User data: Where the profiles roam

Keeping track ain't so easy


Instead it can be a very good idea to consider the use of mandatory profiles. You can set up a profile for your user, get the settings just right, and then convert it to a mandatory profile. Mandatory profiles are read-only - the local copy is never replicated back to the server. If you combine a mandatory profile with folder redirection, you get a profile where the 'critical' folders (the ones where the user and most well behaved programs store the bulk of their data) exist only on the server but the user experience is pre-configured and identical across multiple machines.

If you have multiple users that hotel across computers, you might want to take a look at 'delprof' from the Windows Server Resource Kit. It is a neat tool provided by Microsoft that cleans out local copies of profiles older than a supplied date. Combine it either with Systems Management Server or logon/logoff scripts, and you have an effective way of providing a constant user experience to hoteling users, protecting their data, and ensuring their profile footprint on the computers they use doesn’t grow out of control.

As always, there are a couple of snags. The dividing line between Windows 2000/XP/2003 (NT5) and Vista/7 (NT6) is enforced here. Roaming profiles, whether mandatory or not, simply aren’t cross-compatible. If you create a profile for an NT5 user, then as soon as they log onto an NT6 system it will create a folder called %userprofile%.v2 in your profiles share on the server. Irritating as that might be, it is actually a perfectly manageable situation.

Create two mandatory profiles (one each for NT5 and NT6), and folder redirection will work across the profile boundary. The gotcha on this is that certain applications tend to have problems when hoteling and folder redirection are combined. Multiple instances of the same program on different computers trying to access the same file (the only copy being that which lives on the server) can and often do cause problems. Multiple simultaneous systems using folder redirection where some are NT5 and some are NT6 is right out. I feel the need to reinforce this issue very strongly: when using roaming profiles or folder redirection use different users for NT5 and NT6 wherever possible. Thorough lab testing is therefore crucial before rolling out anything like roaming profiles or folder redirection into production.

The next up on the list of scenarios are remote users requiring offline access to their files. The most important question to ask yourself is if you are using encryption. Any notebook or remote PC that will be outside the corporate firewall storing a local copy of corporate information absolutely must be encrypted. If you are not encrypting your remote devices, then stop reading right now and solve that problem first.

If you have dealt with the liability issues surrounding storing copies of data outside the corporate firewall, then Microsoft has in theory got you covered. As discussed in my previous article, roaming profiles copy nearly the entire profile from the local device to the server. More importantly, folder redirection by default uses offline files and folders - it’s designed with this sort of thing in mind.

If your user lives on their notebook, doesn’t hotel, and can tolerate a profile rebuild if the notebook is lost, then folder redirection is the order of the day. If the user would still expect rapid turnaround in the case of the loss of a notebook, then enable roaming profiles and be done with it. If that user had a notebook, but also a local system inside the corporate firewall, then combine roaming profiles with folder redirection. Disable offline files and folders on the system connected to the corporate network while leaving it active on their notebook.

Sadly, if you were under the impression that this wraps up user data issues in a neat little bow, you really should know better than that. As I mentioned in my previous article, users with notebooks almost never actually log off or reboot their systems. You can try to force them to - GPOs that shove Windows Updates down their throats are effective at this, though they meet with harsh end user resistance. You can set up GPOs to force a logoff at a particular time, but I guarantee that will be allowed to happen exactly once. Instead, if at all possible, stick solely to folder redirection. Most critically, use Windows 7 and Server 2008 R2’s folder redirection.

In case you were wondering what Windows 7’s 'killer feature' is, the new treatment of offline files and folders finally won an upgrade refusenik like me over. If you’ve ever had problems with offline files and folders in the past (which would include every single person who has ever had to use it), then I heartily recommend taking the new one for a spin. It isn’t perfect, but offline files and folders under 7/2008 R2 is far more advanced than that of NT5 or even Vista. There are fewer errors, fewer issues with locked files and you can schedule synchronization.

More importantly, you can trigger synchronisation from scripts, which can themselves be triggered by any of a vast array of things in the new and very improved task scheduler. Scheduling and scripting can really help mitigate the issues that exist with notebook users not being connected to the corporate network when (or if) they log off. My canonical example would be a notebook scripted to wake itself from hibernation at 4am every night, only if not running on batteries. It would then connect up the VPN, synchronise offline files and folders, and then go back into hibernation. Even if the user never logs that notebook off, the data is still synchronised off to the server every night.
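The scheduling half of that 4am example can be expressed as a Task Scheduler definition. This is an added example, not taken from the article: the account `EXAMPLE\jdoe`, the script path `C:\Scripts\nightly-sync.cmd` and the start date are constructed placeholders, and the script itself (VPN up, sync, hibernate) is assumed to exist.

```xml
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Wake at 04:00 on AC power, run the offline files sync script</Description>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <!-- Constructed start date; the time of day is what matters -->
      <StartBoundary>2010-01-01T04:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <!-- Placeholder account: the notebook user whose session stays logged on -->
      <UserId>EXAMPLE\jdoe</UserId>
      <LogonType>InteractiveToken</LogonType>
      <!-- The sync needs no elevation, so do not grant it -->
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <!-- "only if not running on batteries" -->
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <!-- Resume the notebook from sleep or hibernation to run the task -->
    <WakeToRun>true</WakeToRun>
    <!-- A missed 04:00 run is skipped rather than fired when the user is working -->
    <StartWhenAvailable>false</StartWhenAvailable>
    <!-- Kill a hung VPN or sync after one hour -->
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <!-- Hypothetical script: connect VPN, sync offline files, hibernate -->
      <Command>C:\Scripts\nightly-sync.cmd</Command>
    </Exec>
  </Actions>
</Task>
```

Import it with `schtasks /Create /TN "Nightly offline files sync" /XML nightly-sync.xml`. Keep the script in a folder that standard users cannot write to, since whatever sits at that path runs unattended in the user's session every night.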

As mentioned earlier, there simply isn’t room in a single article to cover everything related to a topic this vast. While I’ve gone over the most common scenarios here, there are still more tools to look at that help us deal with the special cases that always occur to deviate from the norm. My next article will explore the 'slow link' group policy settings and how they can be one of the most useful tools in dealing with roaming profiles and folder redirection. I’ll also talk about super mandatory profiles and why resultant set of policy (rsop.msc) is your friend. ®
