User data: Where the profiles roam
Keeping track ain't so easy
Instead it can be a very good idea to consider the use of mandatory profiles. You can set up a profile for your user, get the settings just right, and then convert it to a mandatory profile. Mandatory profiles are read-only - the local copy is never replicated back to the server. If you combine a mandatory profile with folder redirection, you get a profile where the 'critical' folders (the ones where the user and most well behaved programs store the bulk of their data) exist only on the server but the user experience is pre-configured and identical across multiple machines.
If you have multiple users that hotel across computers, you might want to take a look at 'delprof' from the Windows Server Resource Kit. It is a neat tool provided by Microsoft that cleans out local copies of profiles older than a supplied date. Combine it either with Systems Management Server or logon/logoff scripts, and you have an effective way of providing a constant user experience to hoteling users, protecting their data, and ensuring their profile footprint on the computers they use doesn’t grow out of control.
As always, there are a couple of snags. The dividing line between Windows 2000/XP/2003 (NT5) and Vista/7 (NT6) is enforced here. Roaming profiles, whether mandatory or not, simple aren’t cross-compatible. If you create a profile for an NT5 user, then as soon as they long onto an NT6 system it will create a folder called %userprofile%.v2 in your profiles share on the server. Irritating as that might be, it is actually a perfectly manageable situation.
Create two mandatory profiles, (one for each NT5 and NT6,) and folder redirection will work across the profile boundary. The gotcha on this is that certain applications tend to have problems when hoteling and folder redirection are combined. Multiple instances of the same program on different computers trying to access the same file (the only copy being that which lives on the server) can and often do cause problems. Multiple simultaneous systems using folder redirection where some are NT5 and some are NT6 is right out. I feel the need to reinforce this issue very strongly: when using roaming profiles or folder redirection use different users for NT5 and NT6 wherever possible. Thorough lab testing is therefore crucial before rolling out anything like roaming profiles or folder redirection into production.
The next up on the list of scenarios are remote users requiring offline access to their files. The most important question to ask yourself is if you are using encryption. Any notebook or remote PC that will be outside the corporate firewall storing a local copy of corporate information absolutely must be encrypted. If you are not encrypting your remote devices, then stop reading right now and solve that problem first.
If you have dealt with the liability issues surrounding storing copies of data outside the corporate firewall, then Microsoft has in theory got you covered. As has been discussed in my previous article, roaming profiles copies nearly the entire profile from the local device to the server. More importantly, folder redirection by default uses offline files and folders - it’s designed with this sort of thing in mind.
If your user lives on their notebook, doesn’t hotel, and can tolerate a profile rebuild if the notebook is lost, then folder redirection is the order of the day. If the user would still expect rapid turnaround in the case of the loss of a notebook, then enable roaming profiles and be done with it. If that user had a notebook, but also a local system inside the corporate firewall, then combine roaming profiles with folder redirection. Disable offline files and folders on the system connected to the corporate network while leaving it active on their notebook.
Sadly, if you were under the impression that this wraps up user data issues in a neat little bow, you really should know better than that. As I mentioned in my previous article, users with notebooks almost never actually log off or reboot their systems. You can try to force them to - GPOs that shove Windows Updates down their throats are effective at this, though they meet with harsh end user resistance. You can set up GPOs to force a logoff at a particular time, but I guarantee that will be allowed to happen exactly once. Instead, if at all possible, stick solely to folder redirection. Most critically, use Windows 7 and Server 2008 R2’s folder redirection.
In case you were wondering what Windows 7’s 'killer feature' is, the new treatment of offline files and folders finally won an upgrade refusnik like me over. If you’ve ever had problems with offline files and folders in the past (which would include every single person who has ever had to use it), then I heartily recommend taking the new one for a spin. It isn’t perfect, but offline files and folders under 7/2008 R2 is far more advanced than that of NT5 or even Vista. There are fewer errors, less issues with locked files and you can schedule synchronization.
More importantly, you can trigger synchronisation from scripts, which can themselves be triggered by any of a vast array of things in the new and very improved task scheduler. Scheduling and scripting can really help mitigate the issues that exist with notebook users not being connected to the corporate network when (or if) they log off. My canonical example would be a notebook scripted to wake itself from hibernation at 4am every night, only if not running on batteries. It would then connect up the VPN, synchronise offline files and folders, and then go back into hibernation. Even if the user never logs that notebook off, the data is still synchronised off to the server every night.
As mentioned earlier, there simply isn’t room in a single article to cover everything related to a topic this vast. While I’ve gone over the most common scenarios here, there are still more tools to look at that help us deal with the special cases that always occur to deviate from the norm. My next article will explore the 'slow link' group policy settings and how they can be one of the most useful tools in dealing with roaming profiles and folder redirection. I’ll also talk about super mandatory profiles and why resultant set of policy (rsop.msc) is your friend. ®
Sponsored: 2016 Cyberthreat defense report