Windows Support Tools


Friday, 26 June 2009

Implementing Roaming User Profiles in Windows Vista

Posted on 01:07 by Unknown
To implement roaming user profiles for users of Windows Vista computers in an Active Directory environment, follow these steps:

1. Prepare the file server where you want to store roaming user profiles for users by creating a shared folder on the server. (This server is sometimes called the profile server; a typical share name for this shared folder is Profiles.)
2. Assign the permissions shown in Tables 1 and 2 to the underlying folder being shared and to the share itself. Also confirm that the permissions in Table 3 are automatically applied to each roaming user profile folder.

Table 1 NTFS Permissions for Roaming Profile Parent Folder

| User account | Minimum permissions required |
|---|---|
| Creator/Owner | Full Control - Subfolders and Files Only |
| Administrator | None |
| Security group of users needing to put data on share | List Folder/Read Data, Create Folders/Append Data - This Folder Only |
| Everyone | No Permissions |
| Local System | Full Control - This Folder, Subfolders, and Files |

Table 2 Share-Level (SMB) Permissions for Roaming Profile Share

| User account | Default permissions | Minimum permissions required |
|---|---|---|
| Everyone | Full Control | No Permissions |
| Security group of users needing to put data on share | N/A | Full Control |

Table 3 NTFS Permissions for Each User’s Roaming Profile Folder

| User account | Default permissions | Minimum permissions required |
|---|---|---|
| %Username% | Full Control, Owner Of Folder | Full Control, Owner Of Folder |
| Local System | Full Control | Full Control |
| Administrators | No Permissions [1] | No Permissions |
| Everyone | No Permissions | No Permissions |

[1] This is true unless you set the “Add the Administrator security group to the roaming user profile share” policy, in which case the Administrators group has Full Control (requires Windows 2000 Service Pack 2 or later).

3. Create a default network profile for users and copy it to the NETLOGON share on a domain controller. Let it replicate to other domain controllers in the domain.
This step is optional and is typically necessary only if you want to preconfigure a roaming user profile for your users so that they will all have the same desktop experience when they first log on. If you do not create a default network profile, Windows Vista will use the local %SystemRoot%\Users\Default profile instead.
4. Open Active Directory Users and Computers and configure the profile path on the Profile tab for each user who will roam.

Additional, optional steps include configuring roaming profiles as mandatory profiles or as super mandatory profiles if desired.
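
Steps 1 and 2 can also be scripted. The following PowerShell is an added example, not part of the original article: it applies Table 1 to the parent folder and creates the share with the Table 2 minimum permissions. It assumes a current Windows Server with the SmbShare module; the folder path D:\Profiles and the group CONTOSO\Roaming Profile Users are placeholders.

```powershell
# Added example. $Path, $Group and the share name are assumptions, not values from the article.
$Path  = 'D:\Profiles'                      # assumed folder on the profile server
$Group = 'CONTOSO\Roaming Profile Users'    # hypothetical group of users who roam

$fsr = 'System.Security.AccessControl.FileSystemAccessRule'
$sid = 'System.Security.Principal.SecurityIdentifier'
$creatorOwner = New-Object $sid 'S-1-3-0'   # well-known SID: CREATOR OWNER
$localSystem  = New-Object $sid 'S-1-5-18'  # well-known SID: Local System
$roamers      = New-Object System.Security.Principal.NTAccount $Group

New-Item -Path $Path -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $Path

# Stop inheriting from the parent and discard the inherited entries, then
# remove any explicit entries, so that Administrators and Everyone end up
# with no entry on the folder (Table 1).
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

# Table 1, row by row: identity, rights, inheritance, propagation, type.
$rules = @(
    # Creator/Owner: Full Control, subfolders and files only
    (New-Object $fsr $creatorOwner, 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'),
    # Local System: Full Control, this folder, subfolders and files
    (New-Object $fsr $localSystem, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'),
    # Roaming group: List Folder/Read Data + Create Folders/Append Data, this folder only
    (New-Object $fsr $roamers, 'ListDirectory, CreateDirectories', 'None', 'None', 'Allow')
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $Path -AclObject $acl

# Table 2: only the roaming group is named on the share, with Full Control.
New-SmbShare -Name 'Profiles' -Path $Path -FullAccess $Group | Out-Null

# Review the result against Tables 1 and 2; Everyone should appear in neither list.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
Get-SmbShareAccess -Name 'Profiles'
```

The "this folder only" scope on the group entry is what keeps one user from reading another user's profile folder: each user can create a subfolder, and the Creator/Owner entry then gives that user Full Control of it alone.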
Creating a Default Network Profile

When a user logs on to a Windows Vista computer for the first time, Windows Vista tries to find a profile named Default User.v2 in the NETLOGON share on the domain controller authenticating the user. If Windows Vista finds such a profile, this profile is copied to the user’s computer to form the user’s local profile on the computer. If Windows Vista does not find such a profile, the Default profile under %SystemDrive%\Users on the user’s computer is copied instead as the user’s local profile.

To create a default network profile, follow these steps:

1. Log on to any computer running Windows Vista, using any domain user account.
2. Configure the desktop settings, Start menu, and other aspects of your computer’s environment as you want users who log on to Windows for the first time to experience them.
3. Log off and then log on using an account that belongs to the Domain Admins group.
4. Click Start, right-click Computer, and then select Properties.
5. Click Advanced System Settings. In the System Properties dialog box, click the Advanced Settings tab and then click Settings under User Profiles. The User Profiles dialog box opens.
6. Select the user profile you previously configured in step 2 and click Copy To. The Copy To dialog box opens.
7. Type \\domain_controller\NETLOGON\Default User.v2 in the Copy To dialog box.
8. Click Change, type Everyone and then click OK twice to copy the local user profile you previously configured to the NETLOGON share as the default network profile Default User.v2.
9. Type \\domain_controller\NETLOGON in the Quick Search box and press ENTER to open the NETLOGON share on your domain controller in a Windows Explorer window. Verify that the profile has been copied.

Note You may already have a Default User profile in NETLOGON that you created previously as a default network profile for users of computers running earlier versions of Windows. This network profile is not compatible with Windows Vista. See the section “Considerations for Mixed Environments” later in this chapter for more information.
Configuring a User Account to Use a Roaming Profile

Once you have created a Profiles share and configured it with suitable permissions on a file server, you can configure new user accounts to use roaming user profiles. To do this, follow these steps (a Windows Server 2003 domain is used in this example):

1. Log on to a domain controller as a member of the Domain Admins group (or any administrator workstation running an earlier version of Windows on which adminpak.msi has been installed).
2. Open Active Directory Users and Computers and select the organizational unit containing the new user accounts you want to enable roaming for.
3. Select each user account in the OU that you want to configure. Right-click each account and select Properties.
4. Click the Profile tab, select the check box labeled Profile Path, type \\profile_server\Profiles\%username% in the Profile Path text box, and then click OK.

The selected new user accounts are now ready for using roaming profiles. To complete this procedure, have each user log on to a Windows Vista computer using his or her user credentials. When the user logs on to Windows Vista for the first time, the Default User.v2 profile is copied from NETLOGON to the user’s local profile and then copied as user_name.v2 to the Profiles share on the profile server. For example, a user named Jacky Chen (jchen@contoso.com) who logs on to a Windows Vista computer for the first time will receive the roaming user profile \\profile_server\Profiles\jchen.v2. The .v2 suffix identifies this profile as compatible only with Windows Vista or later.
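
For an OU with many accounts, the same profile path can be set from PowerShell. This is an added example, not part of the original article: it assumes the ActiveDirectory module is available, and the OU name and the helper function Get-RoamingProfilePath are hypothetical. It also refuses and audits paths ending in .v2, since the suffix belongs only on the server-side folder name, never in the user object's profile path.

```powershell
# Added example. The OU and the helper name are hypothetical; the share path is the article's.
Import-Module ActiveDirectory

$SearchBase  = 'OU=Roaming Users,DC=contoso,DC=com'   # hypothetical OU
$ProfileRoot = '\\profile_server\Profiles'

function Get-RoamingProfilePath {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    # Active Directory Users and Computers substitutes the account name for
    # %username% when the dialog is saved; here the path is built explicitly.
    $path = '{0}\{1}' -f $Root.TrimEnd('\'), $SamAccountName
    if ($path -match '\.v2$') {
        throw "Profile path '$path' must not carry the .v2 suffix."
    }
    $path
}

Get-ADUser -SearchBase $SearchBase -Filter * -Properties ProfilePath | ForEach-Object {
    $target = Get-RoamingProfilePath -Root $ProfileRoot -SamAccountName $_.SamAccountName
    if ($_.ProfilePath -ne $target) {
        # -WhatIf prints the intended change without writing it; remove it to apply.
        Set-ADUser -Identity $_ -ProfilePath $target -WhatIf
    }
}

# Audit: list accounts whose stored profile path already ends in .v2.
Get-ADUser -Filter 'ProfilePath -like "*.v2"' -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
```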
Implementing Mandatory Profiles

The procedure for implementing mandatory user profiles is similar to the procedure for implementing roaming user profiles described earlier in the article, with the following differences:

* Instead of assigning the Authenticated Users built-in group Full Control of the Profiles folder on the profile server, assign this group Read permission and the Administrators group Full Control.
* Follow the steps in the section “Creating a Default Network Profile,” but instead of copying the domain user profile you configured to \\domain_controller\NETLOGON\Default User.v2, copy the profile to \\profile_server\Profiles\Mandatory.v2.
* Browse to locate the super-hidden \\profile_server\Profiles\Mandatory.v2\ntuser.dat file and change its name to ntuser.man. (Super-hidden files have the hidden and system attributes set.)
* Follow the steps in the section “Configuring a User Account to Use a Roaming Profile,” but instead of typing \\profile_server\Profiles\%username% in the Profile Path text box, type \\profile_server\Profiles\Mandatory.

Any user who now logs on with this mandatory user profile will be able to configure the desktop environment while logged on to the network, but when the user logs off any changes made to the environment will not be saved.

Caution Do not add .v2 to the profile path of the user object in Active Directory Users and Computers. Doing so may prevent Windows Vista from locating the roaming or mandatory profile. You should only apply the .v2 suffix to the name of the user folder on the central file server.

Caution It is acceptable to use the existing server and file share where you store your current roaming user profiles. If you do so, however, each user will have two roaming profile folders: one for Windows Vista and one for Windows XP. The added folder also means additional storage requirements for the server. Ensure that the drive hosting the share has adequate free space, and adjust any disk-quota policies accordingly.
Implementing Super Mandatory Profiles

The procedure for implementing super mandatory profiles is similar to the procedure for implementing mandatory user profiles described earlier, with the following differences:

* Instead of copying the domain user profile you configured to \\domain_controller\NETLOGON\Default User.v2, copy the profile to \\profile_server\Profiles\Mandatory.man.v2.
* Instead of typing \\profile_server\Profiles\%username% in the Profile Path text box, type \\profile_server\Profiles\Mandatory.man.

Once you have implemented these profiles, users will be able to configure their desktop environments while logged on to the network, but when they log off any changes they made to their environments will not be saved. In addition, if the profile server is unavailable when the user tries to log on to the network (or if the super mandatory profile does not load for any other reason), Windows Vista will not allow the user to log on to the computer.
Using Roaming User Profiles Together with Folder Redirection

If you configure both Folder Redirection and roaming user profiles, do not store redirected folders within the user’s roaming profiles, but instead store them on the network share where Folder Redirection is targeted. This reduces the size of a user’s roaming profile, speeds up its download time, and improves the user’s logon experience.

In general, best practice is to configure Folder Redirection first, make sure it applies successfully, and then deploy roaming user profiles. Also, users should log off all computers and follow these steps on one computer first (with all their main data).
Considerations for Mixed Environments

The following considerations apply when implementing roaming user profiles in mixed environments that consist of both Windows Vista and Windows XP or Windows 2000 client computers:

* Default network profiles created for computers running an earlier version of Windows are not compatible with default network profiles created for Windows Vista computers because the profile namespace of Windows Vista is incompatible with the profile namespace of Windows XP. Because of this incompatibility, users who log on to a computer running an earlier version of Windows cannot roam their profiles to Windows Vista computers and vice versa. If users must use both Windows Vista computers and earlier versions of Windows, they will need separate roaming profiles for each computer and must manage the profiles separately. If Folder Redirection is implemented, however, part of the user profiles (the redirected folders) can be shared between the two desktop environments.
* If users need to roam across both Windows Vista computers and computers running earlier versions of Windows, you will need twice the usual space to store their roaming profiles. For example, if user Jacky Chen roams across both Windows Vista computers and computers running an earlier version of Windows, he will have two roaming profiles on the profile server:
o \\profile_server\Profiles\jchen, which is his roaming profile on earlier versions of Windows
o \\profile_server\Profiles\jchen.v2, which is his roaming profile on Windows Vista computers

These two user profiles are incompatible and will not share any data unless you have also implemented Folder Redirection for the user. Specifically, if you implement all available Folder Redirection policies for this user (including those that apply to earlier versions of Windows), only the HKCU settings will be unavailable between platforms.

In Windows Vista, disk quotas configured on roaming profiles no longer prevent users from logging off as disk quotas did on earlier versions of Windows. However, disk quotas will prevent roaming profiles from being uploaded to the profile server when the user logs off. No user data is lost, however, since the data still remains in the user’s local user profile on the computer.