How to configure Roaming Profiles and Folder Redirection

Read Me First: If you are using Folder Redirection with Windows 7 in your organisation then I would definitely recommend that you check my other blog post about a pretty nasty Folder Redirection bug and how to fix it at Disappearing Folder Redirection Issues with Windows 7.

Update: I have a new blog post that describes the new “Primary Computer” feature in Windows 8 for folder redirection at How to configure a “Primary Computer” (a.k.a. msDS-PrimaryComputer property) in Windows 8. I also talk about this feature in a TechNet Edge video at EdgeShow 55.

Roaming Profiles and Folder Redirection are what allow a user to log on to any computer in an organisation and have all their personal files and settings apply to that computer as they were the last time they used a computer. This is really a win/win for users and IT Pros: for a user this is a big time saver as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computer. IT Pros also benefit: when there is an unexpected failure or loss of a computer they don’t have to go through what could be a lengthy, costly, if not impossible, process of recovering the user’s data.

Now theoretically User State Virtualization can be done entirely with just a Roaming Profile, however this quickly becomes impractical as users often store a LOT of data, which can make a user’s profile impossibly large. To get around this Microsoft uses folder redirection to essentially redirect parts of a user’s profile to a file share on a server, where it is accessed centrally whenever they log on to a computer.

In case you are still wondering what User State Virtualization is then check out the overview video from Microsoft below:

Reference: Managing Roaming User Data Deployment Guide

Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

By redirecting these folders to a server they are only accessed when needed and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However this restriction is mitigated by ensuring that the user has a cached copy of these redirected folders.

Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps.

Before you begin I would also recommend that you read the following articles from Microsoft about User State Virtualization.

Note: I am going to mainly focus on Windows Vista/7 setups however most of the settings/principles I mention below will still apply to Windows XP.

Update: Here is a really good video from Darren Mar-Elia (Fellow Group Policy MVP) from TechEd North America 2011. This session is entitled Optimizing Group Policy in Virtual Desktop (VDI) Environments however much of it covers User State Virtualization.

Setting up Folder Redirections using Group Policy

Below I will show you how to set up folder redirection for your users’ profiles. It is very important that you realise the impact that redirecting some of these folders can have: if users have many GBs of music or videos on their local computers you could quickly find yourself running out of disk space on the server.

For another good overview of Redirected Folder take a look at the video below:

Setting up file server share for User State Virtualization

When setting up the file server you need to be sure that the permissions on the folder are set up so that a user can create a new folder; however you also need to ensure that they can only see their own files if they start to snoop about.

Below I will go through the setup of a folder to be used for folder redirection and the roaming profiles. Combining a user’s redirected folders and roaming profile path into the one spot on the network is far easier to manage as it consolidates all the user’s information in one location.

Note: This consolidated storage of users’ information only applies to Windows Vista/7 systems. Otherwise you will need to create a separate share for roaming profiles with offline caching disabled for Windows XP systems.

Step 1. Create a folder to be used as a root folder for all the users information (e.g. Users)

Step 2. Open the properties of the folder and then go to the Security tab and then click on the Advanced button.


Step 3. Now click on the “Change Permissions” button


Step 4. Untick “Include inheritable permissions from this object’s parent”.

Step 5. Click the “Add” button


Explanation: We have now setup a folder with no inheritable file permissions from the parent. We do this so we can remove the Read permission from Users for all subfolders and files in a later step.

You should now see something like this below.


Step 6. Select the Users “Special” ACL and then click the Edit Button.


Step 7. Change the Apply to: permission to “This folder only” and press “OK”


Step 8. Select the Users “Read & execute” ACL and then click the “Edit” button.


Step 9. Again select the “This folder only” option from the Apply to: section and then press “OK”


Notice how the two “This folder only” permissions for Users have now combined into one ACL.

Step 10. Then press “OK” and “OK” to get you back to the Users Properties screen.


Now we need to share the folder…

Step 11. Click on the “Sharing Tab” on the Users Properties screen and then click on the “Advanced Sharing” button.


Step 12. Tick “Share this folder” and type in a share name ending with a $ (e.g. Users$) then click on the “Permissions” button.

Note: The $ symbol at the end of the share name makes it hidden from users so they cannot browse to the folder. This is not necessary but it is good practice to help stop nosey users. Hiding the share is not an access control; the NTFS permissions set above are what actually keep users out of each other’s folders.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

you should always hide the profile share using a dollar sign ($).


Step 13. Tick “Allow” for the Full Control permissions (change should then get automatically ticked) and then press OK then OK then Close.


(Optional) Setting up Roaming Profile Folder

If you are still using Windows XP then I would recommend configuring the roaming profile folder the same way as the Users folder for the redirected folders, except that you need to disable file caching. Simply repeat the steps above for “Setting up file server share for User State Virtualization” but instead use a folder called “Profiles” and a share name of “Profiles$”.

After you configure the share permissions (see step 13 above) also click on the “Caching” button and select the “No files or programs from the shared folder are available offline” option then press OK then OK then Close.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

You should disable Offline Files


Enabling Access Based Enumeration

Now we are going to enable Access Based Enumeration for the Users$ share so that any user who manually goes to \\server04.contoso.local\users$ will only see their own folder. This is optional, however, as it simply stops your snooping users from seeing who else is in the organisation.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

This last part is for the former Novell Admins out there. Yes, you could use Access Based Enumeration (ABE) on these new shares; however if there is going to be a lot of user folders on any one of these shares you could experience degradation of performance. Enabling ABE on a share does come at a price of performance.

Step 1. Open Server Manager and expand Roles > File Services > Share and Storage Management and then highlight the Users$ share


Step 2. From the menu click on Action and then Properties and then click the “Advanced” button


Step 3: Tick “Enable access-based enumeration” and then click “OK”


Step 4. Click OK


The folder on your server is now ready for your users’ roaming profiles (Windows Vista/7) and folder redirections.
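
The GUI steps above (root folder permissions, hidden share, caching and Access Based Enumeration) can also be scripted. The PowerShell below is an added example, not part of the original post; it assumes Windows Server 2012 or later for the SmbShare cmdlets, the local paths D:\Users and D:\Profiles, “Everyone” as the principal given Full Control on the share, and Read & execute plus create-folder as the rights Users keep on the root folder.

```powershell
# Added example: scripted form of the share setup steps in this post.
# Assumptions (not from the post): Windows Server 2012 or later (SmbShare
# module), local paths under D:\, "Everyone" as the share-level principal.
# Run from an elevated PowerShell session on the file server.

function New-UserDataShare {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ShareName,
        # Manual = default offline caching; None = nothing available offline
        [ValidateSet('Manual', 'None')] [string] $CachingMode = 'Manual',
        [switch] $AccessBasedEnumeration
    )

    # Step 1: create the root folder.
    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # Steps 2-5: stop inheriting from the parent, keeping a copy of the
    # inherited entries as explicit entries (the "Add" button in the GUI).
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Steps 6-10: replace the Users entries with a single entry that applies
    # to "This folder only". Users can open the root and create their own
    # folder, but get no rights on other users' subfolders and files.
    # The exact rights are an assumption based on the goal the post states.
    $users     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
    $rights    = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, CreateDirectories'
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::None
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $users, $rights, $inherit, $propagate, $allow

    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules($users)     # drop every explicit entry for Users
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Steps 11-13, caching and ABE: hidden share with Full Control at share
    # level; the NTFS permissions above do the real restricting.
    $enum = if ($AccessBasedEnumeration) { 'AccessBased' } else { 'Unrestricted' }
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' `
            -CachingMode $CachingMode -FolderEnumerationMode $enum | Out-Null
    }

    # Return what was configured so the result can be reviewed.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    [pscustomobject]@{
        Share      = Get-SmbShare -Name $ShareName |
                         Select-Object Name, Path, CachingMode, FolderEnumerationMode
        UsersEntry = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
                         Where-Object { $_.IdentityReference.Value -eq $users.Value }
    }
}

# Consolidated share for redirected folders and Vista/7 roaming profiles.
New-UserDataShare -Path 'D:\Users' -ShareName 'Users$' -AccessBasedEnumeration

# Optional separate profile share for Windows XP, offline caching disabled.
New-UserDataShare -Path 'D:\Profiles' -ShareName 'Profiles$' -CachingMode None
```

The returned UsersEntry should show a single Allow entry with InheritanceFlags set to None, which is the scripted equivalent of “This folder only”.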

Tip: You can also enable a File Screen using the File Server Resource Manager to prevent your users from saving files with certain extensions (e.g. MP3, AVI or MP4) to their redirected folders. Another option this gives you is the ability to apply an Auto Apply Quota to the users’ folders and have them get warning email messages whenever they consume a lot of disk space.

How to configure Roaming Profiles for a user using Group Policy

Before we begin, take the time to watch the part 2 video that shows an example of how Roaming Profiles can be used to give your users a better experience. This video also demonstrates some of the pitfalls of just implementing a roaming profile for a user without Folder Redirection enabled.

 

Per User Roaming Profile

You have always been able to configure a user’s roaming profile path by configuring the Profile Path on the user’s account (see image below). This method allows you to granularly configure a user’s roaming profile path location, however it is a lot more laborious to ensure that the paths are consistent with the folder redirection policy that is also applied to the users.

Windows 8.1 V3 Roaming Profiles

Windows 8 and 8.1 now have another version of roaming profiles which is incompatible with the Windows Vista/7 version (http://support.microsoft.com/kb/2887239). As of the November 2013 Windows 8.1 update there is now a registry key you can set to spawn a .v3 profile to avoid conflicts with older versions of the profile. This registry key is a DWORD value called “UseProfilePathExtensionVersion” with a value of “1” and needs to be created under the HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\ProfSvc\Parameters key. This can then be deployed using the Group Policy Preferences Registry Extension targeted to the Windows 8.1 computers.

Roaming Profile Examples

Below is the view of a user’s roaming profile configured to \\server04.contoso.local\users$\%username%\profile . If you are a Windows XP user this will translate to \\server04.contoso.local\users$\sam\profile, if you are a Windows Vista/7 user this will translate to \\server04.contoso.local\users$\sam\profile.v2, and if you are on Windows 8.1 with the “UseProfilePathExtensionVersion” registry key enabled it will be \\server04.contoso.local\users$\sam\profile.v3

Explanation: I have added “\profile” onto the end of what would normally be the profile path so that when the profile is created it is placed at the same level as all the other redirected folders. You will see how this works later on in this post.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

You configure the profile location on the Profile or Terminal Services Profile tab within Active Directory Users and Computers.


 

If you set up the optional Profiles$ share for Windows XP then you will need to make sure the share you use is profiles$ (not users$) and there is no need for the additional \Profiles folder to be specified.

 

One feature that was introduced in the new version of Active Directory Users and Computers in Windows Server 2003 was the ability to update user attributes for multiple users in one action (see image below). This made the whole process of configuring the users’ profile path much easier, especially when dealing with many user accounts.

Per Computer Roaming Profile

Before Windows Vista the only way you could configure the roaming profile path for a user was by configuring it on the user’s account via Active Directory Users and Computers. While configuring the roaming profile path on the user’s account is now far easier with the multiple user attribute update feature, this still leaves the setting configured for each individual user, and unless you do an audit of all the user accounts it is possible that some paths could be set up incorrectly.

However ever since Windows Vista there has been a Group Policy setting you can apply to computers that configures the roaming profile path for anyone who logs onto that computer, called “Set roaming profile path for all users logging onto this computer”.

Warning: The biggest problem with the Per Computer roaming profile configuration is that there is no way to exclude your administrator accounts from also getting this policy as it is a per computer policy. This means if any administrator logs on to a workstation with this policy applied they will be configured to use a roaming profile.

Step 1. Edit a Group Policy object that is targeted to your workstations

Step 2. Navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles, enable “Set roaming profile path for all users logging onto this computer” and configure the path to \\PROFILESERVERNAME\Users$\%username%\profile .

Explanation: I have added “\profile” onto the end of what would normally be the profile path so that when the profile is created it is placed at the same level as all the other redirected folders. You will see how this works later on in this post.


If you are still running Windows XP this policy works very well if you have used a geographical OU structure (see Best Practice: Active Directory Structure Guidelines – Part 1 ) for your workstations, as you will be able to point the roaming profile path for each user to a local file server. This would allow you to point users in the local site to the closest/quickest roaming profile server to reduce the time it takes to log on and log off. However as Windows Vista and Windows 7 now upload the profile asynchronously, loading the profile via a higher latency, lower bandwidth link is not so noticeable unless the user has never logged on to that computer before.

Which do I recommend?

Amazingly I am not going to recommend the per computer Group Policy method as there is no way to avoid having a roaming profile if you log on as an administrator. This is a real show stopper as I think administrator accounts should not be encumbered with “crud” in their profile when logging onto a computer.

Therefore I recommend the per user roaming profile configuration method, which is made much easier to do with the multiple user attribute update option you get with the newer version of Active Directory Users and Computers.
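
Because per-user paths are set account by account, the audit mentioned earlier is worth scripting. The PowerShell below is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT), the example path convention used in this post, and “Domain Admins” as the group whose members should not have a roaming profile.

```powershell
# Added example: audit per-user roaming profile paths.
# Assumptions (not from the post): RSAT ActiveDirectory module is installed,
# the path convention below is the one in use, and "Domain Admins" is the
# group whose members should have no roaming profile.
Import-Module ActiveDirectory

$Convention = '\\server04.contoso.local\users$\{0}\profile'   # example path from the post
$AdminGroup = 'Domain Admins'

# Distinguished names of every (nested) member of the admin group.
$adminDns = @(Get-ADGroupMember -Identity $AdminGroup -Recursive |
              Select-Object -ExpandProperty distinguishedName)

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties ProfilePath |
    ForEach-Object {
        $expected = $Convention -f $_.SamAccountName

        # The attribute may hold the literal %username% token or the
        # already expanded account name; normalise before comparing.
        $actual = if ($_.ProfilePath) {
            ($_.ProfilePath -replace '%username%', $_.SamAccountName).TrimEnd('\')
        }
        $isAdmin = $adminDns -contains $_.DistinguishedName

        $status =
            if     ($isAdmin -and $actual)       { 'AdminHasRoamingProfile' }
            elseif ($isAdmin)                    { 'OK' }
            elseif (-not $actual)                { 'NoProfilePath' }
            elseif ($actual -ieq $expected)      { 'OK' }
            else                                 { 'PathMismatch' }

        [pscustomobject]@{
            User        = $_.SamAccountName
            Status      = $status
            ProfilePath = $_.ProfilePath
            Expected    = $expected
        }
    }

# Show only the accounts that need attention, grouped by problem type.
$report | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status, User |
    Format-Table -AutoSize
```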

Other Roaming Profile Group Policy settings

In this section I will go through (in no particular order) the Group Policy settings I recommend you configure for setting up roaming profiles.

Computer Configuration > Policies > Administrative Templates > System

Reference: Managing Roaming User Data Deployment Guide

Windows Vista provides little information about the status of loading or unloading roaming profiles during user logon and logoff. This lack of information is misleading and may give a user the impression Windows Vista is unresponsive.

Computer Configuration > Policies > Administrative Templates > System > User Profiles

User Configuration > Policies > Administrative Templates > System > User Profiles

  • Do not check for user ownership of Roaming Profile Folders

Useful if you are doing a cross domain/forest migration of user accounts. Also reduces logon issues caused by incorrectly set permissions on the folders.

  • Limit profile size (NOT RECOMMENDED)

Reference: Managing Roaming User Data Deployment Guide

Vista still respects this policy setting; however, no longer prevents the user from logging off the computer. Windows does not synchronize the user’s profile to the profile server when it exceeds the policy enabled limit.

  • Exclude directories in roaming profile

Handy to exclude applications that incorrectly write very large caches from the users Application Data folder if you do not have folder redirection enabled.

Trusted Sites

  • As you are redirecting the Desktop and Start Menu to a network location you will need to add the file server into the trusted sites list otherwise Windows will warn you that you are trying to run a program from an untrusted location (see below).

Tip: To avoid having to enter the name of every file server in your organisation simply add the domain name portion of the server name so that all servers will be in the Intranet Zone (e.g. file://*.contoso.local ). See my other blog post How to use Group Policy to configure Internet Explorer security zone sites on how to do this…

Error message you will get if you do not add your file servers into the Intranet Zone.

Updates: Roaming Profile Improvement in Windows 7

Background Synchronisation

The most significant improvement to Roaming Profiles with Windows 7 is the introduction of a new feature called “Background upload of a roaming user profile’s registry file while user is logged on”. This enables the IT administrator to schedule a background upload of the user’s NTUSER.dat file if they don’t log off their computer. Even if your users are in the habit of logging off at the end of the day this is a setting you should consider turning on to ensure that the users’ settings are always being backed up, as failures can happen at any time.

How to configure Folder Redirection via Group Policy

Now let’s take a look at how to set up folder redirection for a user so that the files stored in their personal folders (e.g. Documents, Music & Videos) are stored on the file server and not on the local computer. By default all folders that are redirected are automatically made available offline, which is done so that users can still access their personal files if they are disconnected from the file server. On a Windows XP system this can add substantial time to the logon/logoff process as the user has to wait for the files to be synced, however in Windows Vista/7 this is done in the background and is therefore a much more seamless process.

Step 1. Edit a Group Policy Object that is targeted to your users and navigate to User Configuration > Policies > Windows Settings > Folder Redirection > Documents


Now we are going to set up folder redirections for the Documents (a.k.a. My Documents) folder as this is the most commonly redirected folder however you will need to repeat the same instructions for each of the other folders (if required).

Step 2. From the menu click on Action and then Properties

Step 3. Select the “Basic – Redirect everyone’s folder to the same location” option


For the purpose of this demo I am only going to show you how to set up a “Basic” redirection. However if you want to spread out the users amongst multiple locations you can use the advanced options and apply a different folder redirection based on the user’s security group membership (see image below). This option is useful if you want to distribute the load across multiple servers but it can start to get complicated as the user’s roaming profile may then be stored in a different location to their redirected folders. Also be careful with the order you apply these advanced settings as if the user is a member of multiple groups it will pick up the top entry in the list and there is no way to reorder the list after the entries are created. For these reasons unless you REALLY want to you should try to avoid using the Advanced option.

Advanced redirection (just for your FYI)


Step 4. Select the “Create a folder for each user under the root path” option under “Target folder location” and then type the full UNC path of the root folder that we created before (e.g. \\server04.contoso.local\users$ ) then click on the “Settings” tab.

Step 5. Untick “Grant the user exclusive rights to Documents”

Explanation: If you leave “Grant the user exclusive rights to Documents” ticked then when the folder is initially set up Windows will block inheritance on the folder and grant exclusive access to the user on these files. This will lock even administrators out of the files, which makes administration of these folders very difficult. If an administrator did need to access these files they would need to take ownership, which in turn removes access from the user to their files. The admin will then need to re-set up the permissions on the folder to ensure that the user can still access the files….. very messy… The only scenario I see you wanting to keep this ticked is if you have a VERY strict privacy policy in your organisation but as I said before it’s not as if a determined administrator cannot get access to these files if they really wanted to.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

By default, Administrators do not have permissions to users’ redirected folders. If you require the ability to go into the users folders you will want to go to the “Settings” Tab, and uncheck: “Grant the user exclusive rights to” on each folder that is redirected. This allows Administrators to enter the users redirected folder locations without taking ownership of the folder and files.

Note: If this is also one of the supported folder redirection types in Windows XP you will have the option to also apply this policy to Windows XP computers. I would strongly recommend that you think hard before ticking this option however as I am a strong believer in not crossing the streams when it comes to running dual SOEs.

“Also apply…” option greyed out as it’s not a down level (a.k.a. Windows XP) supported setting.

Note2: The other option you may want to consider is “Redirect the folder back to the local userprofile location when policy is removed”. What this means is that if a user is no longer subject to that Group Policy setting the contents of the redirected folder are moved back to the local computer. This sounds good until this actually happens to a user and then it takes them about 2 hours to copy all their files down to the local computer. I recommend that you leave this at the default setting.

Step 6. As we did not tick the “Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP and Windows Server 2003 operating systems” setting… phew… then you will need to press the “Yes” button.


Now repeat the steps above to configure all the other redirected folders (as shown below).

Note: You will see on the Pictures, Music or Video options you will have the option to select the “Follow the Documents folder” option. However I have found that selecting this option can cause the Video and Music libraries in Windows 7 to disappear so I recommend that you do n so that they will automatically inherit the Documents settings.

Warning (Pre Windows 7): When enabling folder redirection for existing users for the first time expect the logon to be very slow. Not only are you copying the contents of all the user’s personal folders across the network to the server, you are doing this for multiple users at the same time when they log in. This means that it is highly likely that your file server will be the bottleneck. To mitigate this you might want to security filter the policy and only enable it for a few users at a time, working your way up to all your users.

Folder Redirection Improvements in Windows 7

Fast First Logon

One of the new features in Windows 7 is called Fast First Logon, which allows users to log on to their computer without having to wait for the folders to be moved first. This means if you are enabling folder redirection for users already running Windows 7 the performance impact will be greatly reduced.

Reference: What’s New in Offline Files

the user must wait only for Windows to move the files into the local Offline Files cache. After the files are moved, the user logs on and is free to perform other tasks while Windows synchronizes the locally cached data over the network as a background task

Background Synchronisation

As all redirected folders are also made available offline, users can work on their files in offline mode but still have them periodically sync in the background when connected via a slow link. This is very useful for roaming users connected via a VPN or even when the file server might be experiencing heavy load.

Reference: What’s New in Folder Redirection and User Profiles

When the network connection is slow or unavailable, Offline Files routes requests for the user folders that are stored on the server to the local computer cache. Users read and write from their local cache. Offline Files synchronizes new and changed files and folders from the local computer cache to the server when the network becomes available or in the background when the connection is slow.

The difference between Local, LocalLow and Roaming Applications Data

One of the most confusing aspects of folder redirection is all the types of Application Data folders there are and what they do. Below is my attempt at explaining the difference between the Application Data folders and how they will affect your computers.

Reference: Managing Roaming User Data Deployment Guide

Local and LocalLow folders for application data that does not roam with the user.

Local AppData & AppData

The “LocalAppData” and “AppData” folders for a user that does not have folder redirection enabled are one and the same and will be located at “C:\Users\USERNAME\AppData\Local”. The most commonly saved files in this path would be very large cache files that would be impractical to constantly send and receive across the network. As the files are only caches there would be no issues if they were lost, as the information would simply need to be re-cached. A good example of this is the TEMP and TMP path variables, which point to where most applications are configured to save temporary files.

That being said, when folder redirection is enabled the “AppData” environment variable will point to the network path that is configured in the Group Policy (see image below). This then splits your AppData folder into two locations: any application configured to use the “AppData” variable will be pointed to the path on the network and any application configured to use the “LocalAppData” variable will still be pointed to the local hard drive.

Enabling folder redirection for AppData is far more practical to do with Windows Vista/7 than Windows XP as the offline file cache can seamlessly transition from offline to online mode if the network latency goes above a threshold.

Warning: If you are running Windows XP and the user is connected via a slow link then the effect of having this folder redirected could be devastating to the user’s performance. In my experience even the simple act of scrolling a Word document requires constant writing to this “Local” application data folder.

To identify whether a user has application data folder redirection enabled simply run “set” from the command prompt and then look at the value of the “APPDATA” variable (see image below). The image below also illustrates that the “LOCALAPPDATA” variable will always point to the local hard drive even when folder redirection is enabled.
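
The same check can be made for every shell folder at once rather than only APPDATA. The PowerShell below is an added example, not part of the original post; it goes beyond the “set” check by reading the logged-on user’s “User Shell Folders” registry values and flagging any that point at a UNC path, and the list of value names it inspects is a selection made for this example.

```powershell
# Added example: list the current user's shell folders and flag the ones
# that are redirected to a network (UNC) path. Run as the user in question.
$Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
# Registry value names chosen for this example ("Personal" is Documents).
$Names = 'AppData', 'Local AppData', 'Desktop', 'Personal', 'My Music',
         'My Pictures', 'My Video', 'Start Menu', 'Favorites'

function Get-ShellFolderRedirection {
    $item = Get-Item -Path $Key
    foreach ($name in $Names) {
        # Read the raw REG_EXPAND_SZ value, then expand %USERPROFILE% etc.
        $raw = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($null -eq $raw) { continue }      # value not present for this user
        $path = [Environment]::ExpandEnvironmentVariables($raw)

        [pscustomobject]@{
            Folder     = $name
            Path       = $path
            Redirected = $path.StartsWith('\\')   # UNC path means a network location
        }
    }
}

Get-ShellFolderRedirection | Format-Table -AutoSize

# Cross-check against the two environment variables discussed above:
# LOCALAPPDATA should be a local path even when APPDATA is a UNC path.
[pscustomobject]@{
    APPDATA      = $env:APPDATA
    LOCALAPPDATA = $env:LOCALAPPDATA
} | Format-List
```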


LocalLow AppData

The “LocalLow” folder for all users is “C:\Users\USERNAME\AppData\LocalLow”. The BIG difference between “Local” and “LocalLow” is that the latter is specifically intended as a place for “Low Integrity” applications to write files, such as Internet Explorer add-ons like Google Gears, Google Earth, Adobe Acrobat, Apple QuickTime and Microsoft Silverlight. It also appears that this folder is neither redirected nor part of the roaming profile, therefore all information stored in this folder is local to the computer and will not roam with the user.

Reference: The difference between Local and LocalLow Folders

Updated: Should you enabled Local AppData Folder Redirection?

Should AppData Local be redirected? No… Because you can’t… Hence the name “LOCAL”. In the Windows XP days a user would either have their AppData folder online or offline, and no matter how slow your connection was to the server, so long as you still got a response you would stay online, thus bringing your entire computer to a grinding halt. But if the administrator did not enable folder redirection for the users this normally resulted in them having a MASSIVE roaming profile that would take forever to sync during the logon and logoff process. The workaround to this was to exclude the entire AppData folder from the roaming profile but this meant you risked losing some of the user’s personal data.

As Aaron mentioned in the comments, the decision to enable Application Data folder redirection is one that should not be taken lightly and can have real negative consequences for the performance of your users. As I mentioned above, having AppData folder redirection enabled to a location that is performing slowly will have a very noticeable performance impact for your users, especially if you are running Windows XP. However not having AppData redirection could mean that you are likely to lose some of the user’s settings and data if their computer’s hard drive fails. A good article to read on the matter is Should AppData be Redirected or Left in the User Profile? which discusses the pros and cons of enabling AppData Redirection.

However now with Windows 7 (and to a lesser extent Vista) the decision to enable folder redirection for Local AppData is tricky at best. It is not made any easier by Microsoft on one hand providing a specific Roaming\AppData folder for persistent information but on the other making improvements to the OS that make it a far more practical option to enable.

With the new Windows 7 features called Transparent Caching and Background Sync for offline files, the issues with redirecting the Local AppData folder are now largely mitigated, as the users will automatically work on the local copy of the file whenever network performance is poor. This makes it far more practical to enable Local AppData folder redirection, while still not something that you really should do…

Updated: Roaming AppData

The “Roaming” AppData folder is located on the user’s local hard drive at “C:\Users\USERNAME\AppData\Roaming”. This is the folder where applications should store all the user’s persistent information.

AppData\Roaming is part of the user’s roaming profile so when a user logs off their computer the files at this location are copied up to “\\PROFILESERVER\Users$\USERNAME\Profile.v2\AppData\Roaming”. Any well written application for Windows Vista or later should be aware of the Roaming Application Data folder and should use this folder to save persistent information. A good example of something that should be saved to this location is a user’s custom dictionary or a browser’s internet cookies.

Reference Managing Roaming User Data Deployment Guide

Roaming folder for application specific data, such as custom dictionaries, which are machine independent and should roam with the user profile.

Below is a screen shot of a users AppData\Roaming folder as stored on the local computer and the same location stored on the server.

Note: Unlike the users Registry information in the ntuser.dat file on Windows 7 the AppData\Roaming folder cannot be synchronised using the Background upload of a roaming user profile’s registry file while user is logged on setting.

Screenshots: AppData\Roaming on the local computer and AppData\Roaming stored on the server.

So should you enable this “AppData(Roaming)” folder redirection option? Probably not… Why? You should ensure that your computers are always using the local HDD for this folder, which should give MAXIMUM performance (unless your drive is REALLY slow). With all the improvements in roaming profile syncing, such as Background Synchronisation (see What’s New in Folder Redirection and User Profiles), the user’s AppData(Roaming) will still be saved to the network, reducing the chance of any data loss for the user.

Updates: Excluding AppData Folders

Some applications may not be well written (SHOCKER) and as such save numerous or large files to the AppData\Roaming folder. This significantly adds to logon and logoff times because of the extra time it takes to transfer all the excess files. Therefore you should fully understand where applications save their application-specific configuration and look at excluding these folders from the user’s roaming profile so they are not copied up to the network, saving a lot of time during logoff and logon.

For a good starting list of common applications that save large amounts of information into the AppData\Roaming folder, check out Stealthpuppy: Reduce logon times by excluding the bloat.
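As an added example (not from the original post), this read-only PowerShell script measures each top-level folder under AppData\Roaming and prints the large ones as relative paths in the semicolon-separated form that the “Exclude directories in roaming profile” policy expects. The two thresholds are assumptions to tune for your environment.

```powershell
# Added example: report which top-level folders under AppData\Roaming are
# large enough to be worth excluding from the roaming profile. Read-only.
param(
    [string]$RoamingPath  = $env:APPDATA,  # C:\Users\USERNAME\AppData\Roaming
    [int]   $MinSizeMB    = 50,            # assumed threshold, tune per site
    [int]   $MinFileCount = 2000           # assumed threshold, tune per site
)

function Get-RoamingFolderUsage {
    param([string]$Path)

    # Top-level folders only: that is the granularity you normally exclude at.
    $folders = Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
               Where-Object { $_.PSIsContainer }

    foreach ($folder in $folders) {
        # Filter on PSIsContainer rather than -File so the script also runs
        # on the PowerShell 2.0 that ships with Windows 7.
        $files = @(Get-ChildItem -LiteralPath $folder.FullName -Recurse -Force `
                       -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })

        $bytes = 0
        foreach ($file in $files) { $bytes += $file.Length }

        New-Object PSObject -Property @{
            Folder      = $folder.Name
            SizeMB      = [math]::Round($bytes / 1MB, 1)
            Files       = $files.Count
            # The policy takes paths relative to the root of the user profile.
            ExcludePath = 'AppData\Roaming\' + $folder.Name
        }
    }
}

$usage = @(Get-RoamingFolderUsage -Path $RoamingPath | Sort-Object SizeMB -Descending)
$usage | Select-Object Folder, SizeMB, Files | Format-Table -AutoSize

# Many small files slow the profile copy as much as a few big ones,
# so flag a folder on either measure.
$candidates = @($usage | Where-Object {
    $_.SizeMB -ge $MinSizeMB -or $_.Files -ge $MinFileCount
})

# Exclusions the policy already applies to this user, if any.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$current   = (Get-ItemProperty -Path $policyKey -Name ExcludeProfileDirs `
                  -ErrorAction SilentlyContinue).ExcludeProfileDirs
$already   = @()
if ($current) {
    $already = @($current -split ';' | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ })
}

$new = @($candidates |
         Where-Object { $already -notcontains $_.ExcludePath } |
         ForEach-Object { $_.ExcludePath })

'Already excluded by policy : ' + ($already -join ';')
'Candidates to review       : ' + ($new -join ';')
```

Review each candidate before adding it to the policy: an excluded folder no longer roams, so any settings an application keeps there stay on that one computer.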

User State Virtualization Folder Structure Explained

Now that we have configured the user roaming profile and folder redirection, the next time a user logs on the required folders will automatically be created on the network to enable User State Virtualization for them.

As you can see in the image below, a user’s personal folders are part of their roaming profile. The files in these folders (e.g. documents and music) are saved locally and are synchronised asynchronously in the background with the server. Having no folder redirection also means that a user will take some time to log on to a computer for the first time, as they will need to download a copy of the entire profile.

User State Virtualization Folder Structure before Folder Redirection is Applied

After folder redirection is applied to the user, you can see that all the user folders (excluding AppData) have been moved up a folder, out of the profile and into the root folder for the user’s data.

User State Virtualization Folder Structure after Folder Redirection is Applied

Summary

Hopefully you now have a good idea of how to set up User State Virtualization in your environment. Just remember that this is not a product but a combination of roaming profiles and folder redirection that enables a user to use any computer in your organisation while maintaining a consistent experience.

The other part of User State Virtualization that I did not go into in this post is the ability to have all your users’ applications also follow them no matter which computer they log into. To do this you need to use Microsoft App-V, and for that I would refer you to Aaron Parker’s Stealthpuppy web site.

Other Resources

This is just a list of other related articles that I have found since writing this post.

Folder Redirection Related Hotfixes

The following is a list of hotfixes that are specific to Folder Redirection and Roaming Profiles

Author: Alan Burchill

Microsoft MVP (Group Policy)

136 thoughts on “How to configure Roaming Profiles and Folder Redirection”

  1. Great article Al, except for the AppData roaming part. Redirecting AppData should be considered very carefully as there are many caveats and drawbacks. See this article and comments for a discussion on AppData: http://www.sepago.de/d/helge/2010/05/31/should-appdata-be-redirected-or-left-in-the-user-profile. Rather than redirecting AppData, exclude folders instead: http://blog.stealthpuppy.com/virtualisation/reduce-logon-times-by-excluding-the-bloat

    Also in regards to “User Virtualisation” – we’re not really virtualising the user are we? Microsoft call it User State Virtualization, which is also a stretch, there’s no virtualisation going on here.

    1. Hello Allan,

      Thank you for such a wonderful article, well explained!

      However, I would like to refer to your wording: “I would say NEVER put your roaming profiles or folders on a Domain Controller… The server is a DC… NOT a file server…. This would just be BAD BAD BAD…” I’ve got a situation where my company is moving to a new server (32GB RAM and an Intel Xeon E5 family CPU), which will be a DC. About 35 users will be hooked up to it, as well as a data storage (RAID 10). Would configuring roaming profiles & folder redirection be a good idea on the storage that is hooked up to a DC, or shall I go with a separate file server for roaming profiles and folder redirection? Would it be advisable to hook the storage to a separate server (serving as a file server) and not meddle with it being hooked up to a DC?

      Else, how do I configure to ONLY roam desktop (users want their desktop backgrounds to roam with them wherever they move)? Everything else (Documents, Pictures, Music, Video) will be redirected via folder redirection.

      I would greatly appreciate any response.

      Cheers,
      Tanel

    2. The server will have the power to do what you want… but the issue with having UserProfiles on your DCs is that your DC should be dedicated to the task of authenticating users. Making it do anything else but that can affect its stability… If that is the ONLY computer you have then you don’t have a choice… But if you have a file server then I would definitely host the roaming profiles and redirected folders on that server.

  2. Excellent information. I’ve been using Roaming Profiles and manual ‘My Documents’ redirection for a long time now with WinXP. This will definitely help eliminate some of the mistakes that can happen and resolve some of my notebook user problems.

    One question, do you have any recommendations on how to migrate users to this methodology? I can see how it works really well for new users.

    1. The jump from WinXP to Windows 7 is a big one… the profiles are not compatible. Best to use something like the User State Migration Tool from Microsoft to migrate the settings you want to copy across.

  3. Hi Alan

    Thanks for a terrific website. The question I have has to do with Working offline/Libraries/Folder Redirection/Offline Files/Indexing.

    I have a Windows Server 2008 R2 domain (and Windows 7 x64 clients) with My Documents redirected to \\ws2008r2\userfolders\%username%\Documents. No problems there getting Offline Files caching the entire folder.

    The problem comes when I disconnect from the network (I use a laptop), the My Documents folder from the Documents Library, the folder disappears and the Library then contains files from only 1 location: the local Public Documents folder!

    When I navigate the offline folder by typing \\ws2008r2\userfolders….. the files are all there and usable. However the fact that it has disappeared from the Documents library is extremely annoying!

    Also at the same time searching My Documents is extremely slow and the whole folder does not seem to be indexed at all.

    Is this your experience with laptops/offline files and redirected My Documents?

    Lastly my tip for using Domain user profiles is to get rid of “Launch folder windows in a separate process” — either through Group Policy Preferences or setting it on your own computer. This is apparently a bug in Windows 7 and will fail to launch explorer.exe and its associated windows if ticked whilst offline!

  4. Great article. However, what I would suggest changing for security practices is the permissions on the users$ share. Instead of the “Everyone” group, it is recommended to use “Domain Users” or “Authenticated Users” (which includes domain computers).

    1. Thanks for the reply… I see why you would do it that way, but I traditionally use Everyone in case and rely upon file and folder permissions… Just a preference, but your suggestion is still very valid…

  5. Very good article, thanks! Now my trouble is trying to use DFS with “User State Virtualization” in Windows 7. It seems that DFS is not supported with the indexing service or something.

    1. Correct. However, you can still replicate the files using DFSR and you “CAN” rely upon DNS subnet mask filtering to use a simple DNS alias… But this is a little tricky… That’s partly why I don’t use DFS namespaces for Folder Redirection.

  6. 2 questions hopefully you can answer. I have multiple sites with many “roaming” users. Some users travel between sites, but most stay at one site. Do you recommend redirecting users’ files & folders to one central file share, or (as I currently have it set) to a user share on a DC server at their main location? I did it this way as I figured it was less traffic over the WAN.

    I am also having a little difficulty adding new Windows 7 machines, as the files & folders (Desktop, My Documents etc.) do not move to Windows 7. I can see the files under a drive that I initiated with a batch file, but it does not update the desktop or Libraries folder. (Users were all on XP Pro previously.)

    Thanks in advance!

    1. If you are running Win7 then I would use a central profile… Performance should still be good… Not sure on second. Have you tried a new user with a clean profile?

  7. Hi,
    Very informative. Please help me with the questions I have. I have 2 Windows 2003 R2 servers configured as terminal servers (I can install 2008 R2 Std also). I also have a DC. I use the 2X load balancer, so users are divided between both servers depending on the available resources. I use 2X application server to publish applications. My main problem is with MS Office. In the case of standard applications, you just have to load the application and provide the data path. It does not modify the user’s profile. In the case of MS Office it is different. MS Office is installed on each terminal server. When a user logs on to a terminal server and starts any Office application for the first time, it asks you a few questions like name, and settings are stored in the profile. Settings like document path, auto recovery etc. In the case of Outlook, the PST path. By default all the paths point to the local C drive. But in my scenario data is stored on a different server. Hence I change all the paths to point to that server for each user. This is done on one server. Since I have 2 servers and a load balancer, the same user can log on from the 2nd server, and when he does and starts any MS Office application, the paths will be local since the profile is local and the path settings for the same user have not been done on the 2nd server. To avoid all this confusion, a roaming profile is the answer. I created a shared folder on a different server (not a terminal server) and all users’ roaming profiles are stored in that folder. Now whenever a user logs on and starts an MS Office application, he gets the same profile and hence the same path settings. In this situation, the roaming profile is copied every time from a server to the terminal server. It takes time and slows my login. To avoid this I must have folder redirection also. I am confused here. The confusion is which folders I should redirect. As I have understood, redirected folders are not copied while the profile is loaded. That means I should not redirect the app data folder as it contains information about paths. I should redirect my documents, video etc. Please tell me which other folders I should not redirect and whether what I have understood is correct. My goal is to have a common data path irrespective of which terminal server the user logs on from.
    gds,
    Sanjay

    1. If you implement folder redirection and a roaming profile most of the performance issues should be mitigated. I am assuming you are using Windows Server 2008/R2… Folder redirection will give you the common data paths… If you do use this option then also look at the clean up roaming profile after X days setting.

  8. Quote – Amazingly I am not going to recommend the per computer Group Policy method as there is no way you can get around not having a roaming profile if you logon as an administrator

    Actually it’s best practice to edit the security of the GPO itself and deny the domain admins (or whatever relevant security group) from applying GPOs when logging into the servers. Open the GPO, right click and select properties and edit the security from there.

    Then you can use computer policies without worrying about admin accounts.

    1. AH… yes… if this was a USER policy I would totally agree, OR if this was a user setting applied via Loopback to the computer object… BUT!!!

      As I said, “per computer Group Policy” method. This means that the policy is being applied no matter who logs onto the computer, and if you configured a “Deny” “Apply Group Policy” setting for the Domain Admins group then this will have no effect as it is NOT a user setting. I originally thought the same but when I went to test it I had a… “*FACEPALM* Of Course Moment”…

      But yes… Generally I do agree that it is Good Practice to exclude the Domain Admins from the policy…

  9. “*FACEPALM* Of Course Moment” – you are right…I had a not enough diet coke in my system before posting moment I see

  10. Alan, this is great, very comprehensive, and even for those that have been dealing with roaming profiles, folder redirection since w2k, there’s much added value in this article.
    Thanks !

  11. Thanks!
    It’s a very very helpful article.

    Minor fix:
    “Users Configuration > Policies > Administrative Templates > Systems > User Profiles
    •Do not check for users ownership of Roaming Profile Folders”
    That option is in Computer Configuration.

    I was searching for this guide for several hours, because once I accidentally came upon this article and I knew it was somewhere on the Internet.
    Again thanks.

  12. Problem with AppData when running a Session Host server farm though: if you are caching Exchange profiles, the .ost stays on one of the initial session hosts when you log in. When you log off and/or you are redirected to another session host in the server farm because of load balancing, or the session host you were on previously is downed, the .ost is missing and Outlook loses all of its profile information and the user is left without Outlook/Exchange. Ideas?

  13. I loved the article; however, when I tried to redirect the profile folders I could not find the User Configuration > Windows Settings > Folder Redirection node. I am using Windows Server 2008 R2. What am I missing?

  14. Thanks for this excellent article Alan! Keep up the good work for the community, we really appreciate it!

  15. Hi Alan,
    Thanks for all this information.
    I’ve implemented (Test W7/W2008R2 Environment) Roaming Profile and Folder Redirection within one GPO and the Roaming Profile is Computer based.
    Is there really no way to “exclude” users from this GPO..? I’ve tried to set a deny.. but those users have still some RoamingProfile or FolderRedirection settings applied.
    Also I’ve tried with a filter (Group with user accounts)…. no success…?

    Thanks in advance

  16. Roaming Profile cannot be excluded for users as it is a Computer Based policy…

    See “Warning: The biggest problem with the Per Computer roaming profile configuration is that there is no way to exclude your administrator accounts from also getting this policy as it is a per computer policy.” under the “Per Computer Roaming Profile” section…

    Put simply you need to enable roaming profiles on each user account… But this can be done en masse, see the “Per User Roaming Profile” section.

  17. Hello, this post answered a bunch of question except for one I’m aware of.
    consider the following scenario, my scenario
    1 – existing vista users with tons of icons and documents on their desktops
    2 – each user has their own desktop/physical perhaps moving to VDI soon
    3 – created a roaming profile and redirected folders (different folders on share)
    4 – users who log in now get a brand new profile i.e. profile data is not copied/preserved

    question is how do i get the existing profile info i.e. desktop, icons etc to be moved from the physical desktop to the roaming profile data.
    thanks

  18. @Mark. I would implement folder redirection for the desktop so the users’ shortcuts will follow them even if they do not have roaming profiles enabled.

  19. This article solved a lot of problems for me and my company.

    Now these new strategies are more and more understandable. I had used folder redirection and roaming in Windows XP with great success. But I faced troubles in Win 7. I think I understand now why and I’m looking forward in a good mood now.

    Thanks a lot

  20. Hi Alan,

    Really enjoyed your article – thanks!

    So, if I can put it into really simplistic terms, the best way to configure USV is:

    – Configure Roaming Profiles for the AppData only (exclude all profile based directories except AppData)
    This would allow the users registry and AppData\Roaming to be redirected and the users settings will roam.
    – Configure Folder Redirection for all folders except AppData(Roaming)
    This would allow the users files and folder to be stored on a central server.

    Would this be the most sensible way to configure RUP and FR assuming there is reliable network & users roaming online/offline?

    Thanks again.

    Matt.

    1. Close…. If you redirect all the folders (except AppData) there would not be a need to exclude any folders for your roaming profiles as they would all be redirected to the network.

      Put simply… enable RUP and FR except for the AppData folder….

  21. OK, I have been doing folder redirection for over a year now on my company workstations/users and we all have roaming profiles (Windows 7 everywhere). One of our recurring issues is that the sync center complains that it can’t synchronize the sercurity.config.cch.###### files due to “Access Denied” in the path appdata\Microsoft\CLR Security Config\v2\… etc. I see this mentioned online in other locations but I don’t see a solution. What advice can you give me or what other information do you need?

    Thanks,

    Mark Ringo

  22. This is by far the best article on how to create a structure for Home directories for users. However, I ran into problems at one customer (Win 2008 R2 server, Win 7 clients) where the Offline Files didn’t work properly. It simply didn’t sync the data and Offline Files got stuck at “Waiting for synchronization”! Can’t remember exactly what it was but I think I had to add the NETWORK user to give FULL CONTROL. I think it had something to do with UAC. Any comments?

  23. Reviewing this article, I’ve found a lot of good information. However, we are running a Windows 2003 network, with sadly no budget to upgrade the servers to ones that will handle Windows 2008, and are working on upgrading our workstations to Windows 7 (from Windows XP). One of our biggest problems is not knowing how much data each current workstation contains which is critical to the company. When we tried to use roaming profiles under the XP environment, we purchased 2 NAS units to hold their profile information and set a couple of people up to use roaming profiles, where I was included in this group. Everything seemed to work great until I logged into a new machine. This brought the entire network down to a crawl for almost 6 hours as the new machine I logged into tried to cache the 64 GB of data in my profile down to the workstation. Though I do have a lot of information within my profile, there are a few others that contain even more. This caused the project to be put on hold. Later I found a “Hack” which would allow the XP machines to see the network share for the user profiles to be the same location for the local cache, thus keeping the machine from downloading all the user’s data to the machine. During this time, a secondary server burned out and the NAS units were reallocated for the storage space for this server. The “Hack” did seem to work, when it was later tested, but now we had to wait until the NAS units could be freed up again, which they are now. Our plan is to use roaming profiles to store the user’s information on a NAS unit. As we upgrade selected machines to Windows 7, the user’s information from their XP workstation will be moved into the profile data on the NAS unit. I’ve tried to replicate the Windows XP “Hack” on the Windows 7 machine, but it does not appear to be working correctly. The system creates the profile on the NAS, but then the workstation reports “The User Profile Service service failed the logon. User profile cannot be loaded.”

    Bottom line, is there any way to set-up a Windows 2003 server/Windows 7 workstation environment to have all user information to be stored on a network share without having to have the local workstation cache the data?

    Thanks for any comments.

  24. this is a great article ! thanks for posting it.

    My folder redirection, redirects into the Home folder for the users.

    so i would have a HOMES drive on the server and all the redirected stuff goes there.

    The question i have is the instruction you give for locking down the permissions does the same instruction still apply if my redirection goes into the home folder ??

  25. Which do I recommend?
    Amazingly I am not going to recommend the per computer Group Policy method as there is no way you can get around not having a roaming profile if you logon as an administrator. This is a real show stopper as I think it is really bad for administrator accounts should not be encumbered with “crud” in their profile when logging onto a computer.

    –> You’re wrong. Afterwards, you can change the type of profile to local, e.g. for the administrator account, in the ‘computer properties’ window on the computer/server that receives the policy. This takes precedence over the policy.

  26. This is really BS.. Amazingly, like Klaas said, this is a show stopper. I have a few hosted Citrix environments and for the life of me, I have not been able to get around this limitation. The per Computer GPO will apply to EVERYONE including the administrator. I have groups of admins and this GPO MUST not apply, however there is nothing anyone can do. We opened up a case with Microsoft, talked to 3 different techs and no goal. Finally, once we got a 4th tech, who I believe was straight from Redmond, he told us that this is “by design”…. this is what I call BS… F…K this.

    How can you NOT get around that?

    Building the GPOs to get roaming profiles working is an ordeal on its own, but once you get it working, those GPOs work… BUT again those GPOs apply to everyone because they are per computer and NOT per user… so even if you deny the administrator that will not do anything….

    We are tried tracerat, ressoftware, citrix profile manager and few other tools and NONE of them do this. They are actually so complex that we continue to throw them out of the window. There is another one, called AppSense, which based on some reviews, we’ve heard that it may do that trick however we haven’t tested it yet.

    But for the life of me, we have been researching for a third party tool that can concentrate ONLY on roaming profiles… this tool is to GRAB the users logging in to the terminal server servers (citrix boxes) and capture them during login and automatically redirect their profile to a central location we choose….. NO single software does this… they all focus on user settings, registry settings and bunch of other things but NONE… NO ONE, can focus on only grabbing the user profiles and make them roaming profiles… we want a tool like this so we can easily say “dont apply it to the admin groups…. or to any other group we do not want the tool to apply to”….. we basically want to do roaming profiles so all our user’s profiles are kept at a centralized location….. we want to make this easy as doing this way, we can easily centralize all user settings since there is obviously more than one server that they connect to…. so keeping their settings at one single location makes a lot more sense.. .obviously….

    if anyone has gotten around this HUGGEEEE obstacle… please I beg you to help us.

    HZ

  27. Thanks for all the posts, i have one issue??
    I have implemented the folder redirection to a network share and enabled the “Delete cached copies of roaming profiles” option.
    Now when the user is logging in, every time the profile loading is taking around 4-5 minutes, and the profile size is about 5GB and all the data from the network share is copied to the newly loaded profile for that user.
    This is happening wherever he logs in. Can I get a solution so that when the user logs in he gets the default profile and there is no data copied to this local profile; instead he should have links to his data on the network share.

    1. @Bhargava are you using Windows 7 or Windows XP? And have you implemented folder redirection? If your users have roaming profile sizes of 5GB then you are doing something wrong and you need to either exclude the folder that is causing the issues or make sure it is being redirected to the server.

  28. Hi Author,

    very good and informative article , i have setup a similar environment in my office but i wanted to know how do i exclude music,pictures and videos from getting saved on the server. i know that file screening can be used but it can only block new files being stored in my documents , my worry is about user whom i will be migrating to the folder redirection share and who already have these file types. what will happen if i implement this policy with file screening will folder redirection happen successfully on the client or not.

    regards
    abubakar

  29. Hi,
    It works well as per your instruction. Now i want to create redundancy so server which is storing the profiles & redirected folder is down, users should be able to use profiles & redirected folders stored at different location. In short how do i make copy of profiles & redirected folders. I also have DFS configured & we use windows 2008r2.

  30. Now I have Windows Server 2008 R2 and I have clients using Windows 7 and Ubuntu 10.4. Will the folder redirection policy work as well for a Linux environment to a Windows environment?

    1. @Richard No. Group Policy is a Windows-only configuration tool. There are some third-party tools for non-Windows platforms but I have no idea what they are.

  31. The only problem i have now is when the user clicks their name there is nothing there, but when you go to my computer can clive home drive it is all there.

  32. Hi Alan. Great post. I am looking to start implementing some of these measures in our domain as our roaming profiles are getting out of hand. I am a bit confused about the optional profiles$ share for Windows XP. Is this instead of the Users$ share or in addition? If it is in addition would I set the profile path to Profiles$ but redirect the folders to Users$?

    Thanks for any help

  33. As others have said, great article and I have referenced this many times in my planning of Folder Redirection and Roaming Profiles, which I am in the final stages of.

    One piece that I think was missed is the fact that while enabling Folder Redirection for all the “Shell” folders lightens up the Roaming Profile considerably, there are still some applications that write to the root of a user’s profile, i.e. C:\Users\%username%. Users are also allowed to create files and folders here as well. These new files and folders then become part of one’s Roaming Profile, which only syncs at log on/log off.

    The implementation of the Background Sync helps a lot, however the lack of a periodic synchronization method for this data is the one gaping hole I still see.

    Does anyone have any suggestions on mitigating Users creating large amounts of data here which would inevitably slow down their log off process until all the new data is sync’d?

  34. Hi, thank you for the nice tutorials.. but I’m having this weird error.. i follow all the steps and its working fine but only this weird stuff like each the second user i create i wont be able to get in into their folder… only the second one.. like if create 5 users then i will be able to get in into the 1 3 and 5.

  35. Hi Alan Burchill, its really a nice and complete walkthrough for Folder Redirection GPO.
    But I have some difficulties in deploying the Folder Redirection.
    I already set the share folder and the security sharing policy and set the GPO for the folder Redirection.
    But my computer still can’t sync the folder redirection.

    When I check my EventViewer, I get

    Failed to apply policy and redirect folder “Documents” to “\\Sphere01\Foresight$\dony\Documents”.
    Redirection options=0x1001.
    The following error occurred: “Failed to redirect because the destination directory “\\SPHERE01\Docs\dony” is offline”.
    Error details: “The network path was not found.
    “.

    I already checked the settings for the GPO and there is no mistake.
    The folder redirection is \\Sphere01\Foresight$
    I’m really confused by this error 🙁

    Hope this problem can be solved

  36. Hello,

    Isn’t it better to separate the Profile and the Folders (Folder redirection)?
    I thought to place the profile on the DC in a fileshare and the folders on a fileserver would be the best…

    robert

    1. @Robert

      The decision to put the roaming profile and redirected folders together can be a tricky one… The share requirements are different in a Windows XP environment but if you are exclusively a Windows 7 environment having them together is much more practical.

      I would say NEVER put your roaming profiles or folders on a Domain Controller… The server is a DC… NOT a file server…. This would just be BAD BAD BAD…

      Alan Burchill

  37. I love the work you did. I cannot find the links to part 1, 2 and 3 of the videos.
    Can you send me the links. I think they are missing from the article.

  38. I have desktop and folder redirection enabled and working. My issue, is that when I try to download and install software it is trying to run it c:\users\mark\documents the thing is that doesn’t exist because my documents is actually located on the server. How do I fix this?

  39. Hello

    May I ask a question ?

    If we configure roaming profile/folder redirection on a win 2008R2 by GPO, do we need
    to specify the profile path in the user properties, Profile tab (active directory users
    and computers) ?
    And this for each and every user ?

    Best regards

  40. Great tutorial.

    I do have a question though.

    Redirection and Roaming profiles are working great. I am redirecting all folders except for downloads, for we do not have much space on our file server. It is easier to just keep items in the downloads folder on the machine itself.

    The problem is that the downloads folder seems to be “roaming.” It shows up on every machine in our domain. Its path is local (C:/Users/user/Downloads) and the Downloads are not appearing in the users’ profiles on our file server.

    How do I prevent the Downloads on one user’s account from migrating from one machine to another?

  41. Best tutorial yet! Many thanks.

    I’m still slightly confused, i’m in a pure 2008r2/Win7 environment and it seems that putting profiles and redirected folder in the same location is good. However I thought you had to remove offlining on the profiles folder share? Does this not conflict with the advice to make the RoamingFolders share offlinable?

    Please someone help, this is the last piece in the puzzle and I can get this done.

    Thanks.

  42. Thanks for writing this excellent tutorial it’s been really useful.

    Got a query that I’d like to ask though.

    Been looking at setting Quotas as we don’t have a ton of money to keep on upping users’ storage.
    When a user is on the network file screening and quotas work a treat, but if they are working from home say and not connected to the network they have free rein to save whatever they like, when they then connect to the network we get a ton of exceeded quota warnings etc. but at that point it’s really too late as there is now a difference between the data that has been synced on the server and that which is on the laptop.
    Is there any way to get the quotas and maybe even the file screening to apply when they are not connected to the network?!

    Thanks

    David

  43. I have a business app that installs itself to a user’s redirected appdata folder. In our case that’s \\server\redirects\%username%\appdata\roaming\blahappname. The RDP box itself is Windows Server 2008 R2. This needless to say causes issues with the app’s DLLs. We have to manually install them locally into the windows\assembly folder. Is it really good practice to install apps at that location?

    — Paul

    1. For clarification: Installing an app and using DLLs over a network path is no longer possible in Windows Server 2008 (for security purposes)…thus given the app’s installation is on the redirected, network-based appdata path, it makes it a pain to manage the app, as we then have to manually copy all the DLLs to the local C: drive to get it to work properly.

  44. I’ve found in a RDS environment that if you don’t use Roaming profile that some application specific files won’t get copied over to the users home drive even though you’ve enabled file redirection for ‘APPDATA’. This was particularly true with Outlook 2010 and Wordperfect. I couldn’t get the data to save to a remote home drive without using “roaming profiles”, upon logout.

  45. Hello,
    I have a question:
    I want to know what is the difference between profile.v2 and profile without extension v2?
    Best regards

  46. I’d never set “Full Control” (step 13) for share permissions on any group other than an administrator’s group… I would use “Change” permission for the everyone group. Just a good practice to only use “Change” for both file/folder permissions as well as share permissions. I don’t want my users editing permissions which “Full Control” could allow.
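
The check suggested in the comment above, as an added example that is not part of the original post or the article: a PowerShell audit that reports broad groups holding Full Control at the share level and, with `-Fix`, replaces that entry with Change. It assumes the SmbShare module (Windows Server 2012 / Windows 8 or later, so not the 2008 R2 servers discussed elsewhere on this page); the share name `Users$` and the list of broad principals are assumptions.

```powershell
# Added example: audit share-level permissions on a folder redirection share.
# Assumptions: SmbShare module is available; 'Users$' is the share name;
# the principals below are the ones treated as "broad".
param(
    [string]$ShareName = 'Users$',
    [string[]]$BroadPrincipals = @('Everyone',
                                   'NT AUTHORITY\Authenticated Users',
                                   'BUILTIN\Users'),
    [switch]$Fix   # without -Fix the script only reports
)

# Collect Allow entries that give Full Control to a broad principal.
$findings = Get-SmbShareAccess -Name $ShareName -ErrorAction Stop |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full' -and
        $BroadPrincipals -contains $_.AccountName
    }

if (-not $findings) {
    Write-Output "No broad principal holds Full Control on share '$ShareName'."
    return
}

foreach ($ace in $findings) {
    Write-Warning "'$($ace.AccountName)' has Full Control on share '$ShareName'."
    if ($Fix) {
        # Swap the Full Control entry for Change; NTFS ACLs are not touched.
        Revoke-SmbShareAccess -Name $ShareName -AccountName $ace.AccountName -Force | Out-Null
        Grant-SmbShareAccess -Name $ShareName -AccountName $ace.AccountName `
            -AccessRight Change -Force | Out-Null
        Write-Output "Downgraded '$($ace.AccountName)' to Change."
    }
}

# Show the share ACL as it stands after the run.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

Run it first without `-Fix` on the file server to see the findings, and confirm that an administrators group still has Full Control on the share before applying the change.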

  47. Should this:

    Users Configuration > Policies > Administrative Templates > Systems > User Profiles
    •Do not check for users ownership of Roaming Profile Folders

    Not be changed to:

    Computer Configuration > Policies > Administrative Templates > Systems > User Profiles
    •Do not check for users ownership of Roaming Profile Folders

    Excellent article, thank you.

  48. Thanks very much for writing such a useful document. It has given me a lot of the answers I need regarding setting up offline/ redirection and roaming profiles for Vista clients to a NetApp NAS.

    There is one area I need more help. We have an issue whereby the synchronisation of the cache areas at Vista client user login time is causing a very high anti-virus scan load on the NetApp servers, the implication being that the enumeration done by the Windows client is somehow triggering a read open of every file that is in the offline cache area, whereas I would expect this enumeration just to access file metadata such as last modified date, and only open files for reading if the metadata shows the cache is out of date. The system has file redirection, offline cache and roaming setup for each user.

    This appears to happen not just the first time a user logs in when redirection has been applied, but every time they login.

    Is there a detailed definition of the synchronisation process when a user logs in that would explain what happens under different conditions i.e. when is file metadata accessed, when are files read from the server, when are they read from the client.

  49. Awesome compendium of critical info to better comprehend how this thing works.
    I have a little question if you can. I have a scenario on where I don’t have access to AD user, and there are some with TS Profile Home Folder set. For those having that, log on time increases. I have tested the same on my lab and it behaves exactly the same. If I disable TS Profile on the user account, log on time improves.
    Thank you!

  50. Why, when AppData(Roaming) is redirected to a network location, is there still a local Roaming folder in the AppData folder in Windows 7?

  51. Hi Alan, thanks for the great article.
    I have one query can you please advise or point me in proper direction.
    I have an existing XP environment with folder redirection and the offline share permissions are set to no offline caching. Now I am configuring folder redirection for Windows 7 to same share with offline caching enabled. What will be the implications on XP users if I do it.

  52. Good article. May I ask a question please? I am coming up to speed on WIN Server 2012 R2 out of an NT background. I am building a pure WIN 8.1 network. I got some advice to use folder redirection over roaming profiles, and up to now I have been pleased with that choice up until the first time I logged on as an existing user (with redirected folders) on a new computer. When the user first logs in they pull down a copy of the local default profile. Their folders get redirected back to the existing locations on the server, but naturally some settings are overwritten by the default profile.

    Yours is the first article I’ve come across that combines redirection with roaming. I was hoping that Windows would detect that the user profile already existed, but, no (I am re-directing all folders listed in GP). Do I need to enable roaming as well in order to address my issue? I don’t want to, but I will if that is the only/best way to allow the user to “roam”.

    thanx
    Dana

  53. Allen,
    When doing this I’m noticing that when a user goes from one computer to another computer everything carries with them except for their Outlook Profile and Archives. Do you have any ideas to get this to work?

  54. We ran into a couple issues that we finally were able to resolve.
    1. To resolve the issue with Trusted Sites NOT being grayed out but also not allowing any added sites to stick, we had to change everything under User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page to Disabled. This allows the user to add their own sites. To add specific sites, we did that under Registry. Mostly following this post http://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

    2. To resolve the issue with IE printing blank pages due to missing Local folders, we used a logon script with the following:
    Mkdir %TEMP%\Low
    Icacls %TEMP%\Low /setintegritylevel Low

  55. Hmm is anyone else having problems with the pictures on this blog loading?
    I’m trying to determine if it’s a problem on my end or if
    it’s the blog. Any feedback would be greatly appreciated.

  57. Nice article. However, there are some issues not mentioned here in my opinion.
    First, when you redirect the start menu to a network share, the “Search Program/Files” in the start menu won’t work (at least not in my case – I suppose because my dfs is not indexed). Second, the redirected folder can’t be added to the library anymore, again due to missing indexing. The only option would probably be to make the network share available offline but I don’t want to do this for my whole dfs share.

    1. A small addition to my previous post – DFS can’t be indexed

      http://technet.microsoft.com/en-us/libr … 32275.aspx
      Quote:
      Redirecting to a DFS location
      When choosing a network location, some of the folders like music, video, pictures need to be indexed on the server share unless you enable offline storage on the client machine. DFS share is not indexed since it can’t be associated to a machine, therefore you cannot select a DFS location as a folder redirection unless offline storage is enabled on the client.

  58. I was glad to find your well written article and followed it to a “T”. I have a server 2008 R2/Windows7 environment. After setting things up and logging in the users to one computer, logging them off and then into another computer I then look at the path for the redirected folder on the server (logged in as administrator). I am able to view the Users$ folder, each user and each of the users sub folders. For each user I can view the redirected folders (which worked exactly as expected) and see a listing for the users profile.v2. However when I click on the profile.v2 folder I get a popup that says that “you currently do not have permission to view this folder. Click continue to permanently access this folder.” When I click continue I then get a box with “You have been denied access to this folder. To gain access you need to use the security tab.” I set up two test users and changed the permissions for one of them. I can now see the subfolders and files under the joe.v2 folder. There is an ntuser.dat file. However the profile settings do not follow the user to the second computer. The redirected folders do but not the roaming profile. Is this due to permissions and if so what should I change them to? If not then what should I check or change to make this work?
    Thank you for your efforts on the excellent article and for your reply to this inquiry.

  59. This is an excellent article. I had an issue with the Home folders. I was receiving permission error when trying to launch Document folder as an administrator inside the user’s home folder in the file server. I was playing around with the security permissions i.e. changing the owner to administrators on the documents folder itself but I was receiving the same error. To solve this problem I had to launch GPO Documents folder redirection and in the setting tab, I had to uncheck “Grant users exclusive rights to the documents”. After running gpupdate /force on the server, I was able to browse the Documents folder.

    Thank you for posting this excellent guide.

  60. Please comment
    ” You should disable Offline Files”
    with
    Slow performance when using the creating, “saving as” with MS Office Word docs and the Desktop or the My Documents folder redirected to a network location

  61. Your article is amazing. I like how you explained the difference between local, locallow and roaming app data, which I thought was brilliant. I really like storing profile on the server because you can back up the entire profile easily and manage each profile centrally.

  62. “Note: You will see on the Pictures, Music or Video options you will have the option to select the “Follow the Documents folder” option. However I have found that selecting this option can cause the Video and Music libraries in Windows 7 to disappear so i recommend that you do n so that they will automatically inherit the Documents settings.”

    Think this missed the proofreading a bit, I can’t decipher this. If I read it as written, I basically get “this option may break stuff so I recommend doing it”

    Alan, can you fix that up and clarify?
