Group Policy Central

Virtualization is currently a buzz word and it seems that Microsoft is falling over itself to brand as many products as possible with the “V” word (e.g. Hyper-V, App-V & Med-V). So “User State Virtualization” is the term that Microsoft now uses to describe what used to be call Roaming Profiles and/or Folder Redirection.

The idea is simple… a user can logon to any computer in an organisations and have all their personal files and setting apply to that computer as it was the last time they used a computer. This is really a Win/Win for Users and IT Pros as for a user this is a big time saver as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computers. IT Pro’s also benefit when there is an un-expected failure or loss of a computer then they don’t have to go through what could be a lengthily, costly and if not impossible, process of recovering the users data.

The video below is part 1 in a 3 part series that give an overview about how Roaming Profiles and Folder Redirection give you User State Virtualisation.

Now theoretically User State Virtualization can be totally done with just a Roaming Profile, however this quickly becomes impractical as users often store a LOT of data which can make users profile impossibly large. To get around this Microsoft users folder redirection to essentially redirect parts of a users profile to a file share on a server where it is centrally access whenever they logon to a computer.

Reference: Managing Roaming User Data Deployment Guide

Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

By redirecting these folders to a server they are only access when needed and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However this restriction is also mitigated by ensuring that the user has a cached copy of these redirected folders.

Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps.

Before you begin I would also recommend that you read the following articles from Microsoft about User State Virtualization.

• Choosing an Appropriate User State Virtualization Solution
• Understanding User State Virtualization Improvements In Windows 7

Continue reading ‘Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization)’ »

Microsoft recently released KB978098 which explains an issues with folder redirection when using the Advanced folder redirection setting (see image below). The advanced setting of this policy is used when you want to redirect users to different locations based on security group location. This is a very helpful if you have a large number of users in the same site and you don’t want to store all their redirected folder to the same location similar to how Exchange Administrator distribute users amongst multiple mailbox databases.

Issue:

This issues is not with the size of the data in the redirection folder ( as the name might suggest ) but the actual number of security groups you have used in the policy. The good news is that the number of groups you need to have configured before this becomes an issues is A LOT so this is likely only going to affect the large organisations.

Depending on the OS that you are editing the policy on it can change the number of groups you can use to configured before this issues occurs.

Windows Vista or Later =  670 (approx) Security Groups

Windows Server 2003 = 230 (approx) Security Groups

Problem

The problem occurs when the the fdeploy(?).ini file under Policies\GUID\User\Documents & Settings folder in the SYSVOL exceeds 32,767 characters due to the large number of GUID’s listed in the file (see below).

Workaround

Option 1: The workaround in the KB is to split the Group Policy Object up so that each policy has fewer groups/redirected folders.

Option 2: If you have only edited the policy in Windows XP / 2003 then you can open then Group Policy Object with Windows Vista (or greater) as it will be “converted to a newer … .ini file format” that “lets you redirect more folders”.

Disclaimer

This information is to be used at your own risk and make sure you read the KB yourself and you test any changes in thoroughly before making changes in your environment.

Source: Errors when you have a large "Folder Redirection" policy settings file in Windows Vista, in Windows 7, in Windows Server 2008, or in Windows Server 2008 R2