Roaming Profiles

Please note that these instructions will not suit everyone's requirements. They are intended as a guide for those who have not set up roaming profiles with redirected folders previously. Also, it should be stressed that you should try this in a test environment before going live!

These settings were derived from tests using Windows 2003 Server and Windows XP Pro. The same settings do work on Windows 2000, but some of the exact text references may differ.

Server Infrastructure

Select server

  • Select a file server that will host the roaming profiles (and redirected folders)

Create directory and share structure

Roaming User Profiles

  • Make a directory (e.g. D:\UserProfiles)
  • Share the directory as UserProfiles$ and set the share permissions to Everyone:Full Control
  • Disable caching on the UserProfiles$ share (files/programs not available offline)
  • Modify the folder permissions on D:\UserProfiles as follows:
    • Administrators: Full Control (this folder, sub-folders and files)
    • System: Full Control (this folder, sub-folders and files)
    • CREATOR OWNER: Full Control (sub-folders and files only)
    • Everyone: Traverse Folder, List Folder, Read Attributes, Create Folder (this folder only)

Redirected Folders

  • Make a directory (e.g. D:\UserData)
  • Share the directory as UserData$ and set the share permissions to Everyone:Full Control
  • Modify the folder permissions on D:\UserData as follows:
    • Administrators: Full Control (this folder, sub-folders and files)
    • System: Full Control (this folder, sub-folders and files)
    • CREATOR OWNER: Full Control (sub-folders and files only)
    • Everyone: Traverse Folder, List Folder, Read Attributes, Create Folder (this folder only)

NB - These are kept separate so that the offline folders feature can be used with redirected folders. Windows will generate errors in the event logs if it detects that caching is enabled on the roaming profile share.
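
The directory, permission and share steps above, scripted as an added example that is not part of the original page. It assumes Windows Server 2012 or later (SmbShare module and icacls) and an elevated PowerShell session; the paths and share names are the examples used above, and the final check warns if the resulting folder ACL would let the Everyone entry reach the per-user folders.

```powershell
# Added example (not from the original page). Assumes Windows Server 2012 or later
# (SmbShare module, icacls) and an elevated session.
$targets = @(
    @{ Path = 'D:\UserProfiles'; Share = 'UserProfiles$'; Caching = 'None'   }  # caching disabled
    @{ Path = 'D:\UserData';     Share = 'UserData$';     Caching = 'Manual' }  # share default
)

# Well-known SIDs avoid any dependence on localized account names.
$aces = @(
    '*S-1-5-32-544:(OI)(CI)F'   # Administrators: this folder, sub-folders and files
    '*S-1-5-18:(OI)(CI)F'       # SYSTEM: this folder, sub-folders and files
    '*S-1-3-0:(OI)(CI)(IO)F'    # CREATOR OWNER: sub-folders and files only
    '*S-1-1-0:(X,RD,RA,AD)'     # Everyone: traverse, list, read attributes, create folder (this folder only)
)

foreach ($t in $targets) {
    New-Item -ItemType Directory -Path $t.Path -Force | Out-Null

    # /inheritance:r drops ACEs inherited from the drive root;
    # /grant:r replaces any earlier explicit grant for the same SID.
    & icacls.exe $t.Path /inheritance:r /grant:r $aces | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $($t.Path)" }

    if (-not (Get-SmbShare -Name $t.Share -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $t.Share -Path $t.Path -FullAccess 'Everyone' -CachingMode $t.Caching | Out-Null
    }

    # The share grants Everyone:Full Control, so the folder ACL is the only barrier
    # between users. Check that it is not inherited and that the Everyone entry
    # stops at the root folder.
    $acl = Get-Acl -Path $t.Path
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$($t.Path) still inherits permissions from its parent"
    }
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' -and $_.InheritanceFlags -ne 'None' } |
        ForEach-Object { Write-Warning "$($t.Path): Everyone entry propagates to sub-folders ($($_.FileSystemRights))" }
}
```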

Group Policy Settings

User Profiles - Computer Settings

  • Create a new Group Policy Object and call it 'User Profiles - Computer Settings'
  • Configure the GPO so that User Settings are disabled (only Computer settings will apply)
  • Enable the 'Add the Administrators security group to roaming user profiles' policy setting
  • Optionally, enable other policy settings for user profiles as required (e.g. Log users off when roaming profile fails)
  • Link the GPO to a suitable OU so that all PCs where users will log on with roaming profiles will be affected

User Profiles - User Settings

  • Create a new Group Policy Object and call it 'User Profiles - User Settings'
  • Configure the GPO so that Computer Settings are disabled (only User settings will apply)
  • Optionally, enable any other policy settings for user profiles as required (e.g. limit profile size)
  • Link the GPO to a suitable OU so that all user accounts that will have roaming profiles will be affected

Redirected Folders - User Settings

  • Create a new Group Policy Object and call it 'Redirected Folders - User Settings'
  • Configure the GPO so that Computer Settings are disabled (only User settings will apply)
  • Edit the GPO and navigate to User Settings, Windows Settings, Folder Redirection
  • Right click My Documents and select Properties
  • On the target tab, change the setting to 'Basic - Redirect everyone's folder to the same location'
  • Set Target Folder Location to 'Create a folder for each user under the root path'
  • In the path box, enter \\(servername)\UserData$
  • Select the settings tab and untick the 'Grant the user exclusive rights to ...' box
  • Click OK
  • If you want to redirect additional folders (e.g. Application Data, Desktop or even Start Menu), then follow the same procedure as for My Documents.

User Account Settings

Use Active Directory Users and Computers to configure user account settings as follows:

  • (profile tab) Profile Path: \\(servername)\UserProfiles$\%username%
  • If you want users to have a drive letter mapped to the same location as the redirected My Documents folder (some older software cannot cope with the concept of My Documents or UNC paths), then use the following settings:
    • (profile tab) Connect: (select required drive letter)
    • (profile tab) To: \\(servername)\UserData$\%username%\My Documents