All about roaming profiles and folder redirection in simple words
Preface
I’ve long wanted to write about roaming profiles, but I didn’t have time. I read a lot on the Internet: various reviews, opinions, comments, etc. Many articles and videos posted online did not cover the topic fully, only in general terms. It seems that either the author himself does not fully understand the essence of the issue (which I doubt), or believes that everyone already has sufficient knowledge, and therefore many details are not disclosed. Little things were missed that should have been given attention. I couldn’t find the topic fully covered anywhere, so I decided to write this article.
I wanted to write for people who have no practical experience with roaming profiles and don’t know how to do everything correctly, so that it doesn’t hurt afterwards and they don’t regret wasted time and effort.
In short, everything here is for beginners, chewed down to the smallest detail. If you do everything correctly, there will be no problems.
Before I sat down to write this article, I connected 56 computers to the server, and all 56 are running through roaming profiles. More than six months have already passed since the last machine was connected and about 10 months since the first one. So I have some small but solid experience in this matter.
I'm sure there will be a lot of negative feedback in the comments. There will be questions, discussions and condemnations. I'm ready for this. So I’ll start with a small introductory part.
1. What does a roaming profile and folder redirection give us other than a headache?
1.1 The ability to work with your documents from any computer entered into the domain.
1.2 There is no fear that your computer will die (break, burn, etc.) and all your data will be lost, because there is never time to throw everything valuable from the desktop onto a flash drive, and we always store everything valuable on the desktop. We just take another computer and work on it as if it were our own.
1.3 You can experiment with the operating system as you please, because if the OS dies, everything that was stored on the desktop, in downloads and in documents is saved on the server.
1.4 A user, knowing that the contents of his desktop and other folders are on the server at the disposal of the system administrator, is unlikely to store confidential information on his machine. Even if it is password protected.
2. What headaches can a roaming profile and folder redirection cause?
2.1 To the user – none. The user sometimes cannot even tell that the server has died and that he is working with his documents offline.
2.2 To the system administrator – if everything is done correctly, there will be no problems either. But this is subject to the requirements below.
A little fly in the ointment with profiles.
You should not deploy roaming profiles and folder redirection on an ordinary computer on which the domain is deployed. Even if you have not one domain controller but three (which I highly doubt), with three controllers your profiles folder on the two child controllers will still not be useful.
Yes, it is replicated from the first controller to the other two. Yes, all your profile data will be duplicated twice. But if the primary domain controller is down, users will not be able to connect to the server, because their profiles are tightly linked to the primary domain controller. The only temporary option will be for users to work offline until the main controller is restored.
To avoid this, you must meet the following hardware requirements:
For the domain, allocate a real server on which it is possible to create RAID arrays.
Select 2 HDDs for the system and enter them into RAID 1.
Select at least 3 HDDs for user profiles and add them to RAID 5.
The server must have an option to resume operation after a power outage.
Or another option:
Motherboards with support for RAID 1, 5, 10 and 50 are now on sale. Build a computer on such a motherboard and install Server 2016/2019. In the end we will get a not fully-fledged, but quite workable and reliable server. Even if the server loses power, you can always start it manually later.
For a rainy day, have a backup of the system along with the GPOs, users, etc. The best option would be a backup via Acronis. Well, this is my personal opinion; to each his own.
And only if these conditions are met can you deploy a roaming profile and folder redirection.
Part 1
Creating user folders in AD and a roaming profile.
Open “Users and Computers” in AD on the server.
In the general “Users” container we determine the access rights. For administrators we will need the “Administrator” security group, and for users “Domain Users”.
We create a shared folder, preferably on a separate disk (a clean one to start with). Let me explain: if something goes wrong with the profiles (for example, you write the wrong path), they are difficult to delete afterwards. I simply formatted the disk. Later, when you have done everything without errors, share the folder wherever you need it.
I created a shared folder called “USER PROFILES”. This is my folder. Yours can be called whatever you like. We give full access to this folder to the Domain Users security group. In the “Security\Advanced” tab, remove inheritance.
We create Administrators and Users organizational units in the current container, i.e. in our domain.
Then we create user OUs by department, and within the departmental OUs we create the user accounts.
Open the properties of Ivanov’s user account (all other user accounts are created according to the same principle). By default, created accounts are members of the Domain Users security group. This is what we need; we don't change anything.
Click on the “Profile” button.
Profile path – leave it empty.
Connect – select a drive letter (this is not really a drive but the user’s folder on the server, although it will look like a network drive) and in the path field enter \\server name\shared folder name\department name\%username%
%username% is a user variable to avoid manually entering users in the shared folder.
I got it like this: \\Virtual-server\user profiles\ACCOUNTING\%username%
As soon as we click OK, a folder with the user name Ivanov will immediately appear in the shared folder. Then we do the same with Petrov’s account and Sidorov’s account. As a result, personal user folders will appear in the ACCOUNTING folder.
I.e. the %username% variable is converted to the user name in the folder structure.
Convenient.
Why such manipulations? So that a user who logs in under his account lands exactly in his own folder, i.e. the profile name is written in the account, and a folder with that name appears in the shared folder.
All the service folders will be redirected into these user folders by group policy; that is what they are called: REDIRECTED FOLDERS.
In the future, when we create several GPOs with different parameters for different users, they can be applied specifically to certain computers or for all users or individually. More on this in the next article.
At this stage, we have created a structure of departmental user profiles and distributed these profiles into their own folders. These profile folders are currently empty.
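The same Part 1 structure built from PowerShell on the server, as an added example that is not code from the article. It also tightens the NTFS permissions: the full access given to Domain Users above lets any user open any colleague’s folder, so here Domain Users may only list a department folder and create their own subfolder, and each user gets full control of his own folder only. Assumed names: local folder D:\USER PROFILES shared as “user profiles” on Virtual-server, NetBIOS domain CORP, department OUs under OU=Users,DC=corp,DC=example, drive letter H:.

```powershell
# Added example (not code from the article): Part 1 done with PowerShell on the server.
# Assumed names: local folder D:\USER PROFILES shared as "user profiles" on Virtual-server,
# NetBIOS domain CORP, department OUs under OU=Users,DC=corp,DC=example, drive letter H:.
Import-Module ActiveDirectory

$LocalRoot = 'D:\USER PROFILES'
$ShareRoot = '\\Virtual-server\user profiles'
$UsersDn   = 'OU=Users,DC=corp,DC=example'
$NetBios   = 'CORP'

# Share the root once. Share-level access can stay wide open: the NTFS permissions
# set below are what actually keep users out of each other's folders.
if (-not (Get-SmbShare -Name 'user profiles' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'user profiles' -Path $LocalRoot -FullAccess "$NetBios\Domain Users" | Out-Null
}

function New-Ace([string]$Who, [string]$Rights, [string]$Inherit) {
    # Builds an Allow ACE; $Inherit 'None' means "this folder only"
    New-Object System.Security.AccessControl.FileSystemAccessRule($Who, $Rights, $Inherit, 'None', 'Allow')
}

foreach ($Dept in 'ACCOUNTING', 'PLANNING') {
    $DeptPath = Join-Path $LocalRoot $Dept
    New-Item -ItemType Directory -Path $DeptPath -Force | Out-Null

    # Department folder: inheritance removed (as in the text); admins and SYSTEM get full
    # control, Domain Users may only list it and create their own subfolder.
    $acl = Get-Acl -Path $DeptPath
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Ace "$NetBios\Domain Admins" 'FullControl' 'ContainerInherit,ObjectInherit'))
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'   'FullControl' 'ContainerInherit,ObjectInherit'))
    $acl.AddAccessRule((New-Ace "$NetBios\Domain Users" 'ListDirectory,CreateDirectories,ReadAttributes,Synchronize' 'None'))
    Set-Acl -Path $DeptPath -AclObject $acl

    # One folder per user with full control for that user only (what %username% on the
    # Profile tab produces), then point the account's home folder at it.
    Get-ADUser -SearchBase "OU=$Dept,$UsersDn" -Filter * | ForEach-Object {
        $UserPath = Join-Path $DeptPath $_.SamAccountName
        New-Item -ItemType Directory -Path $UserPath -Force | Out-Null
        $uacl = Get-Acl -Path $UserPath
        $uacl.AddAccessRule((New-Ace "$NetBios\$($_.SamAccountName)" 'FullControl' 'ContainerInherit,ObjectInherit'))
        Set-Acl -Path $UserPath -AclObject $uacl
        Set-ADUser -Identity $_ -HomeDrive 'H:' -HomeDirectory "$ShareRoot\$Dept\$($_.SamAccountName)"
    }
}
```

Unlike the ADUC dialog, Set-ADUser does not expand %username% or create the folder, which is why the script creates each folder and writes the expanded path itself.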
This completes the first stage.
Part 2
Creating a group policy for REDIRECTED FOLDERS
In AD, launch “Group Policy Management”.
In “Group Policy Objects” we create a new policy (right-click, “New”) and give it a clear name that says what this policy is for. For accounting I used the name ACCOUNTING PROFILES.
ATTENTION! For each department we create a separate GPO with the path for that department! You will understand why later.
Next, select the created GPO and right-click “Edit”. The Group Policy Management Editor will open.
Open this path: User Configuration\Policies\Windows Settings.
We are interested in the “Folder Redirection” node. Let's open it.
The right pane shows the folders that can be redirected. You can redirect only “Desktop” and nothing else, or also add “Documents”. But I redirect all folders except “Saved Games”. Games, well, that’s obvious: no time to play at work.
Although “Contacts”, “Links” and “Searches” are almost never needed. Everyone decides for themselves which folders to redirect.
Next, right-click on the Desktop folder and open “Properties”.
The following window opens:
1. In the first line (Setting) select “Basic – Redirect everyone's folder to the same location”.
2. In the second line (Target folder location) select “Create a folder for each user under the root path”.
3. In the third line (Root Path) enter the path of your shared folder where the profiles will be stored. Note: the redirection path is different for each department.
For accounting, after \\server name\shared folder name\ you enter Accounting; for the planning department you enter Planning department, etc.
I talked about this in paragraph 3 of the Second Stage.
4. In this window there is also a “Settings” tab.
We uncheck the first box, leave the second one, and I unchecked the third one because I don't have those operating systems.
“Policy Removal”: at your discretion, but sometimes the folders are redirected back incorrectly. I've run into this several times. Since I'm not going to change the policy, I left the first option selected.
Click OK. This means the folders will be redirected to the shared folder, into the profile folder created earlier. Everything is interconnected: each user's profile and the GPO have the same path.
Once we are done with this GPO, close the Group Policy Management Editor. But it is not yet linked to users and computers.
This completes the second stage.
Part 3
Setting up and linking a GPO to a specific object
We return to the “Group Policy Management”.
To link a GPO to an object, simply drag it onto the desired OU, i.e. drag the GPO named ACCOUNTING PROFILES onto the ACCOUNTING OU. This policy then applies to everyone in that OU: to Ivanov, to Petrov and to Sidorova.
But if you mistakenly drag the GPO onto Petrov’s own OU, the policy will only work for the user Petrov. I made this mistake a couple of times in a hurry, and then couldn’t understand why nothing was working right.
But you also need to set the application rules for the created GPO. Otherwise it won't work.
We select our GPO and see this window.
1. In the Security Filtering section of the “Scope” tab, add “Domain Computers” and “Domain Users”. By default, the “Authenticated Users” group is there. We remove it for now.
2. Look at the “Delegation” tab at the top.
At the bottom right of this window, click the “Advanced” button.
Here we add the “Authenticated Users” group back and give it read-only rights.
We give “Read” and “Apply group policy” rights to “Domain Computers” and “Domain Users”.
“Enterprise Domain Controllers” – read only.
“SYSTEM” – no rights applied; mine is empty.
“Domain Admins” and “Enterprise Admins” – full rights, except for “Apply group policy”.
Note! Here we really only need “Domain Computers”, “Domain Users” and “Authenticated Users”. The rest could be deleted and the GPO would work fine, but then you won't be able to change the GPO when necessary. So leave everything as it is.
Only after this is the GPO considered configured.
To update group policy on the server, click “Start\Run” and enter the command gpupdate /force. All policies will be applied and updated.
Now the small matter remains: we need to check everything.
Log on to the test computer (not the server) under the created user, Ivanov, and wait. The desktop will be prepared on the computer.
After the desktop has opened, open the shared folder on the server with the name of Ivanov’s profile.
These service folders should appear in Ivanov’s profile folder:
This means that the folder redirection GPO worked great.
This completes the stage of creating a group policy for folder redirection and moving the user profile.
This completes the third stage.
Part 4
Final
Now we need to create the same group policies for other departments.
But there is no need to create them from scratch. Simply, in “Group Policy Objects”, copy the created policy for Accounting and paste it into “Group Policy Objects” (preserving the existing permissions), rename it to the name of another department, and right-click “Edit”.
Go down the same path again: User Configuration\Policies\Windows Settings\Folder Redirection.
In redirected folders, we only change the department name, as I said earlier.
The end result will be several different policies for different departments.
Let me remind you – these are policies for folder redirection and profile movement.
Creating group policies for different tasks for different users will be explained in another article.
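Parts 2 to 4 with the GroupPolicy module, as an added example that is not code from the article: creating the first GPO with the permissions from Part 3, linking it to the department OU, cloning it for the other departments as in Part 4, and then the Part 3 check that the redirected folders actually appeared in each user’s folder. Assumed names: domain corp.example, department OUs under OU=Users,DC=corp,DC=example, share \\Virtual-server\user profiles; the redirection targets themselves still have to be set in the editor, because the module has no cmdlet for the Folder Redirection setting.

```powershell
# Added example (not code from the article): Parts 2-4 with the GroupPolicy module.
# Assumed names: domain corp.example, department OUs under OU=Users,DC=corp,DC=example,
# share \\Virtual-server\user profiles. The redirection targets themselves are still set
# in the editor (User Configuration\Policies\Windows Settings\Folder Redirection).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain      = 'corp.example'
$UsersDn     = 'OU=Users,DC=corp,DC=example'
$ShareRoot   = '\\Virtual-server\user profiles'
$Departments = 'ACCOUNTING', 'PLANNING'

# Part 3 permissions: Authenticated Users read only, Domain Users and Domain
# Computers read + apply. Since MS16-072 (KB3163622) the computer account reads
# user GPOs, so computers must keep read access or this GPO is never processed.
$first = New-GPO -Name 'ACCOUNTING PROFILES' -Domain $Domain
Set-GPPermission -Name $first.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $first.DisplayName -TargetName 'Domain Users'        -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $first.DisplayName -TargetName 'Domain Computers'    -TargetType Group -PermissionLevel GpoApply

# Link to the department OU, not to a single user's OU.
New-GPLink -Name $first.DisplayName -Target "OU=ACCOUNTING,$UsersDn" -LinkEnabled Yes | Out-Null

# Part 4: clone the GPO (with its ACL) for every other department.
foreach ($Dept in ($Departments | Where-Object { $_ -ne 'ACCOUNTING' })) {
    Copy-GPO -SourceName $first.DisplayName -TargetName "$Dept PROFILES" -CopyAcl | Out-Null
    New-GPLink -Name "$Dept PROFILES" -Target "OU=$Dept,$UsersDn" -LinkEnabled Yes | Out-Null
    # then change the redirection path of the copy to ...\$Dept in the editor
}

# Part 3 check: after a test logon, each user's folder should contain the
# redirected folders. Lists every user and which expected folders are still missing.
$Expected = 'Desktop', 'Documents', 'Downloads', 'Pictures'
$Departments | ForEach-Object {
    $Dept = $_
    Get-ADUser -SearchBase "OU=$Dept,$UsersDn" -Filter * | ForEach-Object {
        $folder  = "$ShareRoot\$Dept\$($_.SamAccountName)"
        $missing = $Expected | Where-Object { -not (Test-Path (Join-Path $folder $_)) }
        [pscustomobject]@{ User = $_.SamAccountName; Folder = $folder; Missing = ($missing -join ', ') }
    }
} | Format-Table -AutoSize
```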
Now one of the important points.
If the main controller goes down, the network cable falls out, or the switch dies, how can the user keep working without a connection to the server?
Simple: offline.
And for this you need to enable that mode.
After you have logged in to your account (for example, Ivanov) and opened “My Computer”, you will see something like this:
1. Your local drives.
2. Network drive under the name of the user profile.
In fact, this is not a network drive but the profile folder on the server. To enable offline mode, right-click on this network folder. The following window pops up:
We are interested in the “Offline Files” tab. Let's open it.
Check the box “Always available offline” and click “Synchronize”.
Your files will begin synchronizing into a special folder, the Offline Files cache.
After synchronization you can work calmly, without fear that if you lose the connection to the server you will not get to your desktop.
When starting with the server unavailable, logon will be slightly slower because the computer searches for the server. If it doesn't find it, offline mode is applied. Nothing will be lost from the desktop; all files remain in their places.
You can continue working as if nothing had happened. Once the server is up again, within about 1-2 minutes your machine will synchronize with the server and all changed files will be copied to it.
In this way, you can be sure that all your data is reliably protected.
Now the last necessary step.
We have a new desktop and new system folders in the user profile, but all of these folders are empty. The last step remains: all of the user’s information from his computer must be transferred to the server.
It's very simple. Open the user’s profile on the work computer and copy everything from each system folder into the same folders located on the “network drive”.
Believe me, everything I post here I checked on my servers and users’ machines. There were a lot of mistakes until the technique and sequence for creating and using roaming profiles were perfected.
Well, that's all for now. I wish everyone good luck.