Mandatory Roaming User profiles

  • Question

  • Hi Technet,

    I've been trying to set up a specific roaming user profiles configuration for my organization, and seem to be having a strange issue.  First, a quick overview of our current situation:  We are a laptop-based environment where every staff member has a company-issued laptop that they take home, and bring to work with them.  We are running Windows 10 1803, with Active Directory on some Server 2016 VMs.  About 2700 people in the org total.  People login with their domain credentials, which means that they are logging in locally at home.  When something happens to a laptop, we take it and issue them a loaner until we can return the fixed device.  We use a combination of Office 2016 & O365 (ProPlus) for productivity.  Full suite installed on all staff devices; Full suite sans Outlook on all loaners (due to personal info stored by Outlook, which would require scrubbing the machine every time we get it back).  With the move to O365 we also moved our users' data to the OneDrive cloud, moving Documents, Desktop, Music, Pictures, & Video folders to OneDrive, so it's accessible anywhere.

    Next, my goal: Due to constant complaints about the loaner exp and WebMail being "not intuitive" from our users, we are caving and installing the full Office suite on loaners - or at least that's the plan.  We won't do it until we can mitigate the "personal info stored by Outlook" part.  Ultimately, we want loaners that a user can log into, do their work (connecting to O365 on the web for their files, and using the Outlook Desktop app for email), and then turn back into us, without us needing to scrub anything.

    My idea was to use Roaming User Profiles, and a GPO to delete profiles that haven't been used in a certain number of days.  I've gotten it set up (or so I thought) using MS's docs on the subject (Followed steps 2, 3, 4, 6, & 8) and discovered Mandatory Roaming User Profiles, which sounds even better - making it so users will all always have the same loaner experience every time?  Yes please.  I don't want Roaming profiles across all our devices - only the loaners, which live in their own OU in AD.  The problem I'm running into here is that after all of this setup, I've logged into a machine with an AD user, and I always seem to get a message saying "We can't sign into your account" - which is the classic "Temporary profile error" I've seen before.  I was able to "fix" this by adding the user to the Roaming User Profiles group I created for the computers - but that's the thing - I don't want to add everyone in my org to a new group.  Plus I fear doing that would start making everyone use a RUP by default, which I don't want.

    I'm sure there's something I'm missing here, so I'll answer any questions about the setup that would help figure this out.  Has anyone run into this, or am I missing the mark in my thinking of how this works?


    Thanks, -=Justin=-

    Friday, January 18, 2019 10:01 PM

All replies

  • Hello,
    1. Do we want to use mandatory user profiles or roaming user profiles for loaners?

    2. According to "My idea was to use Roaming User Profiles, and a GPO to delete profiles that haven't been used in a certain number of days", based on my understanding, we want to set up roaming user profiles for loaners, then delete the roaming user profiles for loaners after a certain number of days.

    So according to the Deploying Roaming User Profiles we provided, check if we set up as below:

    Step 2: Create a Roaming User Profiles security group
    1. Do we put the loaners to this Roaming User Profiles security group?
    2. Do we create a new OU, and put this Roaming User Profiles security group into an OU?

    Step 3: Create a file share for roaming user profiles

    Step 4: Optionally create a GPO for Roaming User Profiles ->create a GPO

    Step 6: Optionally set up Roaming User Profiles on computers
    ->edit this GPO

    Step 8: Enable the Roaming User Profiles GPO
    ->link this GPO to the OU above
    Do we link this GPO to the OU above?

    At last, we need to restart the computer to see if the GPO takes effect. We can view the result by running the command gpresult /h C:\profile.html (log on to the computer with an administrator account).


    And we can delete the roaming user profiles for loaners after a certain number of days through the following policy.

    Delete user profiles older than a specified number of days
    Computer Configuration > Administrative Templates > System > User Profiles > Delete user profiles older than a specified number of days


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 21, 2019 2:12 PM
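
An added example, not part of the original thread or of Microsoft's documentation: a PowerShell audit for a returned loaner that lists the local profiles the "Delete user profiles older than a specified number of days" policy would act on and flags any that still hold Outlook data files. The function name `Get-LoanerProfileAudit`, the 30-day default and the default Outlook cache folder are assumptions.

```powershell
# Added example: audit local user profiles left on a loaner laptop.
# Get-LoanerProfileAudit and the 30-day default are illustrative, not from the thread.
function Get-LoanerProfileAudit {
    [CmdletBinding()]
    param(
        # Use the same number of days configured in the profile-cleanup policy
        [int]$MaxAgeDays = 30
    )

    $now = Get-Date

    # Win32_UserProfile lists every profile on the machine; Special marks system accounts
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            $ageDays = $null
            if ($_.LastUseTime) {
                $ageDays = [int]($now - $_.LastUseTime).TotalDays
            }

            # Assumption: Outlook keeps its cache in the default per-user folder
            $outlookDir = Join-Path $_.LocalPath 'AppData\Local\Microsoft\Outlook'
            $mailFiles = @()
            if (Test-Path -LiteralPath $outlookDir) {
                $mailFiles = @(Get-ChildItem -LiteralPath $outlookDir -File -Force -ErrorAction SilentlyContinue |
                    Where-Object { $_.Extension -in '.ost', '.pst' })
            }
            $bytes = ($mailFiles | Measure-Object -Property Length -Sum).Sum

            [pscustomobject]@{
                LocalPath     = $_.LocalPath
                SID           = $_.SID
                Loaded        = $_.Loaded
                Roaming       = $_.RoamingConfigured
                LastUseTime   = $_.LastUseTime
                AgeDays       = $ageDays
                PastThreshold = ($null -ne $ageDays -and $ageDays -ge $MaxAgeDays)
                OutlookFiles  = $mailFiles.Count
                OutlookMB     = [math]::Round([double]($bytes / 1MB), 1)
            }
        }
}

# Report, oldest profiles first
Get-LoanerProfileAudit -MaxAgeDays 30 |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```

Run it from an elevated session so other users' profile folders are readable; a non-zero OutlookFiles count on a returned loaner means mail data is still on disk.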
  • Hi,
    Does this question have any update? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou


    Wednesday, January 23, 2019 1:12 AM
  • Hi Daisy,

    Thanks for the helpful reply. Based on your reply, I think I may have a misunderstanding in my overall thinking.  I thought that Mandatory user profiles were an extension of roaming user profiles - but it sounds like that may not be the case?  If so, then I need to dive deeper to get a better understanding of these items.  My main question now is "will using mandatory user profiles solve the user data piece?"  That is to say, if I go with the mandatory user profiles, will the users' data (like Outlook data, etc) be stored on the local machine indefinitely?  Or is it not saved at all, or cleared at logoff?


    Thanks, -=Justin=-


    Wednesday, January 23, 2019 7:26 PM
  • Hi,
    If we go with the mandatory user profiles, the users' data (like Outlook data, etc) will not be stored on the local machine indefinitely. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded.

    We can see the differences between Mandatory User Profiles and Roaming User Profiles.

    Mandatory User Profiles
    A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. Only system administrators can make changes to mandatory user profiles. Changes made by users to desktop settings are lost when the user logs off.

    Roaming User Profiles
    A roaming user profile is a copy of the local profile that is copied to, and stored on, a server share. This profile is downloaded to any computer that a user logs onto on a network. Changes made to a roaming user profile are synchronized with the server copy of the profile when the user logs off. The advantage of roaming user profiles is that users do not need to create a profile on each computer they use on a network.

    For details we can refer to the following articles:

    About User Profiles
    https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx
    Mandatory User Profiles
    https://msdn.microsoft.com/en-us/library/windows/desktop/bb776895(v=vs.85).aspx


    Best Regards,
    Daisy Zhou


    Thursday, January 24, 2019 1:18 AM
  • OK, then I did understand the difference, which is good.  I'd like to use Mandatory User Profiles, so I'll review your previous answer and get back to you about the results.

    Thanks!


    Thanks, -=Justin=-

    Thursday, January 24, 2019 3:35 PM
  • Hi,
    You are welcome! If anything is unclear, please feel free to let us know.  

    I am looking forward to your reply. It's always my pleasure to be of assistance. 

    Best Regards,
    Daisy Zhou


    Friday, January 25, 2019 6:09 AM
  • Hi Daisy,

    Based on what I'm reading, it seems like Mandatory Profiles are more of a User-based thing.  After having reconfigured my Group Policies to try to use Mandatory Profile, but keep it computer-based, I'm having major issues at login - mainly that the screen just flashes on an empty desktop.

    Based on my original post and goal, would you say that Mandatory Profiles are not the right solution here?  Or is it possible to have Mandatory Profiles that only apply to certain computers (based on OU) and *not* the user account?


    Thanks, -=Justin=-

    Friday, January 25, 2019 5:14 PM
  • Hi,
    I read the document we provided above again carefully.

    Step 5: Optionally set up Roaming User Profiles on user accounts
    If you are deploying Roaming User Profiles to user accounts, use the following procedure to specify roaming user profiles for user accounts in Active Directory Domain Services.


    Step 6: Optionally set up Roaming User Profiles on computers
    If you are deploying Roaming User Profiles to computers, as is typically done for Remote Desktop Services or virtualized desktop deployments, use the following procedure.

    If we do not use Remote Desktop Services or virtualized desktop deployments, maybe we cannot set up Roaming User Profiles on computers.

    According to "After having reconfigured my Group Policies to try to use Mandatory Profile, but keep it computer-based", what group policy setting do we configure? If it is a user configuration, it is a user-based configuration.

    Best Regards,
    Daisy Zhou


    Monday, January 28, 2019 4:07 AM
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


    Wednesday, January 30, 2019 1:16 AM