Guest chris.wilkins10@virgin.net
Posted October 13, 2007

I'm looking into setting up default, mandatory and roaming profiles. Which is the best location to save these?

My Active Directory is divided into several partitions:-

Partition C: = OS i.e. Server 2003
Partition E: = NTDS database
Partition F: = NTDS logs
Partition G: = SYSVOL
Partition H: = Swap file

Chris..

Guest Lanwench [MVP - Exchange]
Posted October 13, 2007

Re: Where to store/save user profiles?

chris.wilkins10@virgin.net wrote:
> I'm looking into setting up default, mandatory and roaming profiles.
> Which is the best location to save these?
>
> My Active Directory is divided into several partitions:-
>
> Partition C: = OS ie. Server 2003
> Partition E: = NTDS database
> Partition F: = NTDS logs
> Partition G: = SYSVOL
> Partition H: = Swap file
>
> Chris..

In addition to Mathieu's comments (with which I agree) -

------------------------
Default profile setup
------------------------

Create a local 'template user' on a workstation. Log in, and tweak everything that you want to standardize but cannot (easily) control via group policy. This includes power settings, Windows Explorer display settings, etc. Don't add a mail profile, or anything that will be unique to any domain user - keep it nice and generic.

Once you're done with this 'template' profile, log out - then log in as a domain admin (or any account that has permissions to write to \\DCname\netlogon).

In control panel | system, copy the 'template' user profile you created to \\DCname\netlogon\Default User (with the proper capitalization & the space). Set "Allowed to use" to "Everyone".

Then your new *domain* users will have these settings.

------------------------
Mandatory profiles
------------------------

I suggest you avoid them unless there's some compelling reason - it's a pain if you ever need to make a change. However, if you want to use one, just rename the user's ntuser.dat to ntuser.man

------------------------
Roaming profiles
------------------------

These can work well if you are very careful - but if you aren't, much can go wrong. You're probably going to need a lot of disk space to hold them. If you use folder redirection for My Documents, Application Data and Desktop, you may not need roaming profiles. In a domain, you should redirect those even if you don't use roaming profiles. This is done via group policy.

If you choose to go with roaming profiles, here's my boilerplate on the subject.

1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it)

2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control.

3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field

4. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Make sure you do this before the users log in and create their subfolders, as this doesn't apply retroactively.

5. Have each user log into the domain once from their usual workstation (where their existing profile lives) and log out. The profile is now roaming.

Notes:

* Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them). Explain that the "last one out wins" when it comes to uploading the final, changed copy of the profile.

* Keep your profiles TINY. Via group policy, redirect My Documents at the very least - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will have:

\\server\home$\%username%\My Documents,
\\server\home$\%username%\Desktop,
\\server\home$\%username%\Application Data.

If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop. Big profile=slow login/logout, and possible profile corruption.

* Note that user profiles are not compatible between different OS versions, even between W2k/XP. Keep all your computers. Keep your workstations as identical as possible - meaning, OS version is the same, SP level is the same, app load is (as much as possible) the same.

* Do not let people store any data locally - all data belongs on the server.

* The User Profile Hive Cleanup Utility should be running on all your computers. You can download it here: http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
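
Steps 1 and 2 of the roaming-profile procedure above, as an added PowerShell example that is not part of the original post. It assumes Windows Server 2012 or later (for the SmbShare cmdlets), an elevated session, the post's example path d:\profiles, and BUILTIN\Users as the user group; the `-TightRootAcl` switch is hypothetical and applies a narrower root ACL as an alternative to the post's users=full control, which the post itself does not prescribe.

```powershell
# Added example (not from the thread). Assumptions: Windows Server 2012+,
# elevated session, profile root at D:\profiles as in the post's example.
param([switch]$TightRootAcl)   # hypothetical switch: off = ACL as the post states it

$Path  = 'D:\profiles'
$Share = 'profiles$'           # trailing $ hides the share from browsing

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Steps 1 and 2: share with offline caching disabled and Everyone = Full Control
# at the share level, so the NTFS ACL is the only effective gate.
New-SmbShare -Name $Share -Path $Path -FullAccess 'Everyone' -CachingMode None | Out-Null

# Replace inherited ACEs on the root with explicit ones.
icacls $Path /inheritance:r | Out-Null
icacls $Path /grant 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

if (-not $TightRootAcl) {
    # Step 2 as posted: Users = Full Control. Scope assumed here is the GUI
    # default (this folder, subfolders and files); the post does not state it.
    # Anything created under the root inherits this unless its ACL is set explicitly.
    icacls $Path /grant 'BUILTIN\Users:(OI)(CI)F' | Out-Null
} else {
    # Narrower layout: Users may list the root and create a subfolder
    # (this folder only, no inheritance flags) ...
    icacls $Path /grant 'BUILTIN\Users:(S,RD,AD,X,RA)' | Out-Null
    # ... and whoever creates a subfolder gets Full Control of it and its contents.
    icacls $Path /grant 'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null
}

# Verify: CachingMode must report None, and the ACLs should match the intent.
Get-SmbShare -Name $Share | Select-Object Name, Path, CachingMode
Get-SmbShareAccess -Name $Share
icacls $Path
```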

Guest David Griffiths
Posted October 14, 2007

Re: Where to store/save user profiles?

Hi Lanwench

A simple question.

If the redirect is set for My Documents Desktop etc... does this just redirect the roaming storage on the server or does it make the workstation always use the server rather than the local path... if that makes sense

Dave

Guest Mathieu CHATEAU
Posted October 14, 2007

Re: Where to store/save user profiles?

Hello,

Windows stores only on the redirected path, no more locally. So if you lose access to the redirected path, Desktop becomes empty (all icons gone), same for quicklaunch.

This is the difference with roaming: there is no local copy storage, it's directly and only on the redirected path.

--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr