Friday, September 6, 2013

How to configure Roaming Profiles and Folder Redirection

Read Me First: If you are using Folder Redirection with Windows 7 in your organisation then I would definitely recommend that you check my other blog post about a pretty nasty Folder Redirection bug and how to fix it at Disappearing Folder Redirection Issues with Windows 7

Update: I have a new blog post that describes the new “Primary Computer” feature in Windows 8 for folder redirection at How to configure a “Primary Computer” (a.k.a. msDS-PrimaryComputer property) in Windows 8. I also talk about this feature in a TechNet Edge video at EdgeShow 55
Roaming Profiles and Folder Redirection are what allow a user to log on to any computer in an organisation and have all their personal files and settings applied to that computer just as they were the last time they used a computer. This is really a win/win for users and IT Pros: for a user it is a big time saver, as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computer. IT Pros also benefit, because when there is an unexpected failure or loss of a computer they don’t have to go through what could be a lengthy, costly and possibly impossible process of recovering the user’s data.
Now theoretically User State Virtualization can be done entirely with just a Roaming Profile; however this quickly becomes impractical, as users often store a LOT of data, which can make the profile impossibly large. To get around this Microsoft uses Folder Redirection to redirect parts of a user’s profile to a file share on a server, where it is accessed centrally whenever they log on to a computer.
In case you are still wondering what User State Virtualization is, check out the overview video from Microsoft below:

Reference: Managing Roaming User Data Deployment Guide
Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.
By redirecting these folders to a server they are only accessed when needed, so very large files do not slow down the profile update process. The obvious disadvantage is that when a user cannot reach the redirected folders (e.g. disconnected laptop users) they lose access to those files. However this restriction is mitigated by ensuring that the user has a cached copy of the redirected folders (Offline Files).
Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and don’t fall into some of the configuration traps.
Before you begin I would also recommend that you read the following articles from Microsoft about User State Virtualization.

Note: I am going to mainly focus on Windows Vista/7 setups; however most of the settings/principles I mention below still apply to Windows XP.
Update: Here is a really good video from Darren Mar-Elia (Fellow Group Policy MVP) from TechEd North America 2011. This session is entitled Optimizing Group Policy in Virtual Desktop (VDI) Environments however much of it covers User State Virtualization.

Setting up Folder Redirections using Group Policy

Below I will show you how to set up folder redirection for your users’ profiles. It is very important that you realise the impact that redirecting some of these folders can have: if users have many GBs of music or videos on their local computers you could quickly find yourself running out of disk space on the server.
For another good overview of Redirected Folders take a look at the video below:

Setting up file server share for User State Virtualization

When setting up the file server you need to be sure that the permissions on the folder are set up so that a user can create a new folder, but also so that they can only see their own files if they start to snoop about.
Below I will go through the setup of a folder to be used for both folder redirection and the roaming profiles. Combining a user’s redirected folders and roaming profile path in the one spot on the network is far easier to manage, as it consolidates all the user’s information in one location.
Note: This consolidated storage of user information only applies to Windows Vista/7 systems. For Windows XP systems you will need to create a separate share for roaming profiles with offline caching disabled.
Step 1. Create a folder to be used as a root folder for all the users information (e.g. Users)
Step 2. Open the properties of the folder and then go to the Security tab and then click on the Advanced button.
Step 3. Now click on the “Change Permissions” button
Step 4. Untick “Include inheritable permissions from this object’s parent”.
Step 5. Click the “Add” button (this copies the previously inherited permissions onto the folder as explicit entries so they can be edited).
Explanation: We have now set up a folder that inherits no permissions from its parent. We do this so we can restrict the Users permissions to the root folder only in a later step, which removes Read access for Users on everyone’s subfolders and files.
You should now see something like this below.
Step 6. Select the Users “Special” ACL and then click the Edit Button.
Step 7. Change the Apply to: permission to “This folder only” and press “OK”
Step 8. Select the Users “Read & execute” ACL and then click the “Edit” button.
Step 9. Again select the “This folder only” option from the Apply to: section and then press “OK”
Notice how the two “This folder only” permissions for Users have now been combined into one ACE.
Step 10. Then press “OK” and “OK” to get back to the Users Properties screen.
Now we need to share the folder…
Step 11. Click on the “Sharing Tab” on the Users Properties screen and then click on the “Advanced Sharing” button.
Step 12. Tick “Share this folder”, type in a share name ending with a $ (e.g. Users$), then click on the “Permissions” button.
Note: The $ symbol at the end of the share name hides it from users browsing the server, so they cannot casually browse to the folder. This is not a security boundary (anyone who knows the share name can still connect, so the NTFS permissions above are what actually protect the data), but it is good practice to help stop nosey users, and you should always hide the profile share this way.
Step 13. Tick “Allow” for the Full Control permission (Change should then get ticked automatically) and then press OK, OK and Close.

(Optional) Setting up Roaming Profile Folder

If you are still using Windows XP then I recommend configuring the roaming profile folder the same way as the Users folder for the redirected folders, except that you need to disable file caching on the share. Simply repeat the steps above from “Setting up file server share for User State Virtualization”, but use the folder name “Profiles” and a share name of “Profiles$”.
After you configure the share permissions (see step 13 above) also click on the “Caching” button, select the “No files or programs from the shared folder are available offline” option, then press OK, OK and Close.
Offline Files disabled on the Profiles$ share.

Enabling Access Based Enumeration

Now we are going to enable Access Based Enumeration for the Users$ share so that any user who manually goes to \\server04.contoso.local\users$ will only see their own folder. This is optional, as it simply stops your snooping users from seeing who else is in the organisation; it is not a security control on its own, because ABE only hides entries the user has no Read access to, so it relies on the NTFS permissions above being correct.
This last part is for the former Novell admins out there. Yes, you can use Access Based Enumeration (ABE) on these new shares; however if there are going to be a lot of user folders on any one of these shares you could experience a degradation in performance. Enabling ABE on a share does come at a price in performance.
Step 1. Open Server Manager and expand Roles > File Services > Share and Storage Management and then highlight the Users$ share
Step 2. From the menu click on Action and then Properties, and then click the “Advanced” button
Step 3: Tick “Enable access-based enumeration” and then click “OK”
Step 4. Click OK
The folder on your server is now ready for your users’ roaming profiles (Windows Vista/7) and redirected folders.
Tip: You can also enable a File Screen using File Server Resource Manager to prevent your users from saving files with certain extensions (e.g. MP3, AVI or MP4) to their redirected folders. FSRM also lets you apply an Auto Apply Quota to the user folders, so users get a warning email whenever they consume a lot of disk space.
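The share build from steps 1 to 13 above, the optional XP Profiles$ share, the ABE step and the FSRM tip, as an added PowerShell example (this is not code from the original post). It assumes a Windows Server 2012 or later file server, where the SmbShare and FileServerResourceManager modules take the place of the Share and Storage Management console shown above; the drive letters, share names, quota size, file group name and notification settings are placeholders to change for your environment. It uses icacls for the NTFS permissions because its flags map one-to-one onto the steps above, and it grants the share-level Full Control to Authenticated Users rather than the default Everyone group.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Placeholders: $UsersRoot,
# $ProfilesRoot, quota size and mail settings.
Import-Module SmbShare
Import-Module FileServerResourceManager   # the FSRM role service must be installed

$UsersRoot    = 'D:\Users'      # redirected folders + Vista/7 profiles (Users$)
$ProfilesRoot = 'D:\Profiles'   # optional Windows XP roaming profiles (Profiles$)

# Steps 1-10: root folder with inheritance removed. Users can list the root and
# create their own folder ("This folder only"); CREATOR OWNER gets Full Control on
# everything created beneath it, so each user can only read their own tree.
function New-UsvRootFolder {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # /inheritance:r = step 4 (drop inherited ACEs); /grant:r replaces any explicit ACEs.
    # (OI)(CI) = this folder, subfolders and files; (IO) = subfolders and files only;
    # no flags = this folder only. RX = Read & execute, AD = Create folders/append data.
    & icacls $Path /inheritance:r /grant:r `
        'SYSTEM:(OI)(CI)F' `
        'Administrators:(OI)(CI)F' `
        'CREATOR OWNER:(OI)(CI)(IO)F' `
        'Users:(RX,AD)' | Out-Null
}

# Steps 11-13 plus the ABE section: hidden share, Full Control at the share level
# (NTFS does the real work), access-based enumeration on, caching per share.
function New-UsvShare {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Manual', 'None')][string]$CachingMode = 'Manual'
    )
    New-SmbShare -Name $Name -Path $Path -FullAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased -CachingMode $CachingMode | Out-Null
}

# Tip section: block media files and warn users approaching a per-folder quota.
# Email actions need FSRM's SMTP server configured first (Set-FsrmSetting -SmtpServer).
function Set-UsvStorageLimits {
    param(
        [Parameter(Mandatory)][string]$Path,
        [uint64]$QuotaBytes = 5GB,
        [string]$MailTo = '[Source Io Owner Email]'   # FSRM macro: owner of the folder
    )
    $group = 'USV blocked media'
    if (-not (Get-FsrmFileGroup -Name $group -ErrorAction SilentlyContinue)) {
        New-FsrmFileGroup -Name $group -IncludePattern '*.mp3', '*.avi', '*.mp4' | Out-Null
    }
    # A screen on the root applies to every user folder beneath it
    New-FsrmFileScreen -Path $Path -IncludeGroup $group -Active | Out-Null

    $mail = New-FsrmAction -Type Email -MailTo $MailTo `
        -Subject 'Your network folder is nearly full' `
        -Body 'You have used [Quota Used Percent]% of the [Quota Limit MB] MB allowed in [Quota Path].'
    $warn = New-FsrmQuotaThreshold -Percentage 85 -Action $mail
    $tmpl = 'USV user folder'
    if (-not (Get-FsrmQuotaTemplate -Name $tmpl -ErrorAction SilentlyContinue)) {
        New-FsrmQuotaTemplate -Name $tmpl -Size $QuotaBytes -Threshold $warn | Out-Null
    }
    # Auto quota: every existing and future user folder under $Path gets its own quota
    New-FsrmAutoQuota -Path $Path -Template $tmpl | Out-Null
}

New-UsvRootFolder -Path $UsersRoot
New-UsvShare -Name 'Users$' -Path $UsersRoot
Set-UsvStorageLimits -Path $UsersRoot

# Optional Windows XP profile share with Offline Files disabled (Profiles$)
New-UsvRootFolder -Path $ProfilesRoot
New-UsvShare -Name 'Profiles$' -Path $ProfilesRoot -CachingMode None

# Check: Users should appear with (RX,AD) only and no (OI)(CI) flags, and the
# share should report AccessBased enumeration.
& icacls $UsersRoot
Get-SmbShare -Name 'Users$' | Select-Object Name, Path, FolderEnumerationMode, CachingMode
```

The final two commands are the check worth keeping: if a Users ACE still carries (OI)(CI) the inheritance step was skipped and every user can read every other user’s folder, regardless of ABE or the $ on the share name.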

How to configure Roaming Profiles for a user using Group Policy

Before we begin, take the time to watch the part 2 video, which shows an example of how Roaming Profiles can be used to give your users a better experience. This video also demonstrates some of the pitfalls of implementing a roaming profile for a user without Folder Redirection enabled.

Per User Roaming Profile

You have always been able to configure a user’s roaming profile path by setting the Profile Path on the user account (see image below). This method lets you granularly configure each user’s roaming profile path location; however it is a more laborious process to ensure that the paths are consistent with the folder redirection policy that is also applied to the users.
Below is the view of a user’s roaming profile configured to \\server04.contoso.local\users$\%username%\profile . For a Windows XP user this translates to \\server04.contoso.local\users$\sam\profile and for a Windows Vista/7 user it translates to \\server04.contoso.local\users$\sam\profile.v2 .
Explanation: I have added “\profile” onto the end of what would normally be the profile path so that when the profile is created it is placed at the same level as all the other redirected folders. You will see how this works later on in this post.
You configure the profile location on the Profile or Terminal Services Profile tab within Active Directory Users and Computers.


If you set up the optional Profiles$ share for Windows XP then you will need to make sure the share you use is Profiles$ (not Users$), and there is no need to append the additional \profile folder.

One feature that was introduced in the newer version of Active Directory Users and Computers in Windows Server 2003 was the ability to update attributes of multiple users in one action (see image below). This makes the whole process of configuring the users’ profile path much easier, especially when dealing with many user accounts.

Per Computer Roaming Profile

Before Windows Vista the only way you could configure the roaming profile path for a user was on the user account via Active Directory Users and Computers. While configuring the roaming profile path on the user account is now far easier with the multiple-user attribute update feature, this still leaves the setting configured on each individual user, and unless you audit all the user accounts it is possible that some paths could be set up incorrectly.
However, ever since Windows Vista there has been a Group Policy setting you can apply to computers that configures the roaming profile path for anyone who logs on to that computer, called “Set roaming profile path for all users logging onto this computer”.
Warning: The biggest problem with the per-computer roaming profile configuration is that there is no way to exclude your administrator accounts from also getting this policy, as it is a per-computer policy. This means that if any administrator logs on to a workstation with this policy applied they will be configured to use a roaming profile.
Step 1. Edit a Group Policy object that is targeted to your workstations
Step 2. Navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles, enable “Set roaming profile path for all users logging onto this computer” and configure the path to \\PROFILESERVERNAME\Users$\%username%\profile .
Explanation: As with the per-user method, the “\profile” suffix places the profile at the same level as all the other redirected folders. You will see how this works later on in this post.
If you are still running Windows XP this policy works very well if you have used a geographical OU structure (see Best Practice: Active Directory Structure Guidelines – Part 1 ) for your workstations, as you will be able to send each user’s roaming profile to a local file server. This allows you to point users in a site to the closest/quickest roaming profile server to reduce the time it takes to log on and log off. However, as Windows Vista and Windows 7 now upload the profile asynchronously, loading the profile over a higher-latency, lower-bandwidth link is not so noticeable unless the user has never logged on to that computer before.

Which do I recommend?

Amazingly, I am not going to recommend the per-computer Group Policy method, as there is no way to avoid getting a roaming profile if you log on as an administrator. This is a real show stopper, as I think administrator accounts should not be encumbered with “crud” in their profile when logging on to a computer.
Therefore I recommend the per-user roaming profile configuration method, which is made much easier with the multiple-user attribute update option you get with the newer version of Active Directory Users and Computers.
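The per-user method recommended above, scripted as an added PowerShell example (not code from the original post) so that the two weaknesses mentioned earlier are handled: the path is generated from one definition so it stays consistent with the folder redirection root, and an audit function reports any account whose ProfilePath does not match. It assumes the RSAT ActiveDirectory module, the Users$ share and “\profile” suffix from the post, and a placeholder OU name. It skips protected accounts (adminCount=1, set by AdminSDHolder on members of groups such as Domain Admins) so administrators do not pick up a roaming profile, which is exactly what the per-computer policy cannot do.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module; $SearchBase below is a placeholder OU.
Import-Module ActiveDirectory

$ProfileRoot   = '\\server04.contoso.local\users$'   # the Users$ share from the post
$ProfileSuffix = '\profile'   # appended so the profile sits beside the redirected folders

# Expected per-user path. ADUC expands %username% when it saves the attribute;
# writing the expanded value ourselves keeps the audit below a plain string compare.
function Get-UsvExpectedProfilePath {
    param([Parameter(Mandatory)][string]$SamAccountName)
    "$ProfileRoot\$SamAccountName$ProfileSuffix"
}

# Bulk set. The LDAP filter keeps enabled user accounts only and skips protected
# (adminCount=1) accounts, so administrators stay on local profiles.
function Set-UsvProfilePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase)
    $ldap = '(&(objectCategory=person)(objectClass=user)(!(adminCount=1))' +
            '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -Properties ProfilePath |
        ForEach-Object {
            $want = Get-UsvExpectedProfilePath $_.SamAccountName
            if ($_.ProfilePath -ne $want -and
                $PSCmdlet.ShouldProcess($_.SamAccountName, "ProfilePath -> $want")) {
                Set-ADUser -Identity $_ -ProfilePath $want
            }
        }
}

# Audit: every account in the OU whose ProfilePath is missing or points elsewhere.
# Administrators show up here with Actual = blank, which is the intended state.
function Test-UsvProfilePath {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties ProfilePath, adminCount |
        ForEach-Object {
            $want = Get-UsvExpectedProfilePath $_.SamAccountName
            if ($_.ProfilePath -ne $want) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Protected      = ($_.adminCount -eq 1)
                    Actual         = $_.ProfilePath
                    Expected       = $want
                }
            }
        }
}

# Usage (placeholder OU): preview with -WhatIf, then run without it, then audit.
Set-UsvProfilePath  -SearchBase 'OU=Staff,DC=contoso,DC=local' -WhatIf
Test-UsvProfilePath -SearchBase 'OU=Staff,DC=contoso,DC=local' | Format-Table -AutoSize
```

Run the audit on a schedule rather than once: a stray path pointing at a decommissioned server, or at a share the user can write to but does not own, is the sort of drift the “Do not check for user ownership of Roaming Profile Folders” setting further down would otherwise mask.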

Other Roaming Profile Group Policy settings

In this section I will go through (in no particular order) the Group Policy settings I recommend you configure for setting up roaming profiles.
Computer Configuration > Policies > Administrative Templates > System
Reference: Managing Roaming User Data Deployment Guide
Windows Vista provides little information about the status of loading or unloading roaming profiles during user logon and logoff. This lack of information is misleading and may give a user the impression Windows Vista is unresponsive.
Computer Configuration > Policies > Administrative Templates > System > User Profiles
User Configuration > Policies > Administrative Templates > System > User Profiles
  • Do not check for user ownership of Roaming Profile Folders
Useful if you are doing a cross-domain/forest migration of user accounts. It also reduces logon issues caused by incorrectly set permissions on the folders. Be aware that this check exists so that Windows refuses to load a roaming profile from a folder the user (or Administrators) does not own; disabling it removes that protection, so only do so where the folder permissions above are in place.
  • Limit profile size (NOT RECOMMENDED)
Reference: Managing Roaming User Data Deployment Guide
Vista still respects this policy setting; however, it no longer prevents the user from logging off the computer. Windows does not synchronize the user’s profile to the profile server when it exceeds the policy enabled limit.
  • Exclude directories in roaming profile
Handy for excluding application folders that incorrectly write very large caches into the user’s Application Data folder if you do not have folder redirection enabled.
Trusted Sites
  • As you are redirecting the Desktop and Start Menu to a network location you will need to add the file server into the Intranet zone (or Trusted Sites) list, otherwise Windows will warn that you are trying to run a program from an untrusted location (see below).
Tip: To avoid having to enter the name of every file server in your organisation, simply add the domain-name portion of the server names so that all servers are in the Intranet Zone (e.g. file://*.contoso.local ). See my other blog post How to use Group Policy to configure Internet Explorer security zone sites on how to do this…
Error message you will get if you do not add your file servers into the Intranet Zone.
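The zone assignment from the tip above, as an added PowerShell example (not code from the original post or the linked article). It assumes the RSAT GroupPolicy module and a placeholder GPO name linked to the workstations. The “Site to Zone Assignment List” policy stores each URL pattern as a registry value under ZoneMapKey whose data is the zone number (1 = Local intranet, 2 = Trusted sites), plus a flag value that switches the policy on; the function writes both, and the check function reads back what a client actually received.

```powershell
# Added example, not part of the original post. Assumes the GroupPolicy RSAT
# module and a GPO (placeholder name) linked to your workstations.
Import-Module GroupPolicy

# "Site to Zone Assignment List" (Computer Configuration > Policies > Administrative
# Templates > Windows Components > Internet Explorer > Internet Control Panel >
# Security Page). Writing it per computer covers every user of the workstation.
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Add-UsvZoneAssignment {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string[]]$Pattern,   # e.g. 'file://*.contoso.local'
        [ValidateSet(1, 2)][int]$Zone = 1           # 1 = Local intranet, 2 = Trusted sites
    )
    # Enables the policy itself; without this flag the ZoneMapKey list is ignored
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
        -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
    foreach ($p in $Pattern) {
        Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\ZoneMapKey" `
            -ValueName $p -Type String -Value "$Zone" | Out-Null
    }
}

# Client-side check (run on a workstation after gpupdate): what the policy delivered.
function Get-UsvZoneAssignments {
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (-not (Test-Path $key)) { return }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Pattern = $name; Zone = [int]$item.GetValue($name) }
    }
}

Add-UsvZoneAssignment -GpoName 'Workstations - IE Zones' -Pattern 'file://*.contoso.local'
Get-UsvZoneAssignments | Format-Table -AutoSize
```

Keep the pattern as narrow as the file servers actually need: a wildcard for the whole domain, as in the post, is convenient, but it also means any machine a user can join to that DNS suffix is treated as Intranet for the purposes of the “Open File – Security Warning” prompt.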

Updates: Roaming Profile Improvement in Windows 7

Background Synchronisation

The most significant improvement to Roaming Profiles in Windows 7 is a new Group Policy setting called “Background upload of a roaming user profile’s registry file while user is logged on”. This lets the IT administrator schedule a background upload of the user’s NTUSER.DAT file even if they don’t log off their computer. Even if your users are in the habit of logging off at the end of the day, this is a setting you should consider turning on to ensure that the users’ settings are always being backed up, as failures can happen at any time.

How to configure Folder Redirection via Group Policy

Now let’s take a look at how to set up folder redirection for a user so that the files stored in their personal folders (e.g. Documents, Music and Videos) are stored on the file server and not on the local computer. By default all folders that are redirected are automatically made available offline, so that users can still access their personal files if they are disconnected from the file server. On a Windows XP system this can add substantial time to the logon/logoff process, as the user has to wait for the files to be synced; in Windows Vista/7 this is done in the background, so it is a much more seamless process.
Step 1. Edit a Group Policy Object that is targeted to your users and navigate to User Configuration > Policies > Windows Settings > Folder Redirection > Documents
Now we are going to set up folder redirection for the Documents (a.k.a. My Documents) folder, as this is the most commonly redirected folder; you will need to repeat the same steps for each of the other folders (if required).
Step 2. From the menu click on Action and then Properties
Step 3. Select the “Basic – Redirect everyone’s folder to the same location” option
For the purpose of this demo I am only going to show you how to set up a “Basic” redirection. However, if you want to spread the users out amongst multiple locations you can use the Advanced option and apply a different folder redirection target based on the user’s security group membership (see image below). This is useful if you want to distribute the load across multiple servers, but it can get complicated, as a user’s roaming profile may then be stored in a different location to their redirected folders. Also be careful with the order of these advanced entries: if the user is a member of multiple groups the top entry in the list wins, and there is no way to reorder the list once the entries are created. For these reasons, unless you REALLY want to, you should try to avoid using the Advanced option.
Advanced redirection (just for your FYI)
Step 4. Select the “Create a folder for each user under the root path” option under the “Target folder location” and then type the full UNC path in the root path that we created before (e.g. \\server04.contoso.local\users$ ) then click on the “Settings” Tab.
Step 5. Un tick “Grant the user exclusive rights to Documents”
Explanation: If you leave “Grant the user exclusive rights to Documents” ticked then when the folder is initially set up Windows will block inheritance on the folder and grant exclusive access to the user on these files. This locks out even administrators, which makes administration of these folders very difficult. If an administrator did need to access these files they would need to take ownership, which in turn removes the user’s access to their files; the admin then has to re-set the permissions on the folder to ensure that the user can still access the files….. very messy… The only scenario in which I see you wanting to keep this ticked is if you have a VERY strict privacy policy in your organisation, but as I said before, it is not as if a determined administrator cannot get access to these files if they really want to.
By default, Administrators do not have permissions to users’ redirected folders. If you require the ability to go into the users’ folders you will want to go to the “Settings” tab and untick “Grant the user exclusive rights to” on each folder that is redirected. This allows Administrators to enter the users’ redirected folder locations without taking ownership of the folders and files.
Note: If this is also one of the supported folder redirection types in Windows XP you will have the option to also apply this policy to Windows XP computers. I strongly recommend that you think hard before ticking this option, as I am a strong believer in not crossing the streams when it comes to running dual SOEs.
“Also apply…” option greyed out as it’s not a down-level (a.k.a. Windows XP) supported setting.
Note 2: The other option you may want to consider is “Redirect the folder back to the local user profile location when policy is removed”. What this means is that if a user is no longer subject to that Group Policy setting the contents of the redirected folder are moved back to the local computer. This sounds good until it actually happens to a user and it then takes them about 2 hours to copy all their files down to the local computer. I recommend that you leave this at the default setting.
Step 6. As we did not tick the “Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP and Windows Server 2003 operating systems” setting… phew… then you will need to press the “Yes” button.
Now repeat the steps above to configure all the other redirected folders (as shown below).
Note: On the Pictures, Music and Video folders you will have the option to select “Follow the Documents folder”, which makes them automatically inherit the Documents settings. However I have found that selecting this option can cause the Video and Music libraries in Windows 7 to disappear, so I recommend that you do not use it and configure each of these folders explicitly instead.
Warning (pre Windows 7): When enabling folder redirection for existing users for the first time, expect the logon to be very slow. Not only are you copying the contents of all the user’s personal folders across the network to the server, you are doing this for multiple users at the same time as they log in, so it is highly likely that your file server will be the bottleneck. To mitigate this you might want to security-filter the policy and enable it for only a few users at a time, working your way up to all your users.

Folder Redirection Improvements in Windows 7

Fast First Logon

One of the new features in Windows 7 is Fast First Logon, which allows users to log on to their computer without having to wait for the folders to be moved first. This means that if you are enabling folder redirection for users already running Windows 7 the performance impact will be greatly reduced.
Reference: What’s New in Offline Files
the user must wait only for Windows to move the files into the local Offline Files cache. After the files are moved, the user logs on and is free to perform other tasks while Windows synchronizes the locally cached data over the network as a background task

Background Synchronisation

As all redirected folders are also made available offline, users can work on their files in offline mode and still have them periodically synced in the background when connected via a slow link. This is very useful for roaming users connected via VPN, or even when the file server is experiencing heavy load.
Reference: What’s New in Folder Redirection and User Profiles
When the network connection is slow or unavailable, Offline Files routes requests for the user folders that are stored on the server to the local computer cache. Users read and write from their local cache. Offline Files synchronizes new and changed files and folders from the local computer cache to the server when the network becomes available or in the background when the connection is slow.

The difference between Local, LocalLow and Roaming Applications Data

One of the most confusing aspects of folder redirection is all the types of Application Data folders there are and what they do. Below is my attempt at explaining the difference between the Application Data folders and how they affect your computers.
Reference: Managing Roaming User Data Deployment Guide
Local and LocalLow folders for application data that does not roam with the user.

Local AppData & AppData

For a user that does not have folder redirection enabled the “LocalAppData” variable points to “C:\Users\USERNAME\AppData\Local” and the “AppData” variable points to “C:\Users\USERNAME\AppData\Roaming” on the local disk. The most commonly saved files in the Local path are very large cache files that would be impractical to constantly send and receive across the network. As the files are only caches there is no issue if they are lost, as the information would simply need to be re-cached. A good example is the TEMP and TMP path variables, which is where most applications are configured to save temporary files.
That being said, when folder redirection is enabled for AppData(Roaming) the “AppData” environment variable will point to the network path configured in the Group Policy (see image below). This splits your AppData folders into two locations: any application that uses the “AppData” variable is pointed at the path on the network, and any application that uses the “LocalAppData” variable is still pointed at the local hard drive.
Enabling folder redirection for AppData is far more practical with Windows Vista/7 than Windows XP, as the Offline Files cache can seamlessly transition from online to offline mode if the network latency goes above a threshold.
Warning: If you are running Windows XP and the user is connected via a slow link then the effect of having this folder redirected could be devastating to the user’s performance. In my experience even the simple act of scrolling a Word document requires constant writes to this application data folder.
To identify whether a user has application data folder redirection enabled, simply run “set” from a command prompt and look at the value of the “APPDATA” variable (see image below). The image also illustrates that the “LOCALAPPDATA” variable always points to the local hard drive even when folder redirection is enabled.
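The “set” check above, widened to every folder the Folder Redirection policy can target, as an added PowerShell example (not code from the original post). It runs in the user’s own session after logon and reads the locations Explorer is actually using from the User Shell Folders key, so it shows what the policy delivered rather than what the GPO says; it also confirms that Offline Files is active on the client, which the redirected folders depend on when the server is unreachable. The friendly names in the table and the Downloads known-folder GUID are the standard Windows value names, not anything from the post.

```powershell
# Added example, not part of the original post. Run as the user whose
# redirection you want to verify (not elevated: HKCU must be that user's hive).

# Explorer keeps each known folder's current location here; a UNC path means
# Folder Redirection moved it. Value names are the standard Windows ones.
function Get-UsvRedirectionState {
    $shell = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $known = [ordered]@{
        'Desktop'       = 'Desktop'
        'Personal'      = 'Documents'
        'My Pictures'   = 'Pictures'
        'My Music'      = 'Music'
        'My Video'      = 'Videos'
        'Favorites'     = 'Favorites'
        'Start Menu'    = 'Start Menu'
        'AppData'       = 'AppData(Roaming)'
        'Local AppData' = 'Local AppData (never redirected)'
        '{374DE290-123F-4565-9164-39C4925E467B}' = 'Downloads'
    }
    foreach ($valueName in $known.Keys) {
        $path = $shell.$valueName
        if ($null -eq $path) { continue }   # folder not present on this OS/profile
        $path = [Environment]::ExpandEnvironmentVariables($path)
        [pscustomobject]@{
            Folder     = $known[$valueName]
            Path       = $path
            Redirected = $path.StartsWith('\\')
        }
    }
}

# The "set" check from the post: %APPDATA% moves to the network when AppData(Roaming)
# is redirected; %LOCALAPPDATA% must stay on the local disk whatever the policy says.
function Test-UsvAppDataVariables {
    [pscustomobject]@{
        AppData             = $env:APPDATA
        AppDataRedirected   = $env:APPDATA.StartsWith('\\')
        LocalAppData        = $env:LOCALAPPDATA
        LocalAppDataIsLocal = -not $env:LOCALAPPDATA.StartsWith('\\')
    }
}

# Offline Files must be enabled and active for redirected folders to stay usable
# when the file server is unreachable (e.g. a disconnected laptop).
function Test-UsvOfflineFilesActive {
    $cache = Get-WmiObject -Namespace root\cimv2 -Class Win32_OfflineFilesCache -ErrorAction SilentlyContinue
    if ($cache) { [bool]$cache.Enabled -and [bool]$cache.Active } else { $false }
}

Get-UsvRedirectionState | Format-Table -AutoSize
Test-UsvAppDataVariables
"Offline Files active: $(Test-UsvOfflineFilesActive)"
```

If a folder shows Redirected = True but Offline Files is not active, that user has exactly the disconnected-laptop failure mode described earlier in the post: the files are on the server only, with no local cache to fall back to.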

LocalLow AppData

The “LocalLow” folder for all users is “C:\Users\USERNAME\AppData\LocalLow”. The BIG difference between “Local” and “LocalLow” is that LocalLow is specifically intended as the place for “Low Integrity” applications to write files, such as Internet Explorer add-ons like Google Gears, Google Earth, Adobe Acrobat, Apple QuickTime and Microsoft Silverlight (a low-integrity process, such as Internet Explorer in Protected Mode, is not allowed to write to the medium-integrity Local folder). This folder is neither redirected nor part of the roaming profile, so all information stored in it is local to the computer and will not roam with the user.
Reference: The difference between Local and LocalLow Folders

Updated: Should you enabled Local AppData Folder Redirection?

Should AppData\Local be redirected? No… because you can’t; hence the name “LOCAL”. In the Windows XP days a user’s AppData folder was either online or offline, and no matter how slow your connection to the server was, so long as you still got a response you would stay online, thus bringing the entire computer to a grinding halt. But if the administrator did not enable folder redirection for the users this normally resulted in a MASSIVE roaming profile that would take forever to sync during logon and logoff. The workaround was to exclude the entire AppData folder from the roaming profile, but this meant you risked losing some of the user’s personal data.
As Aaron mentioned in the comments, the decision to enable Application Data folder redirection should not be taken lightly and can have real negative consequences for your users’ performance. As I mentioned above, having AppData folder redirection pointed at a location that performs slowly will have a very noticeable performance impact, especially if you are running Windows XP. However, not having AppData redirection could mean that you lose some of the user’s settings and data if their computer’s hard drive fails. A good article on the matter is Should AppData be Redirected or Left in the User Profile?, which discusses the pros and cons of enabling AppData redirection.
However, now with Windows 7 (and to a lesser extent Vista) the decision to enable folder redirection for AppData is tricky at best. It is not made any easier by Microsoft on the one hand providing a specific AppData\Roaming folder for persistent information, but on the other making improvements to the OS that make redirection a far more practical option.
With the new Windows 7 features Transparent Caching and Background Sync for Offline Files, the issues with redirecting the AppData folder are now largely mitigated, as users automatically work on the local copy of a file whenever network performance is poor. This makes it far more practical to enable AppData folder redirection, while still not something you really should do…

Updated: Roaming AppData

The “Roaming” AppData folder is located on the user’s local hard drive at “C:\Users\USERNAME\AppData\Roaming”; this is the folder where applications should store all the user’s persistent settings.
AppData\Roaming is part of the user’s roaming profile, so when a user logs off their computer the files in this location are copied up to “\\PROFILESERVER\Users$\USERNAME\Profile.v2\AppData\Roaming”. Any well-written application for Windows Vista or later should be aware of the Roaming Application Data folder and use it to save persistent information. Good examples of things that should be saved here are a user’s custom dictionary or a browser’s cookies.
Reference: Managing Roaming User Data Deployment Guide
Roaming folder for application specific data, such as custom dictionaries, which are machine independent and should roam with the user profile.
Below is a screen shot of a users AppData\Roaming folder as stored on the local computer and the same location stored on the server.
Note: Unlike the user’s registry information in the ntuser.dat file, on Windows 7 the AppData\Roaming folder cannot be synchronised using the “Background upload of a roaming user profile’s registry file while user is logged on” setting.
AppData\Roaming on the local computer / AppData\Roaming as stored on the server

So should you enable this “AppData(Roaming)” folder redirection option? Probably not. Why? You should ensure that your computers are always using the local HDD, which should give MAXIMUM performance (unless your drive is REALLY slow). With all the improvements in roaming profile syncing, such as Background Synchronisation (see What’s New in Folder Redirection and User Profiles), the user’s AppData(Roaming) will still be saved to the network, reducing the chance of any data loss for the user.

Updates: Excluding AppData Folders

Some applications may not be well written (SHOCKER) and save numerous or large files to the AppData\Roaming folder. This significantly adds to logon and logoff times with all the extra time it takes to transfer the excess files. Therefore you should fully understand where applications save their configuration and look at excluding these folders from the user’s roaming profile so they are not copied up to the network, saving a lot of time during logoff and logon.
For a good starting point for a list of common applications that save large amounts of information into the AppData\Roaming folder, check out Stealthpuppy: Reduce logon times by excluding the bloat .
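The measure-then-exclude workflow described above, as an added PowerShell example (not code from the original post or the Stealthpuppy list). The first function sizes each AppData\Roaming subtree of a profile so you can see what is actually bloating logoff; the second pushes a list of profile-relative paths into the “Exclude directories in roaming profile” setting, which stores them semicolon-separated in the ExcludeProfileDirs value. It assumes the RSAT GroupPolicy module and a placeholder GPO name, and the two folder names in the usage call are invented placeholders, not real applications.

```powershell
# Added example, not part of the original post. GPO name and the folder names
# in the usage call are placeholders; exclude only what your own measurement shows.
Import-Module GroupPolicy

# Largest AppData\Roaming subtrees of a profile, reported as profile-relative
# paths (the form the policy expects). Run against a local profile or a copy on
# the profile server, e.g. \\server\users$\sam\profile.V2.
function Get-UsvRoamingBloat {
    param([string]$ProfilePath = $env:USERPROFILE, [int]$Top = 10)
    $root    = $ProfilePath.TrimEnd('\')
    $roaming = Join-Path $root 'AppData\Roaming'
    Get-ChildItem -Path $roaming -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $sum = (Get-ChildItem -Path $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Folder = $_.FullName.Substring($root.Length + 1)   # e.g. AppData\Roaming\Something
            MB     = [math]::Round(($sum / 1MB), 1)
        }
    } | Sort-Object MB -Descending | Select-Object -First $Top
}

# User Configuration > Policies > Administrative Templates > System > User Profiles >
# "Exclude directories in roaming profile". Paths are relative to the profile root;
# AppData\Local and AppData\LocalLow are already excluded by Windows, this list is
# added to them. Each call replaces the whole list, so pass the complete set.
function Set-UsvProfileExclusions {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string[]]$Folder
    )
    $bad = $Folder | Where-Object { $_.StartsWith('\') -or $_ -match '^[A-Za-z]:' }
    if ($bad) { throw "Paths must be relative to the profile root: $($bad -join ', ')" }
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'ExcludeProfileDirs' -Type String -Value ($Folder -join ';') | Out-Null
}

# Read back what the GPO currently carries, to confirm the list before users log off.
function Get-UsvProfileExclusions {
    param([Parameter(Mandatory)][string]$GpoName)
    $v = Get-GPRegistryValue -Name $GpoName `
        -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'ExcludeProfileDirs' -ErrorAction SilentlyContinue
    if ($v) { $v.Value -split ';' }
}

# Usage: measure first, then exclude what is clearly cache (placeholder folder names)
Get-UsvRoamingBloat | Format-Table -AutoSize
Set-UsvProfileExclusions -GpoName 'Users - Roaming Profiles' -Folder @(
    'AppData\Roaming\ExampleApp\Cache',
    'AppData\Roaming\ExampleBrowser\Profiles\default\cache2'
)
Get-UsvProfileExclusions -GpoName 'Users - Roaming Profiles'
```

Exclude cache directories, not the application’s whole folder: as the post notes for AppData\Roaming generally, anything excluded is never uploaded, so a user whose disk fails loses it.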

User State Virtualization Folder Structure Explained

Now that we have configured the user’s roaming profile and folder redirection, the next time a user logs on the required folders on the network will be created automatically for them, enabling User State Virtualization.
As you can see in the image below, without folder redirection a user’s personal folders are part of their roaming profile. The files in these folders (e.g. Documents and Music) are saved locally and synchronised asynchronously in the background with the server. Having no folder redirection also means that a user will take some time to log on to a computer for the first time, as a copy of the entire profile needs to be downloaded.
User State Virtualization Folder Structure before Folder Redirection is Applied
After folder redirection is applied to the user you can see that all the user folders (excluding AppData) have been moved up a level, out of the profile and into the root folder for the user’s data.
User State Virtualization Folder Structure after Folder Redirection is Applied


Hopefully you now have a good idea of how to set up User State Virtualization in your environment. Just remember that this is not a product but a combination of roaming profiles and folder redirection that enables a user to use any computer in your organisation while maintaining a consistent experience.
The other part of User State Virtualization that I did not go into in this post is the ability to have all your users’ applications also follow them no matter which computer they log in to; to do this you need to use Microsoft App-V, and for that I would refer you to Aaron Parker’s Stealthpuppy web site.

Other Resources

This is just a list of other related articles that I have found since writing this post.

Folder Redirection Hotfixes

The following is a list of hotfixes that are specific to Folder Redirection and Roaming Profiles
