--
John Oliver, Jr
MCSE, MCT, CCNA
Exchange MVP 2009
Microsoft Certified Partner
"Sher" <Sh...@discussions.microsoft.com> wrote in message
news:1D42E234-96EE-4D70...@microsoft.com...
>Roaming profiles are going to be your only solution here. In fact, there
>are printers, files, favorites, etc. that users will most likely need, so
>Roaming Profiles are your best solution.
Agreed. Here's my boilerplate on roaming profiles....they can work
very well if you are extremely careful in how you set them up.
General tips:
1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is
*not* set to allow offline files/caching! (that's on by default -
disable it)
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and
users=full control.
3. In the users' ADUC properties, specify
\\server\profiles$\%username% in the profiles field
4. Have each user log into the domain once - if this is an existing
user with a profile you wish to keep, have them log in at their usual
workstation and log out. The profile is now roaming.
5. If you want the administrators group to automatically have
permissions to the profiles folders, you'll need to make the
appropriate change in group policy. Look in computer
configuration/administrative templates/system/user profiles - there's
an option to add administrators group to the roaming profiles
permissions. Do this *before* the users' roaming profile folders are
created - it isn't retroactive.
********************
Notes:
Make sure users understand that they should not log into multiple
computers at the same time when they have roaming profiles (unless you
make the profiles mandatory by renaming ntuser.dat to ntuser.man so
they can't change them, which has major disadvantages). Explain that
the 'last one out wins' when it comes to uploading the final, changed
copy of the profile. If you want to restrict multiple simultaneous
network logins, look at LimitLogon (too much overhead for me), or
this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768
********************
Keep your profiles TINY. Via group policy, you should be redirecting
My Documents (at the very least) - to a subfolder of the user's home
directory or user folder. Also consider redirecting Desktop &
Application Data similarly..... so the user will end up with:
\\server\users\%username%\My Documents,
\\server\users\%username%\Desktop,
\\server\users\%username%\Application Data.
[Alternatively, just manually re-target My Documents to
\\server\users\%username% (this is not optimal, however!)]
You should use folder redirection even without roaming profiles, but
it's especially critical if you *are* using them.
If you aren't going to also redirect the desktop using policies, tell
users that they are not to store any files on the desktop or you will
beat them with a stick. Big profile=slow login/logout, and possible
profile corruption.
********************
Note that user profiles are not compatible between different OS
versions, even between W2k/XP. Keep all your computers. Keep your
workstations as identical as possible - meaning, OS version is the
same, SP level is the same, app load is (as much as possible) the same.
*********************
If you also have Terminal Services users, make sure you set up a
different TS profile path for them in their ADUC properties - e.g.,
\\server\tsprofiles$\%username%
********************
Do not let people store any data locally - all data belongs on the
server.
********************
The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
********************
Roaming profile & folder redirection article -
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html
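
A read-only audit of a share set up as in steps 1-5 above, added here as an example and not part of the original post. It assumes the post's share name profiles$, Windows Server 2012 or later for the SmbShare cmdlets, English built-in account names, and an elevated session on the file server itself.

```powershell
# Added audit example (not the poster's code). Assumptions: share 'profiles$',
# SmbShare module available, English account names, run elevated on the server.
$ShareName = 'profiles$'
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Step 1: offline files/caching must be disabled on the profile share.
if ("$($share.CachingMode)" -ne 'None') {
    Write-Warning ("Caching is '$($share.CachingMode)'. " +
        "Fix: Set-SmbShare -Name '$ShareName' -CachingMode None")
}

# Step 2: print share-level and root NTFS permissions for review.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host
(Get-Acl -LiteralPath $share.Path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize | Out-Host

# Steps 4-5: inspect each user's profile folder and report who else can reach it.
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
Get-ChildItem -LiteralPath $share.Path -Directory | ForEach-Object {
    $dir  = $_
    $user = $dir.Name -replace '\.V\d+$', ''   # newer OS versions append .V2, .V5, ...
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
    } catch {
        # Typical when the step 5 policy was not in effect at folder creation.
        return [pscustomobject]@{
            Folder = $dir.Name; Owner = '?'; Finding = 'ACL unreadable by this account'
        }
    }
    # Allow entries for anyone other than the folder's user and the trusted set.
    $others = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        $_.IdentityReference.Value -notmatch ('\\' + [regex]::Escape($user) + '$')
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    [pscustomobject]@{
        Folder  = $dir.Name
        Owner   = $acl.Owner
        Finding = if ($others) { 'Also accessible to: ' + ($others -join ', ') } else { 'OK' }
    }
}
```

Folders reported as unreadable are the ones created before the step 5 policy applied; unresolved SIDs in the ACL also show up under "Also accessible to".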