Tip: Make sure that the issue is related to the users roaming profile by testing another account with the same or similar privileges on the same computer. If the other computer account also has the same issues or if the issues seems to does not follow them to other computers then it is highly unlikely it is a roaming profile issue.

So lets assume you have troubleshoot this issue for many hours and you are at your wits end about to rip out your hair (if you have any) and have decided to reset the users profile… how do you do it?

In Windows XP days you could just delete the users local and roaming profile files and the next time the user logged on they would generate a new profile. However if you do this in Windows 7 you will find that this no longer works…

So what is the correct way to reset a roaming profile in Windows 7?

Step 1. Open Active Directory Users and Computers and to the profile tab of the user account you want to reset. Now take note of the roaming profile path….

Step 2. Reboot the users computer that is having issues and logon with an account that has local admin and is NOT the account you are tyring to fix.

Step 3. Open control panel and type “Advanced” in the search field then click on “View advanced system settings”

Step 4. Click on the “Advanced” tab and under User Profiles click the “Settings” button

Step 5. Now select the user you want to reset the profile and press the “Delete” button.

Step 6. Press “Yes”

And now the local copy of the roaming profile is deleted you also need to remove the network copy…

Note: If you have implemented folder redirection as per my Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) then the vast majority of the users information will not be part of the users roaming profile. This means other than a few program setting the users is unlikely to lose any work. The exception to this is the AppData folder however if you are trying to preserve this folder as well note you may be copying over the issues that are trying to fix.

WARNING: Always be careful you have everything backed up before deleting any users profile.

Step 7. Before you log off that computer go to the path you noted in step 1 and delete (or rename) the roaming profile for that users on the network.

Note: You many need to take ownership of the folder before it can be deleted.

Tip: To avoid having to take owner ship of the roaming profile be sure you have enabled the  Add the Administrator security group to roaming users profiles setting.

How to fix the “You have been logged on with a temporary profile” issue in Windows 7

So… that was the easy way… But what do you do if just deleted the users profile files and now the users is “logged on with temporary profile” like you did back in the Windows XP days….

Step 1. Reboot the computer again and logon as the local admin.

Step 2. Open Regedit and go following registry key path:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Step 3. Find the Profile that has the ProfileImagePath of the users you are fixing and delete that entire key.

Step 4. Log off and logon as the user you are trying to fix.

TIP: If this is successful make sure you get the use to log off straight away so the new profile is save to the network which will then propagate to any other computer when then log on.

Hopefully this will have fixed your roaming profile issues and the users is now back up and running with a minimum of fuss… Of course some of the users personal settings may have been lost but hopefully a well managed SOE should allow them to run all the essential programs with little to no additional set up.

Source: I found the registry key trick from this TechNet Forum article http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/5ec0b949-effa-4e30-ba09-dc948a4c7a8b

The idea is simple… a user can logon to any computer in an organisations and have all their personal files and setting apply to that computer as it was the last time they used a computer. This is really a Win/Win for Users and IT Pros as for a user this is a big time saver as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computers. IT Pro’s also benefit when there is an un-expected failure or loss of a computer then they don’t have to go through what could be a lengthily, costly and if not impossible, process of recovering the users data.

The video below is part 1 in a 3 part series that give an overview about how Roaming Profiles and Folder Redirection give you User State Virtualisation.

Now theoretically User State Virtualization can be totally done with just a Roaming Profile, however this quickly becomes impractical as users often store a LOT of data which can make users profile impossibly large. To get around this Microsoft users folder redirection to essentially redirect parts of a users profile to a file share on a server where it is centrally access whenever they logon to a computer.

Reference: Managing Roaming User Data Deployment Guide

Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

By redirecting these folders to a server they are only access when needed and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However this restriction is also mitigated by ensuring that the user has a cached copy of these redirected folders.

Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps.

Before you begin I would also recommend that you read the following articles from Microsoft about User State Virtualization.

• Choosing an Appropriate User State Virtualization Solution
• Understanding User State Virtualization Improvements In Windows 7

Note: I am going to mainly focus on Windows Vista/7 setups however most of the setting/principals I do mention below will still apply to Windows XP.

Update: Here is a really good video from Darren Mar-Elia (Fellow Group Policy MVP) from TechEd North America 2011. This session is entitled Optimizing Group Policy in Virtual Desktop (VDI) Environments however much of it covers User State Virtualization.

Setting up Folder Redirections using Group Policy

Below I will show you how to setup folder redirection for you users profiles. It is very important that you realise the impact that redirection some of these folder can have as if users have many GB’s of music of videos on their local computers you could quickly find yourself running out of disk space on the server.

Setting up file server share for User State Virtualization

When setting up the file server you need to be sure that the permission on the folder are setup so that a user can create a new folder however you also need to ensure that they can only see their own files if they start to snoop about.

Below I will go though the setup of a folder to be used for folder redirection and the roaming profiles. Combining a users redirected folders and roaming profile path to the one spot on the network is far easier to manage as it consolidates all the users information in one locations.

Note: This consolidated storage of users information can only applies to Windows Vista/7 systems. Otherwise you will need to create a separate share for roaming profiles with offline caching disabled for Windows XP systems.

Step 1. Create a folder to be used as a root folder for all the users information (e.g. Users)

Step 2. Open the properties of the folder and then go to the Security tab and then click on the Advanced button.

Step 3. Now click on the “Change Permissions” button

Step 4. Un tick “Include inheritable permission form this object’s parent.

Step 5. Click the “Add” button

Explanation: We have now setup a folder with no inheritable file permissions from the parent. We do this so we can remove the Read permission from Users for all subfolders and files in a later step.

You should now see something like this below.

Step 6. Select the Users “Special” ACL and then click the Edit Button.

Step 7. Change the Apply to: permission to “This folder only” and press “OK”

Step 8. Select the Users “Read & execute” ACL and then click the “Edit” button.

Step 9. Again select the “This folder only” option from the Apply to: section and then press “OK”

Notice how the two “This folder only” permissions for Users have now combined into one ACL.

Step 10. Then press “OK” and “OK” to get you back to the Users Properties screen.

Now we need to share the folder…

Step 11. Click on the “Sharing Tab” on the Users Properties screen and then click on the “Advanced Sharing” button.

Step 12. Tick “Share this folder” and give the type in a share name ending with a $ (e.g. Users$) then click on the “Permissions” Button.

Note: The $ symbol at the end of the share name makes it hidden to a users so they cannot browser to the folder. This is not necessary but it is good practice to help stop nosey users.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

you should always hide the profile share using a dollar sign ($).

Step 13. Tick “Allow” for the Full Control permissions (change should then get automatically ticked) and then press OK then OK then Close.

(Optional) Setting up Roaming Profile Folder

If you are still using Windows XP then I would recommend configuring the roaming profile folder is the same as the Users folder for the redirected folders except that you need to disable file caching. Simple repeat the steps above for “Setting up file server share for User State Virtualization” instead use the folder name called “Profiles” and a share name called “Profiles$”.

After you configure the share permissions (see step 13 above) also click on the “Caching” button and select the “No Files or programs from the share folder are available offline” options then press OK then OK then Close.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

You should disable Offline Files

Enabling Access Based Enumeration

Now we are going to enable Access Based Enumeration for the Users$ share so that any users that manually goes to \\server04.contoso.local\users$ will only see their own folder. This is optional however as it simple stops your snooping users from seeing who else is in the organisation.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

This last part is for the former Novell Admins out there. Yes, you could use Access Based Enumeration (ABE) on these new shares; however if there is going to a lot of user folders on any one of these shares you could experience degradation of performance. Enabling ABE on a share does come at a price of performance.

Step 1. Open Server Manager and expand Roles > File Services > Share and Storage Management and then highlight the Users$ share

Step 2. From the menu click on Action and then Properties and then click the “Advanced” button

Step 3: Tick “Enable access-based enumeration” and then click “OK”

Step 4. Click OK

The folder on your server is now ready for your users roaming profiles (Windows Vista/7) and folder redirections.

Tip: You can also also enable a File Screen using the File Server Resource Manager to prevent your users from saving files type of a certain extension (e.g. MP3, AVI or MP4) to their redirected folders. Another option this gives you is the ability to apply an Auto Apply Quota to the users folders and have then get warning email messages whenever they consumer a lot of disk space.

How to configured Roaming Profiles for a user using Group Policy

Before we begin, take the time to watch part 2 video that shows an example of how Roaming Profiles can be used to give your users a better experience. This video also demonstrates some of the pit falls with just implementing a roaming profile for a user without Folder Redirection enabled.

Per User Roaming Profile

You have always been able to configured a users roaming profile patch by configuring the Profile Path on the users account (see image below). This method allows you to granularly configure a users roaming profile path location however it is a lot more laborious process to ensure that they are consistent with the folder redirection policy that is also applied to the users.

Below is the view of a users roaming profile configured to \\server04.contoso.local\users$\%username%\profile . If you are a Windows XP user this will translate to \\server04.contoso.local\users$\sam\profile and if you are a Windows Vista/7 users this will translate to \\server04.contoso.local\users$\sam\profile.v2 .

Explanation: I have added “\profile” onto the end of what would normally be the profile path so that when the profile is created it is placed at the same level as all the other redirected folders. You will see how this works later on in this post.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

You configure the profile location on the Profile or Terminal Services Profile tab within Active Directory Users and Computers.

If you setup the optional Profiles$ share for Windows XP then you will need to make sure the share you use is profiles$ (not users$) and there is no need for the additional \Profiles folder to be specified.

Once feature that was introduced in new version of Active Directory Users and Computer in Windows Server 2003 was the ability to update user attributes with multiple users in one action (see image below). This made the whole process of configuring the users profile patch much easier especially when dealing with many users accounts.

Per Computer Roaming Profile

Before Windows Vista the only way you could configure the roaming profiles path for a users was by configuring it on the users account via Active Directory Users and Computers. While configuring the roaming profile path on the users account is now far easier with the multiple user attribute update feature this still left the setting configured for each individual users and unless you do an audit of all the user account it is possible that some path’s could be setup incorrectly.

However in ever since Windows Vista there is now a group policy setting you can apply to computers that configured the roaming profile path for anyone who logs onto that computer called “Set roaming profile path for all users logging onto this computer”.

Warning: The biggest problem with the Per Computer roaming profile configuration is that there is no way to exclude you administrator accounts from also getting this policy as it is a per computer policy. This means if any administrator logs on to a workstation with this policy applied they will be configured to use a roaming profile.

Step 1. Edit a Group Policy object that is targeted to your workstations

Step 2. Navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles and enable the “Set roaming profile path for all users logging onto this computer” and configure the path to \\PROFILESERVERNAME\Users$\%username%\profile .

Explanation: I have added “\profile” onto the end of what would normally be the profile path so that when the profile is created it is placed at the same level as all the other redirected folders. You will see how this works later on in this post.

If you are still running Windows XP this policy works very well if you have used a geographical OU structure (see Best Practice: Active Directory Structure Guidelines – Part 1 ) for your workstations as you will be able to send the users  roaming profile path for each user  to a local file server. This would allow you to point users in the local site to the closest/quickest roaming profile server to reduce the time it takes to logon and logoff. However as Windows Vista and Windows 7 now uploads the profile asynchronously loading the profile via a higher latency lower bandwidth link is not so noticeable unless the users has never logged on to that computer before.

Which do I recommend?

Amazingly I am not going to recommend the per computer Group Policy method as there is no way you can get around not having a roaming profile if you logon as an administrator. This is a real show stoper as I think it is really bad for administrator accounts should not be encumbered with “crud” in their profile when logging onto a computer.

Therefore I recommend the per user roaming profile configuration method, which is made much easier to do with the multiple user attribute update option you get with the newer version of Active Directory Users and Computers.

Other Roaming Profile Group Policy settings

In this section I will go through (in no particular order) the Group Policy settings I recommend you configure for setting up roaming profiles.

Computer Configuration > Policies > Administrative Templates > System

• Verbose vs normal status messages

Reference: Managing Roaming User Data Deployment Guide

Windows Vista provides little information about the status of loading or unloading roaming profiles during user logon and logoff. This lack of information is misleading and may give a user the impression Windows Vista is unresponsive.

Computer Configuration > Policies > Administrative Templates > Systems > User Profiles

• Add the Administrator security group to roaming users profiles (HIGHLY RECOMMEND)
• Background upload of a roaming user profile’s registry file while user is logged on
• Delete use profiles older than a specified number of days on system restart

Users Configuration > Policies > Administrative Templates > Systems > User Profiles

• Do not check for users ownership of Roaming Profile Folders

Usefully if you are doing a cross domain/forest migration of user accounts. Also reduces logon issues caused by incorrectly set permissions on the folders.

• Limit profile size (NOT RECOMMENDED)

Reference: Managing Roaming User Data Deployment Guide

Vista still respects this policy setting; however, no longer prevents the user from logging off the computer. Windows does not synchronize the user’s profile to the profile server when it exceeds the policy enabled limit.

• Exclude directories in roaming profile

Handy to exclude applications that incorrectly write very large caches from the users Application Data folder if you do not have folder redirection enabled.

Trusted Sites

• As you are redirecting the Desktop and Start Menu to a network location you will need to add the file server into the trusted sites list otherwise Windows will warn you are trying to run a program form an un-trusted location (see below).

Tip: To avoid having to enter in the name of every file server in your organisation simple added the Domain name portion of the server name so that all servers will be Intranet Zone (e.g. file://*.contoso.local ). See my other blog post How to use Group Policy to configure Internet Explorer security zone sites on how to do this…

Error Message you will get if you do not add you file servers into the Intranet Zone.

Updates: Roaming Profile Improvement in Windows 7

Background Synchronisation

The most significant improvement to Roaming Profiles with Windows 7 is the introduction of a new feature called Background upload of a roaming user profile’s registry file while user is logged on this enables the IT administrator to schedule a background upload of the users NTUSER.dat file if they don’t log off their computer. Even if your users are in the habit of logging off at the end of the day this is a setting you should consider turning on to ensure that the users settings are always being backed up as failures can happen at any time.

How to configure Folder Redirection via Group Policy

Now lets take a look at how to setup folder redirection for a user so that the files stored in their personal folders (e.g. Documents, Music & Videos) are stored on the file server an not on the local computer. By default all folders that are redirected are automatically made available offline which is done so that users can still access their personal files if they are disconnected from the file server. On a Windows XP system this can add substantial time to the logon/logoff process as the user has to wait for the files to be synced however in Windows Vista/7 this is done in the background therefore it is a much more seamless process.

Part 3 of this video series also goes though an example that explains how Folder Redirection can help your roaming user access their files from various desktops and laptops.

Step 1. Edit a Group Policy Object that is targeted to your users and navigate to User Configuration > Policies > Windows Settings > Folder Redirection > Documents

Now we are going to setup folder redirections for the Documents (a.k.a. My Documents) folder as this is the most commonly redirected folder however you will need to repeat the same instructions for each of the other folders (if required).

Step 2. From the menu click on Action and then Properties

Step 3. Select the “Basic – Redirect everyone’s folder to the same location” option

For the purpose of this demo I am only going to show you how to setup a “Basic” redirection. However if you want to spread out the users amongst multiple locations you can use the advanced options and apply a different folder redirection based on the users security group membership (see image below). This option is useful if you want to distribute the load across multiple server but it can start to get complicated as the users roaming profile may then be stored in a different locations to their redirected folders. Also be careful with the order you apply these advanced settings as if the users is a member of multiple groups it will pick up the top entry in the list and there is no way to reorder the list after the entries are created. For these reasons unless you REALLY want to you should try and avoid using the Advanced option.

Advanced redirection (just for your FYI)

Step 4. Select the “Create a folder for each user under the root path” option under the “Target folder location” and then type the full UNC path in the root path that we created before (e.g. \\server04.contoso.local\users$ ) then click on the “Settings” Tab.

Step 5. Un tick “Grant the user exclusive rights to Documents”

Explanation: If leave “Grant the user exclusive rights to Documents” ticked then when the folder is initially setup Windows will block inheritance on the folder and grant exclusive access to the users on these files. This will lockout even administrators to the files which makes administration of these folders very difficult. If an administrator did need to access these files they will need to take ownership which in turn removes access from the users to their files. The admin will then need to ensure that they need to re-setup the permission on the folder to ensure that they users can still access the files….. very messy…  The only scenario I see you wanting to keep this ticked is if you have a VERY strict privacy policy in your organisation but as I said before its not as if a determined administrator cannot get access to these files if they really wanted to.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

By default, Administrators do not have permissions to users’ redirected folders. If you require the ability to go into the users folders you will want to go to the “Settings” Tab, and uncheck: “Grant the user exclusive rights to” on each folder that is redirected. This allows Administrators to enter the users redirected folder locations without taking ownership of the folder and files.

Note: If this is also one of the support folder redirection types in Windows XP you will have the option to also apply this policy to Windows XP computers. I would strongly recommend that you think hard before ticking this option however as I am a strong believer in not crossing the streams when it comes to running dual SOE’s.

“Also apply…” option greyed out as its not a down level (a.k.a. Windows XP) supported setting.

Note2: The other option you may want to consider it the “Redirect the folder back to the local userprofile location when policy is removed”. What this means is that if a users is not longer subject to that Group Policy setting the the contents of the redirected folder are moved back to the local computer. This sounds good until this actually happens to a users and then it takes them about 2 hours to copy all their file down to the local computers. I recommend that you leave this at the default setting.

Step 6. As we did not tick the “Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP and Windows Server 2003 operating systems” setting… phew… then you will need to press the “Yes” button.

Now repeat the setups above to configured all the other redirected folders (as shown below).

Note: You will see on the Pictures, Music or Video options you will have the option to select the “Follow the Documents folder” option. However I have found that selecting this option can cause the Video and Music libraries in Windows 7 to disappear so i recommend that you do n so that they will automatically inherit the Documents settings.

Warning (Pre Windows 7): When enabling folder redirection for existing users for the first time expect the logon to be very slow. Not only are you copying the contents of all the user’s personal folders across the network to the server you are doing this for multiple users at the same time when the login. This means that it is highly likely that your file server will be the bottle neck. To mitigate this you might want to security filter the policy and only enable it for a few users at a time working you way up to all your users.

Folder Redirection Improvements in Windows 7

Fast First Logon

One of the new feature with Windows 7 is called Fast First Logon which allows users to logon to their computer without having to wait for the folder to be moved first. This means if your are enabling folder redirection for users already running Windows 7 the performance impact will be greatly reduced.

Reference: What’s New in Offline Files

the user must wait only for Windows to move the files into the local Offline Files cache. After the files are moved, the user logs on and is free to perform other tasks while Windows synchronizes the locally cached data over the network as a background task

Background Synchronisation

As all redirected folder are also made available offline it allows users to work on their files when in offline mode but still have them periodically sync in the background when connected via a low link. This is very useful for roaming users connected via a VPN or even when the file server might be experiencing heavy load.

Reference: What’s New in Folder Redirection and User Profiles

When the network connection is slow or unavailable, Offline Files routes requests for the user folders that are stored on the server to the local computer cache. Users read and write from their local cache. Offline Files synchronizes new and changed files and folders from the local computer cache to the server when the network becomes available or in the background when the connection is slow.

The difference between Local, LocalLow and Roaming Applications Data

One of the most confusing aspect of folder redirection is all the type of Application Data folders there are and what they do. Below is my attempt at trying to explain the difference between the Applications Data folders and how they will affect your computers.

Reference: Managing Roaming User Data Deployment Guide

Local and LocalLow folders for application data that does not roam with the user.

Local AppData & AppData

The “LocalAppData” and “AppData” folder’s for a user that does not have folder redirection enabled is one and the same and will be located at “C:\Users\USERNAME\AppData\Local”. The most commonly saved files in this path would be very large cache files that would be impractical to constantly send and receive across the network. As the files are only cache’s then there would be no issues if they were lost as they information would simple need to be re-cached. A good example of this is the TEMP and TMP path variable that is configured where most applications are configured to save temporary files.

That being said when folder redirection is enabled the “AppData” environment variable will point to the network path that it is configured in the Group Policy (see image below). This then splits you AppData folder into two locations with any application configured to use the “AppData” variable will be pointed the path on the network and any application that is configured to use the “LocalAppData” variable will still be pointed to the local hard drive.

Enabling folder redirection for AppData is far more practical to do with Windows Vista/7 than Windows XP as the offline file cache can seamless transition form offline to online mode if the network latency goes above a threshold.

Warning: If you are running Windows XP and the users is connected via a slow link then the affect of having this folder redirected could be devastating to the users performance. In my experience even the simple act of scrolling a word document requires constant writing to this “Local” application data folder.

To identify if a user has application data folder redirection enabled by simple running “set” from the command prompt and the look at the value of the  “APPDATA” variable (see image below). The below image also illustrates that the “LOCALAPPDATA” variable will always point to the local hard drive even when folder redirection is enabled.

LocalLow AppData

The “LocalLow” folder for all users is “C:\Users\USERNAME\AppData\LocalLow”.  This BIG difference of “Local” to “LocalLow” is that it is specifically intended as a place for “Low Integrity” applications to write files such as Internet Explorer add-on like Google Gears, Google Earth, Adobe Acrobat, Apple QuickTime and Microsoft Silverlight. It also appears that this folder is neither redirected nor part of the roaming profile therefore all information stored into this folder is local to the computer and will not roaming with the user.

Reference: The difference between Local and LocalLow Folders

Updated: Should you enabled Local AppData Folder Redirection?

Should AppData Local be redirected? No… Because you Can’t… Hence the name “LOCAL”. In Windows XP days a users would either have their AppData folder online or offline and not matter how slow your connection was to the server so long as your still got a response you would stay online thus bringing your entire computer to a grinding halt. But if the Administrator did not enable folder redirection for the users this normally resulted in them having a MASSIVE roaming profile that would take forever to sync during the logon and logoff process. The work around to this was to exclude the entire AppData folder from the roaming profile but this meant you risked losing some of the users personal data.

As Aaron mentioned in the comments the decision to enable Application Data folder redirection is one that should not be taken lightly and can have real negative consequences for the performance of your users. As I mentioned above having AppData folder redirection enabled to a location that is performing slow will have very noticeable performance impact for your users especially if you are running Windows XP. However not having AppData redirection could mean that you are likely to lose some of the users settings and data if their computer’s hard drive fails. A good article to read on the the matter is Should AppData be Redirected or Left in the User Profile? which discuses the Pro’s and Con’s of enabling AppData Redirection.

However now with Windows 7 (and to a lesser extent Vista) the decision to enable folder redirection for Local AppData is tricky at best. Not made any easier by Microsoft on one hand by providing a specific Roaming\AppData folder for persistent information but on the other making improvements to the OS that makes it a far more practical option to enable.

The new Windows 7 features called Transparent Caching and Background Sync for offline files the issues with redirecting the Local AppData folder are now largely mitigated as the users will automatically work on the local copy of the file whenever network performance is poor. Thus making it far more practical to enable Local AppData folder redirection while still not something that you really should do…

Updated: Roaming AppData

The “Roaming” AppData folder is located on the user local hard drive at “C:\Users\USERNAME\AppData\Roaming” this is the folder where applications should store all the users persistent information.

AppData\Roaming is part of the users roaming profile so when a user log’s off their computer the files are location are copied up to “\\PROFILESERVER\Users$\USERNAME\Profile.v2\AppData\Roaming”. Any well written application for Windows Vista or later should be aware of the Roaming Application Data folder and should use this folder to save persistent information. A good example of something that should be saved to this location is a users custom dictionary or a browsers internet cookies.

Reference Managing Roaming User Data Deployment Guide

Roaming folder for application specific data, such as custom dictionaries, which are machine independent and should roam with the user profile.

Below is a screen shot of a users AppData\Roaming folder as stored on the local computer and the same location stored on the server.

Note: Unlike the users Registry information in the ntuser.dat file on Windows 7 the AppData\Roaming folder cannot be synchronised using the Background upload of a roaming user profile’s registry file while user is logged on setting.

AppData\Roaming on the local computer	AppData\Roaming store on the Server

So Should you enable this “AppData(Roaming)” folder redirection option? Probably not…. Why? You should ensure that your computers it is always using the local HDD which should give MAXIMUM performance (unless you driver is REALLY slow). This with all the improvements in Roaming Profiles Syncing such as Background Synchronisation (See What’s New in Folder Redirection and User Profiles) then the user AppData(Roaming) will still be saved to the network to reduce chance of any data loss for the user.

Updates: Excluding AppData Folders

Some applications may not be well written (SHOCKER) and as such save a numerous or large files to this location to the AppData\Roaming folder. This significantly adds to the logon and logoff with all the extra it takes to transfer all the excess files. Therefore you should fully understand where applications save the applications specific configuration and look at excluding these folders from the users roaming profile so they are not copied up to the network thus saving a lot of time during logoff and logon.

For a good starting point of a list of common applications that save large amount of information into the AppData\Roaming folder check out Stealthpuppy: Reduce logon times by excluding the bloat .

User State Virtualization Folder Structure Explained

Now that we have configured the user roaming profile and folder redirections the next time a users logon they will automatically create the required folders on the network for them to enable User State Virtualization.

As you can see below in the image below a user personal folders are part of their roaming profile. The files in these folders (e.g. documents and music) are saved locally and are synchronised asynchronously in the background with the server. Having no folder redirection also means that a users will take some time to logon to a computer for the first time as you will need to download a copy of the entire profile.

User State Virtualization Folder Structure before Folder Redirection is Applied

After folder redirection is applied to the user you can see that all the user folders (excluding AppData) have been moved up a folder out of the profile and into the root folder for the users data.

User State Virtualization Folder Structure after Folder Redirection is Applied

Summary

Hopefully you now have a good idea as to how to setup User State Virtualization in your environment. Just remember that this is not a product but more a combination of roaming profiles and folder redirection to enable a users to use any computer in your organisation while maintaining a consistent experience.

The other part of User State Virtualization that I did not go into on this post was the ability to have all your users applications also follow them no matter which computer they are log into however to do this you need to use Microsoft App-V and for that i would refer you to Aaron Parker’s Stealthpuppy web site.

Other Resources

This is just a list of other related articles that I have found since writing this post.

• Best Practices for User Profiles (Windows XP)

This setting can be found under Computer Configuration > Policies > Administrative Templates > System > User Profiles but as its a computer based setting this also means that you need to be careful how you apply this setting. Applying this setting to laptop could be undesired as they may try to log into a remote location with a slow WAN link to the profile server. So if you do apply this to the laptop you might want to configured it to point to a DFS namespace path or a DNS alias (if you have subnet masking filtering enabled) which can help point them to a faster more local path. This of course means it would be really useful to have a OU structure that separate your laptops from your desktop computer.

But I would definitely recommend use this setting if you are using Windows Vista or Windows 7 in your SOE.

This setting can be found under Computer Configuration > Administrative Templates > System > User Profiles and is specific to Windows 7 or Windows Server 2008 R2.

This policy setting would be very useful as a way to ensure that at least part of a users profile is save to the network if they are they type that never like to log off their computer at night.

There are a few points about this policy which I have summarised below:

• Only synchronises the users registry profile (ntuser.dat) so things like desktop icons and favourites wont sync. (This is what folder redirection is for any way).
• There are two modes of scheduling the update
  • Run at set interval – Between 1 hour and 720 hours (30 days).
  • Run at specified time of day – useful if you only want to run this at 3am so that it only applies to users who stay logged on over night.
• The schedule will run randomly any time up to an hour after it is supposed to run so to not load the file server with a large number of concurrent requests.
• If you choose one method of scheduling then it will ignore the set value of the other schedule.

I also have a very strong suspicion that this setting is only compatible if you have Windows 2008 (or later) as the file server so that it can handle the copying of the locked file (ntuser.dat). Please ping me if you can confirm this.

One of the problems that occur when you map printers with Group Policy Preferences is that if the user has a roaming profile configured and they then logon to a computer that is located in another area they will have all also have their old printers from the previous area. Now user might not really notice these printer mapping building up over time but they can soon amass a large number of mappings that makes their computer run slow to logon.

Question? So how do you map all the printers in one location but not have them follow you to another location if you are using a roaming profile?

Answer? Is a two step solution which I will go through below. There is also an optional third step that address the problem maintaining default printer mappings once a user gets back to their normal location.

Step 1. The first part is just to create a simple printer mapping that maps the printer targeted by the IP address of the users current computer.

Figure1. Create New Shared Printer

The images belo shows the printer “\\server\printer1” being mapped for the users that logon to a computer that is in the 10.1.1.0/24 subnet. It is important to note that we are talking about the IP address range of the computer that you want to map the printer not the IP address range of the printer server or the printer NIC itself.

Figure 2. Target setting to only be mapped for computers between 10.1.1.0 to 10.1.1.255

Figure 3. Resulting printer mapping

Step 2. The second step is to delete the printer mapping if the IP address of the printer does not fall within the IP address range that you want the printer to be mapped. To do this we start by copying the existing printer mapping that we made in step 1. This avoids making any typo’s in either the printer queue name of the IP addresses.

Figure 4. Copying the existing printer mapping made in step 1.

Figure 5. Paste the setting into an unused part of the pane

Figure 6. Both printer mapping entries

Now we make the changes to the action on the second printer mapping targeting so that it will remove the printer mapping when the user logs onto a computer in another area.

Figure 7. Open the properties of the second printer

Figure 8. Change the Action to “Delete”

Figure 9. Go back to the targeting and change it to an “Is Not” between “10.1.1.0” and “10.1.1.255”

Figure 10. New target rule

Figure 11. Two printer entries to map and then clean up the printer queues for a user based on their location.

Step 3. Maintaining Default Printer Mappings

You have now configured dynamic printer mapping for your user based on location of the user. However this solution does have one problem/annoyance, user normally like to set a default printer. If a user was to logon to a workstation in another location then return to their normal desk their default printer will have been reset as it will have been removed. To get around this problem we have to add another rult to the targeting on the Delete printer option so it does NOT delete if the printer is configured as the default printer. To do this we check the registry location that the default printer is saved and test to see if the printer we are deleting is the default printer.

So go back to the targeting option for the Delete printer action and add another test that will check to see if the printer is the default printer.

Figure 12. Add a new Item of type “Registry Match”

Figure 13. Configured Registry Match Setting

Change the Match Type to “Match value data” and the Value data match type to “Substring match” as the value we are looking for will contain other information as well that we don’t care about. Make sure the Hive is set to “HKEY_CURRENT_USER” and the Key Path is set to “Software\Microsoft\Windows NT\CurrentVersion\Windows”. The Value name “Device” is where in the registry the default printer information is saved. We then set the Substring to “\\server\printer1” which is the UNC path to the printer queue. Note: The substring value has to be exactly the same as the value set in the Path for the printer mapping.

There, now you know how to use Group Policy Preferences to map and remove network for users based on their physical location while avoiding the build up of mapping if your user have roaming profiles while still preserving their default printer.