Roaming Profiles

[BSpendlove]

In a short story:

 

My boss went for a meeting to a new customer, around 50+ users, an architectural firm. They have Roaming profiles implemented but since profiles have been growing larger and larger, roaming profiles are becoming a bit of a mess with the size and time to login/logout.

 

---

 

The first thing we discussed was about setting up a group policy on redirecting folders for a few of the biggest locations in users profile (that allows me in the folder direction policy).

 

 

Could people give me views on implementing a better idea for agile users moving desk to desk quite often. Redirecting Folders could work I guess but I feel like their is a better way... My Boss wants me to find a third-party application that handles Roaming profiles better than it is now, but I feel like I could gather information/resources and have a long talk with him on a few ideas.

 

---

 

My view on Disadvantages/advantages:

 

-Shouldn't take too long to set up redirecting folders?

-If multiple users try to access a large file from the redirected server stored on server, it may get a bit rough?

-Obviously mix and match Roaming Profiles WITH Redirecting Folders:

-Redirecting Folders can sometimes cause corrupt settings in specific applications that have hard coded paths to the actual local drive I believe?

 

 

 

As an apprentice for almost a month, I am really enjoying this job (Its only him and me) and I feel like I am learning a lot so I would like to get as much involved in this project with him as I can to get a lot of experience.

[leadeater]

Folder redirection with roaming profiles is a very common setup. Roaming profiles should never be used without it for the problems the client is having. There are very few applications that I have come across that have issues with this kind of setup, all of which are not business/corporate applications or are such badly written software you wouldn't want to be using it if you don't have to.

 

An example would be iTunes, this defaults to local C: drive user profile path. Way to get round this is change the directory in the iTunes application settings.

 

As far as network load concerns of the file server this is actually less of a problem than roaming profiles without folder redirection. Opening, closing and saving files with redirection is small light bursts of network traffic versus huge long spikes during login and logout. If the file server has 2 network ports you could look at teaming them to further reduce network congestion concerns.

 

May advice would be to select a user for proof of concept and setup the GPO targeting only that user account and see how that goes for a few weeks or a month. This will provide you with useful feed back and alert you of any issues before wider use. For that size of user base I would possibly even create a new AD group 'Folder Redirection Enabled' and add users to that one by one, or groups of, to manage the role out and reduce potential work load put on you and disruption to the business.

 

To give you an idea of the size of networks that I have been involved with/setup folder redirection with roaming profiles:

- Company I used to work for contracted solely to education sector, schools and universities. Currently work for a university now

- Folder redirection was part of the standard build

- Network sizes ranged from 300 users to 15000+, large ones obviously being universities.

- Network sizes of 2000 users with 500+ computers have worked fine with a single 1Gbps connection on the file server, used more whenever possible though

 

Let me know if you have any other questions, happy to help

[BSpendlove]

-snip-

 

Thank you so much for a detailed reply +  some examples. I really appreciate it.

 

I was wondering if 50+ users was quite small for that kind of thing. I will sit down and have a talk with him tomorrow. I've been researching into it before I talk to him about it.

 

 

So regarding Security and Users being able to access others folders, of course the permissions won't be a hassle, but I've seen a trick for the main folder (with each users folder) as an example like:

 

profiles$

 

and this '$' hides the specific folder, BUT users can still access it if the permissions are not set up?

[BSpendlove]

Regarding before, scratch that.

 

Tried to replicate it quickly on VM and it all seems to be working with permissions etc.. I'll just need to suggest my Boss to let me do it while he watches so we can test in the real environment. He can blame me if anything goes wrong.

 

Although Administrators do not have access, I may read this somewhere to do with the Inheritance?

[leadeater]

There's a couple of standard shares we create during network setup, much easier during new builds . As standard we also use DFS but this isn't a requirement just nice, especially if you need to move the underlying share path/storage. I also run this setup at home, cos I can and have number of computers/servers etc.

 

File Server: HMN-FS01

Local Paths

D:\Users\Homes\(Account type) e.g. D:\Users\Homes\Students\ or D:\Users\Homes\Staff\

D:\Users\Profiles\(Account type) e.g. D:\Users\Profiles\Students\ or D:\Users\Profiles\Staff\

 

Shares

\\HMN-FS01\homes_students$ , Real path being D:\Users\Homes\Students\ 

\\HMN-FS01\homes_statff$ , Real path being D:\Users\Homes\Staff\ 

\\HMN-FS01\profiles_students$ , Real path being D:\Users\Homes\Students\ 

\\HMN-FS01\profiles_statff$ , Real path being D:\Users\Homes\Staff\ 

 

DFS

\\FQDN\Users\Homes\Students

\\FQDN\Users\Profiles\Students

\\FQDN\Users\Homes\Staff

\\FQDN\Users\Profiles\Staff

 

Example user paths:

\\FQDN\Users\Homes\Students\TestStudent\(User's files and folders) , \\HMN-FS01\homes_students$\TestStudent\(User's files and folders) , D:\Users\Homes\Students\TestStudent\(User's files and folders)

\\FQDN\Users\Profiles\Students\TestStudent\(User's files and folders) , \\HMN-FS01\profiles_students$\TestStudent\(User's files and folders) , D:\Users\Profiles\Students\TestStudent\(User's files and folders)

 

Add the shares in to the matching DFS folder. Use the DFS paths for profile, folder redirection and home drive. Also on the DFS path enable access based enumeration, this means when you browse through the folders you only see what you have access to, so only your home folder. Using individual shares per user is fine in small setups but having thousands of shares to manage and look though is just annoying.

 

Back to your setup, make sure you don't redirect in to the profile folder else it will still fully sync on logout and login. You can have the profile folder in the 'Home Folder', where you redirect to, however. Personally I keep them separate.

 

For permissions see link below

https://msdn.microsoft.com/en-us/library/cc736916(v=ws.10).aspx

 

I use slightly different permissions to those mentioned but I have powershell scripts that create the user account, groups, folders and permissions etc. Manually creating 300+ user account every year, and deleting, just isn't a smart way of doing it and would take AGESSSS.

[BSpendlove]

Thank you leadeater. I find this very useful information. I will give it another try tonight on a few VMs just to get a hang of it.