Setting up Roaming Profiles and Folder Redirection for a new user.

This page will document the steps I took to set up roaming profiles for ACS users and will therefore use ACS as a prefix for all names.  You should obviously use the prefix of your own OU.

Three notes to begin with:

1. I am assuming some minimal level of administrative knowledge that I'm simply too lazy to document here.  Contact me if any of these steps are absolutely foreign to you.

2. The group ACS Local Users is frequently referenced in this document. ACS Users is a Domain Local group with a single member, a Global group named ACS Users.  In ACS Users are all the staff members of ACS.  I routinely use this more restrictive ACS Local Users group in place of the Everyone group or the Authenticated Users group and to date have encountered no problems.

3.  The biggy.  Roaming Profiles and Folder Redirection are applied to machines, not users.  If one user of a machine is set to roam, all users are set to roam.  It's all or nothing, based upon the machine.
 

I'm assuming that your server is adequately secured.  Pay particular attention to Microsoft Security Bulletin MS02-64, also referenced in Q Article 327522.   I modified the permissions recommended in this article somewhat further, by removing the Everyone group from the list entirely and replacing Users with Authenticated Users.  I did not want to go so far as to use ACS Local Users here, in case this server needed to be accessed by someone from outside that particular group.

I'm also assuming that you have the AD management tools installed and are familiar with their use.  If not, see the AD home page to download and install them.

The File Server

1. Create a folder on a server named Users.
2. Set the permissions on this folder to
 
User/Group Permissions Scope Notes
Administrators Full Control Should be inherited from the root anyway
Domain Admins Full Control In case you need someone to help out in the event of something drastic
System Full Control Also inherited from above
Creator Owner Full Control Subfolders and files only
ACS Local Users List Folder/Read data
Read Attributes
Create Folder/Append data		 This folder only

3. Share this folder as ACS Users.  Since this share will not be published in AD, I do not technically have to add the ACS to the share name.  It has become my convention to do so, both to mentally separate the share from the local folder as well as to get in the habit of thinking campus-wide.

4. Set the share level permissions to ACS Users - Full Control.  Note that the above listed NTFS permissions secure the share adequately, even though our receptionists appear to have Full Control.

The Local machines

Log in as a local administrator and configure the following two (new) system environment variables

Profileserver

  which should be set to the fully qualified DNS name of the server used above, e.g. acs-server1.acs.sfu.ca

Profileshare

  which is set to the share name.  Again, in the example above, it is ACS Users

A reboot is likely required at this point.

Annoyingly, this must be done at the keyboard of all local machines.  If I can figure out a way to push this out, I'll certainly document it.

Roaming profile Group Policy

There isn't any required.  At this point, any new user logging in will have their profile automatically created on the server at first login (to any machine configured as above) and synchronized appropriately at logout.  However, while no Group Policy is required, some may be desired,  for one of two reasons.

1. Profiles are always local, even when set to roaming, in that when a user logs in, their roaming profile is copied to the local drive and modified/updated locally.  Only upon logout is the profile returned to the server.  By default, Windows will leave the existing profile behind.  This can be useful in the case of a notebook user, but extremely troublesome in a lab environment where thousands of profiles may end up on a machine, filling the disk with redundant information.

2. The permissions listed above do not necessarily grant an administrator (any administrator) full rights to every file and every folder in a user's profile when a profile is automatically created.  It would probably be a good idea to add this permission automatically, as I'm sure that no one wants to manually create profiles and set permissions for each and every user.

The machines you wish to apply Group Policies to should already be in an OU in AD, either your own root level OU or some level down.

1. Create a policy for that OU.  (One time hint: OU - Properties - Group Policies - New)

2. Give a suitable like name OU Roaming Profile Setup.  Adding your OU to the name is absolutely essential; inappropriately named GPOs cannot be tolerated.

3. Edit the GPO.

Under

    Computer Configuration
        Administrative Templates
            System
                User Profiles

Enable one or both of

     Delete cached copies of roaming profiles
    Add the Administrators security group to roaming user profiles

3a.  If you enable "Delete cached copies ...", there is a chance that some software installed via an MSI will whine and insist upon being reinstalled each and every time a user logs in.  Microsoft says this behaviour is by design.  I think they messed up.  Thankfully, there is a backhanded fix for it.  See Q298960 for more information, but follow the steps below (not the steps in Q298960) to make it work in the SFU environment.

Go to

    User Configuration
        Administrative Templates
            System
                Logon/logoff

and enable

    Exclude directories in roaming profiles.

Then, remove

    Local Settings

from the list of folders to be excluded.

Then go to

     Computer Configuration
        Administrative Templates
            System
                Group Policy

and enable

    User Group Policy loopback processing mode

For Mode, pick either Replace or Merge.  (There's no difference between the two at this point and never likely to be a difference unless you define the Folder Exclusion policy differently in some other policy).

4. Close the Policy Editor.

At reboot or at the next group policy refresh interval, the policy will be applied to the machines in the OU.
 

Folder Redirection

It is possible to redirect several folders in a user's profile to somewhere other than the default location.  These folders are Desktop, My Documents, Application Data and Start Menu. Quite simply, Folder Redirection allows these four special folders to appear to be local when they are in fact folders on a network share.  It is important to understand that an administrator may wish to use this feature with roaming or local profiles, although for different reasons.

Local profiles

Since we all back up our servers religiously and since users never back up anything anytime, Folder Redirection gives us the ability to "sneakily" store much of a user's data in the two most common locations ( the Desktop and My Documents ) to a fileserver, completely transparently.  That is, when a user with the My Documents folder redirected saves a file to My Documents, that file is saved to a fileserver.  To the user, it appears as if the file is being saved locally, just as it was in the Windows95 days but the file is in fact on the server and is not present on the local machine anywhere.

Being an "in for a penny, in for a pound" kinda guy, I recommend redirecting Application Data as well, to protect the user from themselves.

Roaming Profiles

In a sense, users with roaming profiles already have their data in the four special folders backed up, as at logout time, all of the profile, including the redirectable folders are copied back to the share that stores the profile.  The key word is back; all of the data in these folders is copied down to the local workstation at login, then copied back at logout.  Somebody's going to complain about the time it takes to login, so by redirecting Desktop, My Documents and Application Data, login/logout times are sped up enormously.

    The Start Menu is a special case, more related to locking a user down than to preserving data, so I'm going to ignore it.

There is a lot of information from Microsoft on the topic of Redirected Folders; some basic reading can be found in the following Q articles. Q232692, Q273842, Q274443 and Q220167.

Actually doing it.

Create a new GPO (mine is ACS Folder Redirection) and open it for editing.  Alternately, you could also simply add the settings I'm about to describe to the Roaming Profile GPO you may have just created.  The fewer policies applied to an OU, the faster the login time.  But more policies make it easier for me, as an admin, to keep track of things.

So, users ... or me ... users ... or me ...  Your guess which way I went.

In either case, go to

    User Configuration
        Windows Settings
            Folder Redirection

Click on a folder to redirect, then right-click to access the Properties

Choose either the Basic or the Advanced setting.  (If everyone will have their folders redirected to the same server and the same root share, Basic is an the choice)

Manually fill in the target folder (browsing probably won't work) in the form

\\server name\share name\the explicit string "%username%\folder name

As an example, here's mine

  \\acs-server1.acs.sfu.ca\ACS Users\%username%\My Documents

Note that I used the same server, share  for Folder Redirection as I did for Roaming Profiles. The same folder will also be used, by virtue of the %username% variable.   If for some reason you wish to use something different, ensure that the new server and share have the same permissions set as described above.

Click Settings

Uncheck Grant the user exclusive rights ... or you as an admin won't have access to the folders, regardless of the rights to the folder defined earlier.

You probably want to leave Move the contents ... checked.

In the Policy removal area, I have no universal advice.  I selected Redirect the folder back ... as ACS users tend to have large enough hard drives to store all their files and also (usually) have a backup strategy of some sort.  For users that are highly network-centric, either because of limited disk space or the need to do their backups for them, I might select Leave the folder...

Click OK

Repeat the above steps for any other folders you wish to redirect.

Now go to

     Computer Configuration
        Administrative Templates
            System
                Group Policy

and enable

    User Group Policy loopback processing mode

( This may already be enabled if you are using a single Roaming Profile/Folder Redirection GPO )

and also enable

    Folder Redirection policy processing

I would also advise checking Process even if Group Policy ... This will also slow down login time a bit but will ensure that all machines in the OU get the policy. (There is an unusual - and pretty rare - combination of circumstances that could result in a machine not getting this policy)  Once you're sure all the machines have this policy, you can remove the tick mark.

One last (important) thing.

Enabling Roaming Profiles basically means copying a lot of things from a server at login time and saving them back again at logout.  Folder Redirection means sorta the opposite, not copying things.  By a quirk of logic that seems to make sense only to residents of Redmond, if you apply both policies, as described above, the worst possible thing happens.  Not only is everything copied to the local machine at login time to a temporary local profile (seemingly in violation of what you intended when you set up Folder Redirection), you won't be able to delete anything from any folder that is redirected !  That's because (under these circumstances) there are three versions of any redirected folder.
  1. the folder on the server
  2. the "virtual" folder that appears on the desktop
  3. the temporary copy on the local machine that you thought was being redirected
Here's the problem.  When a file is created in a redirected location, it appears in all three folders.  But when it is deleted, it is only deleted from the virtual folder and the folder on the server.  It remains in the temporary local profile !  At logout time, things are "synchronized", which means that the local profile, including the redirected folder which includes the "deleted" files, are copied back to the server.

There is a solution, that a person would think would be automatic, but is not.  In the same policy that you are using to "tweak" Roaming Profiles (or if you are not using one, the Folder Redirection GPO), go to

    User Configuration
        Administrative Templates
            System
                Logon/logoff

and enable (if not already enabled)

    Exclude directories in roaming profiles.

Then, add any folders that you have redirected to the list.  Click OK, etc.
 

Last Last  Important thing:

You must remember that like Roaming Profiles, Folder Redirection is applied to a machine, not a user.  So, as I sit down at the various machines in ACS, I can log in to all of them (because I have so permitted it) and I can get my profile downloaded to all of them (because they all have the profileserver and profileshare variables set) and I can gain access to all My Documents, because the same Folder Redirection policy has been applied.  But when I sit down at a machine in some other OU, I may still be able to log in (if the OU admin has not locked me out), but I will not be able to download my profile (because the profile variables on that machine will almost certainly point to a different server) and I will not be able to immediately access my files (because even if a Folder Redirection policy has been applied to that machine, it again almost certainly points to a different server)

The file access is solvable by a login script, a topic for another paper, the profile is really not.