
Configuring User State Management Features

While the Folder Redirection, Roaming User Profiles, and Offline Files technologies are complementary, they are functionally independent. You can apply them either in combination or one at a time. The preferred method is to use these technologies in Active Directory environments with Group Policy because this approach provides the full benefits of IntelliMirror.

Using Active Directory and Group Policy to implement the IntelliMirror technologies helps you accomplish the following tasks and responsibilities:

As you determine which technologies to deploy, consider how the deployment of one technology, such as Roaming User Profiles, interacts with another, such as Folder Redirection. For example, redirected folders are not copied back and forth with Roaming User Profiles. Implementing Folder Redirection before implementing Roaming User Profiles provides two benefits:

This Figure shows the processes you use to implement the user state management features that you select.

Implementing new technologies in phases has a significant advantage: Testing is simpler. Because you have introduced fewer variables in each phase, it is easier to trace unexpected results back to their source.

It is important to include in your plan adequate time for testing the technologies that you intend to implement so that you can prevent problems. For more information about testing, see "Preparing for Deployment [http://technet2.microsoft.com/WindowsServer/en/library/3e9d120f-ae58-4cbc-a5ef-9e30ed8069e81033.mspx]" earlier in this chapter.

Implementing the IntelliMirror deployment plan entails selecting group policies for GPOs and then applying those Group Policy objects to selected groups of users or computers. For more information about working with GPOs, see "Designing a Group Policy Infrastructure [http://technet2.microsoft.com/WindowsServer/en/library/c75e3e6f-c322-4220-b205-46c6e9ba76741033.mspx]" in this book and the Group Policy topics in Help and Support Center for Windows Server 2003.

For information about managing desktops in environments that do not use Active Directory, see "Desktop Strategies for Computers Running Windows 2000 and Windows XP Without Active Directory [http://technet2.microsoft.com/WindowsServer/en/library/7ce6972c-33ec-499f-ac23-a913a63305771033.mspx]," later in this chapter.


How to create and copy Roaming Windows User Profiles

You may have reason to copy a defined user profile to a number of users. This presents each user with an identical initial profile at logon. Each user can then modify this profile as required.

This article explains how to copy a profile to another location. It may be difficult to determine the correct syntax to use in the Copy To dialog box for the destination path when you attempt to create a roaming profile. This article addresses this issue.

Create a Roaming Profile

To create a roaming profile, follow these steps:

  1. Click Start, right-click My Computer, and then click Properties on the shortcut menu that appears.
  2. Click the Advanced tab, and then click Settings under User Profiles.
  3. In the Profiles stored on this computer list, click the profile that you want.
  4. To change the type of profile, click Change Type, click Roaming profile, and then click OK.

Copy a User Profile

To copy an existing user profile to another user's account, follow these steps:

  1. Click Start, right-click My Computer, and then click Properties on the shortcut menu that appears.
  2. Click the Advanced tab, and then click Settings under User Profiles.
  3. In the Profiles stored on this computer list, click the profile that you want to copy.
  4. Click Copy To.
  5. In the Copy To dialog box, do one of the following:
    • In the Copy profile to box, type the Universal Naming Convention (UNC) path to the target user's profile folder. For example, type the following: \\ServerName\ShareName\UsersProfileDirectory
      or
    • Click Browse, and then navigate to the user profile folder that you want to copy the profile to. Click OK.
  6. Under Permitted to use, click Change. Type the name of the user that will be permitted to use this profile, and then click OK.
  7. In the Copy To dialog box, click OK. If you receive a "Confirm Copy" message, click Yes.
  8. Click OK twice.

NOTE: Verify that you are not choosing users or groups from a Microsoft Windows NT-based domain, because Windows XP is designed to use Active Directory to select domains.

Update the User Profile Path

Update the user profile path to point to the new profile. To do this, follow these steps:

  1. On a domain controller, start the Active Directory Users and Computers snap-in. Expand the domain, and then expand the organizational unit that contains the user account that you want.
  2. Right-click the user account that you want, and then click Properties on the shortcut menu that appears.
  3. Click the Profile tab, and then type the UNC path to the new profile folder in the Profile path box.
  4. Click Apply, and then click OK.

After the user has successfully logged on, the profile is saved on the server as a roaming profile, and any profile changes are saved to the server.


Configuring Roaming User Profiles

Before you create a roaming user profile, you need to create each user account. Then, log on to a server as an administrator to create a network share to store the roaming user profiles, designate the groups of users to receive the roaming user profiles, and grant all users Full Control permissions.

Use the following procedures when you create and manage roaming user profiles.

Creating Roaming User Profiles

To perform the following procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. For enhanced security, consider using the Runas command to perform this procedure.

To create a roaming user profile

  1. Open Active Directory Users and Computers.
  2. Click the domain and the OU where the user account resides.
  3. Right-click the user account for which to set a roaming profile, and then click Properties.
  4. Click the Profile tab, and then type the profile path information in Profile path. (Use the full path in each user account. For example, type \\Server\ShareName\UserName.)

Another way to populate the profile path is to use an Active Directory® Service Interfaces (ADSI) script. ADSI provides a single set of interfaces for managing resources on the network. You can use ADSI in combination with Microsoft® Visual Basic® Scripting Edition (VBScript) or JScript scripts to manage Active Directory resources such as users and services.

For information about ADSI and ADSI scripts, see the Microsoft Platform SDK link on the Web Resources page [http://go.microsoft.com/fwlink/?linkid=291] at http://www.microsoft.com/windows/reskits/webresources.

Changing User Profile Type from Local to Roaming

Typically, a large organization has many users with local profiles. For ease of management, you might want to change many of the local profiles to roaming profiles. Moving a user's data and settings from the workstation to a server reduces the user's dependence on the workstation's availability, simplifies user data management, and allows centralized account management.

To create a roaming user profile for a user that has a local profile

  1. Open Active Directory Users and Computers.
  2. Click the domain and the OU where the user account resides.
  3. Right-click the appropriate user account for which to set a roaming profile, and then click Properties.
  4. Click the Profile tab, and type the profile path information in Profile path (for example, type \\Server\ShareName\UserName).

Note To change a user's local profile to a roaming profile for a user who uses multiple computers simultaneously, the user must log off last from the computer that has the profile that the user wants to use.
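
As an added example (not part of the original documentation), the following PowerShell function uses the ADSI LDAP provider to set the Profile path for every user account in one OU, which covers the bulk local-to-roaming change described in this section. The function name, its parameters, the sample OU, and the use of PowerShell 2.0 or later are assumptions.

```powershell
# Added example: assumes PowerShell 2.0 or later on a domain-joined machine.
# Set-RoamingProfilePath and its parameter names are hypothetical.
function Set-RoamingProfilePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$OuDistinguishedName, # OU=Sales,DC=example,DC=com
        [Parameter(Mandatory = $true)][string]$ProfileRoot,         # \\Server\ShareName
        [switch]$Overwrite                                          # replace an existing path
    )

    # Accept only \\server\share[\folder...] so a typo cannot point profiles
    # at a local drive or a relative path.
    if ($ProfileRoot -notmatch '^\\\\[^\\/:]+(\\[^\\/:]+)+\\?$') {
        throw 'ProfileRoot must be a UNC path such as \\Server\ShareName'
    }
    $root = $ProfileRoot.TrimEnd('\')

    $ou = [ADSI]"LDAP://$OuDistinguishedName"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($ou)
    $searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
    $searcher.SearchScope = 'OneLevel'   # only accounts directly in this OU
    $searcher.PageSize    = 500          # page through large OUs

    foreach ($result in $searcher.FindAll()) {
        $user = $result.GetDirectoryEntry()
        $sam  = [string]$user.psbase.Properties['sAMAccountName'].Value
        $old  = [string]$user.psbase.Properties['profilePath'].Value

        # Conservative allow-list: the name becomes a folder name under the root.
        if ($sam -notmatch '^[A-Za-z0-9._-]+$') {
            Write-Warning "Skipping '$sam': unexpected characters in account name"
            continue
        }
        if ($old -and -not $Overwrite) {
            Write-Verbose "Skipping ${sam}: profilePath is already $old"
            continue
        }
        $new = "$root\$sam"
        if ($PSCmdlet.ShouldProcess($sam, "Set profilePath to $new")) {
            $user.psbase.Properties['profilePath'].Value = $new
            $user.psbase.CommitChanges()
            New-Object PSObject -Property @{ User = $sam; Old = $old; New = $new }
        }
    }
}

# Preview the changes first; remove -WhatIf to write them.
# Set-RoamingProfilePath -OuDistinguishedName 'OU=Sales,DC=example,DC=com' -ProfileRoot '\\Server\ShareName' -WhatIf
```

Accounts that already have a Profile path are left alone unless -Overwrite is given, and each change is returned as an object so the old and new values can be recorded.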

Disabling Roaming User Profiles on Certain Computers

You can prevent computers from receiving roaming profiles by enabling the Only allow local user profiles policy setting, which blocks roaming profiles from being used on a computer. By default, when roaming profile users log on to a computer, the user's roaming profile is copied to the local computer. If the user has previously logged on to this computer, the roaming profile is merged with the local profile. Similarly, when the user logs off from this computer, the local copy of the profile, including any changes the user made, is merged with the server copy of the profile.

If you enable the Only allow local user profiles policy setting, the following occurs on the affected computer: When the user first logs on, the user receives a new local profile instead of the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile.

If you enable both the Prevent Roaming Profile changes from propagating to the server setting and the Only allow local user profiles setting, roaming profiles are disabled for that computer. These policy settings are in the Computer Configuration\Administrative Templates\System\User Profiles node.

Creating Accounts That Possess Roaming User Profiles

You can save time and reduce the chances for error by scripting many repetitive tasks, such as creating user accounts. A script to automate the creation of user profiles for roaming users might look something like the sample script in Listing 7.1, which shows a script for creating user accounts that have roaming profiles.

Creating User Accounts That Have Roaming User Profiles


  ' Arguments: OU name, user name, root of the roaming profile share
  Set Args = WScript.Arguments
  ouName = Args(0)
  usrName = Args(1)
  RUProot = Args(2)
  ' Build the roaming profile path: <root>\<user name>
  RUPpath = RUProot & "\" & usrName
  ' Get the domain
  Set dse = GetObject("LDAP://RootDSE")
  Set domain = GetObject("LDAP://" & dse.Get("defaultNamingContext"))
  ' Bind to the OU (it must sit directly under the domain root)
  Set ou = domain.GetObject("organizationalUnit", "OU=" & ouName)
  WScript.Echo "Creating user in " & ou.Name
  ' Create the account, then set its logon names and profile path
  Set usr = ou.Create("user", "cn=" & usrName)
  usr.Put "samAccountName", usrName
  usr.Put "userPrincipalName", usrName
  usr.Put "profilePath", RUPpath
  usr.SetInfo
  WScript.Echo "User " & usrName & " was created successfully in " & _
    ou.Name & " with a RUP Path of: " & RUPpath

Every Windows Server 2003 user has a profile. If the operating system does not have a profile to apply to the user when the user logs on, a new local profile is created for the user, based on the defaults in place. Windows Server 2003 applies a generic user profile format by default.

Configuring a Default Profile

You can create a default profile to ensure that all users within a domain receive an identical profile the first time they log on. This option simplifies administrative control over the users' desktops and settings.

To create a default user profile, you must be logged on as Administrator or a member of the Administrators group. Create a default profile for all new user accounts in a domain. Include any domain-specific customizations that you want in the profile. To create subsequent profiles, you can create a new user account as a template.

Before creating a new user account to use as a new user's profile template, perform the following tasks:

  1. Log on to the domain as the new user, and then customize the desktop if appropriate.
  2. Optionally, install and configure any applications to be shared by user accounts made from this template.
  3. Log off, and then log on as the administrator.

For more information about creating a new user account, see "Create a new user account [http://technet2.microsoft.com/WindowsServer/en/library/ecd7f827-90b0-4946-bb5b-951cf04391c21033.mspx]" in Help and Support Center for Windows Server 2003.

To configure a new user account to use as a new user's profile template

  1. After you create a new user account template, in Control Panel, click System.
  2. On the Advanced tab, under User Profiles, click Settings.
  3. Under Profiles stored on this computer, select the user that you created in step 1, and then click Copy To.
  4. To create the default user profile for the domain, type the path to NETLOGON\Default User on the domain controller.
  5. In the Copy To dialog box, under Permitted to use, click Change.
  6. In the Select User or Group dialog box, enter the object name to select, and then type: Everyone.

Troubleshooting: Creating a Log File for User Profiles

User profiles log events in the Application event log. To aid in troubleshooting, administrators can also create detailed log files by using the following procedure.

Caution Do not edit the registry unless you have no alternative. The registry editor, regedit.exe, bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you edit the registry, make sure to back it up first and see the Windows Server 2003 Resource Kit Registry Reference [http://technet2.microsoft.com/WindowsServer/en/library/56a33a88-a7b2-4f21-ab5e-5c62d728619f1033.mspx] on the Windows Server 2003 Deployment Kit companion CD or at .

To create a detailed log file for user profiles

  1. In the Run dialog box, type regedit, and then click OK.
  2. Locate the following subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Create a new entry named UserEnvDebugLevel of data type REG_DWORD, and set its value to 0x30002.

The log file is stored in this location: %windir%\Debug\Usermode\Userenv.log.
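
As an added example (not part of the original documentation), the same change can be scripted in PowerShell so that the previous state of the entry is captured and put back once troubleshooting is finished. The function names are hypothetical, and an elevated PowerShell 2.0 or later session is assumed.

```powershell
# Added example: function names are hypothetical; the Winlogon key, entry name,
# data and log path are those given in the procedure. Run from an elevated prompt.
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$EntryName   = 'UserEnvDebugLevel'

function Enable-UserEnvLogging {
    # Return the previous data ($null when the entry was absent) for later restore.
    $current  = Get-ItemProperty -Path $WinlogonKey -Name $EntryName -ErrorAction SilentlyContinue
    $previous = if ($current) { $current.$EntryName } else { $null }
    New-ItemProperty -Path $WinlogonKey -Name $EntryName -PropertyType DWord `
        -Value 0x30002 -Force | Out-Null
    return $previous
}

function Restore-UserEnvLogging {
    param($Previous)
    if ($null -eq $Previous) {
        # The entry did not exist before, so remove it again.
        Remove-ItemProperty -Path $WinlogonKey -Name $EntryName -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $WinlogonKey -Name $EntryName -PropertyType DWord `
            -Value $Previous -Force | Out-Null
    }
}

# Typical session:
#   $saved = Enable-UserEnvLogging
#   (reproduce the logon or logoff problem)
#   Get-Content "$env:windir\Debug\Usermode\Userenv.log" | Select-Object -Last 50
#   Restore-UserEnvLogging -Previous $saved
```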