Setting up staff laptops - domain access/profiles/offline files

[OXP]

(First post here - I usually just read, but could do with some guidance! )

Hi all,

Looking for some advice/support with regards to staff laptops. Currently, staff have college issued laptops that do not connect to the domain. They log in using a local account (they aren't set up as local administrators thank God!) and a script maps their network drive for them when they're at work using their domain credentials. When they're at home, they save everything to the local My Documents - transferring files and stuff has been down to them previously/currently, with no automatic syncing or anything. This has led to a bit of a disaster situation. Most staff accounts on the domain are near empty, with hardly any documents etc. as all their junk is stored locally. Also staff are used to using their local log on details so very rarely log on to a domain machine. When they need to log on there's usually a lot of hassle with regards to forgotten user names and passwords and "oh, I forgot, I saved that file on my laptop...". As well as files not being backed up anywhere near enough!

What I am looking to do is to simplify the whole deal by imaging the laptops and adding them to the domain. Then allow staff to log on using their domain credentials only, no local accounts (allowing cached credentials for when they use them at home). I'll transfer all their current "My Documents" to their network U: drive and hopefully enable offline files so they can work on documents off and on-site and have them automatically synced (assuming this works as I understand it, copies will be made locally and then synced back to U: when next connected to the domain?)

Now my main question/issue - profiles. On the domain all users use mandatory profiles. I would like the staff laptops to use local mandatory profiles if possible to help with log on speeds and so we don't add too much extra network traffic. So can I specify the profile path in Active Directory to C:\StaffProfile rather than using a network share? I did try it earlier briefly, and when I logged in it told me that it couldn't find the profile and was going to use a temp local profile... it is possible I made a typo or something though as I was checking on the off-chance and not paying too much attention...

Anyway thanks for any help/advice, just wanting to know if this setup sounds alright... I know this post is long but ah well. I am pretty much a novice with actually setting these things up as 98% of things were already set up when I got here.

In short my plan is:

• add laptops to domain, get staff to log on using domain credentials (and cached credentials from home)
• have staff profiles redirected using AD to a local mandatory profile (e.g. C:\StaffProfile)
• redirect My Documents to U: drive, enable offline files for home use
• lock down laptops using similar GPOs to other domain machines
• profit???

Cheers! (using Windows Server 2003 and XP Pro clients if it helps).

[maestromasada]

ey OXP!

All the luck in the world for you my friend, this is tedious stuff. Did you allow exclusive access to C:\StaffProfile to your users when configuring the GPO in the server? They should have exclusive access to their local profile...I think.

And i said I think because I had a similar problem ages ago with the staff laptops and implemented a similar solution to yours, and in the long run it didn't work. Staff could not wait for sync of their files on the servers, and at the end they end up having the same situation, files not being backup on the laptops and files here and there.

Believe or not, my salvation was a Terminal Server, I enable RDP over the internet and advise staff to access their work from home using RDP. At first we deny access to their local C:\ but with the time I've been a bit more relax and they can now have files on their laptops itself. But they all are full aware that we are not responsible for this data, they should we using RDP all the times on their laptops at home.

I hope some of the members of this forum will give you a better advise.

[maniac]

I would recommend using roaming profiles for Staff, purely so it stores things like favourites and various program settings for staff. When logged on off-line, it will use the cached version of the profile, when logged on in school it will merge the network version and local version so changes made offline are updated to the network.

If you wanted to use a mandatory profile however, you can quite easily re-direct the profile path to a locally stored mandatory profile by doing what your described above. I tested this out with our student machines, but found the time it saved loading it locally as oppose to from the network was quite small, so we opted to keep ours networked so making changes to it was easier.

Mike.

[OXP]

Thanks for both replies so far. @maestromasada, I didn't try altering permissions to allow exclusive rights to the profile folder but it's something I'll try again tomorrow... I used the default Windows tool to "Copy To..." the profile over to the C: drive and set it for use by "Everyone". Maybe it's a permissions thing I need to look at! As for files syncing, I've had a poke about at offline files settings and I think it would be best to have them sync every X amount of minutes and finally at log off. I know if I set them to sync at log on there would be an utter outcry and huge log on times...! This way hopefully the majority of things can be synced "in background" and then everything else at log off. They only really log off at the end of the working day so longer log off times shouldn't be an issue for most of 'em Also going to send out an e-mail about what files should be kept and to delete unnecessary or extremely large files before the move over.

@maniac: the reason I would prefer mandatory profiles is because that's what's currently in use for staff on current domain machines - not that the majority would notice because they're so glued to "their" laptops. This way things would be more consistent across site. If wanting to keep favourites etc. becomes an issue I might have to look into a reg hack or script for redirecting them in to a subfolder in the users home. Also whilst I know roaming profiles have benefits and can be set up quite well I do feel like it'd be a sort of step back rather than step forward... at least at the moment only the laptops are full of crud, rather than it going back and forth over the network. With regards to network resources etc. the profile itself may have a pretty small footprint but as this system is going to rely on syncing off offline files to and from the network to laptops I'd like to try and keep everything else as minimal as possible just so they don't become bogged down

Also another quickie: if a staff member logs in using this new system using cached credentials at home, will GPOs still take effect? I've read that they're not cached completely and will not apply if away from the network, but surely if the profile was located locally and cached credentials were used...? I've no experience with this, but I hope they are otherwise it's going to mean local GPOs which is always a pain

I would recommend using roaming profiles for Staff, purely so it stores things like favourites and various program settings for staff. When logged on off-line, it will use the cached version of the profile, when logged on in school it will merge the network version and local version so changes made offline are updated to the network.

If you wanted to use a mandatory profile however, you can quite easily re-direct the profile path to a locally stored mandatory profile by doing what your described above. I tested this out with our student machines, but found the time it saved loading it locally as oppose to from the network was quite small, so we opted to keep ours networked so making changes to it was easier.

Mike.

[OXP]

OK... I'm back. Sorry for the "double post" but I don't think this is worthy of a new thread all by itself!

After doing some tests yesterday I've decided that adding staff laptops to our domain is probably not the best idea. I put the laptops in a different OU, and made sure to turn GPO inheritance off, then created a new GPO with only the most basic settings. They still took quite a while to log in, not too sure why, despite being connected and with folder redirection enabled. Tested them at home/away from the domain and it was even worse. I think offline file sync was a big part of it...!

So I'm thinking of a new solution. Reimaging the laptops to a new "standard" XP Pro install with no domain and locking staff down by making them local restricted users and using Local GPOs. For the issue with documents been all over the place I'm considering creating two partitions or so, one for the main Windows XP install (C and then creating a local "user" partition (U where they can save their files. I can then use either a sync program or script of sorts to manually backup the content of the local U: to the server periodically, once a day or at log off. It's still better than having no backups whatsoever!

Here's a quick question though. I know I can redirect My Documents/My Pictures/My Music to the new U: partition, however, would it be possible to to redirect the entire local profile so it's not stored in Documents and Settings? I know the option for profile redirection certainly exists in the local users snap-in but I've not tried it. Would it be possible to put the entirety of their profile on U: so that if the laptop is reimaged on C: they will still have all documents/pictures/music and some of their profile settings? Not sure if it's best just to redirect specific folders to a different partition or the entire Windows profile. Help and advice would be nice

[witch]

Personally I would try and find out why logon times are so slow - my laptops are on the domain, and the logon time, whilst not super fast, isnt an issue. We have mandatory profiles here just for the reasons that you mention and it all works well. It was changed over last summer and TBH I have had very few issues with the staff.

[OXP]

Personally I would try and find out why logon times are so slow - my laptops are on the domain, and the logon time, whilst not super fast, isnt an issue. We have mandatory profiles here just for the reasons that you mention and it all works well. It was changed over last summer and TBH I have had very few issues with the staff.

Well the log on times weren't excruciatingly bad, it's just that because we use mandatory profiles on all domain computers apart from these staff laptops (locally stored too) and because they're wired, GPOs applying/settings being applied/folder redirection is all pretty fast. The log on times for staff laptops on the domain were not dreadfully long but were more than I would have liked/expected. Like I said previously, I think it has to do with offline file syncing (after log in the computers were still sort of unusable for a short while). I did complete the tests by using offline files and making changes/saving new files etc. offline. I don't know... it all just seems a little messy. The main thought behind adding them to the domain was so users files were backed up regularly and for single accounts. I'd still prefer it if users were restricted to one account but I think the backup solution would work just as well with a script.