Roaming Profiles: Best Practices

I want to set up roaming profiles for about 50 users. What is the best way to go about doing this? What are the best practices? I've read about Desktops/My Documents being TOO big. How big is too big?

We have a few users who keep a lot of media on their machine to listen to throughout the day. I would imagine they have a few gigs of MP3s in their My Documents folder. How do you deal with this?

Thanks!


Using Folder Redirection to get the "My Documents", "Desktop", and potentially "Application Data" folders out of the user's roaming user profile will help matters tremendously.

I'd review this document from Microsoft: "Managing Roaming User Data Deployment Guide". It's dauntingly in-depth, but it's filled with very good information.

Some people only use Folder Redirection and don't use roaming user profiles. I tend to disagree with that strategy because, to me, the user's profile is user data, too, and needs to be backed up with the same degree of stewardship as their "overtly" data items. Roaming user profiles make moving the user to a new PC a lot easier, too.

Whether you use "Offline Files" to cache data client-side is dependent on your environment. Windows XP doesn't handle Offline Files well when the user's redirected folders get larger than 2GB in size. Windows Vista and Windows 7 have a much-improved caching engine and do a better job. To my mind, if the user's computer isn't portable there isn't a "win" in using "Offline Files". Others' views may vary.

Finally, I tend not to use the default security paradigm that Microsoft "recommends". I set the permissions on the root of a shared folder hosting user redirected folders to something like: SYSTEM/Full Control, Administrators/Full Control, Authenticated Users/List Folder Contents-This folder only. Then, I pre-create each user's folder and add a That-User/Full Control permission. I change the default settings in "Folder Redirection" to prevent granting the user "exclusive access" (which really means "mess up my folder permission hierarchy and turn off inheritance"). I also set the group policy setting to "Do not check for ownership of Roaming Profile Folders" to enabled to allow me to set the security on my roaming profile folders the same as above.

I do all this with permissions for two reasons. Microsoft's defaults "break" the permission inheritance hierarchy on my filesystem, and I find that both irritating and an obstacle that I'll invariably have to fight with at some point in the future. Secondly, the "Microsoft way" involves setting the share-root folder to allow users to create subfolders. At best, this is just lax security. At worst, one user could launch a denial-of-service attack against a new user by pre-creating the folders for that user before they log on and setting the permissions to deny the new user access.
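The permission layout this answer describes, as an added example rather than the answer's own script: it builds the share root with `icacls` (SYSTEM and Administrators Full Control inherited downward, Authenticated Users List Folder Contents on the root only), pre-creates each user's folder with Full Control for that user, and then checks that no other principal holds a right on the root that would let it create subfolders, which is the condition behind the pre-creation denial-of-service the answer mentions. The root path `D:\UserData`, the domain `CONTOSO` and the user names are hypothetical; run it elevated on the file server.

```powershell
# Added example (not from the answer above): share-root and per-user ACLs as
# described, built with icacls, plus a check that ordinary users cannot create
# subfolders at the root. Hypothetical values: $Root, $Domain, $Users.

$Root   = 'D:\UserData'            # hypothetical local path of the share root
$Domain = 'CONTOSO'                # hypothetical NetBIOS domain name
$Users  = @('alice', 'bob')        # hypothetical sAMAccountNames to pre-create

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Root: drop inherited ACEs, then SYSTEM and Administrators get Full Control
# inherited by all subfolders and files ((OI)(CI)F); Authenticated Users get
# only List Folder Contents on this folder ("RX" with no inheritance flags).
# No ACE here lets a user create a subfolder, so nobody can pre-create and
# lock down another user's folder before that user's first logon.
icacls $Root /inheritance:r /grant:r `
    "SYSTEM:(OI)(CI)F" `
    "Administrators:(OI)(CI)F" `
    "Authenticated Users:RX" | Out-Null

# Per-user folders: created by an administrator, inheriting the root ACEs,
# plus Full Control for that one user (no "exclusive rights" from the GPO).
foreach ($u in $Users) {
    $path = Join-Path -Path $Root -ChildPath $u
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /grant:r "${Domain}\${u}:(OI)(CI)F" | Out-Null
}

# Check: does any principal other than SYSTEM/Administrators have an Allow ACE
# on the root that includes CreateDirectories (bit 4) or a generic write/all
# right (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000)?
function Test-UserDataRoot {
    param([string]$Path)
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $leaks = (Get-Acl -Path $Path).Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        ( (($rights -band 4) -ne 0) -or (($rights -band 0x50000000) -ne 0) )
    }
    foreach ($ace in $leaks) {
        Write-Warning ("{0}: {1} can create subfolders ({2})" -f `
            $Path, $ace.IdentityReference, $ace.FileSystemRights)
    }
    return (-not $leaks)
}

Test-UserDataRoot -Path $Root    # $true when only SYSTEM/Administrators can create subfolders
icacls $Root                     # print the resulting ACL for review
```

The two Group Policy pieces the answer relies on are not scriptable here and still have to be set in GPMC: clear "Grant the user exclusive rights" in the Folder Redirection settings, and enable "Do not check for ownership of Roaming Profile Folders" for the roaming profile share. For that share, note that Windows Vista and 7 clients look for a folder named `<user>.V2`, while XP uses `<user>`, so pre-create whichever naming your clients need.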


Designing roaming profiles is a complex task. The following article tries to give an overview:

User Profile Design: A Primer

The links at the end lead to articles that go into additional detail.

Folder redirection is a very common way to reduce the logon duration by removing folders that are typically large from the part of the profile that gets copied during logon and logoff. However, with folder redirection you are trading logon/logoff speed for in-session performance. A detailed discussion with demo videos can be found in a multi-part blog series starting here:

How Folder Redirection Impacts UX & Breaks Applications


"Too big" will depend on your network speed, users at the end of a slow WAN with GBs of documents will notice slow logons. Those in the same office as their home server should be fine.

A best practice (well, not best, but better than most alternatives) is folder redirection combined with client-side caching, and ideally DFS. This is rumoured to work much better with Vista/Win7 than with XP. This technology works with XP but is clumsy to manage or troubleshoot.

One advantage is that synchronisation occurs in the background and doesn't hold up logon.

Redirection can be done via Group Policy; in your case you'd point "My Documents" to a user's share, but point "My Music" back to the local hard drive. That way you have backup of documents for laptop users without filling up the server with MP3s. Desktop users won't need Offline Files at all.

Use DFS for your shares and you can even change servers in the future. A real gotcha with GPO-configured folder redirection is that if you need to move the folder both the old share and the new share need to be available - DFS avoids this. If you activate redirected My Documents for an existing user with GBs of files over a slow WAN they will be locked out of their Windows XP PC while the data is moved.

There was a great two-part article "Best Practices for Managing User Data and Settings" in Windows IT Pro about this last year, dealing with both XP and Vista users in the same policies - the guy had given this some thought.
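Since "too big" depends on the link each user logs on over, the practical check is to measure what you actually have before turning redirection on. The following is an added example, not part of any answer above: it walks a share holding one folder per user, reports each user's total size, how much of it is music/media (the MP3 case from the question), and a rough lower bound on how long a full copy would take on the slowest WAN link, so you can see who needs "My Music" kept local before their first redirected logon. The share path, link speed, threshold and media extension list are hypothetical.

```powershell
# Added example (not from any of the answers above): audit a user-data share
# for per-user size, media share and estimated copy time over a slow link.
# Hypothetical values: $Root, $WanMbps, $WarnMB, $MediaExt.

$Root     = '\\fileserver\UserData'   # hypothetical share root; one subfolder per user
$WanMbps  = 10                        # hypothetical slowest link a user logs on across
$WarnMB   = 500                       # hypothetical threshold for flagging a user
$MediaExt = @('.mp3', '.wma', '.m4a', '.wav', '.flac', '.mp4')

function Get-UserDataReport {
    param(
        [string]$Path,
        [int]$LinkMbps,
        [int]$ThresholdMB,
        [string[]]$MediaExtensions
    )

    foreach ($userDir in (Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer })) {
        # -Force includes hidden/system files (desktop.ini, AppData) that still get copied.
        $files = Get-ChildItem -Path $userDir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
        $total = ($files | Measure-Object -Property Length -Sum).Sum
        $media = ($files | Where-Object { $MediaExtensions -contains $_.Extension.ToLower() } |
                  Measure-Object -Property Length -Sum).Sum
        if (-not $total) { $total = 0 }
        if (-not $media) { $media = 0 }

        # Optimistic lower bound for a full copy: bytes * 8 / (Mbit/s). Real logons are
        # slower (SMB round trips, many small files), so treat this as the best case.
        $seconds = [math]::Round(($total * 8) / ($LinkMbps * 1e6), 0)

        New-Object PSObject -Property @{
            User      = $userDir.Name        # XP profile folders are <user>, Vista/7 are <user>.V2
            TotalMB   = [math]::Round($total / 1MB, 1)
            MediaMB   = [math]::Round($media / 1MB, 1)
            Files     = @($files).Count
            CopySec   = $seconds
            OverLimit = (($total / 1MB) -gt $ThresholdMB)
        }
    }
}

Get-UserDataReport -Path $Root -LinkMbps $WanMbps -ThresholdMB $WarnMB -MediaExtensions $MediaExt |
    Sort-Object -Property TotalMB -Descending |
    Format-Table -Property User, TotalMB, MediaMB, Files, CopySec, OverLimit -AutoSize
```

Run it as an account with read access to every user folder, preferably on the file server itself with a local path so the walk does not itself cross the WAN. A user whose `MediaMB` is most of their `TotalMB` is exactly the case for redirecting "My Music" back to the local drive, and a large `CopySec` for an existing user is the warning that the initial move of a redirected "My Documents" over a slow link will take a long time.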