Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) 18/08/2010, 7:00 pm | by Alan Burchill 62,999 views inShare3 Virtualization is currently a buzz word and it seems that Microsoft is falling over itself to brand as many products as possible with the “V” word (e.g. Hyper-V, App-V & Med-V). So “User State Virtualization” is the term that Microsoft now uses to describe what used to be call Roaming Profiles and/or Folder Redirection. The idea is simple… a user can logon to any computer in an organisations and have all their personal files and setting apply to that computer as it was the last time they used a computer. This is really a Win/Win for Users and IT Pros as for a user this is a big time saver as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computers. IT Pro’s also benefit when there is an un-expected failure or loss of a computer then they don’t have to go through what could be a lengthily, costly and if not impossible, process of recovering the users data. The video below is part 1 in a 3 part series that give an overview about how Roaming Profiles and Folder Redirection give you User State Virtualisation. Now theoretically User State Virtualization can be totally done with just a Roaming Profile, however this quickly becomes impractical as users often store a LOT of data which can make users profile impossibly large. To get around this Microsoft users folder redirection to essentially redirect parts of a user’s profile to a file share on a server where it is centrally access whenever they logon to a computer. Reference: Managing Roaming User Data Deployment Guide Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile. By redirecting these folders to a server they are only access when needed and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However this restriction is also mitigated by ensuring that the user has a cached copy of these redirected folders. Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps. Before you begin I would also recommend that you read the following articles from Microsoft about User State Virtualization. Choosing an Appropriate User State Virtualization Solution Understanding User State Virtualization Improvements In Windows 7 Note: I am going to mainly focus on Windows Vista/7 setups however most of the setting/principals I do mention below will still apply to Windows XP. Update: Here is a really good video from Darren Mar-Elia (Fellow Group Policy MVP) from TechEd North America 2011. This session is entitled Optimizing Group Policy in Virtual Desktop (VDI) Environments however much of it covers User State Virtualization. Setting up Folder Redirections using Group Policy Below I will show you how to setup folder redirection for you users profiles. It is very important that you realise the impact that redirection some of these folder can have as if users have many GB’s of music of videos on their local computers you could quickly find yourself running out of disk space on the server. Setting up file server share for User State Virtualization When setting up the file server you need to be sure that the permission on the folder are setup so that a user can create a new folder however you also need to ensure that they can only see their own files if they start to snoop about. Below I will go though the setup of a folder to be used for folder redirection and the roaming profiles. Combining a users redirected folders and roaming profile path to the one spot on the network is far easier to manage as it consolidates all the users information in one locations. Note: This consolidated storage of users information can only applies to Windows Vista/7 systems. Otherwise you will need to create a separate share for roaming profiles with offline caching disabled for Windows XP systems. Step 1. Create a folder to be used as a root folder for all the users information (e.g. Users) Step 2. Open the properties of the folder and then go to the Security tab and then click on the Advanced button. Step 3. Now click on the “Change Permissions” button Step 4. Un tick “Include inheritable permission form this object’s parent. Step 5. Click the “Add” button Explanation: We have now setup a folder with no inheritable file permissions from the parent. We do this so we can remove the Read permission from Users for all subfolders and files in a later step. You should now see something like this below. Step 6. Select the Users “Special” ACL and then click the Edit Button. Step 7. Change the Apply to: permission to “This folder only” and press “OK” Step 8. Select the Users “Read & execute” ACL and then click the “Edit” button. Step 9. Again select the “This folder only” option from the Apply to: section and then press “OK” Notice how the two “This folder only” permissions for Users have now combined into one ACL. Step 10. Then press “OK” and “OK” to get you back to the Users Properties screen. Now we need to share the folder… Step 11. Click on the “Sharing Tab” on the Users Properties screen and then click on the “Advanced Sharing” button. Step 12. Tick “Share this folder” and give the type in a share name ending with a $ (e.g. Users$) then click on the “Permissions” Button. Note: The $ symbol at the end of the share name makes it hidden to a users so they cannot browser to the folder. This is not necessary but it is good practice to help stop nosey users. Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for- home-roaming-profile-and-redirected-folders.aspx you should always hide the profile share using a dollar sign ($). Step 13. Tick “Allow” for the Full Control permissions (change should then get automatically ticked) and then press OK then OK then Close. (Optional) Setting up Roaming Profile Folder If you are still using Windows XP then I would recommend configuring the roaming profile folder is the same as the Users folder for the redirected folders except that you need to disable file caching. Simple repeat the steps above for “Setting up file server share for User State Virtualization” instead use the folder name called “Profiles” and a share name called “Profiles$”. After you configure the share permissions (see step 13 above) also click on the “Caching” button and select the “No Files or programs from the share folder are available offline” options then press OK then OK then Close. Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for- home-roaming-profile-and-redirected-folders.aspx You should disable Offline Files Enabling Access Based Enumeration Now we are going to enable Access Based Enumeration for the Users$ share so that any users that manually goes to \\server04.contoso.local\users$ will only see their own folder. This is optional however as it simple stops your snooping users from seeing who else is in the organisation. Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for- home-roaming-profile-and-redirected-folders.aspx This last part is for the former Novell Admins out there. Yes, you could use Access Based Enumeration (ABE) on these new shares; however if there is going to a lot of user folders on any one of these shares you could experience degradation of performance. Enabling ABE on a share does come at a price of performance. Step 1. Open Server Manager and expand Roles > File Services > Share and Storage Management and then highlight the Users$ share Step 2. From the menu click on Action and then Properties and then click the “Advanced” button Step 3: Tick “Enable access-based enumeration” and then click “OK” Step 4. Click OK The folder on your server is now ready for your users roaming profiles (Windows Vista/7) and folder redirections. Tip: You can also also enable a File Screen using the File Server Resource Manager to prevent your users from saving files type of a certain extension (e.g. MP3, AVI or MP4) to their redirected folders. Another option this gives you is the ability to apply an Auto Apply Quota to the users folders and have then get warning email messages whenever they consumer a lot of disk space. How to configured Roaming Profiles for a user using Group Policy Before we begin, take the time to watch part 2 video that shows an example of how Roaming Profiles can be used to give your users a better experience.