March 12, 2005
Roaming Profiles w/Case ADS
Roaming profiles not only make sense for a lab environment, but an office environment as well. In the Engineering Dean's Office I use them as a means of backing up all of a user's settings. If something happens to their PC, I can quickly put a backup machine in place while their office machine is repaired. The user simply logs in, and their previous settings are restored. This is how roaming profiles work with the campus ADS:
- Every campus account in ADS and ADSTEST now has their profile set to: \\%ProfileServer%\%ProfileShare%\%Username%
- The 'Only allow local user profiles' group policy is now enabled by default, so there is no error message like 'can't find roaming profile' should you not define these variables.
- On each machine you want to roam, you need to define the variables %ProfileServer% and %ProfileShare% (these are not normally part of Windows) system wide. You can create these variables in the System control panel - make sure you add them to the system environment variables and not the user environment variables. For example, you can simply set %ProfileServer% = skybridge and %ProfileShare% = nord-profile$ (examples from my setup - the $ makes it a hidden share).
- Create a group policy object linked to the OU you'd like to roam, and set this policy to "Disabled":
Computer Configuration -> Administrative Templates -> System -> User Profiles -> Only allow local user profiles
- Unique to my configuration was turning off caching of roaming profiles. Eventually the lab machines would have filled up with hundreds of cached copies of profiles. It makes sense to cache them in an office environment, but not in a lab:
Computer Configuration -> Administrative Templates -> System -> Logon -> Delete cached copies of roaming profiles
- Reboot the computer so these policies and the system environment variables take effect.
- Now when you log in as a user in the Kerberos realm, a profile should be automatically created on your server's %ProfileShare%; if not, check the permissions on the share. The minimum permissions needed are "List Folder/Read data", "Read Attributes", and "Create Folder/Append data", applied to scope "This folder only". For my setup, I applied these permissions to the group "Authenticated Users". Share permissions were set to "Authenticated Users" Full Control.
- The Cache Option for Offline Files Must Be Disabled on Roaming User Profile Shares. See KB287566.
- The profile should roam between two or more computers that have been set up with the above steps.
- The policies "Allow Cross-Forest User Policy and Roaming User Profiles" and "Add the Administrators security group to roaming user profiles" have been turned on by default. The first is necessary to make this work, and the second is so you can access users' profiles without having to change the permissions to include you first. The group added is %ProfileServer%\Administrators.
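As an added example that is not part of the original post, the PowerShell below defines the two variables in the machine (SYSTEM) scope and then expands the profile path template from that scope only, so a variable that was set at user level by mistake shows up as missing even though "echo %ProfileServer%" works in a command window. The server and share names are the post's own examples and are assumed to match your server; the script must run elevated, and the machine still needs the reboot described above before the logon process sees the new values. The function name Test-RoamingProfilePath is mine, not a Windows cmdlet.

```powershell
# Added example, not from the original post. Defines ProfileServer/ProfileShare
# in the machine scope and verifies that the profile path template expands from
# that scope. Values are the post's examples (assumed to match your server).
$ProfileServer = 'skybridge'       # assumption: your profile server's name
$ProfileShare  = 'nord-profile$'   # assumption: the trailing $ hides the share

# Machine scope lands in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment,
# which is what the system reads at logon. A user-scope variable is not seen there.
[Environment]::SetEnvironmentVariable('ProfileServer', $ProfileServer, 'Machine')
[Environment]::SetEnvironmentVariable('ProfileShare',  $ProfileShare,  'Machine')

function Test-RoamingProfilePath {
    param([string]$UserName = $env:USERNAME)
    $template = '\\%ProfileServer%\%ProfileShare%\%Username%'
    # Read back from the machine scope only: a value present just in the user's
    # own environment expands fine in a cmd window but not in the profile path.
    $server = [Environment]::GetEnvironmentVariable('ProfileServer', 'Machine')
    $share  = [Environment]::GetEnvironmentVariable('ProfileShare',  'Machine')
    if (-not $server -or -not $share) {
        throw 'ProfileServer and/or ProfileShare are missing from the SYSTEM (machine) environment.'
    }
    # String.Replace is literal, so the $ in the share name is not treated as a regex token.
    $expanded = $template.Replace('%ProfileServer%', $server)
    $expanded = $expanded.Replace('%ProfileShare%', $share)
    $expanded = $expanded.Replace('%Username%', $UserName)
    [pscustomobject]@{
        Template       = $template
        Expanded       = $expanded
        ShareReachable = Test-Path -LiteralPath "\\$server\$share"
    }
}

Test-RoamingProfilePath
```

If ShareReachable comes back False while Expanded looks right, the share or its permissions are the next thing to check; a commenter below also reports needing the server's fully qualified name in ProfileServer on his network.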
The default profile used when creating the user's first profile is the "C:\Documents and Settings\Default User" profile on the local machine used when first logging on. This is because no Default User profile exists in the SYSVOL share of the campus domain controllers (probably a good thing). Make any changes to this profile if you want them to apply to users when they first log in. See KB305709: HOW TO: Create a Custom Default User Profile.
I have also set up Folder Redirection of the user's My Documents folder to speed up profile loading. Aside from the "nord-profile$" share I've created on my server, I've also set up "nord-home$". I then set the Folder Redirection policy to put My Documents in \\servername\nord-home$\%username% - using the same share/file system permissions listed above for the profile share. The result is that "My Documents" is separated from the user's profile, so it isn't copied back and forth every time the user logs in. One 'surprise' is that Windows XP automatically turns on offline file caching for redirected folders. If you don't like this behaviour, enable the policy "Do not automatically make redirected folders available offline", under User Configuration -> Administrative Templates -> Network -> Offline Files.
Make sure to read Recommendations for Folder Redirection for more information on Folder Redirection policies.
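For the server side of the setup above (the minimum NTFS rights for Authenticated Users on "This folder only", Full Control at the share level, and offline caching disabled per KB287566), here is an added PowerShell example that is not part of the original post. It assumes a current Windows Server with the SmbShare module (New-SmbShare); the drive paths and the function name New-RoamingShare are placeholders of mine. It also grants Administrators and SYSTEM full control on the share root, which the post does not spell out but which you need once inheritance is cut off, otherwise nobody can manage the folder. Because the post uses the same permissions for the redirected My Documents share, one function serves both nord-profile$ and nord-home$.

```powershell
# Added example, not from the original post. Creates a share root with the NTFS
# rights the post lists as the minimum for Authenticated Users, applied to
# "This folder only", Full Control at the share level, and offline caching
# disabled (KB287566). Assumes a current Windows Server with New-SmbShare.
function New-RoamingShare {
    param(
        [Parameter(Mandatory)][string]$Name,   # e.g. 'nord-profile$' (hidden share)
        [Parameter(Mandatory)][string]$Path    # assumed local path for the share root
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    $acl = Get-Acl -Path $Path
    # Cut inheritance from the parent so nothing broader than the rules below applies.
    $acl.SetAccessRuleProtection($true, $false)

    # Assumed management rights, not in the post: Administrators and SYSTEM get full
    # control down the tree. Windows also adds Administrators to each new profile
    # folder through the "Add the Administrators security group" policy the post enables.
    foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $admin, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }

    # The post's minimum for users: List Folder/Read Data, Read Attributes and
    # Create Folder/Append Data on this folder only. That is enough to create their
    # own profile folder at first logon without being able to read anyone else's.
    $userRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'NT AUTHORITY\Authenticated Users',
        'ListDirectory, ReadAttributes, CreateDirectories',
        'None',    # InheritanceFlags: this folder only
        'None',    # PropagationFlags
        'Allow')
    $acl.AddAccessRule($userRule)
    Set-Acl -Path $Path -AclObject $acl

    # Share permission is Full Control for Authenticated Users, as in the post; the NTFS
    # rules above do the real limiting. CachingMode None disables offline-file caching
    # on the share (KB287566).
    New-SmbShare -Name $Name -Path $Path -FullAccess 'NT AUTHORITY\Authenticated Users' -CachingMode None
}

# Profile share and the redirected My Documents share, both with the same rights.
New-RoamingShare -Name 'nord-profile$' -Path 'D:\Shares\Profiles'
New-RoamingShare -Name 'nord-home$'    -Path 'D:\Shares\Home'
```

Run it elevated on the file server; afterwards Get-Acl on the share root and Get-SmbShare -Name 'nord-profile$' should show exactly the three Authenticated Users rights with no inheritance and CachingMode set to None.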
Posted by djc6 at March 12, 2005 03:35 PM
This is probably one of the single most complete "roaming profile" how-to's I've seen..
Good work!..another nice site for roaming profiles is
Keep up the good work!
Posted by: Kenny Calero at November 17, 2005 01:14 AM
Quick note: the system environment variable known as "ProfileServer" has to be set to the FQDN of the server. It was driving me nuts until I set the full name. (ex: servername.case.edu)
Posted by: Keith Wane at January 17, 2006 11:27 AM
Great article! Have you considered putting it up on Wikipedia?
Posted by: Les at March 22, 2006 12:21 AM
I can't find the "Add the Administrators security group to roaming user profiles" in policy editor.
I am using windows 2000 SP4. Can anyone help?
Posted by: Jon Cann at June 23, 2006 05:19 AM
This is a very good way to use multiple roaming profiles, for example depending on computer type (desktop or laptop).
Something I've used to be sure that the computer has the profile path computer environment variable before the user logs on is the following customized ADM file:
----- CustomizedComputer.adm -----
; Machine-side policy: the listed name=value pairs are written as system environment variables
CLASS MACHINE
CATEGORY "Customized - Computer"
  CATEGORY "Additional computer environment variables"
    KEYNAME "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
    POLICY "Additional self defined variables"
      PART "Add variables: " LISTBOX ADDITIVE EXPANDABLETEXT EXPLICITVALUE
      END PART
    END POLICY
  END CATEGORY
END CATEGORY
----- CustomizedComputer.adm -----
I've tried it on Windows 2000 Standard Server SP4 with Windows XP Professional SP2 clients and it runs well.
Posted by: Daniel at October 23, 2006 12:12 PM
Thanks so much for this excellent document. I am having a problem, though, setting the environment variables so that they are used on login.
They are available to the user once logged in but when used in the Profile Path they seem to not expand, or something...e.g. echo %PROFILESERVER% does in fact echo the name of the profile server, likewise for %PROFILESHARE%.
I have copied your naming conventions exactly and still no luck.
Any advice appreciated
Posted by: Erik M. at November 19, 2006 07:49 PM
The custom .adm file provided by Daniel does not do anything. The file must be modified to work properly.
Posted by: keith at March 29, 2007 11:52 AM