Posts tagged ‘roaming profile’

Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization)

Virtualization is currently a buzzword, and it seems that Microsoft is falling over itself to brand as many products as possible with the “V” word (e.g. Hyper-V, App-V & Med-V). So “User State Virtualization” is the term that Microsoft now uses to describe what used to be called Roaming Profiles and/or Folder Redirection.

The idea is simple… a user can log on to any computer in an organisation and have all their personal files and settings applied to that computer as they were the last time they used a computer. This is really a win/win for users and IT Pros. For a user it is a big time saver, as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computer. IT Pros also benefit: when there is an unexpected failure or loss of a computer, they don’t have to go through what could be a lengthy, costly, if not impossible, process of recovering the user’s data.

Now, theoretically, User State Virtualization can be done entirely with just a Roaming Profile; however, this quickly becomes impractical as users often store a LOT of data, which can make a user’s profile impossibly large. To get around this, Microsoft uses Folder Redirection to redirect parts of a user’s profile to a file share on a server, where it is centrally accessed whenever they log on to a computer.

Reference: Managing Roaming User Data Deployment Guide

Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

By redirecting these folders to a server, they are only accessed when needed, and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However, this restriction is mitigated by ensuring that the user has a cached copy of these redirected folders.

Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps.

Group Policy Setting of the Week 19 – Set roaming profile path for all users logging onto this computer

Back to another profile setting this week, and this one can save any organisation using Windows Vista or greater a lot of time if you manually provision your accounts. The setting is called “Set roaming profile path for all users logging onto this computer” and it configures the user’s roaming profile path, which is normally configured on a per-account basis in Active Directory Users and Computers. Being able to apply this setting via Group Policy means it is one more user attribute that you no longer need to configure on the user’s account. This of course makes provisioning user accounts just that little bit simpler, which should save time and reduce the possibility of human error.

This setting can be found under Computer Configuration > Policies > Administrative Templates > System > User Profiles, but as it’s a computer-based setting you need to be careful how you apply it. Applying this setting to laptops could be undesirable, as they may try to log on from a remote location with a slow WAN link to the profile server. So if you do apply this to laptops, you might want to configure it to point to a DFS namespace path or a DNS alias (if you have subnet masking filtering enabled), which can help point them to a faster, more local path. This of course means it would be really useful to have an OU structure that separates your laptops from your desktop computers.

But I would definitely recommend using this setting if you are using Windows Vista or Windows 7 in your SOE.

Group Policy Setting of the Week 17 – Background upload of a roaming user profile’s registry file while user is logged on

Another one…? Yes… another roaming profiles group policy for this week’s setting of the week. But this is a really super cool policy I found while reading the “What’s New in Folder Redirection and User Profiles” (via @stealthpuppy) document that Microsoft recently published. This document mainly goes through the new Folder Redirection features in Windows 7; however, it also mentions the new group policy/feature called “Background upload of a roaming user profile’s registry file while user is logged on”.

This setting can be found under Computer Configuration > Administrative Templates > System > User Profiles and is specific to Windows 7 or Windows Server 2008 R2.

This policy setting would be very useful as a way to ensure that at least part of a user’s profile is saved to the network if they are the type that never likes to log off their computer at night.

There are a few points about this policy which I have summarised below:

  • Only synchronises the user’s registry profile (ntuser.dat), so things like desktop icons and favourites won’t sync. (This is what folder redirection is for anyway.)
  • There are two modes of scheduling the update
    • Run at set interval – Between 1 hour and 720 hours (30 days).
    • Run at specified time of day – useful if you only want to run this at 3am so that it only applies to users who stay logged on over night.
  • The schedule will run at a random time up to an hour after it is supposed to run, so as not to load the file server with a large number of concurrent requests.
  • If you choose one method of scheduling then it will ignore the set value of the other schedule.

I also have a very strong suspicion that this setting is only compatible if you have Windows 2008 (or later) as the file server so that it can handle the copying of the locked file (ntuser.dat). Please ping me if you can confirm this.

How to use Group Policy Preferences to dynamically map printers with Roaming Profiles

One of the great new features of Group Policy Preferences is the ability to map printers based on a number of criteria such as group membership, AD Site or even IP address range, to name a few. This allows for some powerful scenarios, such as being able to map all the printers physically near a user based on the computer’s IP address. Note: This assumes that the networking team allocates the same subnets to computers near each other (e.g. a building or floor), but I have found this is often the case.

One of the problems that occurs when you map printers with Group Policy Preferences is that if the user has a roaming profile configured and they then log on to a computer located in another area, they will also have all their old printers from the previous area. Users might not really notice these printer mappings building up over time, but they can soon amass a large number of mappings that make their computer slow to log on.

Question? So how do you map all the printers in one location but not have them follow you to another location if you are using a roaming profile?

Answer? A two-step solution, which I will go through below. There is also an optional third step that addresses the problem of maintaining default printer mappings once a user gets back to their normal location.

Step 1. The first part is just to create a simple printer mapping that maps the printer targeted by the IP address of the users current computer.

Figure 1. Create New Shared Printer

The images below show the printer “\\server\printer1” being mapped for users that log on to a computer in the 10.1.1.0/24 subnet. It is important to note that we are talking about the IP address range of the computers for which you want to map the printer, not the IP address range of the printer server or the printer NIC itself.

Figure 2. Target setting to only be mapped for computers between 10.1.1.0 to 10.1.1.255

Figure 3. Resulting printer mapping

Step 2. The second step is to delete the printer mapping if the IP address of the computer does not fall within the IP address range for which you want the printer to be mapped. To do this we start by copying the existing printer mapping that we made in step 1. This avoids making any typos in either the printer queue name or the IP addresses.

Figure 4. Copying the existing printer mapping made in step 1.

Figure 5. Paste the setting into an unused part of the pane

Figure 6. Both printer mapping entries

Now we change the action and the targeting on the second printer mapping so that it will remove the printer mapping when the user logs on to a computer in another area.

Figure 7. Open the properties of the second printer

Figure 8. Change the Action to “Delete”

Figure 9. Go back to the targeting and change it to an “Is Not” between “10.1.1.0” and “10.1.1.255”

Figure 10. New target rule

Figure 11. Two printer entries to map and then clean up the printer queues for a user based on their location.

Step 3. Maintaining Default Printer Mappings

You have now configured dynamic printer mapping for your users based on their location. However, this solution does have one problem/annoyance: users normally like to set a default printer. If a user logs on to a workstation in another location and then returns to their normal desk, their default printer will have been reset, as it will have been removed. To get around this problem we have to add another rule to the targeting on the Delete printer option so it does NOT delete the printer if it is configured as the default printer. To do this we check the registry location where the default printer is saved and test whether the printer we are deleting is the default printer.

So go back to the targeting option for the Delete printer action and add another test that will check to see if the printer is the default printer.

Figure 12. Add a new Item of type “Registry Match”

Figure 13. Configured Registry Match Setting

Change the Match Type to “Match value data” and the Value data match type to “Substring match” as the value we are looking for will contain other information as well that we don’t care about. Make sure the Hive is set to “HKEY_CURRENT_USER” and the Key Path is set to “Software\Microsoft\Windows NT\CurrentVersion\Windows”. The Value name “Device” is where in the registry the default printer information is saved. We then set the Substring to “\\server\printer1” which is the UNC path to the printer queue. Note: The substring value has to be exactly the same as the value set in the Path for the printer mapping.

There, now you know how to use Group Policy Preferences to map and remove network printers for users based on their physical location, avoiding the build-up of mappings if your users have roaming profiles while still preserving their default printer.
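
The targeting rules from Steps 1 to 3, modelled as an added example (not part of the original post, and not Group Policy's own code) so the outcome of each logon can be checked before rolling the items out. The `Device` value format, the case-insensitive comparison, the scenario data and the second printer names (`printer2`, `printer10`) are assumptions constructed for illustration; the last scenario shows that a substring match on `\\server\printer1` also matches a default printer called `\\server\printer10`.

```python
import ipaddress

# Values taken from the walkthrough above.
PRINTER_PATH = r"\\server\printer1"
RANGE_MIN = ipaddress.IPv4Address("10.1.1.0")
RANGE_MAX = ipaddress.IPv4Address("10.1.1.255")


def in_range(computer_ip):
    """IP Address Range item: is the *computer's* address inside the range?"""
    return RANGE_MIN <= ipaddress.IPv4Address(computer_ip) <= RANGE_MAX


def is_default(device_value):
    """Registry Match item: substring match of the printer path against the
    HKCU 'Device' value. Case-insensitive comparison is an assumption."""
    return PRINTER_PATH.lower() in (device_value or "").lower()


def evaluate(computer_ip, device_value, mapped):
    """Return (action, mapped_after) for one logon.

    mapped: whether the roaming profile already carries the printer connection.
    """
    if in_range(computer_ip):
        return "create", True      # Step 1 item applies
    if not is_default(device_value):
        return "delete", False     # Steps 2 and 3: out of range AND not default
    return "none", mapped          # out of range but default: left alone


# Constructed logon scenarios: (label, computer IP, Device value, mapped before)
SCENARIOS = [
    ("own desk", "10.1.1.57", r"\\server\printer1,winspool,Ne00:", False),
    ("roamed, other default", "10.1.2.20", r"\\server\printer2,winspool,Ne01:", True),
    ("roamed, printer1 default", "10.1.2.20", r"\\server\printer1,winspool,Ne00:", True),
    ("roamed, no default set", "10.1.2.20", None, True),
    # Substring pitfall: printer10 is the default, yet printer1 is kept too.
    ("roamed, printer10 default", "10.1.2.20", r"\\server\printer10,winspool,Ne02:", True),
]


def run_scenarios():
    """Evaluate every constructed scenario and return {label: (action, mapped_after)}."""
    return {label: evaluate(ip, dev, mapped) for label, ip, dev, mapped in SCENARIOS}


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:28} -> {result}")
```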