Windows Active Directory with Roaming Profiles can be sluggish, but not if you configure folder redirects. It is a bit fiddly to get right, so here are my own notes. I gleaned the majority of this information from www.grouppolicy.biz, so credit has to go to them, but I just wanted to consolidate my own choices into a short document for future reference.
http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/
Setup Folder Locations
Set up the folders where the users’ files will be redirected to:
- Create a ‘root’ folder. I recommend doing this on a separate drive to the OS.
- In the folder’s Properties, Security, Advanced, Permissions, Edit, un-tick “Include inheritable permissions from parent” and click Copy (to copy all inherited permissions).
- Select the Users entry with “Special” permission and select Edit
- Change “Apply to” to “This folder only”
- Select the Users “Read and Execute” entry and click Edit
- Change “Apply to” to “This folder only”
- The Users ACL should now have combined to one ACL
- Click OK twice to return to the folder’s properties and select the Sharing tab
- In Advanced Sharing give the folder a share name ending with a dollar sign, e.g. Users$, then click Permissions
- Tick Allow for the Full Control permissions then OK and Close.
Enable Access Based Enumeration
Ensure users can only see their own folders:
- In Server Manager/Roles/File Services/Share and Storage Management, select the Users$ share.
- Select Properties/Advanced and tick “Enable access-based enumeration”
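Access-based enumeration only hides folders a user has no NTFS rights to, so the “This folder only” steps above are what actually keep users out of each other's folders. The following read-only check is an added example, not part of the original notes: it confirms that inheritance is off on the root, that every Users entry there applies to the folder only, and that no folder below the root grants Users access. It assumes PowerShell 3.0 or later, that “Users” means the built-in Users group, and a hypothetical root path of D:\Users.

```powershell
# Added example (not from the original post). Audits the NTFS ACL that the
# steps above should produce. Uses Get-Acl only and changes nothing.
function Test-RedirectRootAcl {
    param([Parameter(Mandatory = $true)][string]$Root)

    $usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users (assumed to be the "Users" entry)
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $none     = [System.Security.AccessControl.InheritanceFlags]::None
    $findings = @()

    $acl = Get-Acl -LiteralPath $Root

    # "Include inheritable permissions from parent" must be un-ticked on the root.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += "$Root still inherits permissions from its parent"
    }

    # Every Users Allow entry on the root must be "This folder only"
    # (InheritanceFlags = None) so it never flows down into user folders.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -ne $usersSid) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.InheritanceFlags -ne $none) {
            $findings += "Users entry ($($rule.FileSystemRights)) on $Root applies to: $($rule.InheritanceFlags)"
        }
    }

    # No per-user folder below the root should grant Users anything.
    $children = Get-ChildItem -LiteralPath $Root | Where-Object { $_.PSIsContainer }
    foreach ($dir in $children) {
        $childAcl = Get-Acl -LiteralPath $dir.FullName
        foreach ($rule in $childAcl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.IdentityReference.Value -eq $usersSid -and $rule.AccessControlType -eq 'Allow') {
                $findings += "$($dir.FullName) grants Users $($rule.FileSystemRights) (inherited: $($rule.IsInherited))"
            }
        }
    }

    if ($findings.Count -eq 0) { $findings += "OK: $Root matches the steps above" }
    $findings
}

# Hypothetical path; replace with your own root folder.
Test-RedirectRootAcl -Root 'D:\Users'
```

Run it again after a few users have logged on, since the per-user folders only exist once redirection has created them.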
You also need to set up a GPO (Group Policy Object) to apply the roaming profile path:
Group Policy Management/Domains/[Domain name]; right click and select “Create a GPO in this domain and Link it here”. Call it “User Profiles” or something relevant.
In the GPO: Computer Configuration, Policies, Administrative Templates
- System, User Profiles:
- Set Roaming profile path: \\[FileServer]\Users$\%username%\profile
NB: THIS IS ACTUALLY WHERE ROAMING PROFILES ARE IMPLEMENTED or it can be done in the user object. I like to do it here so it can be over-written on a per-machine basis e.g. disabled on a server.
UPDATE: If you don't want roaming profiles then you can just set up folder redirection. This is where the user's folders (e.g. My Documents) are redirected to the server but their actual profile settings (e.g. desktop background) are not. This is in my opinion a more robust solution: it's not always appropriate to take settings or applications installed in the profile from one machine to another.
More on User Group Policy settings in another post here.