If you are one of the many people who have checked out my Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) post, you probably know that roaming profiles can be a super useful feature to implement. However, over the years roaming profiles have got a bit of a bad rap, as sometimes things can and do go wrong. In these cases the IT administrator is usually left with no other option than to reset the user’s profile to solve an issue with their account.
Tip: Make sure that the issue is related to the user’s roaming profile by testing another account with the same or similar privileges on the same computer. If the other account also has the same issues, or if the issues do not follow the user to other computers, then it is highly unlikely to be a roaming profile issue.
So let’s assume you have been troubleshooting this issue for many hours, you are at your wits’ end and about to rip out your hair (if you have any), and you have decided to reset the user’s profile… how do you do it?
In the Windows XP days you could just delete the user’s local and roaming profile files and the next time the user logged on they would generate a new profile. However, if you do this in Windows 7 you will find that this no longer works…
So what is the correct way to reset a roaming profile in Windows 7?
Step 1. Open Active Directory Users and Computers and go to the Profile tab of the user account you want to reset. Now take note of the roaming profile path…
Step 2. Reboot the user’s computer that is having issues and log on with an account that has local admin rights and is NOT the account you are trying to fix.
Step 3. Open control panel and type “Advanced” in the search field then click on “View advanced system settings”
Step 4. Click on the “Advanced” tab and under User Profiles click the “Settings” button
Step 5. Now select the user whose profile you want to reset and press the “Delete” button.
Step 6. Press “Yes”
Now that the local copy of the roaming profile is deleted, you also need to remove the network copy…
Note: If you have implemented folder redirection as per my Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) post, then the vast majority of the user’s information will not be part of the user’s roaming profile. This means that, other than a few program settings, the user is unlikely to lose any work. The exception to this is the AppData folder; however, if you are trying to preserve this folder as well, note that you may be copying over the issues that you are trying to fix.
WARNING: Always make sure you have everything backed up before deleting any user’s profile.
Step 7. Before you log off that computer, go to the path you noted in step 1 and delete (or rename) the roaming profile for that user on the network.
Note: You may need to take ownership of the folder before it can be deleted.
Step 3. Find the profile that has the ProfileImagePath of the user you are fixing and delete that entire key.
Step 4. Log off and logon as the user you are trying to fix.
TIP: If this is successful, make sure you get the user to log off straight away so the new profile is saved to the network, which will then propagate to any other computer when they log on.
Hopefully this will have fixed your roaming profile issues and the user is now back up and running with a minimum of fuss… Of course some of the user’s personal settings may have been lost, but hopefully a well managed SOE should allow them to run all the essential programs with little to no additional setup.
Read Me First: If you are using Folder Redirection with Windows 7 in your organisation then I would definitely recommend that you check my other blog post about a pretty nasty Folder redirection bug and how to fix it at Disappearing Folder Redirection Issues with Windows 7
Roaming Profiles and Folder Redirection is what allows a user to log on to any computer in an organisation and have all their personal files and settings apply to that computer as they were the last time they used a computer. This is really a win/win for users and IT Pros: for a user this is a big time saver, as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computer. IT Pros also benefit when there is an unexpected failure or loss of a computer, as they don’t have to go through what could be a lengthy, costly, if not impossible, process of recovering the user’s data.
Now theoretically User State Virtualization can be done entirely with just a Roaming Profile; however, this quickly becomes impractical as users often store a LOT of data, which can make a user’s profile impossibly large. To get around this Microsoft uses Folder Redirection to essentially redirect parts of a user’s profile to a file share on a server, where it is centrally accessed whenever they log on to a computer.
In case you are still wondering what User State Virtualization is, check out the overview video from Microsoft below:
Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.
By redirecting these folders to a server they are only accessed when needed, and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However, this restriction is also mitigated by ensuring that the user has a cached copy of these redirected folders.
Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps.
Before you begin I would also recommend that you read the following articles from Microsoft about User State Virtualization.
Below I will show you how to set up folder redirection for your users’ profiles. It is very important that you realise the impact that redirecting some of these folders can have: if users have many GBs of music or videos on their local computers, you could quickly find yourself running out of disk space on the server.
For another good overview of Redirected Folder take a look at the video below:
Setting up file server share for User State Virtualization
When setting up the file server you need to be sure that the permissions on the folder are set up so that a user can create a new folder; however, you also need to ensure that they can only see their own files if they start to snoop about.
Below I will go through the setup of a folder to be used for folder redirection and the roaming profiles. Combining a user’s redirected folders and roaming profile path into the one spot on the network is far easier to manage, as it consolidates all the user’s information in one location.
Note: This consolidated storage of users’ information only applies to Windows Vista/7 systems. Otherwise you will need to create a separate share for roaming profiles with offline caching disabled for Windows XP systems.
Step 1. Create a folder to be used as a root folder for all the users information (e.g. Users)
Step 2. Open the properties of the folder and then go to the Security tab and then click on the Advanced button.
Step 3. Now click on the “Change Permissions” button
Step 4. Untick “Include inheritable permissions from this object’s parent”.
Step 5. Click the “Add” button
Explanation: We have now setup a folder with no inheritable file permissions from the parent. We do this so we can remove the Read permission from Users for all subfolders and files in a later step.
You should now see something like this below.
Step 6. Select the Users “Special” ACL and then click the Edit Button.
Step 7. Change the Apply to: permission to “This folder only” and press “OK”
Step 8. Select the Users “Read & execute” ACL and then click the “Edit” button.
Step 9. Again select the “This folder only” option from the Apply to: section and then press “OK”
Notice how the two “This folder only” permissions for Users have now combined into one ACL.
Step 10. Then press “OK” and “OK” to get you back to the Users Properties screen.
Now we need to share the folder…
Step 11. Click on the “Sharing Tab” on the Users Properties screen and then click on the “Advanced Sharing” button.
Step 12. Tick “Share this folder” and type in a share name ending with a $ (e.g. Users$), then click on the “Permissions” button.
Note: The $ symbol at the end of the share name makes it hidden from users so they cannot browse to the folder. This is not necessary but it is good practice to help stop nosey users.
you should always hide the profile share using a dollar sign ($).
Step 13. Tick “Allow” for the Full Control permissions (change should then get automatically ticked) and then press OK then OK then Close.
(Optional) Setting up Roaming Profile Folder
If you are still using Windows XP then I would recommend configuring the roaming profile folder the same way as the Users folder for the redirected folders, except that you need to disable file caching. Simply repeat the steps above for “Setting up file server share for User State Virtualization” but instead use a folder name of “Profiles” and a share name of “Profiles$”.
After you configure the share permissions (see step 13 above), also click on the “Caching” button and select the “No files or programs from the shared folder are available offline” option, then press OK then OK then Close.
Now we are going to enable Access Based Enumeration for the Users$ share so that any user who manually goes to \\server04.contoso.local\users$ will only see their own folder. This is optional, however, as it simply stops your snooping users from seeing who else is in the organisation.
This last part is for the former Novell Admins out there. Yes, you could use Access Based Enumeration (ABE) on these new shares; however if there is going to be a lot of user folders on any one of these shares you could experience degradation of performance. Enabling ABE on a share does come at a price of performance.
Step 1. Open Server Manager and expand Roles > File Services > Share and Storage Management and then highlight the Users$ share
Step 2. From the menu click on Action and then Properties and then click the “Advanced” button
Step 3. Tick “Enable access-based enumeration” and then click “OK”
Step 4. Click OK
The folder on your server is now ready for your users roaming profiles (Windows Vista/7) and folder redirections.
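The permission layout built in the steps above can be checked from PowerShell. This is an added example, not part of the original post: it verifies that the root folder no longer inherits from its parent, that the Users entries apply to “This folder only”, and that no per-user subfolder is open to the whole Users group. The group name BUILTIN\Users and the local path D:\Users are assumptions.

```powershell
# Added example (not from the original post): audit the NTFS ACL on the redirection root.
# 'BUILTIN\Users' and the path used at the bottom are assumptions; adjust to your server.
function Test-RedirectionRootAcl {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [string] $Group = 'BUILTIN\Users'
    )

    $none     = [System.Security.AccessControl.InheritanceFlags]::None
    $create   = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $findings = @()

    $rootAcl = Get-Acl -Path $Path

    # Step 4: the root must not inherit permissions from its parent.
    if (-not $rootAcl.AreAccessRulesProtected) {
        $findings += "ROOT: '$Path' still inherits permissions from its parent"
    }

    # Steps 6-9: every Allow entry for the group must apply to "This folder only".
    $groupAces = @($rootAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow'
    })
    foreach ($ace in $groupAces) {
        if ($ace.InheritanceFlags -ne $none) {
            $findings += "ROOT: $Group entry ($($ace.FileSystemRights)) flows down to subfolders or files"
        }
    }

    # Users still need "Create folders / append data" on the root itself,
    # otherwise their folder cannot be created at first logon.
    $canCreate = $false
    foreach ($ace in $groupAces) {
        if (([int]$ace.FileSystemRights -band $create) -ne 0) { $canCreate = $true }
    }
    if (-not $canCreate) {
        $findings += "ROOT: $Group cannot create folders under '$Path'"
    }

    # Outcome check: no per-user folder should carry an Allow entry for the whole group.
    $children = @(Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer })
    foreach ($child in $children) {
        try {
            $childAcl = Get-Acl -Path $child.FullName -ErrorAction Stop
        } catch {
            # Happens when the user was granted exclusive rights and the auditor has no access.
            $findings += "CHILD: cannot read ACL on '$($child.Name)'"
            continue
        }
        $hits = @($childAcl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow'
        })
        if ($hits.Count -gt 0) {
            $findings += "CHILD: '$($child.Name)' is accessible to $Group"
        }
    }

    return $findings
}

$root = 'D:\Users'   # assumed local path of the folder shared as Users$
if (Test-Path -Path $root) {
    $result = @(Test-RedirectionRootAcl -Path $root)
    if ($result.Count -eq 0) { 'ACL layout matches the steps above.' } else { $result }
}
```

Run it from an elevated prompt on the file server; an empty result means the ACL matches the layout described in steps 1 to 10.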
Tip: You can also enable a File Screen using the File Server Resource Manager to prevent your users from saving files with certain extensions (e.g. MP3, AVI or MP4) to their redirected folders. Another option this gives you is the ability to apply an Auto Apply Quota to the users’ folders and have them get warning email messages whenever they consume a lot of disk space.
How to configure Roaming Profiles for a user using Group Policy
Before we begin, take the time to watch the part 2 video that shows an example of how Roaming Profiles can be used to give your users a better experience. This video also demonstrates some of the pitfalls of just implementing a roaming profile for a user without Folder Redirection enabled.
Per User Roaming Profile
You have always been able to configure a user’s roaming profile path by configuring the Profile Path on the user’s account (see image below). This method allows you to granularly configure a user’s roaming profile path location; however, it is a much more laborious process to ensure that the paths are consistent with the folder redirection policy that is also applied to the users.
Explanation: I have added “\profile” onto the end of what would normally be the profile path so that when the profile is created it is placed at the same level as all the other redirected folders. You will see how this works later on in this post.
You configure the profile location on the Profile or Terminal Services Profile tab within Active Directory Users and Computers.
If you setup the optional Profiles$ share for Windows XP then you will need to make sure the share you use is profiles$ (not users$) and there is no need for the additional \Profiles folder to be specified.
One feature that was introduced in the new version of Active Directory Users and Computers in Windows Server 2003 was the ability to update user attributes for multiple users in one action (see image below). This made the whole process of configuring the users’ profile path much easier, especially when dealing with many user accounts.
Per Computer Roaming Profile
Before Windows Vista the only way you could configure the roaming profile path for a user was by configuring it on the user’s account via Active Directory Users and Computers. While configuring the roaming profile path on the user’s account is now far easier with the multiple user attribute update feature, this still leaves the setting configured for each individual user, and unless you do an audit of all the user accounts it is possible that some paths could be set up incorrectly.
Warning: The biggest problem with the Per Computer roaming profile configuration is that there is no way to exclude your administrator accounts from also getting this policy, as it is a per computer policy. This means if any administrator logs on to a workstation with this policy applied they will be configured to use a roaming profile.
Step 1. Edit a Group Policy object that is targeted to your workstations
Step 2. Navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles and enable the “Set roaming profile path for all users logging onto this computer” and configure the path to \\PROFILESERVERNAME\Users$\%username%\profile .
Explanation: I have added “\profile” onto the end of what would normally be the profile path so that when the profile is created it is placed at the same level as all the other redirected folders. You will see how this works later on in this post.
If you are still running Windows XP this policy works very well if you have used a geographical OU structure (see Best Practice: Active Directory Structure Guidelines – Part 1) for your workstations, as you will be able to point the roaming profile path for each user to a local file server. This would allow you to point users in the local site to the closest/quickest roaming profile server to reduce the time it takes to log on and log off. However, as Windows Vista and Windows 7 now upload the profile asynchronously, loading the profile via a higher latency, lower bandwidth link is not so noticeable unless the user has never logged on to that computer before.
Which do I recommend?
Amazingly I am not going to recommend the per computer Group Policy method, as there is no way you can get around having a roaming profile if you log on as an administrator. This is a real show stopper, as I think administrator accounts should not be encumbered with “crud” in their profile when logging onto a computer.
Therefore I recommend the per user roaming profile configuration method, which is made much easier to do with the multiple user attribute update option you get with the newer version of Active Directory Users and Computers.
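Because per user paths can drift, the audit mentioned above is worth scripting. The following is an added example, not from the original post: it compares each account’s profile path with the \\SERVER\Users$\USERNAME\profile convention used in this post. The function name and the sample accounts are constructed for illustration; the live query assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example (not from the original post): flag accounts whose roaming profile path
# does not follow the <root>\<logon name>\profile convention described above.
function Get-ProfilePathDrift {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Users,  # objects with SamAccountName and ProfilePath
        [Parameter(Mandatory = $true)] [string]   $Root    # e.g. \\server04.contoso.local\Users$
    )
    foreach ($u in $Users) {
        $expected = '{0}\{1}\profile' -f $Root.TrimEnd('\'), $u.SamAccountName

        if ([string]::IsNullOrEmpty($u.ProfilePath)) {
            # No roaming profile at all: expected for administrator accounts, suspicious for staff.
            $status = 'NoRoamingProfile'
        } elseif ($u.ProfilePath.TrimEnd('\') -ieq $expected) {
            $status = 'OK'
        } else {
            # Wrong server, wrong share, another user's folder, or missing \profile suffix.
            $status = 'Mismatch'
        }

        New-Object PSObject -Property @{
            SamAccountName = $u.SamAccountName
            Status         = $status
            ProfilePath    = $u.ProfilePath
            Expected       = $expected
        } | Select-Object SamAccountName, Status, ProfilePath, Expected
    }
}

# Constructed sample accounts (not real data) so the example runs without a domain.
$sample = @(
    (New-Object PSObject -Property @{ SamAccountName = 'alice';   ProfilePath = '\\server04.contoso.local\Users$\alice\profile' }),
    (New-Object PSObject -Property @{ SamAccountName = 'bob';     ProfilePath = '\\server04.contoso.local\Users$\bob' }),
    (New-Object PSObject -Property @{ SamAccountName = 'carol';   ProfilePath = '\\server04.contoso.local\Users$\alice\profile' }),
    (New-Object PSObject -Property @{ SamAccountName = 'adm-dan'; ProfilePath = $null })
)

Get-ProfilePathDrift -Users $sample -Root '\\server04.contoso.local\Users$' |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize

# Live use against the directory (requires the ActiveDirectory module):
# Get-ProfilePathDrift -Root '\\server04.contoso.local\Users$' `
#     -Users (Get-ADUser -Filter * -Properties ProfilePath)
```

In the sample, bob is missing the \profile suffix and carol points at another user’s folder, so both are reported as Mismatch; adm-dan has no roaming profile, which is the intended state for an administrator account.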
Other Roaming Profile Group Policy settings
In this section I will go through (in no particular order) the Group Policy settings I recommend you configure for setting up roaming profiles.
Computer Configuration > Policies > Administrative Templates > System
Windows Vista provides little information about the status of loading or unloading roaming profiles during user logon and logoff. This lack of information is misleading and may give a user the impression Windows Vista is unresponsive.
Computer Configuration > Policies > Administrative Templates > System > User Profiles
Vista still respects this policy setting; however, no longer prevents the user from logging off the computer. Windows does not synchronize the user’s profile to the profile server when it exceeds the policy enabled limit.
Exclude directories in roaming profile
Handy to exclude applications that incorrectly write very large caches from the users Application Data folder if you do not have folder redirection enabled.
As you are redirecting the Desktop and Start Menu to a network location you will need to add the file server into the trusted sites list, otherwise Windows will warn that you are trying to run a program from an untrusted location (see below).
Error message you will get if you do not add your file servers into the Intranet Zone.
Updates: Roaming Profile Improvement in Windows 7
The most significant improvement to Roaming Profiles with Windows 7 is the introduction of a new feature called “Background upload of a roaming user profile’s registry file while user is logged on”. This enables the IT administrator to schedule a background upload of the user’s NTUSER.dat file if they don’t log off their computer. Even if your users are in the habit of logging off at the end of the day, this is a setting you should consider turning on to ensure that the users’ settings are always being backed up, as failures can happen at any time.
How to configure Folder Redirection via Group Policy
Now let’s take a look at how to set up folder redirection for a user so that the files stored in their personal folders (e.g. Documents, Music & Videos) are stored on the file server and not on the local computer. By default all folders that are redirected are automatically made available offline, which is done so that users can still access their personal files if they are disconnected from the file server. On a Windows XP system this can add substantial time to the logon/logoff process, as the user has to wait for the files to be synced; however, in Windows Vista/7 this is done in the background, so it is a much more seamless process.
Step 1. Edit a Group Policy Object that is targeted to your users and navigate to User Configuration > Policies > Windows Settings > Folder Redirection > Documents
Now we are going to setup folder redirections for the Documents (a.k.a. My Documents) folder as this is the most commonly redirected folder however you will need to repeat the same instructions for each of the other folders (if required).
Step 2. From the menu click on Action and then Properties
Step 3. Select the “Basic – Redirect everyone’s folder to the same location” option
For the purpose of this demo I am only going to show you how to set up a “Basic” redirection. However, if you want to spread out the users amongst multiple locations you can use the advanced options and apply a different folder redirection based on the user’s security group membership (see image below). This option is useful if you want to distribute the load across multiple servers, but it can start to get complicated as the user’s roaming profile may then be stored in a different location to their redirected folders. Also be careful with the order in which you apply these advanced settings: if the user is a member of multiple groups it will pick up the top entry in the list, and there is no way to reorder the list after the entries are created. For these reasons, unless you REALLY want to, you should try to avoid using the Advanced option.
Advanced redirection (just for your FYI)
Step 4. Select the “Create a folder for each user under the root path” option under the “Target folder location” and then type the full UNC path in the root path that we created before (e.g. \\server04.contoso.local\users$ ) then click on the “Settings” Tab.
Step 5. Un tick “Grant the user exclusive rights to Documents”
By default, Administrators do not have permissions to users’ redirected folders. If you require the ability to go into the users folders you will want to go to the “Settings” Tab, and uncheck: “Grant the user exclusive rights to” on each folder that is redirected. This allows Administrators to enter the users redirected folder locations without taking ownership of the folder and files.
Note: If this is also one of the supported folder redirection types in Windows XP you will have the option to also apply this policy to Windows XP computers. I would strongly recommend that you think hard before ticking this option, however, as I am a strong believer in not crossing the streams when it comes to running dual SOEs.
“Also apply…” option greyed out as it’s not a down level (a.k.a. Windows XP) supported setting.
Note2: The other option you may want to consider is the “Redirect the folder back to the local userprofile location when policy is removed”. What this means is that if a user is no longer subject to that Group Policy setting then the contents of the redirected folder are moved back to the local computer. This sounds good until this actually happens to a user and it then takes them about 2 hours to copy all their files down to the local computer. I recommend that you leave this at the default setting.
Step 6. As we did not tick the “Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP and Windows Server 2003 operating systems” setting… phew… then you will need to press the “Yes” button.
Now repeat the steps above to configure all the other redirected folders (as shown below).
Note: You will see on the Pictures, Music or Video options you will have the option to select the “Follow the Documents folder” option. However I have found that selecting this option can cause the Video and Music libraries in Windows 7 to disappear so i recommend that you do n so that they will automatically inherit the Documents settings.
Warning (Pre Windows 7): When enabling folder redirection for existing users for the first time, expect the logon to be very slow. Not only are you copying the contents of all the user’s personal folders across the network to the server, you are doing this for multiple users at the same time when they log in. This means that it is highly likely that your file server will be the bottleneck. To mitigate this you might want to security filter the policy and only enable it for a few users at a time, working your way up to all your users.
Folder Redirection Improvements in Windows 7
Fast First Logon
One of the new features in Windows 7 is called Fast First Logon, which allows users to log on to their computer without having to wait for the folders to be moved first. This means if you are enabling folder redirection for users already running Windows 7 the performance impact will be greatly reduced.
the user must wait only for Windows to move the files into the local Offline Files cache. After the files are moved, the user logs on and is free to perform other tasks while Windows synchronizes the locally cached data over the network as a background task
As all redirected folders are also made available offline, users can work on their files when in offline mode but still have them periodically sync in the background when connected via a slow link. This is very useful for roaming users connected via a VPN or even when the file server might be experiencing heavy load.
When the network connection is slow or unavailable, Offline Files routes requests for the user folders that are stored on the server to the local computer cache. Users read and write from their local cache. Offline Files synchronizes new and changed files and folders from the local computer cache to the server when the network becomes available or in the background when the connection is slow.
The difference between Local, LocalLow and Roaming Applications Data
One of the most confusing aspects of folder redirection is all the types of Application Data folders there are and what they do. Below is my attempt at explaining the difference between the Application Data folders and how they will affect your computers.
Local and LocalLow folders for application data that does not roam with the user.
Local AppData & AppData
The “LocalAppData” and “AppData” folders for a user that does not have folder redirection enabled are one and the same and will be located at “C:\Users\USERNAME\AppData\Local”. The most commonly saved files in this path would be very large cache files that would be impractical to constantly send and receive across the network. As the files are only caches there would be no issues if they were lost, as the information would simply need to be re-cached. A good example of this is the path configured in the TEMP and TMP variables, which is where most applications are configured to save temporary files.
That being said, when folder redirection is enabled the “AppData” environment variable will point to the network path that is configured in the Group Policy (see image below). This then splits your AppData folder into two locations: any application configured to use the “AppData” variable will be pointed to the path on the network, and any application that is configured to use the “LocalAppData” variable will still be pointed to the local hard drive.
Enabling folder redirection for AppData is far more practical to do with Windows Vista/7 than Windows XP, as the offline file cache can seamlessly transition from online to offline mode if the network latency goes above a threshold.
Warning: If you are running Windows XP and the user is connected via a slow link then the effect of having this folder redirected could be devastating to the user’s performance. In my experience even the simple act of scrolling a Word document requires constant writing to this “Local” application data folder.
You can identify whether a user has application data folder redirection enabled by simply running “set” from the command prompt and then looking at the value of the “APPDATA” variable (see image below). The image below also illustrates that the “LOCALAPPDATA” variable will always point to the local hard drive even when folder redirection is enabled.
The “LocalLow” folder for all users is “C:\Users\USERNAME\AppData\LocalLow”. The BIG difference between “Local” and “LocalLow” is that the latter is specifically intended as a place for “Low Integrity” applications to write files, such as Internet Explorer add-ons like Google Gears, Google Earth, Adobe Acrobat, Apple QuickTime and Microsoft Silverlight. It also appears that this folder is neither redirected nor part of the roaming profile, therefore all information stored in this folder is local to the computer and will not roam with the user.
Updated: Should you enable Local AppData Folder Redirection?
Should AppData Local be redirected? No… Because you can’t… Hence the name “LOCAL”. In the Windows XP days a user would either have their AppData folder online or offline, and no matter how slow your connection was to the server, so long as you still got a response you would stay online, thus bringing your entire computer to a grinding halt. But if the administrator did not enable folder redirection for the users this normally resulted in them having a MASSIVE roaming profile that would take forever to sync during the logon and logoff process. The workaround for this was to exclude the entire AppData folder from the roaming profile, but this meant you risked losing some of the user’s personal data.
As Aaron mentioned in the comments, the decision to enable Application Data folder redirection is one that should not be taken lightly and can have real negative consequences for the performance of your users. As I mentioned above, having AppData folder redirection enabled to a location that is performing slowly will have a very noticeable performance impact for your users, especially if you are running Windows XP. However, not having AppData redirection could mean that you are likely to lose some of the user’s settings and data if their computer’s hard drive fails. A good article to read on the matter is Should AppData be Redirected or Left in the User Profile?, which discusses the pros and cons of enabling AppData redirection.
However now with Windows 7 (and to a lesser extent Vista) the decision to enable folder redirection for Local AppData is tricky at best. Not made any easier by Microsoft on one hand by providing a specific Roaming\AppData folder for persistent information but on the other making improvements to the OS that makes it a far more practical option to enable.
With the new Windows 7 features called Transparent Caching and Background Sync for offline files, the issues with redirecting the Local AppData folder are now largely mitigated, as the users will automatically work on the local copy of the file whenever network performance is poor. This makes it far more practical to enable Local AppData folder redirection, while it is still not something that you really should do…
Updated: Roaming AppData
The “Roaming” AppData folder is located on the user’s local hard drive at “C:\Users\USERNAME\AppData\Roaming”. This is the folder where applications should store all the user’s persistent information.
AppData\Roaming is part of the user’s roaming profile, so when a user logs off their computer the files in this location are copied up to “\\PROFILESERVER\Users$\USERNAME\Profile.v2\AppData\Roaming”. Any well written application for Windows Vista or later should be aware of the Roaming Application Data folder and should use this folder to save persistent information. A good example of something that should be saved to this location is a user’s custom dictionary or a browser’s internet cookies.
So should you enable this “AppData(Roaming)” folder redirection option? Probably not… Why? You should ensure that your computer is always using the local HDD, which should give MAXIMUM performance (unless your drive is REALLY slow). With all the improvements in roaming profile syncing, such as Background Synchronisation (see What’s New in Folder Redirection and User Profiles), the user’s AppData(Roaming) will still be saved to the network to reduce the chance of any data loss for the user.
Updates: Excluding AppData Folders
Some applications may not be well written (SHOCKER) and as such save numerous or large files to the AppData\Roaming folder. This significantly adds to the logon and logoff time, with all the extra time it takes to transfer the excess files. Therefore you should fully understand where applications save their application-specific configuration and look at excluding these folders from the user’s roaming profile so they are not copied up to the network, thus saving a lot of time during logoff and logon.
User State Virtualization Folder Structure Explained
Now that we have configured the user’s roaming profile and folder redirection, the next time a user logs on the required folders will automatically be created on the network to enable User State Virtualization.
As you can see in the image below, a user’s personal folders are part of their roaming profile. The files in these folders (e.g. documents and music) are saved locally and are synchronised asynchronously in the background with the server. Having no folder redirection also means that a user will take some time to log on to a computer for the first time, as they will need to download a copy of the entire profile.
User State Virtualization Folder Structure before Folder Redirection is Applied
After folder redirection is applied to the user you can see that all the user folders (excluding AppData) have been moved up a folder out of the profile and into the root folder for the users data.
User State Virtualization Folder Structure after Folder Redirection is Applied
Hopefully you now have a good idea as to how to set up User State Virtualization in your environment. Just remember that this is not a product but more a combination of roaming profiles and folder redirection to enable a user to use any computer in your organisation while maintaining a consistent experience.
The other part of User State Virtualization that I did not go into in this post is the ability to have all your users’ applications also follow them no matter which computer they log into; however, to do this you need to use Microsoft App-V, and for that I would refer you to Aaron Parker’s Stealthpuppy web site.
This is just a list of other related articles that I have found since writing this post.
Back to another profile setting this week, and this one can save any organisation using Windows Vista or greater a lot of time if you manually provision your accounts. The setting is called “Set roaming profile path for all users logging onto this computer” and it configures the user's roaming profile path, which is normally configured on a per-account basis in Active Directory Users and Computers (see below). Being able to apply this setting via Group Policy means it is one more user attribute that you no longer need to configure on the user's account. This of course makes provisioning user accounts just that little bit simpler, which should save time and reduce the possibility of human error.
This setting can be found under Computer Configuration > Policies > Administrative Templates > System > User Profiles, but as it's a computer-based setting you need to be careful how you apply it. Applying this setting to laptops could be undesirable, as they may try to log on at a remote location with a slow WAN link to the profile server. So if you do apply this to laptops you might want to configure it to point to a DFS namespace path or a DNS alias (if you have subnet masking filtering enabled), which can help point them to a faster, more local path. This of course means it would be really useful to have an OU structure that separates your laptops from your desktop computers.
But I would definitely recommend using this setting if you are using Windows Vista or Windows 7 in your SOE.
Another one…? Yes… Another roaming profiles group policy for this week's setting of the week. But this is a really super cool policy I found while reading the “What’s New in Folder Redirection and User Profiles” (via @stealthpuppy) document that Microsoft recently published. This document mainly goes through the new features of folder redirection in Windows 7, however it also mentions the new group policy/feature called “Background upload of a roaming user profile’s registry file while user is logged on”.
This setting can be found under Computer Configuration > Administrative Templates > System > User Profiles and is specific to Windows 7 or Windows Server 2008 R2.
This policy setting would be very useful as a way to ensure that at least part of a user's profile is saved to the network if they are the type that never likes to log off their computer at night.
There are a few points about this policy which I have summarised below:
Only synchronises the user's registry profile (ntuser.dat), so things like desktop icons and favourites won't sync. (This is what folder redirection is for anyway.)
There are two modes of scheduling the update
Run at set interval – Between 1 hour and 720 hours (30 days).
Run at specified time of day – useful if you only want to run this at 3am so that it only applies to users who stay logged on over night.
The schedule will run at a random time up to an hour after it is supposed to run, so as not to load the file server with a large number of concurrent requests.
If you choose one method of scheduling then it will ignore the set value of the other schedule.
I also have a very strong suspicion that this setting is only compatible if you have Windows 2008 (or later) as the file server so that it can handle the copying of the locked file (ntuser.dat). Please ping me if you can confirm this.
One of the great new features of Group Policy Preferences is the ability to map printers based on a number of criteria, such as group membership, AD Site or even IP address range, to name a few. This allows for some powerful scenarios, such as being able to map all the printers physically near a user based on the computer's IP address. Note: This assumes that the networking team allocates the same subnets to computers located near each other (e.g. a building or floor), but I have found this is often the case.
One of the problems that occurs when you map printers with Group Policy Preferences is that if the user has a roaming profile configured and they then log on to a computer located in another area, they will also have all their old printers from the previous area. Users might not really notice these printer mappings building up over time, but they can soon amass a large number of mappings that makes their computer slow to log on.
Question: So how do you map all the printers in one location but not have them follow you to another location if you are using a roaming profile?
Answer: A two-step solution, which I will go through below. There is also an optional third step that addresses the problem of maintaining default printer mappings once a user gets back to their normal location.
Step 1. The first part is just to create a simple printer mapping that maps the printer targeted by the IP address of the users current computer.
Figure 1. Create New Shared Printer
The images below show the printer “\\server\printer1” being mapped for users that log on to a computer in the 10.1.1.0/24 subnet. It is important to note that we are talking about the IP address range of the computers for which you want to map the printer, not the IP address range of the print server or the printer NIC itself.
Figure 2. Target setting to only be mapped for computers between 10.1.1.0 to 10.1.1.255
Figure 3. Resulting printer mapping
Step 2. The second step is to delete the printer mapping if the IP address of the computer does not fall within the IP address range in which you want the printer to be mapped. To do this we start by copying the existing printer mapping that we made in step 1. This avoids making any typos in either the printer queue name or the IP addresses.
Figure 4. Copying the existing printer mapping made in step 1.
Figure 5. Paste the setting into an unused part of the pane
Figure 6. Both printer mapping entries
Now we change the action and the targeting on the second printer mapping so that it will remove the printer mapping when the user logs on to a computer in another area.
Figure 7. Open the properties of the second printer
Figure 8. Change the Action to “Delete”
Figure 9. Go back to the targeting and change it to an “Is Not” between “10.1.1.0” and “10.1.1.255”
Figure 10. New target rule
Figure 11. Two printer entries to map and then clean up the printer queues for a user based on their location.
Step 3. Maintaining Default Printer Mappings
You have now configured dynamic printer mapping for your users based on their location. However, this solution does have one problem/annoyance: users normally like to set a default printer. If a user were to log on to a workstation in another location and then return to their normal desk, their default printer will have been reset, as it will have been removed. To get around this problem we have to add another rule to the targeting on the Delete printer option so it does NOT delete the printer if it is configured as the default printer. To do this we check the registry location where the default printer is saved and test whether the printer we are deleting is the default printer.
So go back to the targeting option for the Delete printer action and add another test that will check to see if the printer is the default printer.
Figure 12. Add a new Item of type “Registry Match”
Figure 13. Configured Registry Match Setting
Change the Match Type to “Match value data” and the Value data match type to “Substring match” as the value we are looking for will contain other information as well that we don’t care about. Make sure the Hive is set to “HKEY_CURRENT_USER” and the Key Path is set to “Software\Microsoft\Windows NT\CurrentVersion\Windows”. The Value name “Device” is where in the registry the default printer information is saved. We then set the Substring to “\\server\printer1” which is the UNC path to the printer queue. Note: The substring value has to be exactly the same as the value set in the Path for the printer mapping.
There, now you know how to use Group Policy Preferences to map and remove network printers for users based on their physical location, avoiding the build-up of mappings if your users have roaming profiles while still preserving their default printer.
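The combined effect of the Map item, the Delete item and the default-printer check from steps 1 to 3 can be modelled in a few lines, which helps when predicting what a given user will end up with. This is an added example, not part of the original post: the function names and sample values are constructed, and it assumes the Registry Match rule on the Delete item is negated (“Is Not”) and combined with the IP range rule using AND.

```powershell
# Added example: models the item-level targeting built in steps 1 to 3.
# Function names are hypothetical; the sample rows below are constructed.
function ConvertTo-IPv4Number([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Get-PrinterMappingAction {
    param(
        [string]$ComputerIP,      # IP of the computer the user logs on to
        [string]$RangeStart,      # e.g. 10.1.1.0
        [string]$RangeEnd,        # e.g. 10.1.1.255
        [string]$PrinterPath,     # must equal the Path in the printer item
        [string]$DefaultDevice    # HKCU ...\Windows NT\CurrentVersion\Windows, value "Device"
    )
    $ip      = ConvertTo-IPv4Number $ComputerIP
    $inRange = ($ip -ge (ConvertTo-IPv4Number $RangeStart)) -and
               ($ip -le (ConvertTo-IPv4Number $RangeEnd))
    # Substring match against the Device value. Case-sensitive here as the
    # stricter reading of "exactly the same"; that choice is an assumption.
    $isDefault = $DefaultDevice -and $DefaultDevice.Contains($PrinterPath)

    if ($inRange)   { return 'Map' }                     # step 1 item applies
    if ($isDefault) { return 'Keep (default printer)' }  # step 3 blocks the delete
    return 'Delete'                                      # step 2 item applies
}

# Constructed samples: (computer IP, Device value as stored for the default printer)
$samples = @(
    @('10.1.1.57', '\\server\printer1,winspool,Ne00:'),   # at the normal desk
    @('10.1.2.14', '\\server\printer2,winspool,Ne01:'),   # elsewhere, other default
    @('10.1.2.14', '\\server\printer1,winspool,Ne00:'),   # elsewhere, printer1 is default
    @('10.1.2.14', '\\server\printer10,winspool,Ne02:')   # elsewhere, printer10 is default
)
foreach ($s in $samples) {
    $action = Get-PrinterMappingAction -ComputerIP $s[0] -RangeStart '10.1.1.0' `
        -RangeEnd '10.1.1.255' -PrinterPath '\\server\printer1' -DefaultDevice $s[1]
    '{0,-10} {1,-38} {2}' -f $s[0], $s[1], $action
}
```

The last sample row shows a side effect of substring matching: “\\server\printer1” is also a substring of “\\server\printer10”, so printer1 is kept for a user whose default is printer10. Queue names that are prefixes of one another will behave this way.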