Using Roaming User Profiles

You configure roaming user profiles on the server, so the user must be a member of and log on to the domain to use a roaming user profile. Both Microsoft Windows NT Server 4.0 and Microsoft Windows 2000 Server support roaming user profiles, as does Microsoft Windows .NET Server. The following instructions show you how to configure roaming user profiles in Active Directory on Windows 2000 Server:

1. Create a folder on the server where you want to store user profiles. This is the top-level folder that will contain individual user profile folders.

2. Share the folder, giving all users full control. (I sometimes reduce users' permissions to read and execute in this folder, and then give them full control of their individual profile folders.

3. In Active Directory Users and Computer, double-click the account that you want to configure to use a roaming user profile.

4. On the Profile tab of the Name Properties dialog box, shown in Figure 10-4, type the path where you want to store the user's profile in the Profile Path box. The path is \\ Server \ Share \ Username, where Server is the name of the server, Share is the share you created in step 1, and Username is the name of the account. Optionally, use %USERNAME% for Username, and Active Directory substitutes the current account's name for it.

   
   Figure 10-4: Typing a path in the Profile Path box is all it takes to enable roaming user profiles.

If you want to configure a lot of accounts to use roaming user profiles, doing the job by hand is a monumental task. Instead, use a third-party tool or write an Active Directory Scripting Interface (ADSI) script to do the job. You access ADSI through Windows Script Host using VBScript or JScript. This subject is beyond the scope of this book, but you can find more information about it on Microsoft's Web site: http://www.microsoft.com.

Folder Redirection is a great complement to user profiles, particularly the roaming variety. It enables an IT professional to redirect the location of some profile folders to the network. There's nothing magical about Folder Redirection. Group Policy simply changes the folder's location in the User Shell Folders key so that applications automatically look for the folder on the network. From users' perspectives, redirected folders are similar to roaming user profiles because their documents follow them from computer to computer. Unlike roaming user profiles, however, redirected folders always remain in the same place. You can use redirected folders with or without roaming user profiles. If you use them with roaming user profiles, you can reduce the amount of data that Windows XP transfers when users log on to and off of the operating system. Furthermore, redirected folders are often useful even when you don't intend to use roaming user profiles; you can allow users' documents to follow them without the complexity and sometimes difficulty of using roaming user profiles. You learn about roaming user profiles in the earlier section "Getting User Profiles."

The following are best practices for roaming user profiles:

• Redirect the My Documents folder outside of roaming user profiles. Doing so decreases logon time. Folder Redirection is the best way to do this, but you can redirect the My Documents folder manually, as Chapter 15, "Working Around IT Problems," describes.

• Don't use Encrypted File System (EFS) on files in a roaming user profile. EFS is not compatible with roaming user profiles. Encrypting a roaming user profile prevents the user profile from roaming.

• Don't make disk quotas for roaming user profiles too restrictive. If they're too low, roaming user profile synchronization might fail. The server debits the user's quota for temporary files that Windows XP creates during the synchronization process, so ensure that enough disk space is available on the server. Also, make sure enough disk space is available on the workstation to create temporary duplicate copies of the profile.

• Don't make folders in roaming user profiles available offline. If you use Offline Folders with roaming user profile folders, synchronization problems occur because both Offline Folders and roaming user profiles try to synchronize at the same time. However, you can use Offline Folders with folders you redirect, such as My Documents.

• Use Group Policy loopback policy processing in moderation if you're also using roaming user profiles. Loopback processing enables you to apply different per-user Group Policy settings to users based on the computer they're using.

• When redirecting the My Documents folder outside of a roaming user profile, set the home folder to the redirected My Documents folder for compatibility with applications that aren't compatible with folder redirection.

• Disable fast network logon using Group Policy if you're using roaming user profiles. This prevents conflicts that occur when user profiles change from local to roaming. For more information, see "Understanding Fast Network Logon," later in this chapter.

Managing Roaming User Profiles

Group Policy provides a number of policies that you can use to manage how Windows XP handles user profiles. You can configure these policies in a local Group Policy Object (GPO) or in a network GPO. Chapter 6, "Using Registry-Based Policy," gives more information. For now, here's a description of policies for user profiles:

• Connect home directory to root of the share. This policy restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those used in Windows NT 4.0 and earlier.

• Limit profile size. This policy sets the maximum size of each roaming user profile and determines the system's response when a roaming user profile reaches the maximum size. If user profiles become excessively large, consider redirecting the My Documents folder to a location outside of the profile.

• Exclude directories in a roaming profile. This policy enables you to add to the list of folders excluded from the user's roaming profile.

• Delete cached copies of roaming profiles. This policy determines whether the system saves a copy of a user's roaming profile on the local computer's hard disk when the user logs off.

• Do not detect slow network connections. This policy disables the slow link detection feature.

• Slow network connection timeout for user profiles. This policy defines a slow connection for roaming user profiles.

• Wait for remote user profile. This policy directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow. Also, the system waits for the remote copy when the user is notified about a slow connection but does not respond in the time allowed.

• Prompt user when slow link is detected. This policy notifies users when their roaming profile is slow to load. Users can then decide whether to use a local copy or to wait for the roaming user profile.

• Timeout for dialog boxes. This policy determines how long the system waits for a user response before it uses a default value.

• Log users off when roaming profile fails. This policy logs a user off automatically when the system cannot load the user's roaming user profile.

• Maximum retries to unload and update user profile. This policy determines how many times the system will try to unload and update the profile hive. When the number of trials specified by this setting is exhausted, the system stops trying. As a result, the user profile might not be current, and local and roaming user profiles might not match.

• Add the Administrators security group to roaming user profiles. This policy adds the Administrator security group to the roaming user profile share. The default behavior prevents administrators from managing individual profile folders without taking ownership of them.

• Prevent Roaming Profile changes from propagating to the server. This policy determines if the changes a user makes to his or her roaming profile are merged with the server copy of their profile. This is a policy-based method for implementing mandatory user profiles.

• Only allow local user profiles. This policy determines if roaming user profiles are available on a particular computer. By default, when roaming-profile users log on to a computer, their roaming profile is copied to the local computer. If they have already logged on to this computer in the past, the roaming profile is merged with the local profile. Similarly, when the users logs off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile.

The first three policies in this list are per-user and the remaining are per-computer policies; Figure 10-5 shows them in Group Policy editor. All of them are administrative policies in System\User Profiles under User Configuration and Computer Configuration.

Figure 10-5: These policies give you management control of how Windows XP uses profiles.

Understanding Fast Network Logon

Windows XP doesn't wait for the network to start before displaying the Logon To Windows dialog box. This substantially improves start time over Windows 2000. Users who've previously logged on to the computer get to their desktops faster because the operating system uses cached credentials and loads Group Policy in the background after the network becomes available. Although fast network logon improves perceived performance, it has effects you should understand. The most important thing to take away from this section is that Windows XP doesn't use fast network logon if you use roaming user profiles.

Because background refresh is the default behavior, users might have to log on to Windows XP up to three times for Group Policy extensions like Software Installation and Folder Redirection to take effect. Windows XP must process these types of extensions in the background without any users logged on to it. Also, because advanced Folder Redirection is based on group membership, users must log on to Windows XP three times: once to update the cached user object and group membership, a second time to detect the change in group membership and require a foreground policy application, and a third time to apply folder redirection policy in the foreground. The operating system might require users to log on two times to update the properties of other Group Policy objects.

Another thing to keep in mind is the effect that fast network logon has on Windows XP when users' profiles change from local to roaming. When the operating system uses fast network logon, it always uses the locally cached copy of the profile. By the time the operating system detects that the user has a roaming user profile, it's already loaded the local profile hive and changed its timestamp. The result is that if users log on to multiple computers, the operating system can replace newer profile hives with older ones. To handle this scenario, Windows XP treats the change from local to roaming as a special case. First the operating system checks the following conditions:

• Is the user changing from a local to a roaming profile?

• Is a copy of the user profile on the server?

If both these conditions are true, Windows XP merges the contents of the local user profile with the server copy, without the profile hive Ntuser.dat. Then the operating system copies the server copy of the profile to the local copy, regardless of the profile hives' timestamps. After the user's profile becomes a roaming profile, Windows XP always waits for the network so it can download the user profile. In other words, fast network logon and roaming user profiles don't work together.

Understanding the New Merge

Many IT professionals are shy about using roaming user profiles because they have experience with the merge algorithm that Windows NT 4.0 uses. That algorithm assumes that there is a single, master copy of the user profile. When the user logs on to the computer, the operating system assumes that the master profile is on the local computer, and when the user logs off of the computer, it assumes that the master profile is on the server. It mirrors the entire profile from the local computer to the server and visa versa, completely replacing the profile at the target location. This works perfectly well when people use a single computer, but it creates havoc when they use multiple computers.

The merge algorithm in Windows XP is more advanced; it merges user profiles at the file level. In other words, it's a real merge, not a wipe-and-load. The merged profile then becomes a superset of the files in the local and server copies of the user profile, and when a file exists in both copies, the operating system uses the most recent version of the file. New files don't turn up missing, and updated files are not replaced—both of which are symptoms that occur with the merge algorithm in Windows NT 4.0. In the case of the Windows NT 4.0 merge, if a profile changes on two computers, only the last one copied to the network persists.

Behind the new and improved merge algorithm is the timestamp that Windows XP saves in the ProfileList key. When a user logs on to the computer, the operating system saves the current time in ProfileList. When the user logs off of the computer, the operating system uses the timestamp to determine which files have been added or removed from the server's copy of the user profile. For example, if a file called Example.doc is in the server copy of the user profile but not in the local copy, the timestamp helps Windows XP determine whether the file was added to the server copy or removed from the local copy. If the timestamp of the file is later than the timestamp of the local user profile, the file was added to the server copy. The result is that Windows XP doesn't touch the file when it merges the local profile into the server copy. If the timestamp of the file is earlier than the timestamp of the local user profile, the file was removed from the local user profile. The result is that Windows XP removes the file from the server copy of the profile when the operating system merges the local copy into it. With Windows XP, if a profile changes on two computers, both of them are merged file by file into the server copy.