming user profiles

A roaming user profile is a copy of the local profile that is copied to, and stored on, a server share. This profile is downloaded to each computer a user logs onto on a network. Changes made to a roaming user profile are synchronized with the server copy of the profile when the user logs off. The advantage of roaming user profiles is that users do not need to create a profile on each computer they use on a network.

Mandatory user profiles

A mandatory user profile is a type of profile that administrators can use to specify settings for users. Only system administrators can make changes to mandatory user profiles. Changes made by users to desktop settings are lost when the user logs off. Mandatory profiles can be created from roaming or local profiles.

Temporary User Profiles

A temporary user profile is issued each time an error condition prevents the user’s profile from loading. Temporary profiles are deleted at the end of each session, and changes made by the user to desktop settings and files are lost when the user logs off. Temporary profiles are only available on computers running Windows 2000 and later.

Folder Redirection

Folder redirection is a client-side technology that provides the ability to change the target location of predetermined folders found within the user profile. This redirection is transparent to the user and gives the user a consistent way of saving their data, regardless of its storage location. Folder redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times because Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

There are two primary benefits to Folder Redirection as it applies to profile data:

  1. When used with roaming profiles, it can significantly reduce the size of the portable profile data carried around by users for logon/logoff. Since these folders are redirected to network shares, you trade local I/O impact for network/remote I/O impact. This can be very helpful on disk-constrained deployments.
  2. Using Folder Redirection with mandatory profiles allows users to have some control/persistence of customization such as application configuration settings (AppData) or IE Favorites.

Useful Links

  • Managing Roaming User Data Deployment Guide

http://go.microsoft.com/fwlink/?LinkId=73760

  • User Profiles on Windows Server 2008 R2 Remote Desktop Services

http://blogs.msdn.com/b/rds/archive/2009/06/02/user-profiles-on-windows-server-2008-r2-remote-desktop-services.aspx