Group Policy Center

Another one…? yes… Another roaming profiles group policy for this weeks setting of the week. But this is a really super cool policy I found while reading the “What’s New in Folder Redirection and User Profiles” (via @stealthpuppy ) document that Microsoft recently published. This document mainly goes through the new features with folder redirections in Windows 7 however it also mentions the new group policy/feature called “Background upload of a roaming users profile’s registry file while user is logged on”.

This setting can be found under Computer Configuration > Administrative Templates > System > User Profiles and is specific to Windows 7 or Windows Server 2008 R2.

This policy setting would be very useful as a way to ensure that at least part of a users profile is save to the network if they are they type that never like to log off their computer at night.

There are a few points about this policy which I have summarised below:

• Only synchronises the users registry profile (ntuser.dat) so things like desktop icons and favourites wont sync. (This is what folder redirection is for any way).
• There are two modes of scheduling the update
  • Run at set interval – Between 1 hour and 720 hours (30 days).
  • Run at specified time of day – useful if you only want to run this at 3am so that it only applies to users who stay logged on over night.
• The schedule will run randomly any time up to an hour after it is supposed to run so to not load the file server with a large number of concurrent requests.
• If you choose one method of scheduling then it will ignore the set value of the other schedule.

I also have a very strong suspicion that this setting is only compatible if you have Windows 2008 (or later) as the file server so that it can handle the copying of the locked file (ntuser.dat). Please ping me if you can confirm this.

This setting is another profile related setting however I think the focus is warranted as so many organisations use roaming profiles. This setting is called “Prevent Roaming Profile changes from propagating to the server” and can be found under  Computer Configuration > Policies > Administrative Templates > System > User Profiles and like the previous setting work on Windows XP / 2003 or above.

This setting would be very useful to apply to computer that have un-usual configuration that might other wise make unwanted changes to a users roaming profile. This setting would essential prevent any changes made to the users profile propagating to other workstations. One example where this could be used is when you want to test a new application with a real users account.

This week I have decided to chose “Add the Administrator security group to roaming users profiles” as the setting of the week. This setting can be found under “Computer Configuration > Policies > Administrative Templates > System > User Profiles” and applied to Windows XP / 2003 or later.

This setting adds the administrator ACL to the users roaming profile path on the server when it is first created. This greatly helps your user administrator as they don’t need to perform complicated take ownership and permission changes when they need to access a users profile to do something like a file restore or profile move.

In my experience unless the privacy of the users personal files on your companies file server needs to be guaranteed this option is normally enabled.

BUT!!!! Be very sure that you enable this option as soon as possible as this setting does NOT apply retrospectively to existing users profiles as it only applied the administrators group to the profile when the roaming profile when  it is created on the server for the first time.

(This will hopefully be the first of many Group Policy Setting of the Week (or GPSW) articles where I will showcase one policy setting and what it does.)

I just read about this cool new policy setting on the “Ask the Performance Team” blog that will help address the issues of computers hard drives filling up over time with multiple user profiles. Previously you either had the option to purge the local users profile on log off or keep a cached copy of the profile forever. Either users would have to download their profile every time they logon to the computer which could greatly slow down the logon process or their cached profiles was never deleted which resulted in the system drive running out of space. This new setting “Delete user profiles older than a specified number of days on system restart”  allows you to set a timer on the local cached profiles so that they will be purged X number of days after being used. This means users who commonly logon to a particular computer will still have their profile cached but users that logon seldomly will have their files cleaned up thus saving precious disk space.

This might sound like a great setting to implement on a Terminal Server however note the clean up wont happen until the server is rebooted. This restriction should not be so bad as Terminal Servers are probably rebooted at least once a month any way for patching (you do patch your terminal servers don’t you?).

This setting can be found under Computer Configuration \ Policies \ Administrative Templates \ System \ User Profiles

Source: http://blogs.technet.com/askperf/archive/2009/11/03/just-me-and-my-profile-part-2.aspx