May 09 2008

Windows Vista Simplifies Folder Redirection and Profile Roaming

Changes to user profiles in Vista improve logon performance for users with roaming profiles.

For employees whose primary computing device is a desktop PC, moving to another computer often results in problems, such as applications that don’t work and files that can’t be found.

Windows stores user data and settings in user profiles, which consist of a folder namespace and registry hive. Every user account has an associated local or roaming profile. Roaming profiles, which are sometimes used on networked PCs, are stored on a server so that users’ settings and files follow them as they log on to different machines. Folder redirection makes it possible to change the location of files within a selected folder (such as Documents) in a user’s profile, from the local machine to a server.

Microsoft has made significant changes to the folder namespace for storing data in user profiles in Windows Vista. The new hierarchy clearly differentiates between machine-specific data and files that need to follow users, reducing the amount of space required to store roaming profiles. More folders can now be redirected using Group Policy, which may prove to be an effective alternative to — or may be used in combination with — roaming profiles.

Vista includes several new and/or renamed folders that reside under Users\username rather than Documents and Settings\username as in XP. Vista’s new AppData folder (Figure 1) consolidates several XP folders, such as Application Data, Local Settings\Application Data and Start Menu, among others. AppData is divided into three subfolders: Roaming, Local and LocalLow. The Roaming subfolder consolidates all data that needs to follow a user, and the other two contain machine-specific data. This separation of files allows more efficient folder redirection and profile roaming by reducing the quantity of data that needs to be copied to a server. For the purposes of application compatibility, Vista includes hidden junction points that redirect applications with hard-coded references to XP’s legacy file paths, so Documents and Settings\username will be transparently redirected to Users\username.

Figure 1

Roaming Profiles

Vista’s user profiles are not backward-compatible with XP’s, so two different profiles will reside on the server if roaming is used in a mixed environment. Vista’s profiles are identified by a .V2 extension appended to the folder name. Roaming profiles are cached on computers that a user has logged on to, so if the network is unavailable, a local copy of the profile is accessible. It’s also possible to configure default network and local profiles so that, in the worst case, there is always a temporary profile available to let users log on successfully. Before you enable a roaming profile for a user, you need a network share to store the profile, with Authenticated Users granted Full Control on the share’s Access Control List (ACL). Log on to a Server 2008 domain controller as a domain administrator:

Figure 2

  1. Open Active Directory Users and Computers (ADUC) from Administrative Tools on the Start menu.
  2. In the left-hand pane of ADUC, highlight the Users container or Organizational Unit (OU) where the user account is located. In the right-hand pane of ADUC, right-click a user account and select Properties from the menu.
  3. Click the Profile tab and enter the UNC path for the roaming profile in the Profile path box. In this example, the path is \\win2k8\roamingprofiles\%username%, where “win2k8” is the name of the server and “roamingprofiles” the name of the share; the folder name will be generated from the “%username%” environment variable (Figure 2). You can select multiple user accounts in ADUC and modify the Profile path attribute, in which case the “%username%” environment value becomes especially useful.

Figure 3

If we log on to a Vista workstation, a new folder will be created in the “roamingprofiles” share. In this example (Figure 3), a folder has been created called Accountant1.V2.
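Because the share itself grants Authenticated Users Full Control, the NTFS ACL on each profile folder is the only thing keeping one user out of another's profile. The following audit is an added example, not part of the original article; it assumes PowerShell 3.0 or later, the share path used above, and folders named `<username>` or `<username>.V2` (the function name is hypothetical):

```powershell
# Added example: list profile folders whose owner or ACL lets someone other
# than the profile's user, SYSTEM or Administrators modify the profile.
function Get-ProfileAclFinding {
    param([string]$ProfileRoot = '\\win2k8\roamingprofiles')   # path from the article

    # Principals expected on every profile folder besides the user.
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'

    # Bits that allow changing or taking over a profile. The two generic bits
    # (GENERIC_ALL, GENERIC_WRITE) are included because inherit-only ACEs
    # often carry them instead of file-specific rights.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = $writeBits -bor 0x10000000 -bor 0x40000000

    Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
        $folder = $_
        # Accountant1.V2 -> Accountant1; XP-style folders have no suffix.
        $user = $folder.Name -replace '\.V2$', ''
        $acl  = Get-Acl -LiteralPath $folder.FullName

        # The user creates the folder at first logon and should own it.
        # Only the account name is compared; the domain part is ignored.
        $ownerName = ($acl.Owner -split '\\')[-1]
        if ($ownerName -ne $user -and $trusted -notcontains $acl.Owner) {
            [pscustomobject]@{
                Folder   = $folder.Name
                Identity = $acl.Owner
                Finding  = 'Unexpected owner'
            }
        }

        foreach ($ace in $acl.Access) {
            $id     = $ace.IdentityReference.Value
            $isUser = (($id -split '\\')[-1] -eq $user)
            if ($ace.AccessControlType -ne 'Allow' -or $isUser -or $trusted -contains $id) {
                continue
            }
            if (([int]$ace.FileSystemRights -band $mask) -ne 0) {
                [pscustomobject]@{
                    Folder   = $folder.Name
                    Identity = $id
                    Finding  = "Write access: $($ace.FileSystemRights)"
                }
            }
        }
    }
}
```

Run `Get-ProfileAclFinding | Format-Table -AutoSize` from an administrative session; an empty result means every folder is writable only by its user, SYSTEM and Administrators.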

Folder Redirection

As opposed to roaming profiles, which transfer the entire profile to a server, folder redirection allows you to select only the data that needs to follow a user as they work on different machines. Folder redirection provides a lightweight alternative to roaming profiles, but it has one disadvantage: Folders must be used in conjunction with Vista’s Offline Files functionality or they won’t be available if the server is unreachable. But it’s likely that you will use Offline Files with notebook computers. Folder redirection is a simple affair with Vista and Windows Server 2008. Log on to a Server 2008 domain controller as a domain administrator:

Figure 4

  1. Open Group Policy Management from Administrative Tools on the Start menu.
  2. In the left-hand pane of Group Policy Management, expand your domain, right-click Group Policy Objects and select New. Name it Folder Redirection and click OK.
  3. Expand Group Policy Objects, right-click the Folder Redirection Group Policy object (GPO) and select Edit from the menu.
  4. Expand User Configuration > Policies > Windows Settings > Folder Redirection (Figure 4). Right-click Documents and select Properties.
  5. On the Target tab, select Basic – Redirect everyone’s folder to the same location. (The advanced option allows you to redirect folders to different shares based on users’ security group membership.)
  6. We’ll leave the default option selected for Target folder location, which leaves the server to create a Documents folder for each user on the specified share. You can give an exact path, using environment variables such as “%username%,” if, for instance, the folders already exist on your server.
  7. Enter the UNC path in Root Path for the share where redirected folders are stored on your network (Figure 5).
  8. Click OK. You can click Yes on the warning dialog, as we’re only working with Vista and Server 2008. Close the Group Policy Management Editor window.

Now that we’ve created a GPO for Folder Redirection, we need to link the GPO to an OU in the domain that contains user accounts to which we want to apply the new settings. To test the new policy, log on to Vista using an account located in the OU where the new policy is linked, right-click Documents on the Start menu and select Properties. The network location of the folder should be shown on the General tab.

Supermandatory Profiles

A new feature in Windows Vista — supermandatory profiles — ensures that users can log on only if the profile successfully loads from the server. A temporary or cached local profile will not be used. Before creating a supermandatory profile, prepare a new file share, with share permission of Full Control for Administrators and Read permission for Authenticated Users. To create a new supermandatory profile, log on to Vista as a domain administrator:

Figure 6

  1. Right-click Computer on the Start menu and select Advanced system settings.
  2. On the Advanced tab of the System Properties dialog, click Settings under User Profiles.
  3. From the list of profiles, select a domain user account and then click Copy To. Any account that you have preconfigured can be used, but it shouldn’t be a domain administrator account.
  4. In the Copy profile to box, type the UNC path for your supermandatory profiles (Figure 6), making sure you append “man.V2” to the end of the folder name. In this example, let’s create a supermandatory profile, which will be used for all users in the Accounts department.
  5. Click Change under Permitted to use, type Everyone in the Enter the object name to select box and click OK. Click OK on the Copy To dialog. Close all the remaining windows.
  6. Log on to a domain controller as a domain administrator, locate the Accounts.V2 folder in your roaming profiles share and change the name of the NTUSER.DAT file to NTUSER.MAN. You’ll need to show hidden files by selecting Organize > Folder and Search Options in Windows Explorer and selecting Show hidden files and folders and deselecting Hide protected operating system files (Recommended) on the View tab.
  7. Now add the path for the supermandatory profile to a user account with ADUC, as we did in Step 3 for roaming profiles, noting that it’s not necessary to add .V2 to the end of the path: \\win2k8\mandatoryprofiles\accounts.man

To test the new profile, log on to Vista with the user account we’ve just modified in ADUC, and change the desktop background. Log off and back on again, and you should find that the changed desktop background was not saved. If the supermandatory profile is not accessible on the network, you won’t be able to log on.
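A server-side check of the layout the steps above produce, as an added example that is not part of the original article. It assumes the ADUC path from Step 7 and that Vista looks for the folder with .V2 appended to that path; the function name is hypothetical:

```powershell
# Added example: verify that a supermandatory profile folder is laid out so
# that Vista treats it as supermandatory rather than as a roaming profile.
function Test-SuperMandatoryProfile {
    param(
        # Path exactly as entered in ADUC (without .V2), from the article.
        [string]$AdProfilePath = '\\win2k8\mandatoryprofiles\accounts.man'
    )

    $issues = @()

    # The .man suffix on the folder name is what blocks logon with a
    # temporary or cached profile when the server copy cannot be loaded.
    if ($AdProfilePath -notmatch '\.man$') {
        $issues += 'ADUC path does not end in .man'
    }

    # Vista appends .V2 itself, so the folder on disk carries both suffixes.
    $folder = "${AdProfilePath}.V2"
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        return $issues + "Folder $folder not found; users assigned this path cannot log on"
    }

    # The hive is hidden, so -Force is needed to see it.
    $hives = Get-ChildItem -LiteralPath $folder -Force |
        Where-Object { $_.Name -match '^NTUSER\.(DAT|MAN)$' } |
        ForEach-Object { $_.Name.ToUpper() }

    if ($hives -notcontains 'NTUSER.MAN') {
        $issues += 'NTUSER.MAN missing: the hive has not been renamed'
    }
    if ($hives -contains 'NTUSER.DAT') {
        $issues += 'NTUSER.DAT still present alongside or instead of NTUSER.MAN'
    }

    return $issues
}
```

`Test-SuperMandatoryProfile` returns nothing when the folder and hive are named as the steps require, and one line per problem otherwise.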

Hybrid Solutions

To further improve logon performance, you can use folder redirection to move the Documents and Desktop (and any other folders that contain large amounts of data) out of the roaming profile folder namespace. Folder redirection can be used in conjunction with Group Policy, Group Policy Preferences and other means of automated configuration to provide users with a consistent environment when moving between machines, the net result being similar to roaming profiles. To achieve some degree of interoperability between Vista and XP roaming profiles in mixed environments, you can redirect folders from Vista user profiles to XP roaming profiles on a server.

IT Takeaway

The changes made to profiles in Vista will make it easier for IT departments to manage data and settings that need to be made available across multiple clients. The biggest disadvantage of roaming profiles is the quantity of data that might need to be transferred to the network, slowing down the logon. If your users travel between sites, consider the impact of replicating profiles and redirected folders. It may be a blessing rather than a curse that folder redirection doesn’t copy users’ registry data to the network. Unless you have a standardized environment, such configuration can cause unpredictable results when users move between machines.

Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.