How to use group policy to manage user profiles and home directories


Recently, several of my customers have asked for an automated way to store user profiles on a server so that their users can roam and receive the same profile wherever they log on. I decided to write an article on how to do just that.

Configuring a Roaming User Profile
To configure a roaming profile for users, use the following procedure:
1. Create a folder on the server where user profiles will be stored. This will be the top-level folder that contains all the individual user profiles.
2. Configure the folder as a shared folder, and give all users Full Control share permissions (restrict access with NTFS permissions rather than share permissions; see the best practices below).
3. Open the Active Directory Users and Computers snap-in and navigate to the individual’s User object.
4. Right-click the user's name and click Properties on the shortcut menu.
5. Click the Profile tab.
6. For the Profile Path, type the path to the network share where the user profile is to be stored. For example, for a user whose network name is JDoe, the path \\NetworkShare\Profiles\%username% creates a folder named JDoe in the Profiles share on the server that stores user profiles.
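The same procedure expressed as an added PowerShell script (not code from the original article). It assumes a current Windows Server with the SmbShare and ActiveDirectory modules; the path D:\Profiles, the share name Profiles$, the group "Roaming Users" and the user JDoe are placeholders. The NTFS permissions follow the "let the system create profile folders" practice described later on this page: users can only list the root and create a folder there, and the owner of each created folder gets Full Control.

```powershell
# Added example, not from the original article. Placeholder names throughout.
$ProfileRoot = 'D:\Profiles'
$ShareName   = 'Profiles$'        # trailing $ hides the share from browsing
$UsersGroup  = 'Roaming Users'    # constructed security group of roaming users
$Server      = $env:COMPUTERNAME

New-Item -Path $ProfileRoot -ItemType Directory -Force | Out-Null

# Share permissions must be Full Control: the Change permission lacks WRITE_DAC,
# and Windows 2000 profile synchronization copies DACLs, so it fails without it.
# CachingMode None keeps Offline Folders off the profile share.
New-SmbShare -Name $ShareName -Path $ProfileRoot `
             -FullAccess $UsersGroup, 'Administrators' -CachingMode None | Out-Null

# NTFS DACLs do the real restriction. Users get list (RD) and create-folder (AD)
# on the root only; CREATOR OWNER gets Full Control on the subfolders and files
# that the system creates for each user at first logon.
icacls $ProfileRoot /inheritance:r | Out-Null
icacls $ProfileRoot /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null
icacls $ProfileRoot /grant "${UsersGroup}:(RD,AD)" | Out-Null
icacls $ProfileRoot /grant 'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null

# Step 6 of the procedure: point the user object at the share. %username% is left
# unexpanded so the system substitutes the logon name at first logon.
Set-ADUser -Identity 'JDoe' -ProfilePath "\\$Server\$ShareName\%username%"
```

Run it once per profile server; the Set-ADUser line is repeated per user (or applied to a group of users with Get-ADGroupMember piped into Set-ADUser).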

Best Practices for User Profiles

To get the best experience possible from roaming user profiles, it is important that you read all the documentation and plan your implementation thoroughly. This section presents best practices for using roaming user profiles.

Let the system create profile folders for each user.

To ensure that roaming user profiles work optimally, create only the root profile share on the server, and let the system create the folders for each user. If you must create folders for the users, ensure that you have the correct permissions set. For details on the required permissions, see Security Considerations when Configuring Roaming User Profiles.

Redirect the Location of the My Documents Folder Outside of the User’s Roaming Profile.
To decrease initial logon time to a new computer, it is recommended that you redirect the location of the My Documents folder outside of the user’s roaming profile. By far, the best way to do this is with Folder Redirection. If you don’t have Active Directory enabled, you can do this with a logon script or instruct the user to do so manually.

Do not use Encrypted File System (EFS) with Roaming User Profiles, Offline Folders, or the File Replication Service (FRS).

The Encrypted File System is not compatible with Roaming User Profiles, Offline Folders, or FRS. If you enable EFS on profile folders or files, the user's profile will not roam.

Don’t Set Disk Quotas Too Low for Users with Roaming Profiles.

If a user’s disk quotas are set too low, roaming profile synchronization may fail. Make sure enough disk space is allocated to allow the system to create a temporary duplicate copy of a user’s profile. The temporary profile is created in the user’s context as part of the synchronization process, so it debits his or her quota.

Don’t use Offline Folders on Roaming Profile Shares.

Make sure that you turn off Offline Folders for shares where roaming user profiles are stored. If you do not turn off Offline Folders for a user’s profile, you may experience synchronization problems as both Offline Folders and roaming profiles try to synchronize the files in a user’s profile.

Note: This does not affect using Offline Folders with redirected folders such as My Documents.

If You Store Roaming Profiles on the Same Server as Redirected Folders That Have Caching Enabled, Ensure That Offline Folders Synchronize at Logon and Logoff.

When a share is unavailable, Offline Folders considers the whole server to be unavailable until the offline cache is manually synchronized. Roaming profiles are not synchronized with the server while Offline Folders considers the server to be unavailable. If you are using Offline Folders in conjunction with Folder Redirection and roaming user profiles, for the best experience you should ensure that you leave the default setting of synchronizing Offline Files at logoff enabled.

Windows 2000 Roaming Profiles Require Full Control Share Permissions on the Profile Share.

If you are using Windows 2000 Professional in an environment where you previously used Windows NT 4.0 roaming profiles, it is important to ensure that users are given Full Control share permissions for the shared folder on the server containing the user profiles. You can still restrict access to the share by using NTFS discretionary access control lists (DACLs).
Not having the share permissions set to Full Control results in Windows 2000 profiles not synchronizing. This problem occurs because Change permission does not allow WRITE_DAC access, so the system can't copy DACLs. Windows 2000 roaming profiles copy file and folder DACLs, whereas Windows NT 4.0 profiles do not.

Use Group Policy loopback policy processing sparingly if you use roaming profiles.
Group Policy loopback processing enables a different set of user Group Policy settings to be applied based on the computer being logged on to. This policy is useful when you need user settings applied to the users of specific computers. There are two modes. Merge mode processes the policies that apply to the user object and then also applies the user settings from the computer's list of GPOs. Replace mode ignores the policies that apply to the user object and processes only the user settings from the computer's list of GPOs.

Use caution when using loopback policy processing and roaming profiles, especially when users may roam between Windows 2000-based computers and Windows NT 4.0-based computers. You may see some "tattooing": applications can store policy settings in HKCU\Software\Policies regardless of operating system version. Windows NT 4.0 also stored some Explorer policy settings in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies. Windows 2000 clears these keys each time before re-applying current policy, but because Windows NT 4.0 does not clear them, settings will be left behind if you roam from a Windows 2000-based machine.

Roaming between different operating system versions
Although roaming between Windows 2000 and Windows NT 4.0 should be a reasonably smooth process, there are some precautions you can take to minimize possible issues:

• If you can avoid roaming between versions of the operating system, then do so. There's nothing inherent in roaming that will cause problems, but the data that applications put in the profile may have unintended side effects on other versions of the operating system.

• Make sure that you have the same application versions installed.

• Make sure that applications are installed to the same path and drive.

• Make sure that the different versions of the operating system are installed on the same %systemdrive% and in the same %windir%.

• If users roam between Windows NT 4.0-based clients and Windows 2000-based clients, consider setting the Profile Path during installation of Windows 2000. Differences in the default profile path (%windir%\Profiles vs. %systemdrive%\Documents and Settings) may cause problems for users roaming between Windows NT 4.0-based clients and Windows 2000-based clients. To minimize the chance of problems, make sure the path to the profile is the same on both clients.

Folder Redirection Overview

Folder redirection is a feature of Windows 2000 that allows users and administrators to redirect the path of a folder to a new location. The new location can be a folder on the local computer or a directory on a network share. Users have the ability to work with documents on a server as if the documents were based on the local drive. For example, you can redirect the My Documents folder, which is usually stored on the computer's local hard disk, to a network location. The documents in the folder are available to the user from any computer on the network. The My Documents folder is the location on the Windows 2000 desktop where the user can save documents and graphic files.
Previously, administrators who wanted to redirect folders to the network had to use logon scripts to change registry values. In Windows 2000, the same task can be accomplished by using Group Policy.

Advantages of Using Folder Redirection
Folder redirection provides a number of advantages. Some of the following benefits relate to redirecting any folder, but redirecting My Documents can be particularly advantageous.

• Even if a user logs on to various computers on the network, the user’s documents are always available.

• The system administrator can use Group Policy to set disk quotas, limiting the amount of space taken up by users' special folders.

• Data specific to a user can be redirected to a different hard disk on the user's local computer from the hard disk holding the operating system files. This protects the user's data if the operating system needs to be reinstalled.

• Data stored on a shared network server can be backed up as part of routine system administration. This is safer and it requires no action on the part of the user.
You can also combine Folder Redirection and roaming user profiles to decrease logon and logoff times for roaming and mobile users. Besides the improved availability and backup benefits of having the data on the network, users also gain performance over low-speed network connections and on subsequent logon sessions. Because the redirected documents are no longer part of the profile, less data is copied when the user's profile is retrieved from the server: not all of the data in the user profile is transferred to the desktop each time the user logs on, only the data the user requires.

When you combine the use of Folder Redirection and roaming user profiles, you can provide fast computer replacement. If a user's computer needs to be replaced, the data that a user requires can quickly be re-established on a replacement computer. By using Folder Redirection to redirect the My Documents and Application Data folders, in conjunction with roaming user profiles and Group Policy-based deployment of applications, an organization can move the key user state to a network location. This means the user’s documents, settings, and applications follow them, regardless of which Windows 2000 computer the user logs on to.
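An added client-side audit script (not code from the original article) that checks two of the practices above on the machine where it runs: whether My Documents is still inside the user's profile instead of being redirected outside it, and which values are present in the policy keys where "tattooed" settings accumulate when users roam between Windows 2000 and Windows NT 4.0. It assumes a Windows client with PowerShell and runs in the roaming user's own session; the registry paths are the ones the article names.

```powershell
# Added audit script, not from the original article. Run as the roaming user.
$shellKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Read the raw REG_EXPAND_SZ value so a %USERPROFILE% reference stays visible,
# then expand it to compare against the local profile path.
$raw  = (Get-Item -Path $shellKey).GetValue('Personal', '%USERPROFILE%\Documents',
                                            'DoNotExpandEnvironmentNames')
$docs = [Environment]::ExpandEnvironmentVariables($raw)
$localProfile = $env:USERPROFILE

# Check 1: My Documents inside the profile roams with it, so every first logon on a
# new computer copies all of it. Redirected folders live outside the profile.
if ($docs.StartsWith($localProfile, [StringComparison]::OrdinalIgnoreCase)) {
    Write-Warning "My Documents ($raw) is inside the user profile and will roam with it"
} else {
    Write-Host "My Documents is redirected to $docs"
}

# Check 2: enumerate the policy keys the article names. Windows 2000 clears these
# before re-applying policy; Windows NT 4.0 does not, so on an NT 4.0 client any
# value listed here that no current GPO sets is a tattooed leftover.
$policyKeys = @(
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies'
)
foreach ($root in $policyKeys) {
    if (-not (Test-Path -Path $root)) { continue }
    $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
}
```

Pipe the output to Export-Csv to capture a baseline on a Windows 2000 client and compare it with the same report taken after the user roams to a Windows NT 4.0 client.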


Very useful article. But we use folder redirection with the help of Desktop Authority. It's much easier and allows us to do almost the same exact things: the user's settings follow the user from PC to PC.
http://www.scriptlogic.com/products/DesktopAuthority/