Roaming Profiles and Redirected Folders Inconsistent

[F3]

I'm Running Windows 2000 Small Business Server as a PDC/DC/AD, DNS, and
Terminal Server with a Windows 2003 Server running DHCP, DNS, and File
Server. Clients are Windows XP Pro.

On the W2K SBS, I set the default policy to include folder redirection
of the users' "My Documents", etc. folders. In AD, I set the users
profiles to be redirected (different path, same server, W2K3) as well.

The redirection is not working consistently. I've had cases where a
user logs in from one computer and their folders are redirected. The
same user goes to another computer and logs in - the folders are NOT
redirected. It is "hit and miss" as to whether the folders/profiles are
redirected or not.

What should I check to diagnose and fix these problems? What needs to
be changed?

 

[Lanwench [MVP - Exchange]]

I'm Running Windows 2000 Small Business Server as a PDC/DC/AD, DNS,
and Terminal Server with a Windows 2003 Server running DHCP, DNS, and
File Server. Clients are Windows XP Pro.

On the W2K SBS, I set the default policy to include folder redirection
of the users' "My Documents", etc. folders. In AD, I set the users
profiles to be redirected (different path, same server, W2K3) as well.

The redirection is not working consistently. I've had cases where a
user logs in from one computer and their folders are redirected. The
same user goes to another computer and logs in - the folders are NOT
redirected. It is "hit and miss" as to whether the folders/profiles
are redirected or not.

What should I check to diagnose and fix these problems? What needs to
be changed?

When you say "default policy" what do you mean? I always suggest creating
your own group policy objects & linking them at the appropriate OUs. Don't
mess with the default policies.

Here's my boilerplate on roaming profiles....review it & see if anything in
your setup stands out, and check your event logs & rsop.msc output on the
clients.Note that this was written with W2003/WinXP in mind, but most of it
should be the same.

Also note that SBS does many things its own way - in the future, you should
always post SBS questions in the appropriate SBS group, even if you
crosspost to the regular groups.

********************
General tips:

1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is *not* set
to allow offline files/caching! (that's on by default - disable it)

2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.

3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field

4. Have each user log into the domain once - if this is an existing user
with a profile you wish to keep, have them log in at their usual
workstationand log out. The profile is now roaming.

5. If you want the administrators group to automatically have permissions to
the profiles folders, you'll need to make the appropriate change in group
policy. Look in computer configuration/administrative templates/system/user
profiles - there's an option to add administrators group to the roaming
profiles permissions. Do this *before* the users' roaming profile folders
are created - it isn't retroactive.

********************
Notes:

Make sure users understand that they should not log into multiple computers
at the same time when they have roaming profiles (unless you make the
profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change
them, which has major disadvantages),. Explain that the 'last one out wins'
when it comes to uploading the final, changed copy of the profile. If you
want to restrict multiple simultaneous network logins, look at LimitLogon
(too much overhead for me), or this:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768

********************
Keep your profiles TINY. Via group policy, you should be redirecting My
Documents (at the very least) - to a subfolder of the user's home directory
or user folder. Also consider redirecting Desktop & Application Data
similarly..... so the user will end up with:

\\server\users\%username%\My Documents,
\\server\users\%username%\Desktop,
\\server\users\%username%\Application Data.

[Alternatively, just manually re-target My Documents to
\\server\users\%username% (this is not optimal, however!)]

You should use folder redirection even without roaming profiles, but it's
especially critical if you *are* using them.

If you aren't going to also redirect the desktop using policies, tell users
that they are not to store any files on the desktop or you will beat them
with a
stick. Big profile=slow login/logout, and possible profile corruption.

********************
Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.

*********************
If you also have Terminal Services users, make sure you set up a different
TS profile path for them in their ADUC properties - e.g.,
\\server\tsprofiles$\%username%

********************
Do not let people store any data locally - all data belongs on the server.

********************
The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

********************
Roaming profile & folder redirection article -
http://www.windowsnetworking.com/ar...e-Folder-Redirection-Windows-Server-2003.html

 

[F3]

What's an "OU"?

Yes, unfortunately, I did mess with the default policies instead of
creating my own group policy objects.

Thanks.

I'm Running Windows 2000 Small Business Server as a PDC/DC/AD, DNS,
and Terminal Server with a Windows 2003 Server running DHCP, DNS, and
File Server. Clients are Windows XP Pro.

On the W2K SBS, I set the default policy to include folder redirection
of the users' "My Documents", etc. folders. In AD, I set the users
profiles to be redirected (different path, same server, W2K3) as well.

The redirection is not working consistently. I've had cases where a
user logs in from one computer and their folders are redirected. The
same user goes to another computer and logs in - the folders are NOT
redirected. It is "hit and miss" as to whether the folders/profiles
are redirected or not.

What should I check to diagnose and fix these problems? What needs to
be changed?

When you say "default policy" what do you mean? I always suggest creating
your own group policy objects & linking them at the appropriate OUs. Don't
mess with the default policies.

Here's my boilerplate on roaming profiles....review it & see if anything in
your setup stands out, and check your event logs & rsop.msc output on the
clients.Note that this was written with W2003/WinXP in mind, but most of it
should be the same.

Also note that SBS does many things its own way - in the future, you should
always post SBS questions in the appropriate SBS group, even if you
crosspost to the regular groups.

********************
General tips:

1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is *not* set
to allow offline files/caching! (that's on by default - disable it)

2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.

3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field

4. Have each user log into the domain once - if this is an existing user
with a profile you wish to keep, have them log in at their usual
workstationand log out. The profile is now roaming.

5. If you want the administrators group to automatically have permissions to
the profiles folders, you'll need to make the appropriate change in group
policy. Look in computer configuration/administrative templates/system/user
profiles - there's an option to add administrators group to the roaming
profiles permissions. Do this *before* the users' roaming profile folders
are created - it isn't retroactive.

********************
Notes:

Make sure users understand that they should not log into multiple computers
at the same time when they have roaming profiles (unless you make the
profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change
them, which has major disadvantages),. Explain that the 'last one out wins'
when it comes to uploading the final, changed copy of the profile. If you
want to restrict multiple simultaneous network logins, look at LimitLogon
(too much overhead for me), or this:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768

********************
Keep your profiles TINY. Via group policy, you should be redirecting My
Documents (at the very least) - to a subfolder of the user's home directory
or user folder. Also consider redirecting Desktop & Application Data
similarly..... so the user will end up with:

\\server\users\%username%\My Documents,
\\server\users\%username%\Desktop,
\\server\users\%username%\Application Data.

[Alternatively, just manually re-target My Documents to
\\server\users\%username% (this is not optimal, however!)]

You should use folder redirection even without roaming profiles, but it's
especially critical if you *are* using them.

If you aren't going to also redirect the desktop using policies, tell users
that they are not to store any files on the desktop or you will beat them
with a
stick. Big profile=slow login/logout, and possible profile corruption.

********************
Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.

*********************
If you also have Terminal Services users, make sure you set up a different
TS profile path for them in their ADUC properties - e.g.,
\\server\tsprofiles$\%username%

********************
Do not let people store any data locally - all data belongs on the server.

********************
The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

********************
Roaming profile & folder redirection article -
http://www.windowsnetworking.com/ar...e-Folder-Redirection-Windows-Server-2003.html

 

[Lanwench [MVP - Exchange]]

What's an "OU"?

Organizational Unit.

Yes, unfortunately, I did mess with the default policies instead of
creating my own group policy objects.

Ah. You might want to back out your changes (or restore from backup) and
start over, honestly. The SBS2k group is
microsoft.public.backoffice.smallbiz2000. I see you also posted in the
SBS2003 group & another server group - but SBS often does things its own
way....post in the most relevant group for the most expert help (and
remember to crosspost next time if you need to post to multiple groups).

Thanks.

I'm Running Windows 2000 Small Business Server as a PDC/DC/AD, DNS,
and Terminal Server with a Windows 2003 Server running DHCP, DNS,
and File Server. Clients are Windows XP Pro.

On the W2K SBS, I set the default policy to include folder
redirection of the users' "My Documents", etc. folders. In AD, I
set the users profiles to be redirected (different path, same
server, W2K3) as well. The redirection is not working consistently.
I've had cases where a
user logs in from one computer and their folders are redirected. The
same user goes to another computer and logs in - the folders
are NOT redirected. It is "hit and miss" as to whether the
folders/profiles are redirected or not.

What should I check to diagnose and fix these problems? What needs
to be changed?

When you say "default policy" what do you mean? I always suggest
creating your own group policy objects & linking them at the
appropriate OUs. Don't mess with the default policies.

Here's my boilerplate on roaming profiles....review it & see if
anything in your setup stands out, and check your event logs &
rsop.msc output on the clients.Note that this was written with
W2003/WinXP in mind, but most of it should be the same.

Also note that SBS does many things its own way - in the future, you
should always post SBS questions in the appropriate SBS group, even
if you crosspost to the regular groups.

********************
General tips:

1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is
*not* set to allow offline files/caching! (that's on by default -
disable it) 2. Make sure the share permissions on profiles$ indicate
everyone=full control. Set the NTFS security to administrators,
system, and users=full control.

3. In the users' ADUC properties, specify
\\server\profiles$\%username% in the profiles field

4. Have each user log into the domain once - if this is an existing
user with a profile you wish to keep, have them log in at their usual
workstationand log out. The profile is now roaming.

5. If you want the administrators group to automatically have
permissions to the profiles folders, you'll need to make the
appropriate change in group policy. Look in computer
configuration/administrative templates/system/user profiles -
there's an option to add administrators group to the roaming
profiles permissions. Do this *before* the users' roaming profile
folders are created - it isn't retroactive. ********************
Notes:

Make sure users understand that they should not log into multiple
computers at the same time when they have roaming profiles (unless
you make the profiles mandatory by renaming ntuser.dat to ntuser.man
so they can't change them, which has major disadvantages),. Explain
that the 'last one out wins' when it comes to uploading the final,
changed copy of the profile. If you want to restrict multiple
simultaneous network logins, look at LimitLogon (too much overhead
for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768

********************
Keep your profiles TINY. Via group policy, you should be redirecting
My Documents (at the very least) - to a subfolder of the user's home
directory or user folder. Also consider redirecting Desktop &
Application Data similarly..... so the user will end up with:

\\server\users\%username%\My Documents,
\\server\users\%username%\Desktop,
\\server\users\%username%\Application Data.

[Alternatively, just manually re-target My Documents to
\\server\users\%username% (this is not optimal, however!)]

You should use folder redirection even without roaming profiles, but
it's especially critical if you *are* using them.

If you aren't going to also redirect the desktop using policies,
tell users that they are not to store any files on the desktop or
you will beat them with a
stick. Big profile=slow login/logout, and possible profile
corruption. ********************
Note that user profiles are not compatible between different OS
versions, even between W2k/XP. Keep all your computers. Keep your
workstations as identical as possible - meaning, OS version is the
same, SP level is the same, app load is (as much as possible) the
same. *********************
If you also have Terminal Services users, make sure you set up a
different TS profile path for them in their ADUC properties - e.g.,
\\server\tsprofiles$\%username%

********************
Do not let people store any data locally - all data belongs on the
server. ********************
The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

********************
Roaming profile & folder redirection article -
http://www.windowsnetworking.com/ar...e-Folder-Redirection-Windows-Server-2003.html

 

[F3]

LW,

Thanks for the suggestions and the nod to the correct newsgroup. I'll
be posting there primarily and possibly cross-posting here as necessary
WRT this project.

How do I force an immediate refresh/update system-wide of policy
changes, etc.?

F3

What's an "OU"?

Organizational Unit.

Yes, unfortunately, I did mess with the default policies instead of
creating my own group policy objects.

Ah. You might want to back out your changes (or restore from backup) and
start over, honestly. The SBS2k group is
microsoft.public.backoffice.smallbiz2000. I see you also posted in the
SBS2003 group & another server group - but SBS often does things its own
way....post in the most relevant group for the most expert help (and
remember to crosspost next time if you need to post to multiple groups).

Thanks.

I'm Running Windows 2000 Small Business Server as a PDC/DC/AD, DNS,
and Terminal Server with a Windows 2003 Server running DHCP, DNS,
and File Server. Clients are Windows XP Pro.

On the W2K SBS, I set the default policy to include folder
redirection of the users' "My Documents", etc. folders. In AD, I
set the users profiles to be redirected (different path, same
server, W2K3) as well. The redirection is not working consistently.
I've had cases where a
user logs in from one computer and their folders are redirected. The
same user goes to another computer and logs in - the folders
are NOT redirected. It is "hit and miss" as to whether the
folders/profiles are redirected or not.

What should I check to diagnose and fix these problems? What needs
to be changed?

When you say "default policy" what do you mean? I always suggest
creating your own group policy objects & linking them at the
appropriate OUs. Don't mess with the default policies.

Here's my boilerplate on roaming profiles....review it & see if
anything in your setup stands out, and check your event logs &
rsop.msc output on the clients.Note that this was written with
W2003/WinXP in mind, but most of it should be the same.

Also note that SBS does many things its own way - in the future, you
should always post SBS questions in the appropriate SBS group, even
if you crosspost to the regular groups.

********************
General tips:

1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is
*not* set to allow offline files/caching! (that's on by default -
disable it) 2. Make sure the share permissions on profiles$ indicate
everyone=full control. Set the NTFS security to administrators,
system, and users=full control.

3. In the users' ADUC properties, specify
\\server\profiles$\%username% in the profiles field

4. Have each user log into the domain once - if this is an existing
user with a profile you wish to keep, have them log in at their usual
workstationand log out. The profile is now roaming.

5. If you want the administrators group to automatically have
permissions to the profiles folders, you'll need to make the
appropriate change in group policy. Look in computer
configuration/administrative templates/system/user profiles -
there's an option to add administrators group to the roaming
profiles permissions. Do this *before* the users' roaming profile
folders are created - it isn't retroactive. ********************
Notes:

Make sure users understand that they should not log into multiple
computers at the same time when they have roaming profiles (unless
you make the profiles mandatory by renaming ntuser.dat to ntuser.man
so they can't change them, which has major disadvantages),. Explain
that the 'last one out wins' when it comes to uploading the final,
changed copy of the profile. If you want to restrict multiple
simultaneous network logins, look at LimitLogon (too much overhead
for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768

********************
Keep your profiles TINY. Via group policy, you should be redirecting
My Documents (at the very least) - to a subfolder of the user's home
directory or user folder. Also consider redirecting Desktop &
Application Data similarly..... so the user will end up with:

\\server\users\%username%\My Documents,
\\server\users\%username%\Desktop,
\\server\users\%username%\Application Data.

[Alternatively, just manually re-target My Documents to
\\server\users\%username% (this is not optimal, however!)]

You should use folder redirection even without roaming profiles, but
it's especially critical if you *are* using them.

If you aren't going to also redirect the desktop using policies,
tell users that they are not to store any files on the desktop or
you will beat them with a
stick. Big profile=slow login/logout, and possible profile
corruption. ********************
Note that user profiles are not compatible between different OS
versions, even between W2k/XP. Keep all your computers. Keep your
workstations as identical as possible - meaning, OS version is the
same, SP level is the same, app load is (as much as possible) the
same. *********************
If you also have Terminal Services users, make sure you set up a
different TS profile path for them in their ADUC properties - e.g.,
\\server\tsprofiles$\%username%

********************
Do not let people store any data locally - all data belongs on the
server. ********************
The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

********************
Roaming profile & folder redirection article -
http://www.windowsnetworking.com/ar...e-Folder-Redirection-Windows-Server-2003.html

 

[Lanwench [MVP - Exchange]]

LW,

Thanks for the suggestions and the nod to the correct newsgroup. I'll
be posting there primarily and possibly cross-posting here as
necessary WRT this project.

How do I force an immediate refresh/update system-wide of policy
changes, etc.?

F3

gpupdate /force

What's an "OU"?

Organizational Unit.

Yes, unfortunately, I did mess with the default policies instead of
creating my own group policy objects.

Ah. You might want to back out your changes (or restore from backup)
and start over, honestly. The SBS2k group is
microsoft.public.backoffice.smallbiz2000. I see you also posted in
the SBS2003 group & another server group - but SBS often does things
its own way....post in the most relevant group for the most expert
help (and remember to crosspost next time if you need to post to
multiple groups).

Thanks.

Lanwench [MVP - Exchange] wrote:
I'm Running Windows 2000 Small Business Server as a PDC/DC/AD,
DNS, and Terminal Server with a Windows 2003 Server running DHCP,
DNS, and File Server. Clients are Windows XP Pro.

On the W2K SBS, I set the default policy to include folder
redirection of the users' "My Documents", etc. folders. In AD, I
set the users profiles to be redirected (different path, same
server, W2K3) as well. The redirection is not working
consistently. I've had cases where a
user logs in from one computer and their folders are redirected.
The same user goes to another computer and logs in - the folders
are NOT redirected. It is "hit and miss" as to whether the
folders/profiles are redirected or not.

What should I check to diagnose and fix these problems? What
needs to be changed?

When you say "default policy" what do you mean? I always suggest
creating your own group policy objects & linking them at the
appropriate OUs. Don't mess with the default policies.

Here's my boilerplate on roaming profiles....review it & see if
anything in your setup stands out, and check your event logs &
rsop.msc output on the clients.Note that this was written with
W2003/WinXP in mind, but most of it should be the same.

Also note that SBS does many things its own way - in the future,
you should always post SBS questions in the appropriate SBS group,
even if you crosspost to the regular groups.

********************
General tips:

1. Set up a share on the server. For example - d:\profiles, shared
as profiles$ to make it hidden from browsing. Make sure this share
is *not* set to allow offline files/caching! (that's on by default
- disable it) 2. Make sure the share permissions on profiles$
indicate everyone=full control. Set the NTFS security to
administrators, system, and users=full control.

3. In the users' ADUC properties, specify
\\server\profiles$\%username% in the profiles field

4. Have each user log into the domain once - if this is an existing
user with a profile you wish to keep, have them log in at their
usual workstationand log out. The profile is now roaming.

5. If you want the administrators group to automatically have
permissions to the profiles folders, you'll need to make the
appropriate change in group policy. Look in computer
configuration/administrative templates/system/user profiles -
there's an option to add administrators group to the roaming
profiles permissions. Do this *before* the users' roaming profile
folders are created - it isn't retroactive. ********************
Notes:

Make sure users understand that they should not log into multiple
computers at the same time when they have roaming profiles (unless
you make the profiles mandatory by renaming ntuser.dat to
ntuser.man so they can't change them, which has major
disadvantages),. Explain that the 'last one out wins' when it
comes to uploading the final, changed copy of the profile. If you
want to restrict multiple simultaneous network logins, look at
LimitLogon (too much overhead for me), or this:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768 ********************
Keep your profiles TINY. Via group policy, you should be
redirecting My Documents (at the very least) - to a subfolder of
the user's home directory or user folder. Also consider
redirecting Desktop & Application Data similarly..... so the user
will end up with: \\server\users\%username%\My Documents,
\\server\users\%username%\Desktop,
\\server\users\%username%\Application Data.

[Alternatively, just manually re-target My Documents to
\\server\users\%username% (this is not optimal, however!)]

You should use folder redirection even without roaming profiles,
but it's especially critical if you *are* using them.

If you aren't going to also redirect the desktop using policies,
tell users that they are not to store any files on the desktop or
you will beat them with a
stick. Big profile=slow login/logout, and possible profile
corruption. ********************
Note that user profiles are not compatible between different OS
versions, even between W2k/XP. Keep all your computers. Keep your
workstations as identical as possible - meaning, OS version is the
same, SP level is the same, app load is (as much as possible) the
same. *********************
If you also have Terminal Services users, make sure you set up a
different TS profile path for them in their ADUC properties - e.g.,
\\server\tsprofiles$\%username%

********************
Do not let people store any data locally - all data belongs on the
server. ********************
The User Profile Hive Cleanup Utility should be running on all
your computers. You can download it here:
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

********************
Roaming profile & folder redirection article -
http://www.windowsnetworking.com/ar...e-Folder-Redirection-Windows-Server-2003.html