User data: Where the profiles roam

Keeping track ain't so easy

Instead, it can be a very good idea to consider mandatory profiles. Set up a profile for your user, get the settings just right, and then convert it to a mandatory profile by renaming the profile's NTUSER.DAT registry hive to NTUSER.MAN. Mandatory profiles are read-only: the local copy is never written back to the server at logoff, so whatever the user (or a misbehaving application) changes during a session is discarded. Combine a mandatory profile with folder redirection and you get a profile where the 'critical' folders (the ones where the user and most well-behaved programs store the bulk of their data) exist only on the server, while the user experience is pre-configured and identical across multiple machines.

If you have multiple users who hotel across computers, take a look at 'delprof' from the Windows Server Resource Kit. It is a neat tool from Microsoft that deletes local copies of profiles that have not been used for more than a supplied number of days. Combine it with Systems Management Server or logon/logoff scripts, and you have an effective way of providing a consistent user experience to hoteling users, protecting their data (a stale local copy of somebody else's profile on a shared machine is data left lying around), and ensuring their profile footprint on the computers they use doesn't grow out of control. The Resource Kit delprof predates NT6, so test it against Vista/7 profiles before relying on it there.

As always, there are a couple of snags. The dividing line between Windows 2000/XP/2003 (NT5) and Vista/7 (NT6) is enforced here. Roaming profiles, whether mandatory or not, simply aren't compatible across it. If you create a profile for an NT5 user, then as soon as they log onto an NT6 system it will create a second profile folder in your profiles share on the server, named after the original with '.V2' appended; the NT5 folder is left as it was and is not upgraded. Irritating as that might be, it is actually a perfectly manageable situation.

Create two mandatory profiles (one for NT5 and one for NT6), and folder redirection will work across the profile boundary, because the redirected folders live on the server outside both profiles. The gotcha is that certain applications have problems when hoteling and folder redirection are combined: multiple instances of the same program on different computers trying to access the same file (the only copy being the one that lives on the server) can and often do cause problems. Having the same user simultaneously on a mix of NT5 and NT6 systems with folder redirection is right out. I feel the need to reinforce this very strongly: when using roaming profiles or folder redirection, use different user accounts for NT5 and NT6 wherever possible. Thorough lab testing is therefore crucial before rolling anything like roaming profiles or folder redirection into production.
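The two chores the last few paragraphs describe, converting a finished profile into a mandatory one and finding users whose profile share carries both an NT5 folder and an NT6 '.V2' folder, as an added PowerShell example that is not from the original article. It assumes a profiles share at \\fileserver\profiles$ (hypothetical) in which Windows has created <username> and <username>.V2 folders, and PowerShell 2.0 as shipped with Windows 7 / Server 2008 R2 (hence no -Directory switch on Get-ChildItem).

```powershell
# Added example, not from the original article. Audits a profiles share for users
# who have touched both NT5 and NT6, and converts a profile folder to mandatory.
param([string]$ProfileShare = '\\fileserver\profiles$')   # hypothetical share

# Group the profile folders by user and report which OS generations each user has
# logged on from. A user with both a plain folder and a '.V2' folder is hoteling
# across the NT5/NT6 boundary the article warns about.
function Get-ProfileGenerations {
    param([string]$Share)
    $byUser = @{}
    Get-ChildItem -Path $Share | Where-Object { $_.PSIsContainer } | ForEach-Object {
        if ($_.Name -match '^(?<user>.+)\.V2$') {   # Vista/7 created this one
            $user = $matches['user']; $gen = 'NT6'
        } else {
            $user = $_.Name;          $gen = 'NT5'
        }
        if (-not $byUser.ContainsKey($user)) { $byUser[$user] = @() }
        $byUser[$user] += $gen
    }
    foreach ($u in $byUser.Keys) {
        New-Object PSObject -Property @{
            User         = $u
            Generations  = (($byUser[$u] | Sort-Object) -join ',')
            CrossVersion = ($byUser[$u].Count -gt 1)
        }
    }
}

# Turn a finished roaming profile into a mandatory one. Windows treats the hive as
# read-only (and never writes the profile back at logoff) when it is called
# NTUSER.MAN instead of NTUSER.DAT. Run this separately against the NT5 folder and
# the '.V2' folder; the two hives are not interchangeable, and the '.V2' folder must
# keep its suffix or NT6 clients will not find it. Users still need read access.
function ConvertTo-MandatoryProfile {
    param([string]$ProfileFolder)
    $dat = Join-Path $ProfileFolder 'NTUSER.DAT'
    $man = Join-Path $ProfileFolder 'NTUSER.MAN'
    if (Test-Path $man) { return $man }               # already mandatory; nothing to do
    if (-not (Test-Path $dat)) { throw "No NTUSER.DAT in $ProfileFolder" }
    Rename-Item -Path $dat -NewName 'NTUSER.MAN' -Force # -Force: the hive is a hidden file
    return $man
}

# Report only the users the article says to split into separate accounts.
Get-ProfileGenerations -Share $ProfileShare |
    Where-Object { $_.CrossVersion } |
    Format-Table User, Generations -AutoSize
```

Run the audit before converting anything: every user it lists is one whose NT5 and NT6 copies will otherwise drift apart, and the conversion should be done on a reference profile you have finished configuring, not on whatever happens to be in the share.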

Next on the list of scenarios are remote users who need offline access to their files. The most important question to ask yourself is whether you are using encryption. Any notebook or remote PC outside the corporate firewall that stores a local copy of corporate information absolutely must use full-disk encryption; an offline cache or a roaming profile is, by design, a complete copy of that data sitting on a device that can be lost or stolen. If you are not encrypting your remote devices, stop reading right now and solve that problem first.

If you have dealt with the liability issues surrounding copies of data stored outside the corporate firewall, then Microsoft has, in theory, got you covered. As discussed in my previous article, a roaming profile copies nearly the entire profile between the local device and the server at logon and logoff. More importantly, folder redirection makes the redirected folders available offline by default through Offline Files; it's designed with this sort of thing in mind.

If your user lives on their notebook, doesn't hotel, and can tolerate a profile rebuild if the notebook is lost, then folder redirection is the order of the day. If the user would still expect rapid turnaround after the loss of a notebook, enable roaming profiles as well, so the settings come back with the user on a replacement machine, and be done with it. If the user has a notebook and also a desktop inside the corporate firewall, combine roaming profiles with folder redirection, and disable Offline Files on the system connected to the corporate network while leaving it active on the notebook; two machines each holding an offline cache of the same redirected folders is exactly the multiple-copies problem described above.

Sadly, if you were under the impression that this wraps up user data issues in a neat little bow, you really should know better. As I mentioned in my previous article, users with notebooks almost never actually log off or reboot, which means the logoff-time write-back that roaming profiles depend on never happens. You can try to force them to: GPOs that shove Windows Updates down their throats are effective at this, though they meet with harsh end-user resistance. You can set up GPOs to force a logoff at a particular time, but I guarantee that will be allowed to happen exactly once. Instead, if at all possible, stick solely to folder redirection. Most critically, pair it with the Offline Files implementation in Windows 7 and Server 2008 R2.

In case you were wondering what Windows 7's 'killer feature' is, the new treatment of offline files and folders finally won over an upgrade refusenik like me. If you've ever had problems with Offline Files in the past (which includes every single person who has ever had to use it), then I heartily recommend taking the new one for a spin. It isn't perfect, but Offline Files under 7/2008 R2 is far more advanced than under NT5 or even Vista: there are fewer errors, fewer issues with locked files, and you can schedule synchronisation.

More importantly, you can trigger synchronisation from scripts, which can themselves be triggered by any of a vast array of events in the new and much improved Task Scheduler. Scheduling and scripting can really help mitigate the problem of notebook users not being connected to the corporate network when (or if) they log off. My canonical example would be a notebook scripted to wake itself from hibernation at 4am every night, but only if it is not running on batteries. It would then connect to the VPN, synchronise offline files and folders, and go back into hibernation. Even if the user never logs that notebook off, the data is still synchronised to the server every night.
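The 4am scenario above, as an added PowerShell example (not the author's script). It assumes Windows 7 / Server 2008 R2 with PowerShell 2.0, a RAS/VPN phonebook entry named CorpVPN (hypothetical) whose credentials are saved on the entry or supplied by a certificate, and that the script runs in the context of the logged-on user, since the Offline Files cache and the phonebook entry both belong to that user. The Synchronize flag values are quoted from the Win32_OfflineFilesCache documentation from memory and are marked as an assumption; check them against the SDK before deploying.

```powershell
# Added example, not from the original article. Run once with -Install from the
# user's own session to register the task; thereafter the task runs this script
# nightly at 04:00, waking the notebook from hibernation to do so.
param(
    [switch]$Install,
    [string]$VpnEntry = 'CorpVPN'    # hypothetical RAS phonebook entry name
)
$ScriptPath = $MyInvocation.MyCommand.Path

# Win32_Battery.BatteryStatus 1 = discharging, 4 = low, 5 = critical all mean the
# machine is running on batteries. A desktop has no Win32_Battery instance at all.
function Test-OnBattery {
    $batteries = @(Get-WmiObject -Class Win32_Battery -ErrorAction SilentlyContinue)
    foreach ($b in $batteries) {
        if (@(1, 4, 5) -contains [int]$b.BatteryStatus) { return $true }
    }
    return $false
}

# Push the cached copies of every share in this user's Offline Files cache back to
# the server and pull down anything newer from it. ItemType 3 = share root.
function Sync-OfflineFiles {
    $SYNC_IN  = 0x2    # server -> client   (flag values are an assumption; verify against the SDK)
    $SYNC_OUT = 0x4    # client -> server; this is the direction that protects the user's data
    $shares = @(Get-WmiObject -Class Win32_OfflineFilesItem -Filter 'ItemType = 3' |
                ForEach-Object { $_.ItemPath })
    if ($shares.Count -eq 0) { return 0 }         # nothing cached, nothing to do
    $cache = [wmiclass]'root\cimv2:Win32_OfflineFilesCache'
    $result = $cache.Synchronize([string[]]$shares, ($SYNC_IN -bor $SYNC_OUT))
    return [int]$result.ReturnValue                # 0 = success, otherwise a Win32 error code
}

# Register the daily 04:00 task through the Task Scheduler 2.0 COM API (the
# *-ScheduledTask cmdlets did not exist before Windows 8).
function Register-NightlySyncTask {
    param([string]$Path)
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $def = $svc.NewTask(0)
    $def.RegistrationInfo.Description = 'Wake, connect VPN, sync Offline Files, hibernate'
    $trigger = $def.Triggers.Create(2)             # 2 = TASK_TRIGGER_DAILY
    $trigger.StartBoundary = (Get-Date -Hour 4 -Minute 0 -Second 0).ToString('yyyy-MM-ddTHH:mm:ss')
    $trigger.DaysInterval = 1
    $action = $def.Actions.Create(0)               # 0 = TASK_ACTION_EXEC
    $action.Path = 'powershell.exe'
    $action.Arguments = "-NonInteractive -ExecutionPolicy Bypass -File `"$Path`" -VpnEntry `"$VpnEntry`""
    $def.Settings.WakeToRun = $true                # the whole point of the exercise
    $def.Settings.DisallowStartIfOnBatteries = $true
    $def.Settings.StopIfGoingOnBatteries = $true
    $def.Settings.StartWhenAvailable = $true       # catch up if 04:00 was missed entirely
    # 6 = TASK_CREATE_OR_UPDATE, 3 = TASK_LOGON_INTERACTIVE_TOKEN: run as the user who
    # is (and, per the article, stays) logged on, so the cache and phonebook are theirs.
    $svc.GetFolder('\').RegisterTaskDefinition('Nightly Offline Files Sync', $def, 6,
                                              $null, $null, 3) | Out-Null
}

if ($Install) { Register-NightlySyncTask -Path $ScriptPath; return }
if (Test-OnBattery) { return }                     # on batteries: do nothing and stay put

$connected = $false
try {
    & rasdial.exe $VpnEntry | Out-Null             # dials with the entry's saved credentials
    if ($LASTEXITCODE -eq 0) {
        $connected = $true
        $rc = Sync-OfflineFiles
        if ($rc -ne 0) { Write-Warning "Offline Files sync returned $rc" }
    }
} finally {
    if ($connected) { & rasdial.exe $VpnEntry /disconnect | Out-Null }
    & shutdown.exe /h                              # back into hibernation, sync or no sync
}
```

Register it from the user's session with powershell.exe -File sync.ps1 -Install. WakeToRun only does anything if wake timers are allowed in the active power plan and the firmware supports waking from hibernation; if either is missing, StartWhenAvailable means the sync simply runs the next time the notebook is powered up on mains. The script hibernates unconditionally when it finishes, so if the user might genuinely be working at 04:00, gate the shutdown on idle time. Running the sync over a VPN also makes it a candidate for the 'slow link' behaviour covered in the next article.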

As mentioned earlier, there simply isn't room in a single article to cover everything related to a topic this vast. While I've gone over the most common scenarios here, there are still more tools to look at that help deal with the special cases that always crop up to deviate from the norm. My next article will explore the 'slow link' group policy settings and how they can be one of the most useful tools in dealing with roaming profiles and folder redirection. I'll also talk about super-mandatory profiles and why Resultant Set of Policy (rsop.msc) is your friend. ®
