Hey there everyone!
Over last summer we completed a rollout of Windows 7 across our school, which went generally pretty well. As part of this rollout, we made quite a few changes to user accounts, which is one of the few things we are still struggling with.
A little bit about the current setup. We have separate DFS “User” shares for students and staff, with each user having their own directory. We use folder redirection to store Documents (inc Music, Pictures and Videos), Favourites, Desktop and Roaming AppData directories separately within these user shares, with user home folders also pointing to the Documents directory. Students and staff both have non-mandatory profiles.
In addition to folder redirection, we apply a number of Group Policy settings to configure and secure user accounts. Some of these are policies that we implemented from the start and some of these are policies that we have implemented since then. Some of the more notable policies:
• Exclude directories in Roaming Profile - Local Settings;Temporary Internet Files;History;Temp
• Do not log users on with temporary profiles (enable)
• Allow or Disallow use of the Offline Files feature (disable)
• The folder redirection policies are set to not grant users exclusive rights to directories, to not move contents to new location and to leave contents on policy removal.
Now, this set works a treat for staff. Roaming profile directories remain small, login times are fast, applications work across workstations without faults and folder redirection seems to stick with users. However, it’s far less reliable for students, who seem to experience the following issues:
• Folder redirection seems to drop and stay dropped for a small, but not insignificant number of students. The Documents/Downloads/Roaming AppData/Favourites/Desktop directories (or some combination thereof) on student accounts reset and point to the local profile. Upon logoff, these sync back to the Roaming Profile share.
• Local and LocalLow AppData directories seem to be syncing back to some student roaming profile directories, despite them being excluded from doing so in GP. In turn, this causes affected Roaming Profiles to grow considerably in size, with all sorts of unwanted nonsense in the roaming profile syncing during login (temp internet files, OST files and so on). The affected users seem to have the entry “[General]ExclusionList=Local Settings;Temporary Internet Files;History;Temp” in their ntuser.ini files, with unaffected users having the entry “[General]ExclusionList=AppData\Local;AppData\LocalLow;$Recycle.Bin;Local Settings;Temporary Internet Files;History;Temp”
• Profile resets seem to fix the issue - archiving affected users’ Roaming Profile and re-directed Roaming AppData directories and letting the profile recreate itself on next login. However the issue seems to resurface for a number of users. I am not sure if this is users doing again whatever it was they did in the first place to cause the problem, or whether it’s because they are logging back onto PCs with “corrupt” Roaming Profiles, which copy back to the Roaming Profile share, and in turn follow users to the next PC they use.
OK, so moving forwards I have three questions:
• One of the few differences between students and staff use of IT is laptops. Students use them a lot, staff use them rarely. Our wireless network also isn’t the best, with generally pretty poor performance. After a quick look around, I found some information on Slow Link Detection GP settings. It seems that this is on by default, and that slow links could very well mean no Folder Redirection (Specifying Group Policy for Slow Link Detection: Group Policy). Could this be what is causing the reset Folder Redirection for our students? Is it the case that any such settings applied during logins over slow links can sync back to the Roaming Profile shares and follow users to other devices?
• Is it likely that profile resets to fix affected users are being undone by users logging into PCs they used before we reset their profile? If so, would it be best to look at implementing the “delete profiles older than specified number of days” GP temporarily to a low number to clear out troublesome cached profiles? Could the “Prevent Roaming Profile changes from propagating to the server” GP be a useful tool here for fixing the issue?
• Last of all, what could be causing the Local and LocalLow AppData directories to decide to copy back to the Roaming Profile share? How much of a clue are the different ntuser.ini files – could this be another cached profile problem, where fixed profiles are unfixed by users logging onto devices with unwanted ntuser.ini settings?
It would be really great to get to the bottom of this, and have student accounts work as well as they do for staff. Many thanks in advance for any help and advice!
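
One way to find affected profiles from the ntuser.ini difference described in the post, as an added example that is not part of the original post: the script parses `ExclusionList` and flags profiles that lack `AppData\Local` and `AppData\LocalLow`. The function names and the share path are hypothetical, and it assumes the account running it can read each profile folder.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0 or later.
# Exclusions the post reports as present for unaffected users and absent for affected ones.
$RequiredExclusions = 'AppData\Local', 'AppData\LocalLow'

function Get-ExclusionList {
    # Returns the ExclusionList entries from the [General] section of ntuser.ini text.
    param([string[]]$IniLines)
    $inGeneral = $false
    foreach ($line in $IniLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inGeneral = ($Matches[1] -eq 'General')
        } elseif ($inGeneral -and $text -match '^ExclusionList\s*=(.*)$') {
            return @($Matches[1] -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
}

function Get-MissingExclusions {
    # Lists required exclusions that the given ntuser.ini content does not carry.
    param([string[]]$IniLines)
    $present = @(Get-ExclusionList $IniLines)
    @($RequiredExclusions | Where-Object { $present -notcontains $_ })
}

function Test-ProfileShare {
    # Hypothetical helper: reports one row per profile folder under $ProfileRoot.
    param([Parameter(Mandatory)][string]$ProfileRoot)
    Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
        $ini = Join-Path $_.FullName 'ntuser.ini'
        if (-not [System.IO.File]::Exists($ini)) { return }
        $missing = @(Get-MissingExclusions ([System.IO.File]::ReadAllLines($ini)))
        [pscustomobject]@{
            Profile  = $_.Name
            Affected = $missing.Count -gt 0
            Missing  = $missing -join ';'
        }
    }
}

# Constructed sample input: the two ExclusionList values quoted in the post.
$affected   = '[General]', 'ExclusionList=Local Settings;Temporary Internet Files;History;Temp'
$unaffected = '[General]', 'ExclusionList=AppData\Local;AppData\LocalLow;$Recycle.Bin;Local Settings;Temporary Internet Files;History;Temp'
"affected sample is missing:   $((Get-MissingExclusions $affected) -join ';')"
"unaffected sample is missing: $((Get-MissingExclusions $unaffected) -join ';')"

# Usage against a share (placeholder path): Test-ProfileShare '\\server\profiles$' | Where-Object Affected
```

Running the same check against a workstation's locally cached profile folders shows whether a machine still holds a copy with the short exclusion list.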