====== Windows Roaming Profiles ======

See also **[[computing:windows:why_roaming_profiles_and_redirected_folders|Why Use Roaming Profiles with Redirected Folders]]**

See also **[[networking:windows:active_directory:folder_redirection|Folder Redirection]]**

See also **[[networking:windows:active_directory:home_directories|Windows Home Directories]]**

See also **[[networking:windows:active_directory:group_policy|Windows Group Policy]]**

http://technet.microsoft.com/en-us/library/bb490855.aspx#EKAA

http://www.computer-howto.com/2011/09/moving-user-profiles-new-server

http://richardkok.wordpress.com/2011/04/14/configuring-windows-7-roaming-profiles-on-a-windows-2008-r2-server/

===== Why Use Roaming Profiles =====

==== Upside ====

Roaming profiles provide valuable functionality:

  * Windows profiles are synchronized with a server
  * At logon, profiles are read from the server
  * At logoff, they are synchronized back to the server
  * Users can move to another workstation and see their personalized profile when they log in
  * Failure of a workstation is less of a disaster

==== Downside ====

There are down sides too:

  * Windows profiles tend to grow over time
  * Logon and logoff times grow longer and longer
  * Roaming profiles are a pain to set up
  * Profiles may be more susceptible to corruption
    * Particularly when they get very large

===== The Plan =====

  - Create a top-level share to hold roaming profiles
  - Roaming profiles are created automatically when the user logs in and logs out
  - Folder redirection minimizes the downside of roaming profiles

===== Top Level Profiles Folder =====

==== Folder Structure ====

We now have a batch file (**[[networking:windows:active_directory:folder_creation|script]]**) to create these folders, set the permissions and share the folders.

This folder structure supports implementation of these four functions and permits the functions to be implemented separately at different times or together at once.
  * Shares
  * Home Directories
  * Roaming Profiles
  * Folder Redirection

  E:\Shares
      \Share1
      \Share2
  E:\Homes
      \User1
      \User2
  E:\Profiles
  E:\Redirected
      \User1
      \User2
          \AppData
          \Documents

==== Top-Level 'Profiles' Folder Configuration ====

^User or Group ^File/Folder Permissions (Security Tab) ^Comment ^
|Administrators |Full Control |This Folder, Subfolders and Files |
|SYSTEM |Full Control |This Folder, Subfolders and Files |
|CREATOR OWNER |Full Control |Subfolders and Files Only |
|Everyone |Full Control |This Folder Only |

^User or Group ^Share Permissions (Sharing Tab) ^
|Everyone |Full Control |

Note that these settings allow for the automatic creation of per-user sub-folders of the top-level 'Profiles' folder and forbid users from accessing other users' profiles.

Unless the recommended Group Policy changes are made (see below), even administrators cannot access the user profile folders without taking ownership...which will break the roaming profiles.

Use a VSS-aware backup tool to make backups.

Immediately after joining a computer to the domain move the computer from the default **Computer** container to the new **Company Computer** container in ADUC.
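The permissions in the two tables above, applied from an elevated PowerShell prompt with ''icacls'' and ''net share''. This is an added example, not the batch script linked from this page; the ''E:\Profiles'' path and ''Profiles$'' share name are the ones this page uses, and the SIDs are the well-known SIDs of the four principals in the table.

```powershell
# Added example: creates the top-level profiles folder with the ACL from the
# tables above and shares it. Run elevated on the file server.
$Path  = 'E:\Profiles'     # path used on this page
$Share = 'Profiles$'       # the trailing $ only hides the share from browse lists;
                           # access is still decided by share and NTFS permissions

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Well-known SIDs (prefixed with * for icacls) avoid localized group names.
# (OI)(CI) = this folder, subfolders and files; adding (IO) = subfolders and
# files only; no inheritance flags = this folder only.
$grants = @(
    '*S-1-5-32-544:(OI)(CI)(F)'     # Administrators
    '*S-1-5-18:(OI)(CI)(F)'         # SYSTEM
    '*S-1-3-0:(OI)(CI)(IO)(F)'      # CREATOR OWNER
    '*S-1-1-0:(F)'                  # Everyone, as in the table. Microsoft's roaming
                                    # profile guidance is narrower here: users get
                                    # only list-folder and create-folder rights.
)

# /inheritance:r removes inherited entries; /grant:r replaces any existing
# explicit entry for the same principal.
icacls $Path /inheritance:r /grant:r $grants
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Create the share only if it does not exist yet. 'Everyone' is the English
# group name; use the localized name on other language versions.
net share $Share 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    net share "$Share=$Path" '/GRANT:Everyone,FULL'
    if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }
}

# Show the result so it can be compared with the tables.
icacls $Path
net share $Share
```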
==== Top-Level 'Profiles' Folder Creation ====

  - Create a folder 'Profiles'
  - Disable permissions inheritance
  - Set folder permissions per the table above
    - Use the Advanced option to edit permissions
  - Share the folder 'Profiles'
    - Set the share name as 'Profiles$'
      - The dollar symbol hides the share for better security
      - Leave off the $ if you prefer
    - Use **Properties -> Sharing -> Advanced** to create hidden shares
    - Set the share permissions per the table

===== Group Policy Settings for Roaming Profiles =====

See also **[[networking:windows:active_directory:group_policy|Group Policy]]**

  - Modify Group Policy
    - **Start -> Run -> ''gpmc.msc''**
    - Right-click the container holding **computer** objects and select **Create a GPO in this domain and link it here**
    - Name it something useful like ''Roaming Profiles''
    - **Computer Configuration -> Policy -> Administrative Templates -> System -> User Profiles**
      - ''Do not check for user ownership of Roaming Profile Folders'' -> **Enable**
      - ''Add the Administrators security group to roaming user profiles'' -> **Enable**

===== Enable Roaming Profiles for Users =====

Modify each user with the **Active Directory Users and Computers** (ADUC) tool.{{ :networking:windows:active_directory:roaming_profile_path.png?direct&300|}}

  - Browse to the container holding user objects
  - Hold the control key down and select all users you want to modify
  - Right-click one of the selected accounts -> Properties
  - Select the Profile tab
  - Select the roaming profile checkbox and fill in the Profile Path
    - ''\\\Profiles$\%username%''
  - Click OK to save
  - Test by logging in at a workstation as one of the selected users
    - Log off, then look in the Profiles folder
    - If the roaming profile was not created, wait a few minutes and test again

===== Migrate Roaming Profiles to New Server =====

FIXME All untested...

https://www.virtualizationhowto.com/2011/09/moving-user-profiles-new-server/

:!: This can be done even with users logged in!
  - Use a VSS-aware backup utility to back up the current roaming profiles share.
  - Restore to the new location preserving all permissions.
  - Edit the properties of the Active Directory User to point to the new profile location.

==== Notes From Others ====

FIXME

Reboot all workstations to verify all users are logged out.

Copy roaming profiles to new server, preserving permissions:

  REM Mirror the share with Data, Attributes, Timestamps, Security and Owner; /MIR also deletes destination files missing from the source
  robocopy.exe \\OldLocation\Users \\NewLocation\Users /MIR /COPY:DATSO /W:0 /R:1 /V /LOG:D:\users_copy.log

  REM Copy one user's local AppData\Roaming into the roaming profile, skipping files older than the destination copy (/XO)
  robocopy.exe C:\Users\%USERNAME%\AppData\Roaming \\share\Profiles\%USERNAME%.V2\AppData\Roaming /MIR /COPY:DATSO /W:5 /R:10 /XO /V /LOG:C:\%USERNAME%.log

===== User Profiles Troubleshooting =====

==== Check Workstation Event Log ====

The first troubleshooting step should be to examine the Application event log on the client computer and determine the error.

If this is a roaming profile, be sure to check for the correct permissions on the 'Profiles' folder. Check share permissions as well as NTFS permissions.

==== Enable Advanced Logging ====

In addition to logging events in the Application event log, User Profiles can provide a detailed log to aid troubleshooting. To create a detailed log file for user profiles, use regedit and locate the following path:

''HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon''

Create a new value called **UserEnvDebugLevel** as a **REG_DWORD** and set the value to 30002 in hexadecimal format.

The log file can be found at: ''%windir%\debug\usermode\userenv.log''

==== Delete Existing Profile Folders ====

You might try deleting a problem user's profile and redirected folders from the server so that they will be recreated cleanly according to your Group Policies and ADUC settings at the next user login.

**Right-click My Computer -> Properties -> Advanced -> User Profiles**

==== View All Shares ====

View all shares including hidden shares (share name ending with $ symbol):

  net share
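For the NTFS and share permission checks called for in the troubleshooting steps above, this added example (not part of the original page) reports every per-user folder whose owner is not the matching user or whose ACL lets another account in. It assumes PowerShell 3.0 or later, the ''E:\Profiles'' path and ''Profiles$'' share from this page, and that the two Group Policy settings above are enabled so Administrators can read the ACLs.

```powershell
# Added example: audit of per-user roaming profile folders. Run elevated on
# the file server. $Root and the share name are the ones used on this page.
$Root  = 'E:\Profiles'
$SidT  = [System.Security.Principal.SecurityIdentifier]
# SIDs expected besides the user: SYSTEM, Administrators, CREATOR OWNER
$Known = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0'

function Test-ProfileFolder {
    param([Parameter(Mandatory)][System.IO.DirectoryInfo]$Folder)

    # Newer Windows versions append .V2, .V5, .V6 ... to the folder name.
    $user = $Folder.Name -replace '\.V\d+$', ''
    try   { $userSid = ([System.Security.Principal.NTAccount]$user).Translate($SidT).Value }
    catch { return "no account named '$user' (orphaned profile?)" }

    # Without the GPO settings even Administrators are denied here.
    try   { $acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop }
    catch { return "cannot read ACL: $($_.Exception.Message)" }

    $findings = @()
    if ($acl.GetOwner($SidT).Value -ne $userSid) {
        $findings += "owner is $($acl.Owner), expected $user"
    }
    # An Allow entry for anyone other than the user or the expected principals
    # means another account can reach this profile.
    foreach ($rule in $acl.GetAccessRules($true, $true, $SidT)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $sid -ne $userSid -and $sid -notin $Known) {
            $findings += "unexpected Allow for $sid ($($rule.FileSystemRights))"
        }
    }
    return $findings
}

$report = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    foreach ($f in Test-ProfileFolder -Folder $dir) {
        [pscustomobject]@{ Folder = $dir.Name; Finding = $f }
    }
}
if ($report) { $report | Format-Table -AutoSize -Wrap }
else         { 'All profile folders match the expected owner and ACL.' }

# Share permissions are a separate layer; print them for comparison with the table.
net share 'Profiles$'
```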