how to set up Roaming profiles

    Question

  • Hi All,

    On server 2013, I have profiles set up for the users.  As far as I can tell, they are sharing the Desktop between

    different workstations.

    Question:  How do I get roaming profiles to

      1) mount their network share?

      2) share their Libraries (specifically their Documents)?

      3) share their App Data directories?

    Many thanks, -T

    Tuesday, February 11, 2014 5:35 AM

Answers

  • By default, Roaming User Profiles on Windows/AD uses UNC paths for the mount points; it doesn't use drive letter mappings (if that's what you meant).
    So, users won't be presented with any obvious/visible mount point to their profile share, via Windows explorer (File Explorer).

    I've always considered this to be that way because a typical end-user has no need to fiddle about in the central/server profile.

    I'm assuming that you are using either the "legacy" attribute for profileDir in the user object, or, are using a domain GPO to specify the profilepath ?

    b) why would you want to "share" the userprofile content? (do you mean share that user's content with other users?)

    Are you trying to implement a "hot desking" or "un-assigned seating" or "shift worker" scenario?

    i.e. humans will move to different desks/computers, and will logon/logoff at each computer with their own userid. When they logon, their content (data, settings) will be made available from a central server and loaded onto that computer, for their immediate use, and, when they logoff, their data/settings are stored on a central server.

    This can be done via Roaming User Profiles (which involves shipping the data up and down at every logon/logoff, and/or a differencing/reconciliation), or via Folder Redirection (which means don't store the content on the workstation at all; you can do FR with or without OfflineFiles/caching).


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    Thursday, February 13, 2014 8:46 PM
  • "User State Virtualization" is the name given by MS to these features. This 10min video explains it fairly well: http://technet.microsoft.com/en-us/windows/ff629664.aspx and it shows how to implement by setting each user, or by a GPO. There's also a link to a further video for more detail.

    USV doesn't address the concept of a group/shared drive, since USV is dealing with an individual user's data.

    For a group/shared drive (e.g. a drive mapping of L:=\\server01\data\public ), you can do that with a logon script, but it's more commonly done these days via Group Policy Preferences, like this: http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx

    Roaming User Profiles (RUP), will copy (sync) c:\users\Don\AppData\Roaming, and c:\users\Don\NTUSER.DAT and a bunch of other stuff like c:\users\Don\Desktop, c:\users\Don\Favorites, c:\users\Don\Documents, etc.

    The video correctly warns that all those folders, within a user's profile, can get large, and so RUP can quickly lead to very long logon/logoff times, and vast amounts of network traffic at those times. e.g. do you want every user's iTunes library shipped up and back every day?

    You can use GPO to exclude specified folders from syncing.
    Or, you can use Folder Redirection (FR) instead.
    You could also use RUP + FR, to roam some stuff, and redirect the other stuff.

    Again, drive mappings are not considered part of USV at all, but they are a valid part of the user data experience.

    As for HKCU, this is embodied in the NTUSER.DAT file. At user logon, NTUSER.DAT is mounted into the live registry environment and is presented as HKCU. A user has full rights to HKCU by default, since HKCU is the user data area of the registry, and that is where all per-user registry settings are stored.

    You might find this useful (more reading, sorry ;): http://www.microsoft.com/en-us/download/details.aspx?id=14161

    How to deploy RUP: http://technet.microsoft.com/en-us/library/jj649079.aspx


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)



    Friday, February 14, 2014 10:45 PM
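    The post above lists the separate mechanisms that make up a user's "state": the roaming profile path on the AD object, Folder Redirection (which moves a shell folder such as Documents off the local profile), GPO exclusions from roaming, and drive mappings. The script below is an added example of mine, not code from the thread or from Microsoft, that reports which of those is in effect for the logged-on user, so you can confirm what RUP is actually copying versus what is redirected or excluded. It assumes it is run un-elevated as the user being inspected on a domain-joined workstation; the RSAT ActiveDirectory module is optional and only used for the AD attributes.

```powershell
# Added example: report the effective "user state" configuration for the current user.
# Assumptions: run as that user on a domain-joined Windows 7+ workstation; the RSAT
# ActiveDirectory module is optional (used only to read profilePath / home directory).

function Get-UserStateReport {
    [CmdletBinding()]
    param([string]$SamAccountName = $env:USERNAME)

    $report = [ordered]@{ User = $SamAccountName }

    # 1. Roaming profile location as set on the AD user object (blank = local profile only).
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $adUser = Get-ADUser -Identity $SamAccountName -Properties ProfilePath, HomeDrive, HomeDirectory
        $report.ProfilePath = $adUser.ProfilePath
        $report.HomeDrive   = '{0} -> {1}' -f $adUser.HomeDrive, $adUser.HomeDirectory
    } else {
        $report.ProfilePath = '(ActiveDirectory module not installed; check the user object manually)'
    }

    # 2. Folder Redirection: a redirected folder's "User Shell Folders" entry points outside the
    #    local profile (typically a UNC path) instead of somewhere under %USERPROFILE%.
    $usf = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    foreach ($name in 'Personal', 'Desktop', 'AppData') {
        $path = [Environment]::ExpandEnvironmentVariables($usf.$name)
        $redirected = -not $path.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)
        $report[$name] = if ($redirected) { "$path  [redirected]" } else { "$path  [in local profile]" }
    }

    # 3. Folders kept off the roaming profile: the built-in defaults (Winlogon key) plus anything
    #    set by the "Exclude directories in roaming profile" policy (Policies key).
    $excluded = foreach ($key in 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
                                 'HKCU:\Software\Policies\Microsoft\Windows\System') {
        $v = Get-ItemProperty $key -Name ExcludeProfileDirs -ErrorAction SilentlyContinue
        if ($v) { $v.ExcludeProfileDirs -split ';' | Where-Object { $_ } }
    }
    $report.ExcludedFromRoaming = @($excluded | Sort-Object -Unique)

    # 4. Persistent drive mappings (net use /PERSISTENT:YES, or GPP drive maps set to reconnect)
    #    are recorded per user under HKCU\Network.
    $report.MappedDrives = @(Get-ChildItem 'HKCU:\Network' -ErrorAction SilentlyContinue | ForEach-Object {
        '{0}: -> {1}' -f $_.PSChildName.ToUpper(), (Get-ItemProperty $_.PSPath).RemotePath
    })

    [pscustomobject]$report
}

Get-UserStateReport | Format-List
```

    Reading the output against the post: anything marked [in local profile] that is not in the excluded list is what RUP ships up and down at every logon/logoff; a [redirected] Documents or Desktop is the FR case and never leaves the server.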
  • > Also, is giving the user access to his section of the registry (HK Current User), considered a security risk for PCI (credit card) security?

    So, by default a user has full rights to their own HKCU. There should be no need to grant a user rights to HKCU, since they should already have rights. A user needs rights so that apps and Windows itself can store per-user settings/preferences there, e.g. the Outlook MAPI profile (which details your mailbox server, folders, toolbars, colours, etc)

    A user's Most Recently Used (MRU) file list, for each application, is also stored in HKCU, and the user-level process threads have to have rights to write those settings.

    Having said all of that, even if HKCU wasn't a user-editable registry area, I can't see how that really relates to PCI DSS.
    PCI DSS does try to tackle the principles of system administration, but all that's really doing is reinforcing concepts such as "the principle of least privilege", which boils down to this: if a user of any kind doesn't need an access level/privilege, don't give it to them.
    Similar to "if you don't need java/flash/whatever, don't install it, so you won't have to patch it."


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Friday, February 14, 2014 10:55 PM
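    To make the point about HKCU concrete, here is an added example of mine (not code from the thread) that lists the rights the current token actually holds on its own hive, which is the loaded NTUSER.DAT, next to the rights it holds on a machine-wide key. The second list is the one a least-privilege review cares about: a standard user should match only read entries under HKLM\SOFTWARE, and the last lines flag it if that is not the case. It assumes it is run un-elevated as the user being checked and needs nothing beyond built-in cmdlets.

```powershell
# Added example: compare the current token's effective rights on HKCU (its own hive)
# with its rights on HKLM\SOFTWARE (machine-wide). Assumption: run un-elevated as the
# user being checked, so the token looks like that user's normal desktop session.

function Get-EffectiveRegistryRights {
    param([Parameter(Mandatory)][string]$RegistryPath)

    $token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($token.User) + @($token.Groups)   # own SID plus every group SID in the token

    (Get-Acl -Path $RegistryPath).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $(try { $mySids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
              catch { $false })   # some well-known names may not translate; treat as not ours
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $RegistryPath
                Principal = $_.IdentityReference.Value
                Rights    = $_.RegistryRights
            }
        }
}

# The user's own hive: expect FullControl for the user itself (plus SYSTEM/Administrators).
Get-EffectiveRegistryRights 'HKCU:\'

# Machine-wide software settings: a non-admin token should match only ReadKey entries.
Get-EffectiveRegistryRights 'HKLM:\SOFTWARE'

# Pass/fail for the least-privilege check on the machine-wide key.
$writable = Get-EffectiveRegistryRights 'HKLM:\SOFTWARE' |
    Where-Object { $_.Rights.HasFlag([System.Security.AccessControl.RegistryRights]::SetValue) }
if ($writable) {
    'WARNING: current token can write under HKLM\SOFTWARE (review these ACEs)'
    $writable | Format-Table -AutoSize
} else {
    'OK: HKLM\SOFTWARE is read-only for this token'
}
```

    Run it as a member of Administrators in an elevated session and the warning is expected; the interesting finding is a plain user whose token matches a write ACE on the machine-wide key, which is what "don't give it to them if they don't need it" is about.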

All replies

  • um...you mean folder redirection?

    understand folder redirection, roaming profile...

    http://technet.microsoft.com/en-us/library/hh848267.aspx

    -->1) mount their network share?

    use GPP

    Best,

    Howtodo

    Thursday, February 13, 2014 4:25 PM
  • Hi Don,

    > hot desking" or "un-assigned seating" or "shift worker" scenario ?

    Yes.  Customer said "I want to sit down at any workstation and have all my stuff"

    For shared drives, I was meaning with other user accounts.  Those public shares everyone sees.  I presume I do this with a logon script in the AD "profile" section.  Something like:

    rem letter to map; the check and the mapping both use it so they can't drift apart
    set DR=F
    if not exist %DR%:\nul net use %DR%: \\VBOXSVR\vm-backups /PERSISTENT:YES

    Do I presume correctly?  Is there a way to get AD to do this without the script?

    Question: I am presuming that under roaming profiles, the W7 AppData/Roaming directory gets mapped to the AD server.  And, for programs to take advantage of this, they have to be written that way.  (Firefox, for instance, uses AppData/Roaming.)  Do I presume correctly?

    Question:  what is the best method to put the user's "My Documents" over on the AD server?  Folder redirection, I presume?  By hand on each workstation?  Or from the logon script, something like

    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Personal /t reg_expand_sz /d "G:\MyDocs" /f  > nul 2>&1

    Do I presume correctly?  Is there a way to do this in AD, without the logon script?

    Also, is giving the user access to his section of the registry (HK Current User), considered a security risk for PCI (credit card) security?

    And, lastly, I presume that "Roaming Profiles" only maps two things to the server:  1) Desktop, 2) AppData/Roaming.  Did I miss anything?

    Many thanks, -T

    Friday, February 14, 2014 5:55 PM
  • > um...you mean folder redirection?
    >
    > understand folder redirection, roaming profile...
    >
    > http://technet.microsoft.com/en-us/library/hh848267.aspx
    >
    > -->1) mount their network share?
    >
    > use GPP
    >
    > Best,
    >
    > Howtodo

    Great reference.  Unfortunately, GET TO THE POINT!  Tons and tons of words, but really difficult to figure out what is going on.  Dude must have been paid by the word.  (In which case, he got paid handsomely.)

    What I am looking for is how to do this from the AD server.  If I have to use a logon script, what are the registry entries?

    Friday, February 14, 2014 5:56 PM
  • Hi Don,

    Thank you!

    -T

    Monday, February 24, 2014 7:12 PM