SolutionBase: Working with roaming profiles and Folder Redirection
One of the nice things about the Windows XP operating system (and some of the other previous Windows operating systems) is the way that it allows each user to maintain their own individual settings. If multiple users share a PC, each user can have their own wallpaper, screen saver, desktop, etc. without interfering with anything that other users might have set up. Windows accomplishes this feat by maintaining a separate profile for each user.
Although profiles do a great job of allowing each user to treat the PC as if it was their own, there is one major problem with them. By default, profiles do not follow users from one machine to another. This means that if a user goes to use a different machine, they will have a totally different experience from what they are used to. Profiles can help solve this problem, but they can be a nightmare when users jump from machine to machine. Here’s how you can make them work using Windows Server 2003’s Folder Redirection feature.
Why are roaming profiles a pain?
The reason why this is a problem is because a user’s profile contains much more than just the user’s cosmetic preferences. A profile also contains application configuration data. For example, Microsoft Outlook doesn’t just automatically know where to find a user’s mailbox; it must be configured. Since each user uses a different mailbox, there isn’t one global configuration that can be applied to Outlook. Each user’s individual configuration information for Outlook is therefore stored within the user’s profile.
Obviously, this means that if a user decided to use a different PC, then Outlook won’t work, and there will probably be a few other things missing such as icons, Start menu items, and Internet Explorer favorites. However, if you work in an office in which everyone has their own PC, this might not even be a concern because there is no reason for users to be using someone else’s PC.
In a perfect world, that might be true, but keep in mind that PCs do occasionally malfunction. Imagine for a moment that a user is in the middle of a critical project and their PC malfunctions. They would probably end up having to borrow someone else’s PC while you fix their PC. If the borrowed PC isn’t set up for the user though, you may find yourself having to configure the PC for the user before you can even start trying to fix the malfunctioning computer. This means a lot of extra work for you.
Now, let’s look at another reason why local profiles might be an issue for you. Suppose that a user’s hard disk goes out. The user isn’t working on anything important at the moment, so they can take the rest of the afternoon off while you replace the damaged hard drive. As you replace the drive, you think to yourself how easy this job is going to be. You can use your RIS server to reload the operating system and applications for you. Since the user’s documents are all stored on the network, there is nothing for you to restore. However, the next day, the user comes back, logs on to their PC, and asks you “Where’s all my stuff?” The computer is no longer displaying the user’s custom desktop, and the user’s shortcuts and Internet Explorer favorites are all missing.
The problem is that all of the files related to the things that are missing were stored locally. This means that those files were lost when the user’s hard drive failed. Since most companies do not back up workstations, there is no way of getting the user’s configuration back. It will be up to the user to recreate anything that was lost, and it will be up to you to reconfigure the user’s applications. You’ve now got that job ahead of you and you’ve got an upset user on your hands.
All of these problems could be prevented if you took advantage of the roaming profiles and folder redirection features offered by Windows Server 2003. The basic idea behind this concept is that the user’s profiles are stored on the server. This means that the user will have the same profile regardless of where they log on. It also means that you can back up all of the files that make up the user’s profile.
It’s actually very easy to implement roaming profiles. Before I show you how to set up roaming profiles though, there are some issues that you need to be aware of. If you just blindly enable roaming profiles, you can cause some serious performance and availability problems for your users. Just to make sure that we are all on the same page, I want to start out by talking about what exactly is contained within a user’s profile.
How Windows handles profiles
Different versions of Windows handle profiles slightly differently, but in Windows XP Professional, user profiles are stored within the C:\Documents and Settings folder. The C:\Documents and Settings folder contains subfolders for every user who has ever logged into the machine. For example, on the workstation that I am using to write this article, there are folders named Administrator.Production, Administrator.Stewie, Brien, and All Users. There are also hidden folders named Default User, LocalService, and NetworkService. The three hidden folders are used by applications and services to interact with the operating system. They are beyond the scope of this article, but I wanted to at least mention their existence.
OK, so what about the visible folders? The All Users folder contains profile elements that apply to anyone who logs into this machine. The Brien folder contains the profile for my user account. There are two Administrator folders: Administrator.Production and Administrator.Stewie. Production is the name of the domain that the workstation is connected to and Stewie is the name of the local machine (named after one of the characters on the cartoon Family Guy).
Windows treats a local user and a domain user as two completely separate user accounts, even if they have the same name, and therefore maintains completely separate profiles for them. You will notice that the folder named Brien does not contain an extension. This folder contains a profile for a domain user named Brien, but no extension is necessary because there isn’t a local user with the same name.
I should also point out that there are certain disaster recovery situations in which you may have to install a fresh copy of Windows. When this happens, Windows won’t overwrite existing profiles, but it won’t re-use them either. Instead, Windows will add yet another extension. For example, if the Administrator.Production folder already existed, but Windows had to be reloaded from scratch, then the next time that the Administrator from the Production domain logged on, Windows would create a profile folder named Administrator.Production.000. In a situation like this, you could actually restore the user’s original profile by copying all of the files from Administrator.Production to Administrator.Production.000.
Now that you know how the naming conventions work for profile folders, let’s talk about the folder’s contents. Normally, a profile folder contains about a dozen subfolders and at least three files. Most of the folders are pretty self-explanatory. For example, the Cookies folder contains Internet Explorer cookies. The Application Data folder stores user-specific configuration information related to applications. However, the Local Settings folder also contains its own Application Data folder.
Aside from that, the most important folders within a profile folder are My Documents, Desktop, and Start Menu, which store the profile owner’s documents, desktop settings, and Start menu configurations respectively. There are several other folders used by profiles, but they are fairly self-explanatory, and you won’t have to do anything with these folders as a part of any of the techniques that I will be showing you.
As you can see, there are a lot of different components that make up a user profile. Profiles include a user’s application data, documents, cookies, desktop, favorites, recently opened document list, network neighborhood list, network printer list, send to option list, and templates. The reason why I am telling you this is because after you enable roaming profiles, all of these profile components will have to be copied to the network. It wouldn’t be so bad if the information only had to be copied once, but usually, everything that I named has to be copied every time that a user logs in or out.
The first time that a user logs on after roaming profiles have been enabled, Windows has to copy the local profile to the designated spot on the network. After that, every time the user logs on, the entire profile is copied from the network server to the user’s local hard disk. The user then works off of the local copy of the profile throughout the duration of their session. When the user logs off, the local profile (including any changes that have been made to it) is copied to the network. This might not sound so bad, but keep in mind that users’ profiles can be huge. Just the My Documents folder alone can easily be several hundred megs in size. I have personally seen several instances in which a user’s profile was so large that it took over an hour for the user to log on or off because so many files had to be copied.
The easiest way to get around this problem is to use folder redirection. The idea behind folder redirection is that you can tell Windows that certain parts of the user’s profile should remain on the server rather than being copied each time that the user logs on or off. This drastically reduces the amount of time that it takes users with large profiles to log on or off.
Windows allows you to individually select which folders you want to redirect, but the folders that are most often redirected are My Documents, Application Data, Desktop, and Start Menu.
In a few moments I’ll show you how to enable roaming profiles and folder redirection. Before I do though, there are a few caveats that I want to talk about. The first issue that you might encounter has to do with the user having limited functionality on a machine. Technically, a user should be able to log into any PC and have the exact same experience. However, I have seen a few situations in which the user’s experience won’t be quite right unless the user has been configured to be a power user on the machine. For example, the user’s wallpaper might not display, or the user’s screen saver might not work.
This behavior is the exception rather than the rule. If you do run into this type of behavior though, you can fix the problem by opening the Control Panel and clicking the User Accounts link. You can then add the user’s domain account to Windows and make the user a member of the Power Users group.
Another issue that sometimes causes a roaming profile to not act quite right is when the profile references a local file that exists somewhere other than the profile directory. For example, if a user were to create a wallpaper file and then place the file into the C:\Windows folder, the profile would reference the wallpaper file, but would not actually include the wallpaper file. That means that if the user were to log onto a different machine, the profile would be unable to load the user’s wallpaper because the wallpaper file does not exist on the local machine or within the user’s profile.
One last issue that I want to discuss is availability. Earlier I explained that it was a good idea to store profiles on a server because it allows you to back the profiles up each night. However, if the server containing the profiles were to go down, it can cause some problems for the users.
If the server containing the profiles were to fail, the users would still be able to log in and may even be able to use their own profile because Windows XP maintains a cached copy of the profile. This cached copy would be available for the user’s use assuming that they had previously logged into the workstation. The users would just not be able to save changes to the profile since the profile server is down.
I have gotten around this particular issue by placing the user profiles and redirected folders onto a DFS root. The reason for this is that you can create multiple replicas of a DFS root. This means that you can have copies of profiles and redirected folders on multiple servers. When everything is functioning properly, the multiple replicas help to balance the workload. If a DFS server goes down though, the remaining replicas can pick up the slack. Having multiple DFS replicas also allows you to take a replica offline for maintenance without disrupting the users.
Configuring roaming profiles
The basic technique behind creating a roaming profile involves creating a shared folder on the server, creating a folder for the user within the share, and then defining the user’s profile location through the group policy.
Begin the process by creating a folder named PROFILES on one of your file servers. You must then share the folder. I recommend setting the share level permissions to grant Everyone Full Control. You should then grant Everyone Read permissions to the folder at the NTFS level.
At this point, you will want to create a folder for each user. The folder name should match the user name. For example, if you have a user with a username of Brien, you’d create a folder named \PROFILES\Brien. Once you have created a user’s folder, grant Full Control to the user who the folder will belong to and to the domain administrator. You must then block permissions from being inherited from the parent object. Otherwise, everyone will have read access to the folder. In most situations, this will take care of the necessary permissions. However, I have seen at least one network in which the backup software was unable to back up the user’s profile directories until the backup program’s service account was granted access to each user’s folder. That is the exception rather than the rule though.
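A check for the permissions described above, as an added example that is not part of the original article: it audits each folder under the profile share for inheritance that was never blocked and for allow entries beyond the folder's user and the administrator. The share path and domain reuse the article's example names; treating "the domain administrator" as the Domain Admins group, the `$AlsoAllowed` parameter (for something like the backup service account), and running from a machine with PowerShell 3.0 or later are assumptions.

```powershell
# Added example: audit per-user folders under the PROFILES share.
param(
    [string]$ProfileRoot   = '\\Tazmania\PROFILES',        # article's example share
    [string]$Domain        = 'PRODUCTION',                 # article's example domain
    [string]$AdminIdentity = 'PRODUCTION\Domain Admins',   # assumption, see lead-in
    [string[]]$AlsoAllowed = @()                           # e.g. a backup service account
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-ProfileFolderAcl {
    param([System.IO.DirectoryInfo]$Folder)

    $acl      = Get-Acl -LiteralPath $Folder.FullName
    $user     = "$Domain\$($Folder.Name)"    # folder name matches the user name
    $expected = @($user, $AdminIdentity) + $AlsoAllowed
    $findings = @()

    # Inheritance must be blocked, or Everyone:Read flows down from PROFILES.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'permissions are still inherited from the parent folder'
    }

    # Any allow entry for an identity outside the expected set is a finding.
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    foreach ($rule in $allow) {
        $id = $rule.IdentityReference.Value
        if ($expected -notcontains $id) {
            $findings += "unexpected allow entry: $id ($($rule.FileSystemRights))"
        }
    }

    # The folder's user should hold Full Control on their own folder.
    $userFull = $allow | Where-Object {
        $_.IdentityReference.Value -eq $user -and
        ($_.FileSystemRights -band $fullControl) -eq $fullControl
    }
    if (-not $userFull) { $findings += "$user does not have Full Control" }

    [pscustomobject]@{
        Folder    = $Folder.FullName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Test-ProfileFolderAcl -Folder $_ } |
    Sort-Object Compliant | Format-Table -AutoSize -Wrap
```

Non-compliant folders sort to the top of the table; a folder that still inherits from PROFILES is the case the article warns gives everyone read access.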
Once you have created the necessary folders and defined the appropriate permissions, it’s time to redirect the user’s profile. To do so, open the Active Directory Users and Computers console, right click on a user account, and select the Properties command from the resulting shortcut menu. When you do, you will see the user’s properties sheet. Next, select the properties sheet’s Profile tab. Enter the user’s profile path as:
For example, if you created a share named PROFILES on a server named Tazmania, then the path to Brien’s profile should be \\Tazmania\PROFILES\Brien. Click OK and then the user’s profile will be roaming starting with the next login.
After you enable roaming profiles, you will want to redirect the more heavily used folders. You will have to create a separate share on your file server to handle the redirected folders. On my server, I created a folder named USERS (and shared the folder as USERS), but you can call the folder anything that you want. Just make sure to assign Everyone Full Control at the share level.
Once you have created the necessary folder, open the Group Policy Editor and navigate to User Settings | Windows Settings | Folder Redirection. The group policy requires you to redirect each of the four folders separately, but the procedure for doing so is the same for each folder. Set the folder’s Setting option to Basic–Redirect Everyone’s Folder To The Same Location. Next, select the Create A Folder For Each User Under The Root Path option from the Target Folder Location drop down list. Finally, enter your root path in the place provided. For example, on my test server the root path is \\TAZMANIA\USERS.
After you configure folder redirection, Windows will automatically create a folder for each user beneath the USERS folder. Windows will also assign the necessary permissions to each dynamically created folder.
As you can see, profiles are a handy way of storing data, but they can be problematic if users tend to move from machine to machine. With a little bit of work and some help from Windows Server 2003’s Folder Redirection feature you can configure profiles to follow your users around the network as they switch from machine to machine.