
Roaming profiles and Folder Redirection settings

Lately I have met a couple of customers who wanted to implement old-school technologies: folder redirection and roaming profiles. When they implemented these features they didn’t do it the right way, because they used the default settings, which are not really what you might want. I have also read a couple of articles on why roaming profiles and folder redirection are bad solutions. They really ain’t that bad.

Roaming profiles

Roaming profiles is a feature that makes your profile go with you from computer to computer, so your user settings travel with you. During logoff, the locally saved profile is copied to a network share, and during logon the saved profile is copied to the local disk. So all the settings and data travel with you. This solution works well until you have a big profile. As you might know, the profile includes My Documents and Desktop, and these two directories almost always hold a couple of megabytes of data 🙂 So every time you log on or log off, all the data is copied over the network, which slows the logon and logoff processes down. For this we have a solution: Folder Redirection.

Folder Redirection

When your profile goes with you, you carry all the data with you, which can slow down the logon and logoff processes. Folder Redirection is a method of moving that data from the local disk to a network share. This means that the data in My Documents, Desktop, etc. is not stored in the local profile (on local disks) but on a network share. Every time you access that data, you are browsing the network share. You may ask what happens when the network is down. Well, the data won’t be available. But Microsoft has a solution for this too. It’s called Offline Files. When Offline Files is configured correctly, every time you access the network share your computer stores a local copy of the files on that share. So you can access them when the network is down or when you are out of the office with no access to the local LAN. When you connect back to the work LAN (directly or over VPN), the files are synchronized.

Let’s set it up

Shares

To be able to save Roaming Profiles and Folder Redirection data on the network, we need to set up network shares. We will create the shares with the security settings recommended by Microsoft.

To make it clear: you need to create one share for Roaming Profiles and one for Folder Redirection.

For Roaming Profiles we created the directory TS_Profiles with the following NTFS settings, and we will call it the root Roaming Profiles directory:

[Screenshots of the NTFS permission entries: CREATOR OWNER, SYSTEM, Administrators, Users' group, and Block inheritance from parent object]

 

The users’ group can simply be the Domain Users group.

You need to share this directory on the network with the following share permissions:

  • Administrators – Full Control
  • The group of users who will use Roaming Profiles (basically Domain Users) – Read+Change

You need to disable caching for the Roaming Profile share:

[Screenshot: Roaming Profile Share]

 

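It is good practice to give the Roaming Profiles share a name that ends with a dollar sign, for example “TS_Profiles$”, because such shares are hidden from bulk network scans. The dollar sign only hides the share name; access is still controlled by the share and NTFS permissions.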
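The root directory and share described above, scripted in PowerShell as an added example that is not part of the original post. The path, the EXAMPLE domain and the use of New-SmbShare (Windows Server 2012 or later) are assumptions; the rights and scopes are assumptions too, because the screenshots that showed them did not survive. They follow Microsoft's published guidance for roaming profile shares, with Administrators placed on the root folder only.

```powershell
# Added example. Run elevated on the file server. Names below are assumptions.
$Path  = 'D:\Shares\TS_Profiles'   # assumed location of the root Roaming Profiles directory
$Share = 'TS_Profiles$'            # trailing $ keeps the share out of browse lists
$Users = 'EXAMPLE\Domain Users'    # placeholder domain; the group that uses roaming profiles

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Helper (hypothetical name): build one Allow ACE.
function New-AllowAce($Identity, $Rights, $Inherit, $Propagate) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited entries
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # clear explicit leftovers

# CREATOR OWNER: full control on subfolders and files only, so each user ends up
# with full control of the profile folder created at first logoff.
$acl.AddAccessRule((New-AllowAce 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
# SYSTEM: full control on this folder, subfolders and files.
$acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
# Administrators: root folder only (assumption); access to the profile folders
# themselves comes from the GPO setting, not from this entry.
$acl.AddAccessRule((New-AllowAce 'BUILTIN\Administrators' 'FullControl' 'None' 'None'))
# Users' group: list the root and create a folder in it, this folder only,
# so nothing here is inherited by other users' profiles.
$acl.AddAccessRule((New-AllowAce $Users 'ListDirectory,CreateDirectories' 'None' 'None'))
Set-Acl -Path $Path -AclObject $acl

# Share permissions from the list above, with caching (Offline Files) disabled.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    $shareArgs = @{
        Name         = $Share
        Path         = $Path
        FullAccess   = 'BUILTIN\Administrators'
        ChangeAccess = $Users          # Read+Change
        CachingMode  = 'None'
    }
    New-SmbShare @shareArgs | Out-Null
}

# Check the result: no entry should show IsInherited = True, and the users'
# group entry should have InheritanceFlags = None.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
Get-SmbShare -Name $Share | Format-List Name, Path, CachingMode
Get-SmbShareAccess -Name $Share
```

The same script works for the Folder Redirection root after changing `$Path` and `$Share`.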

It is also good practice to enable the following GPO policy for computers:

Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to roaming user profiles

These settings have the following effects:

  • When a user first logs off, the logoff process creates a folder in the root Roaming Profiles directory. This process is able to list the root Roaming Profiles directory.
  • The newly created directory is owned by the user whose profile is stored in it
  • SYSTEM (for backups) and Administrators (for checking things inside the profile) are also able to access the directories
  • Other users are not able to access others’ profiles

The settings for the Folder Redirection root directory are almost the same. Here are the settings that need to be set on the Folder Redirection root directory:

[Screenshots of the NTFS permission entries: Administrators, CREATOR OWNER, SYSTEM, Users' group, and Block inheritance from parent object]

 

The share settings are the same as for the Roaming Profile share.

Folder redirection settings are set via GPO:

User Configuration\Policies\Windows Settings\Folder Redirection\*

It is also recommended that you set the Folder Redirection Settings tab as follows:

 

[Screenshot: Folder Redirection Settings]

 

So I hope more people will try these two features and will not be afraid of them.

 
