Managing Roaming User Data Deployment Guide

Managing user data is a critical part of the business environment. Today, customers use a combination of desktops, laptops, and terminal services, which challenges administrators to make user data available in a consistent way. Windows Vista® answers these challenges by using roaming profiles and Folder Redirection to give users a consistent view as they roam. This guide covers using these new features to introduce Windows Vista in a Windows XP environment.

Note

You can download a copy of this document from https://go.microsoft.com/fwlink/?LinkId=73760

Technology Review

Windows Vista User Profiles

A user profile is a predetermined folder structure and accompanying registry data. Microsoft Windows uses the registry data to describe and preserve the user environment. The folder structure is storage for user and application data, specifically for an individual user. Windows stores the profile on the local hard drive, loads the profile when the user logs on, and unloads the profile when the user logs off. However, corporate environments have users who use different computers daily. Many users will switch from a desktop to a laptop while others will use desktops and Terminal Services. This situation creates a separation between the user and their data, as the user profile stays locally on each computer, creating a need for user data to roam with the user as they log on to different computers.

A roaming user profile is user data, stored in a specific folder structure, that follows users as they log on to and log off from different computers. Roaming user profiles are stored on a central server location. At logon, Windows copies the user profile from the central location to the local computer. When the user logs off, Windows copies changed user profile data from the client computer to the central storage location. This ensures that the client data follows users as they roam the environment.

Roaming user profiles solve part of the roaming problem, but they create added concerns. User profiles can increase in size, some as large as 20 megabytes or more. This increase causes delays in user logons, because it takes some time for Windows to copy the information to the local computer. Another concern with roaming user profiles is that they are saved only at logoff. Therefore, when a user logs on to one computer and changes data within their profile, the changes remain local until the user logs off, making real-time access to user data challenging in a roaming user environment. Folder Redirection reduces some of these problems.

Windows Vista Folder Redirection

Folder Redirection is a client-side technology that provides an ability to change the target location of predetermined folders found within the user profile. This redirection is transparent to the user and gives the user a consistent way of saving their data, regardless of its storage location. Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, because Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

Folder Redirection helps with slow logons and missing data problems, but in Windows XP the only folders it supported were Application Data, Desktop, My Documents, My Pictures, and Start Menu. Folder Redirection did not include heavily used folders such as Favorites and Cookies. This kept the size of the user profile large enough to slow down logon performance. Also, synchronizing data in these folders still required a logoff.

Windows Vista has an improved roaming user experience leveraging changes in user profiles and Folder Redirection. The user profile folder structure or namespace has changed. Logically divided, the user profile namespace has a distinct separation between user and application data. Folder Redirection returns with the same behavior; however, now you can redirect 10 folders out of the user profile. Also, the new Folder Redirection Group Policy snap-in allows you to manage Folder Redirection policies for Windows Vista, Windows XP, and Windows 2000. You can create the most efficient roaming user experience when you combine Folder Redirection and roaming user profiles.

Roaming User Profiles

New Folder Hierarchy (Namespace)

As mentioned previously, a user profile is a namespace of user specific folders isolated for user and application data. Previously, Windows stored user profiles in the root folder, Documents and Settings. This location has changed, as Windows Vista stores user profiles in a more intuitively named folder—the Users folder.

The names of the folders and their locations have changed under the profile. Previous versions of user profiles contained a complex folder structure, often including nested folders two and three layers deep. The new folder locations contain fewer nested folders to ease navigation and the new names are more intuitive to the data contained within them. The following table displays the name of the folder in Windows Vista and Windows XP. Additionally, the table shows the Windows XP folder locations.

| Windows Vista Folder Name | Windows XP Folder Name | Description | Windows XP Folder Location |
|---|---|---|---|
| Contacts | Not applicable | Default location for user's contacts | Not applicable |
| Desktop | Desktop | Desktop items, including files and shortcuts | Documents and Settings\%username%\Desktop |
| Documents | My Documents | Default location for all user created documents | Documents and Settings\%username%\My Documents |
| Downloads | Not applicable | Default location to save all downloaded content | Not applicable |
| Favorites | Not applicable | Internet Explorer Favorites | Documents and Settings\%username%\Favorites |
| Music | My Music | Default location for user's music files | Documents and Settings\%username%\My Music |
| Videos | My Videos | Default location for user's video files | Documents and Settings\%username%\My Videos |
| Pictures | My Pictures | Default location for user's picture files | Documents and Settings\%username%\My Pictures |
| Searches | Not applicable | Default location for saved searches | Not applicable |
| AppData | Not applicable | Default location for user application data and binaries (hidden folder) | Not applicable |
| Links | Not applicable | Contains Windows Explorer Favorite Links | Not applicable |
| Saved Games | Not applicable | Used for Saved Games | Not applicable |

Windows Vista also has changed the Application Data folder structure. Previous user profiles did not logically sort data stored in the Application Data folder, making it difficult to distinguish data that belonged to the machine from data belonging to the user. Windows Vista addresses this issue by creating a single AppData folder under the user profile. The AppData folder contains three subfolders: Roaming, Local, and LocalLow.

Windows uses the Local and LocalLow folders for application data that does not roam with the user. Usually this data is either machine specific or too large to roam. The AppData\Local folder in Windows Vista is the same as the Documents and Settings\username\Local Settings\Application Data folder in Windows XP.

Windows uses the Roaming folder for application specific data, such as custom dictionaries, which are machine independent and should roam with the user profile. The AppData\Roaming folder in Windows Vista is the same as the Documents and Settings\username\Application Data folder in Windows XP.

It is important to understand how each new user profile folder maps to its predecessor in Windows XP, to ensure complete profile interoperability between Windows Vista and Windows XP. The following table maps the new Windows Vista profile folder to its Windows XP predecessor, where applicable.

| Windows Vista Profile Location Users\username\... | Windows XP Profile Location Documents and Settings\username\... |
|---|---|
| …\AppData\Roaming | Application Data |
| N/A | Local Settings |
| …\AppData\Local | Local Settings\Application Data |
| …\AppData\Local\Microsoft\Windows\History | Local Settings\History |
| …\AppData\Local\Temp | Local Settings\Temp |
| …\AppData\Local\Microsoft\Windows\Temporary Internet Files | Local Settings\Temporary Internet Files |
| …\AppData\Roaming\Microsoft\Windows\Cookies | Cookies |
| …\AppData\Roaming\Microsoft\Windows\Network Shortcuts | Nethood |
| …\AppData\Roaming\Microsoft\Windows\Printer Shortcuts | PrintHood |
| …\AppData\Roaming\Microsoft\Windows\Recent | Recent |
| …\AppData\Roaming\Microsoft\Windows\Send To | SendTo |
| …\AppData\Roaming\Microsoft\Windows\Start Menu | Start Menu |
| …\AppData\Roaming\Microsoft\Windows\Templates | Templates |
| …\Contacts | Not applicable |
| …\Desktop | Desktop |
| …\Documents | My Documents |
| …\Downloads | Not applicable |
| …\Favorites | Favorites |
| …\Music | My Music |
| …\Videos | My Videos |
| …\Pictures | My Pictures |
| …\Searches | Not applicable |
| …\Links | Not applicable |
| …\Saved Games | Not applicable |
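The folder mapping in the table above applied to full paths, as an added example that is not part of the original guide: a Python function that rewrites a Windows XP profile path to its Windows Vista location, which is useful when reviewing exclusion lists or locating the same profile data on both systems. The function name and the sample paths are assumptions; SendTo follows the spelling used in this guide's junction point discussion.

```python
from pathlib import PureWindowsPath

# XP folder (relative to Documents and Settings\<user>) -> Vista folder
# (relative to Users\<user>), taken from the mapping table in this guide.
# Vista-only folders (Contacts, Downloads, Searches, Links, Saved Games) have
# no XP source, and bare "Local Settings" has no Vista target.
XP_TO_VISTA = {
    r"Application Data": r"AppData\Roaming",
    r"Local Settings\Application Data": r"AppData\Local",
    r"Local Settings\History": r"AppData\Local\Microsoft\Windows\History",
    r"Local Settings\Temp": r"AppData\Local\Temp",
    r"Local Settings\Temporary Internet Files":
        r"AppData\Local\Microsoft\Windows\Temporary Internet Files",
    r"Cookies": r"AppData\Roaming\Microsoft\Windows\Cookies",
    r"Nethood": r"AppData\Roaming\Microsoft\Windows\Network Shortcuts",
    r"PrintHood": r"AppData\Roaming\Microsoft\Windows\Printer Shortcuts",
    r"Recent": r"AppData\Roaming\Microsoft\Windows\Recent",
    # The table prints the Vista folder as "Send To"; the junction point
    # discussion in this guide gives it as SendTo, which is used here.
    r"SendTo": r"AppData\Roaming\Microsoft\Windows\SendTo",
    r"Start Menu": r"AppData\Roaming\Microsoft\Windows\Start Menu",
    r"Templates": r"AppData\Roaming\Microsoft\Windows\Templates",
    r"Desktop": r"Desktop",
    r"My Documents": r"Documents",
    r"Favorites": r"Favorites",
    r"My Music": r"Music",
    r"My Videos": r"Videos",
    r"My Pictures": r"Pictures",
}

# Index keyed by lower-cased path components, because NTFS names are
# case-insensitive and a key such as "Local Settings\Temp" spans two levels.
_INDEX = {tuple(k.lower().split("\\")): v for k, v in XP_TO_VISTA.items()}


def translate_xp_path(xp_path):
    """Return the Windows Vista equivalent of an XP profile path.

    Returns None when the path is not under "Documents and Settings" or when
    the table gives no Vista location for it.
    """
    parts = PureWindowsPath(xp_path).parts
    lowered = [p.lower() for p in parts]
    if "documents and settings" not in lowered:
        return None
    i = lowered.index("documents and settings")
    if len(parts) < i + 3:
        return None  # nothing below the profile root to map
    prefix, user, rel = parts[:i], parts[i + 1], parts[i + 2:]
    # The longest mapped prefix wins, so "Local Settings\Application Data"
    # is matched before any shorter key could be.
    for n in range(len(rel), 0, -1):
        vista = _INDEX.get(tuple(p.lower() for p in rel[:n]))
        if vista is not None:
            return str(PureWindowsPath(*prefix, "Users", user, vista, *rel[n:]))
    return None


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real system.
    for sample in (
        r"C:\Documents and Settings\alice\Local Settings\History\index.dat",
        r"C:\Documents and Settings\alice\Application Data\Microsoft\Credentials",
        r"C:\Documents and Settings\alice\Local Settings\notes.txt",
    ):
        print(sample, "->", translate_xp_path(sample))
```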

All Users Profile

Previous versions of Windows provided the All Users profile. This profile provided a way to add common user data to user profiles, without editing each user profile. Windows merges the contents of the Desktop and Start Menu folders under the All Users profile with the user profile when the user logs on. Adding a shortcut to the desktop of the All Users profile would result in every user receiving the shortcut on their desktop when they log on.

Windows Vista renames the All Users profile to the Public profile and the folder structure is the same as all Windows Vista profiles. Windows Explorer will continue to merge specific folders in the Public profile, such as Desktop and Start Menu, with regular user profiles at logon. The Public profile does not have a user registry because Windows does not load this profile. Therefore, Windows writes all shared settings to the HKEY_LOCAL_MACHINE hive of the registry.

Logon and logoff behaviors

Windows Vista changes the appearance of the logon and logoff screens. Along with this visual change come changes in the way roaming profiles behave during logon and logoff.

Logon and logoff status

Windows Vista provides little information about the status of loading or unloading roaming profiles during user logon and logoff. This lack of information is misleading and may give a user the impression Windows Vista is unresponsive. You can use the computer Group Policy setting "verbose vs. normal status messages" to change this behavior. This changed behavior displays more information about the status of Windows loading and unloading the roaming profile during user logon and logoff.

Profile unload failures at logoff

Sometimes, earlier versions of Windows failed to unload the registry portion of the user profile. Many times this failure prevented the user from subsequent logons to the same computer. Windows Vista always unloads the registry portion of the user profile, even if it must forcefully do so, prior to synchronizing the profile to the profile server. When it forcefully unloads a profile, Windows writes an event message to the event log. The description of the event contains the name of the process that prevented the registry from unloading and the closed registry path.

Profile size does not prevent logging off

You can use Group Policy to enforce limits to the size of roaming profiles. Earlier versions of Windows prevented users from logging off when the size of their profile exceeded the size in the policy setting. Windows Vista still respects this policy setting; however, it no longer prevents the user from logging off the computer. Windows does not synchronize the user's profile to the profile server when it exceeds the policy enabled limit. See the <insert Group Policy section> of this document for more information about user profile policy settings.

Event message sources

Events appearing in the event viewer relating to user profiles have a new source. Earlier versions of Windows recorded user profile events using the event source "Userenv". Windows Vista uses two event sources for user profile events: User Profile Service and User Profile General. Most user profile events use the User Profile Service source. Windows uses the User Profile General event source to provide file information about user data that did not synchronize during logon or logoff.

Encrypted File System (EFS)

Windows Vista supports encrypting the local user profile just the same as Windows XP. You can encrypt all files and folders within the user profile except for the ntuser.dat and the ...\AppData\Roaming\Microsoft\Credentials folder. These two items contain important data used by the Encrypted File System.

New user profiles Group Policy settings

Windows Vista provides an additional 700 policy settings to the existing 1700 policy settings. Many of these new settings allow you to control the behavior of profiles. This section introduces you to some of the new and changed profile policy settings included with Windows Vista.

Set roaming profile path for all users logging onto this computer

This policy setting allows you to configure a roaming user profile specifically for the computer receiving this policy setting. This is one of four ways you can configure roaming user profiles. Windows reads profile configurations in the following order and uses the first configured setting.

  • Terminal Services roaming profile path specified in the Terminal Services policy setting.
  • Terminal Services roaming profile path specified in the user object.
  • Per-computer roaming profile path specified in the above described policy setting.
  • Per-user roaming profile path specified in the user object.

Delete user profiles older than a specified number of days on system restart.

This policy setting allows you to configure how long Windows retains dormant user profiles. When enabled, Windows deletes all user profiles older than the value defined in the policy setting. This policy setting measures one day as 24 hours since the last time Windows loaded the profile.

Do not forcefully unload the user registry at user logoff

You use this policy setting to disable the profile unload logoff behavior, described earlier in this document. When enabled, Windows Vista does not forcefully unload the registry and waits until all other processes complete their use of the user registry before it unloads it.

Set maximum wait time for the network if a user has a roaming user profile or remote home folder.

At logon, Windows Vista typically waits 30 seconds for an active network connection when you configure the user with a roaming user profile or remote home directory. In cases such as wireless networks, it may take more time before the network connection becomes active. Enabling this policy allows Windows to wait up to the number of seconds specified in the policy setting for an active network connection. Windows immediately proceeds with logging on the user as soon as the network connection is active or the wait time exceeds the value specified in the policy setting. Windows does not synchronize the roaming user profile or connect to the remote home folder if the logon occurred before the network connection became active.

Changed Group Policy settings

Exclude directories in roaming user profile

This policy setting behaves the same as in earlier versions of Windows. However, Windows Vista introduces a change in the user profile namespace. The results of this change include new names and locations for folders located in the user profile. For best results, review the list of folders included in this policy to ensure they are accurate for your environment.

Prompt user when slow network connection is detected

The policy setting behavior is consistent with earlier versions of Windows; however, the implementation has changed. When enabled, earlier versions of Windows displayed a dialog box to the user logging on. This dialog box notified the user they were logging on over a slow link and provided them an option to download their roaming profile or log on with a local profile.

When Windows Vista encounters this policy setting, it displays a checkbox on the logon screen. This checkbox asks the user if they want to download their roaming profile over a slow network connection. The difference is that Windows Vista asks the user before they log on, whereas earlier versions ask the user during the logon.

Do not log users on with temporary profiles

Earlier versions of Windows referred to this policy setting as "Log user off when roaming profile fails." The policy name changed to accurately reflect the real actions Windows Vista performs when it encounters this policy setting. The policy setting prevents Windows from allowing users to log on with a temporary profile. This also prevents users from logging on in scenarios where the user's roaming profile fails to load. When it fails to load the user profile, Windows attempts to log the user on with a temporary profile.

Compatibility with Application and User Profiles from Previous Versions of Windows

Application Compatibility

Many applications take full advantage of the existing user profile namespace. Open and save dialog boxes locate the user profile, helping the user save their data in the correct location. In Windows Vista, this behavior will not change for most applications.

Well-known folders are the folders within the user profile, such as My Documents or Application Data. Windows Explorer knows the disk location of each well-known folder, as it may change when used with Folder Redirection. Therefore, each application has the ability to ask Windows for the exact location of the folder, regardless of its redirected location. This ensures the application has the correct location for Documents or Pictures, when prompted to open or save a document or picture. The profile changes in Windows Vista are transparent to applications using the previously described method to discover well-known folder locations.

Some applications use a slightly different way to discover well-known folder locations. The application will ask Windows to find a given well-known folder and store the location for future use. Upgrading to Windows Vista would change the on-disk location of the folder, making the stored location not valid. This results in the application failing to find the data. Windows Vista provides a way to allow these applications to find data by using junction points.

A junction point is a physical location on a hard disk that points to data found elsewhere on your hard disk. Windows Vista creates a junction point for shell folders that appeared within the Windows XP profile namespace. For example, the location of the Send To shell folder in Windows XP is Documents and Settings\username\SendTo. The location of the Send To shell folder in Windows Vista is Users\username\AppData\Roaming\Microsoft\Windows\SendTo. Figure 2 shows a list of all the folders in the user profile for a user named "admin." The list shows folder entries listed with <DIR> and junction points listed with <JUNCTION>. This example highlights the junction point SendTo, which is the equivalent Windows XP location for the Send To contents. The information in brackets ([ ]) displays the physical disk location to which the junction point SendTo points. When applications write to the Windows XP location of SendTo, the file system will redirect data to the Windows Vista location of SendTo. Additionally, Figure 2 shows other junction points within the Windows Vista user profile.

Note

Junction points are a feature of the NTFS File System and not a feature of Folder Redirection. Also, Windows Vista creates junction points using the language configured in the system locale.

You may have application compatibility issues if the application does not use the previously discussed methods to discover the folder location. Fixing these compatibility issues can be as easy as editing the path within the application and as complex as contacting the application vendor. Testing the application before it is put into production is the best plan for success.

Compatibility with previous user profiles

The user profile namespace used in Windows XP is identical to the one used in Windows 2000, making interoperability between the operating systems transparent. However, the significant changes in the Windows Vista profile namespace create a challenge. These significant changes prevent Windows Vista from loading user profiles from previous versions of Windows. Also, previous versions of Windows do not load Windows Vista user profiles. Therefore, Windows Vista roaming user profiles will add "v2" to the end of the profile folder. The "v2" is used to isolate Windows Vista roaming user profiles from roaming user profiles created by previous operating systems. You can find more information about user profile interoperability with Windows XP user profiles later in this document.

Important

Users previously configured with roaming, mandatory, or super mandatory profiles no longer have a roaming, mandatory, or super mandatory profile after upgrading their computer to Windows Vista. This is a result of Windows Vista using the ".V2" specification for Windows Vista user profiles. For best results, prepare Windows Vista mandatory and super mandatory user profiles prior to upgrading the user's computer.

Folder Redirection in Windows Vista

Folder Redirection is a feature that allows users and administrators to redirect user-specific profile folders to an alternate location. Documents, Desktop, and Start Menu are examples of folders you can redirect. When you click the Documents folder, you see all of your documents. That same experience is true when you use Folder Redirection, only your files are not local to the computer. Your files follow you from workstation to workstation.

Before Folder Redirection, user profiles were the only way to allow user specific data to follow the user. However, user logons became slow, as users stored more data in their profile. Also, access to user data was not in real-time; users had to log off for new data to roam with them.

Folder Redirection gives administrators the ability to move this data out of the user profile, giving users real-time access to their data. Windows Vista improves Folder Redirection by allowing the administrator to redirect 10 user-specific folders. This change in Folder Redirection complements the improvements found in the Windows Vista user profile.

The best way to leverage Folder Redirection is in a domain environment using Group Policy. You configure Folder Redirection using the Folder Redirection snap-in found in Group Policy Object Editor.

Windows Vista includes a new Folder Redirection snap-in that allows you to configure Folder Redirection for clients running Windows Vista, Windows XP, and Windows 2000. You can choose the following settings for each folder listed in the Folder Redirection snap-in.

  • Not Configured
  • Basic Redirection
  • Advanced Redirection

Not Configured

The Not Configured Folder Redirection setting is available to all folders listed in the snap-in. When you select this setting, you are returning the Folder Redirection policy for the named folder to its default state. Folders previously redirected with the policy will stay redirected. User folders on clients without any previous knowledge of the folder redirection policy will remain local, unless acted on by another policy.

Basic Redirection and Advanced Redirection

Basic Redirection and Advanced Redirection are available to all folders listed in the snap-in. You use Basic Redirection when the Group Policy object stores the selected folder on the same share for all users. You use Advanced Redirection when you want to redirect the selected folder to a different location based on a security group membership of the user. For example, you would use Advanced Redirection when you want to redirect folders belonging to the Accounting group to the Finance server and folders belonging to the Sales group to the Marketing server.

Note

If a user is a member of multiple security groups listed for a specific folder, Folder Redirection will use the path of the first security group that matches for the given user.

Follow Documents folder

The Music, Pictures, and Videos folders support another Folder Redirection setting called Follow Documents folder. The Follow Documents folder setting redirects the Music, Pictures, and Videos folders as subfolders of the Documents folder. This folder redirection will make the selected folder inherit folder redirection options from the Documents folder and disable the folder redirection options for the selected folder.

Target Folder Location

Each folder needs a target location. Windows Vista provides four options when selecting a target folder location:

  • Create a folder for each user under the redirection path: This option will redirect the selected folder to the location specified in the Root Path. Also, this option will add a folder named after the user logon name. For example, if you redirect the Documents folder to the root path of \\server\share, Folder Redirection will create the Documents folder under the path \\server\share\username.
  • Redirect to the following location: This option redirects the named folder to the exact path listed in the Root Path. This has the capacity to redirect multiple users using the same share path for the redirected folder. You could use this option so multiple users have the same Desktop or Start Menu.

Note

Folder redirection only supports %USERNAME%, %USERPROFILE%, %HOMESHARE%, and %HOMEPATH% environment variables.

  • Redirect to the local user profile location: This option redirects the named folder to the local user profile. The local user profile for Windows Vista is Users\Username. The local user profile for Windows XP and Windows 2000 is Documents and Settings\username.
  • Redirect to the user’s home directory: This option is available only on the Documents folder and redirects the Documents folder to the home folder path configured in the properties of the user object. To make the Pictures, Music, and Videos folders follow the Documents folder to the home directory, check the "Apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems" setting.
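A model of how a redirection target is chosen and built from the rules above, as an added example that is not code from the original guide or from Windows: it applies first-matching-group selection, the four target options, and the supported-variable list, and flags an exact path that every user in scope would share. The class names, rule layout, server names, and the values assumed for each variable are illustrative.

```python
import re
from dataclasses import dataclass

# The only variables this guide lists as supported in a redirection path.
SUPPORTED_VARS = {"USERNAME", "USERPROFILE", "HOMESHARE", "HOMEPATH"}
_VAR = re.compile(r"%([^%\\]+)%")


@dataclass(frozen=True)
class Target:
    option: str          # "per_user", "exact", "local_profile" or "home_directory"
    root_path: str = ""


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    home_share: str = ""   # assumed form: \\server\home
    home_path: str = ""    # assumed form: \alice

    def env(self):
        # Assumed values a Windows Vista client would supply for this user.
        return {"USERNAME": self.name,
                "USERPROFILE": "C:\\Users\\" + self.name,
                "HOMESHARE": self.home_share,
                "HOMEPATH": self.home_path}


def expand(root_path, env):
    """Expand %VAR% references; reject variables Folder Redirection does not support."""
    def sub(match):
        var = match.group(1).upper()
        if var not in SUPPORTED_VARS:
            raise ValueError(f"unsupported variable %{match.group(1)}% in {root_path!r}")
        return env[var]
    return _VAR.sub(sub, root_path)


def select_target(rules, user):
    """rules is an ordered list of (group, Target); group None models Basic
    Redirection. The first rule whose group the user belongs to wins."""
    for group, target in rules:
        if group is None or group in user.groups:
            return target
    return None


def resolve(folder, rules, user):
    """Return (path, warnings); path is None when no rule applies to the user."""
    target = select_target(rules, user)
    if target is None:
        return None, []
    env, warnings = user.env(), []
    if target.option == "per_user":
        # Root path, then a folder named after the user, then the folder itself.
        root = expand(target.root_path, env).rstrip("\\")
        path = "\\".join([root, user.name, folder])
    elif target.option == "exact":
        path = expand(target.root_path, env)
        if not _VAR.search(target.root_path):
            warnings.append("exact path has no per-user variable: all users in scope share it")
    elif target.option == "local_profile":
        path = env["USERPROFILE"] + "\\" + folder
    elif target.option == "home_directory":
        if folder != "Documents":
            raise ValueError("home directory redirection is only available for Documents")
        path = user.home_share + user.home_path
    else:
        raise ValueError(f"unknown target option {target.option!r}")
    return path, warnings


# Constructed sample modelled on the guide's Accounting/Sales illustration.
RULES = [("Accounting", Target("per_user", r"\\finance\redirect")),
         ("Sales", Target("per_user", r"\\marketing\redirect"))]

if __name__ == "__main__":
    alice = User("alice", frozenset({"Sales", "Accounting"}))
    print(resolve("Documents", RULES, alice))
```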

Folder Redirection Settings

Folder Redirection settings allow you to control specific client side behaviors when you apply one or more Folder Redirection policies.

  • Grant the user exclusive rights to <folder>: Controls the NTFS permissions of a newly created %username% folder, allowing the user and Local System to have Full Control of the newly created folder. This is the default behavior.

Important

This setting controls the permissions on newly created folders. If the target folder does not exist, Folder Redirection will create the folder and set the permissions, allowing only the user and Local System to have Full Control permissions. The administrator and other users will not have permission to the folder. If the target folder does exist, Folder Redirection will verify the ownership of the folder. If another user owns the folder, Folder Redirection will fail redirection for the specified folder. Folder Redirection will not check ownership of the folder when you clear this check box.

  • Move the contents of <folder> to the new location: Will move all the user data in the named folder to the redirected folder. This setting defaults to enabled.
  • Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems: Directs the Folder Redirection management snap-in to write the redirection policy in a format recognized by the previous operating systems listed. When this setting is cleared, the snap-in will write the redirection policy in a format exclusive to Windows Vista.

Note

This setting is only available to Folders that allowed Folder Redirection before Windows Vista. These folders are Documents, Pictures, Application Data, Desktop, and Start Menu.

Policy Removal Settings

When a policy no longer applies to a specific user, that policy is out of scope. The Folder Redirection management snap-in has Policy Removal settings to allow you to choose the behavior you want folder redirection to perform once a policy is out of scope.

  • Leave folder in new location when policy is removed: Folder Redirection will leave the files in the redirected location.
  • Redirect the folder back to the local user profile location when policy is removed: If enabled, Folder Redirection will copy the files in the redirected folder to the local user profile.

Policies usually become out of scope when they are unlinked or deleted by the administrator, or the user belongs to a group with specific permission not to apply the policy.

Roaming User Data Scenarios

The following scenarios will show you the benefits of Folder Redirection and roaming user profiles. These scenarios also will highlight some strategies you can use to confidently adopt Windows Vista in your current environment.

Manage roaming data using Folder Redirection

This scenario introduces the new Folder Redirection snap-in included in Windows Vista, which you will use to redirect new and existing user data folders. Included is a review of new choices within the snap-in to give you the knowledge needed to manage Folder Redirection policies from Windows Vista. In the end, you will have confidence knowing Windows Vista can manage Folder Redirection policies for itself as well as Windows XP.

Manage roaming data using Roaming and Mandatory Profiles

This scenario will guide you through understanding how to prepare and set up roaming and mandatory profiles using Windows Vista with more content covering the changes to profiles in Windows Vista.

Windows Vista and Windows XP Roaming User Profile Interoperability

In this last scenario, you will combine Folder Redirection with roaming user profiles to provide the best experience for corporate users that switch between Windows Vista and Windows XP.

Requirements for Roaming User Data

This document assumes you currently have a Windows 2003 domain that contains at least one domain controller, one file server, one Windows XP Service Pack 2 workstation, and one Windows Vista workstation. You can find out more information about how to install and configure a domain controller by reading the Step-by-Step Guide to a Common Infrastructure for Windows Server 2003 Deployment (https://go.microsoft.com/fwlink/?LinkID=70722). See the Windows Vista Web site for current hardware requirements (https://go.microsoft.com/fwlink/?LinkID=70723) for Windows Vista.

Requirement Checklist

  • A minimum of one domain controller running Windows Server 2003 Service Pack 1 or Windows Server 2003 R2
  • A minimum of one member server running Windows Server 2003 Service Pack 1 or Windows Server 2003 R2
  • A minimum of one member workstation running Windows XP Service Pack 2
  • A minimum of one member workstation running Windows Vista
  • Basic network connectivity using TCP/IP and Name Resolution using DNS

Contoso.com

The examples provided in this document are based on a single domain named contoso.com. The contoso.com domain contains a single domain controller running Windows Server 2003. In addition, the domain controller also serves as a DNS server for the contoso.com domain. Several other servers are used for file and print services. The client workstations are domain computers running Windows Vista and Windows XP.

Scenario 1: Manage roaming data using Folder Redirection

In this example, you will see how you can manage existing Folder Redirection policies with the new Folder Redirection Management snap-in that is included in Windows Vista. You will also use the new snap-in to create Folder Redirection policies specifically for clients running Windows Vista. Completing this example, you will see how you can use the Folder Redirection Management snap-in to manage all your Folder Redirection policies.

Manage an existing Folder Redirection Policy

All the users in the accounting department have their My Documents folder redirected to the finance server. Figure 6 shows the Folder Redirection management snap-in from Windows XP. Here you can see the settings for the XP Folder Redirection Policy that affects accounting users.

The IT department is incrementally installing new computers running Windows Vista for accounting users. You want to ensure the folder redirection policies are transparent for users as they move from Windows XP to Windows Vista. To do this, you will use Group Policy Management Console and the Folder Redirection Management snap-in to edit the Folder Redirection policy.

Edit an existing Folder Redirection Policy

  1. Log on to a domain computer running Windows Vista with domain administrator credentials. Open the Run command by pressing the Windows logo key + R. Type GPMC.MSC, and then click OK.

  2. Right-click a Group Policy object that has a previously enabled Folder Redirection policy, and then click Edit. For example, in the Contoso.com domain, there is a policy named XP Folder Redirection Policy.

  3. Under User Configuration, double-click to expand Windows Settings and Folder Redirection. Right-click the Documents folder, and then click Properties.

  4. Click the Settings tab in the Documents Properties dialog box and verify the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems setting is selected. Click OK.

  5. Right-click the Pictures folder, and then click Edit. The default Folder Redirection setting should be set to Follow the Documents folder. Repeat this procedure for the Music and Videos folders. Close the Group Policy Object Editor to complete this step.

The Folder Redirection management snap-in can edit existing Folder Redirection Policies and create new Folder Redirection policies. It can even manage Folder Redirection policies for previous operating systems (Windows Server 2003, Windows XP, Windows 2000 Server, and Windows 2000).

In this next example, you will see how to create a new Folder Redirection policy that provides Folder Redirection for Windows Vista and earlier versions of Windows.

Create a new Folder Redirection policy

  1. Log on to a domain computer running Windows Vista with domain administrator credentials. Open the Run command by pressing the Windows logo key + R. Type GPMC.MSC, and then click OK.

  2. Right-click the Group Policy Objects node, and then click New. Type the name of the policy. For example, in the New GPO dialog box, type Windows Vista Folder Redirection Policy.

  3. Right-click the Group Policy object you created in step 2, and then click Edit.

  4. Under User Configuration, double-click to expand Windows Settings and Folder Redirection. Right-click the Documents folder, and then click Properties.

  5. On the Target tab, configure the following:

    • Setting: Basic—redirect everyone’s folder to the same location.
    • Target Folder Location: Create a folder for each user under the root path
    • Root Path: Type the UNC file path where you want to redirect the Documents folder. For example, users in the accounting department redirect their Documents folder to \\finance\userfolder.

  6. Click the Settings tab in the Documents Properties dialog box and configure the following:

    • Select the Grant the user exclusive rights to Documents check box.
    • Select the Move the contents of Documents to the new location check box.
    • Select the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems check box.

Note

Redirecting the Documents folder to earlier versions of Windows will automatically set the Pictures, Music, and Video folders to follow the Documents folder, if you have not previously configured them.

  7. Right-click the Pictures folder, and then click Edit. The default Folder Redirection setting should be set to Follow the Documents folder. Repeat this procedure for the Music and Videos folders. Close the Group Policy Object Editor to complete this step.

Important

The Folder Redirection management snap-in is responsible for synchronizing the Folder Redirections policy settings for Windows Vista and earlier versions of Windows. Therefore, previous versions of the Folder Redirection Management snap-in will not save any changes to Folder Redirection policies created with the Windows Vista Folder Redirection management snap-in.

Remember these best practices to ensure compatibility:

  • Make sure you select the Folder Redirection policy setting Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems check box. The option is disabled on folders that support redirection only on Windows Vista.
  • Ensure you set Music and Videos folders to Follow the Documents folder. You can choose to redirect the Pictures folder to a location other than Documents, which was allowed in previous versions of Windows. Trying to redirect the Music and Videos folder to an alternate location other than the Documents folder will disable compatibility with earlier versions of Windows.
  • Folder Redirection compatibility with earlier versions of Windows only works with the AppData (Roaming), Desktop, Start Menu, Documents, and Pictures folders. The Music and Video folders support compatibility with earlier versions of Windows when set to Follow the Documents folder, which happens automatically when you redirect the Documents folder.

Scenario 2: Manage roaming data using Roaming and Mandatory Profiles

This example will show how to prepare and set up roaming profiles for Windows Vista in your current environment. You will learn how to set up a network default profile, roaming profile, mandatory profile, and super mandatory profile.

Preparing to use Roaming User Profiles

Windows Vista creates a user profile when a user logs on to a computer for the first time and does not have a roaming user profile. This newly created profile originates from a default user profile. Domain joined computers will search for a default network profile. The default network profile is the default profile that is stored in the Default User folder found in the Netlogon share of domain controllers.

Windows Vista cannot read a default network profile created from Windows Server 2003 or Windows XP. Therefore, you need to create a new default network profile using Windows Vista.

Note

A default network profile is optional. Windows Vista will use the local default profile when it cannot locate a default network profile.

Important

Creating a default network profile involves copying large amounts of data to the Netlogon share of a domain controller. The Netlogon share is a folder found on sysvol. The File Replication service (FRS) mirrors the sysvol share to all domain controllers in the domain. It may be favorable to perform these steps during off-peak hours, if you are using a production environment.

Create a Default Network User Profile

  1. Log on to a computer running Windows Vista with any domain user account. Do not use a domain administrator account.

  2. Configure user settings such as background colors and screen savers to meet your company standard. Log off the computer.

  3. Log on to the computer used in step 1 with a domain administrator account.

  4. Use the Run command to connect to the Netlogon share of a domain controller. For example, the path used in the contoso.com domain looks like \\HQ-CON-SRV-01\NETLOGON.

  5. Create a new folder in the Netlogon share and name it Default User.v2.

  6. Click Start, right-click Computer, and then click Properties.

  7. Click Advanced System Settings. Under User Profiles, click Settings.

  8. The User Profiles dialog box shows a list of profiles stored on the computer. Click the name of the user you used in step 1. Click Copy To.

  9. In the Copy To dialog box, type the network path to the Windows Vista default user folder you created in step 5 in the Copy profile to text box. For example, the network path in the contoso.com domain is \\HQ-CON-SRV-01\NETLOGON\Default User.v2.

  10. In Permitted to use, click Change. Type the name Everyone, and then click OK.

  11. Click OK to start copying the profile. Close all remaining windows and log off the computer when the copying process is complete.

You have successfully prepared your existing environment to allow for Windows Vista roaming user profiles. The default network profile is the profile from which Windows Vista will source all new profiles. Creating the default network profile in a central location lets you combine your organization's standards into a central user profile from which all users start.

Roaming Profiles on a user account

Creating the default user profile prepares the environment to support Windows Vista profiles. Next, you need to configure a user account to have a roaming user profile and its roaming user profile path.

Prepare a user account

  1. As a domain administrator, open the Active Directory Users and Computers management console from a Windows Server 2003 or Windows XP computer.

  2. Right-click the user account for which you want to configure a roaming user profile.

  3. Click the Profile tab. Type the network path you created in step 2 in the profile path text box. Add the text \%username%. For example, the profile path for user1 in the contoso.com domain is \\finance\RUP\%username%.

Note

Windows will replace the environment variable %username% with the logon name of the user. For example, if the logon name is “user1” then Active Directory Users and Computers will replace %username% with the name “user1”. The full network path would be \\finance\RUP\user1.

  4. Click OK, and then close the Active Directory Users and Computers management console.

Prepare the roaming user profile location

  1. Create a new folder on a central fileserver. You will use this folder only for roaming user profiles. For example, you could use the folder name “Profiles”.

  2. Share the folder using a name suitable for your organization.

  3. Change the share permission to allow the Authenticated Users group the Full Control permission. For example, the finance department in contoso.com has a dedicated server on which to store user profiles. The name of the folder is "Profiles" and the share name is RUP.

Note

Windows creates the roaming user profile folder for the user and makes the user the owner of the folder.

Windows Vista uses the ".v2" extension to distinguish between version 1 and version 2 profiles. Windows Server 2003, Windows XP, and Windows 2000 author version 1 profiles. You store these profiles in a folder with a name that matches the logon name of the user account. Windows Vista authors version 2 profiles. You store version 2 profiles in a folder with the first part of the folder name matching the logon name of the user followed by ".v2".

Log on as the user

  1. Log on to a Windows Vista workstation with the domain user account you configured in the Prepare a user account procedure.

  2. Log off the computer.

Windows populates the roaming user profile when the user logs off for the first time. It will resolve the changes in the profile with each subsequent logoff. The folder you previously created has the contents of that user's roaming user profile.

Important

Do not add ".v2" to the profile path of the user object in Active Directory Users and Computers. Doing so may prevent Windows Vista from locating the roaming or mandatory profile. You should only apply the ".v2" suffix to the name of the user folder on the central file server.

Important

It is acceptable to use the existing server and file share where you store your current roaming user profiles. However, each user will have two roaming profile folders, one for Windows Vista and one for Windows XP. The added folder also means additional storage requirements for the server. Ensure the drive hosting the share has adequate free space, and adjust any disk quota policies appropriately.

Mandatory Profiles

Use mandatory profiles when you want a persistent user environment for every user. Mandatory profiles work the same way as previously described roaming user profiles with one exception: Windows does not save the profile to the central location when the user logs off. A mandatory profile is a read-only profile, secured by network administrators to ensure a consistent look and behavior for each user, which often lowers the total cost of ownership.

For example, the IT administrators of the contoso.com domain are imposing mandatory profiles. The administrator configures the company logo as the default background for the workstation with various other corporate standard settings. User1, from the finance department, logs on to a Windows Vista workstation and receives the mandatory profile. User1 then decides to remove the company logo as the default background in favor of another picture. User1 then logs off the workstation. Later, user1 logs back on only to find the corporate logo has returned as the default background.

A roaming user profile would save the change of the default background and any other settings the user may manipulate. However, mandatory profiles do not save the changes, and therefore the user will receive a profile mandated by the administrators.

Create a Mandatory Profile

You can configure any profile to become a mandatory profile. You can have one central profile used by all users or you can turn individual roaming user profiles into mandatory profiles.

Prepare the mandatory profile location

  1. Create a new folder on a central file server, or use an existing folder that you use for roaming user profiles. For example, you could use the folder name “Profiles”.

  2. If you are creating a new folder, share the folder using a name suitable for your organization.

Note

Shared folders that contain roaming user profiles need the share permissions to allow the Authenticated Users group Full Control permission. Folders dedicated to storing mandatory profiles should have the share permissions to allow the Authenticated Users group Read permission and allow the administrators group Full Control permission.

  3. Create a new folder in the folder created or identified in step 1. You want the name of this folder to start with the logon name of the user account if the mandatory profile is for a specific user. If the mandatory profile is for more than one user, name it accordingly. For example, the contoso.com domain has a mandatory profile and the folder name begins with the word "mandatory."

  4. Finish naming the folder by adding ".v2" after the name. The example used in step 3 used the folder name, "mandatory." The final name of the folder for this user would be "mandatory.v2".

Create a new mandatory profile

  1. Log on to a computer running Windows Vista with any domain user account. Do not use a domain administrator account.

  2. Configure user settings such as background colors and screen savers to meet your company standard. Log off the computer.

  3. Log on to the computer previously used in step 1 with a domain administrator account.

  4. Click Start, right-click Computer, and then click Properties.

  5. Click Advanced System Settings. Under User Profiles, click Settings.

  6. The User Profiles dialog box shows a list of profiles stored on the computer. Click the name of the user you used in step 1. Click Copy To.

  7. In the Copy To dialog box, type the network path of the folder you created in the Prepare the mandatory profile location procedure in the Copy profile to text box. For example, the network path in the contoso.com domain would be \\finance\RUP\mandatory.

  8. Under Permitted to use, click Change. Type the name Everyone, and then click OK.

  9. Click OK to start copying the profile. Close all remaining windows and log off the computer when the copying process is complete.

You can convert any roaming user profile to a mandatory profile by changing the name of the NTUSER.DAT file.

You can divide Windows settings into two groups: user or computer settings. User settings include items such as font size, background color, or screen saver. Windows saves these settings in a file named NTUSER.DAT and stores the file in the user profile. To convert a roaming user profile, you need to rename the NTUSER.DAT file to NTUSER.MAN. However, Windows considers the NTUSER.DAT file to be a protected operating system file, which by default Windows Explorer does not show.

Convert a roaming user profile to a mandatory profile

  1. Log on to Windows Vista as a domain administrator.

  2. Click Start, right-click Computer, and then click Explore.

  3. Click Organize, and then click Folder options.

  4. Click the View tab. Scroll down and click Show hidden files and folders. Clear the Hide extensions for known file types and Hide protected operating system files check boxes. Click OK to dismiss the warning. Click OK to apply the changes and close the dialog box.

  5. Browse to the network location created in the Prepare the mandatory profile location procedure—or any other location that contains a roaming profile you want to convert to a mandatory profile.

  6. Right-click the file NTUSER.DAT, and then click Rename. Change the name of the file to NTUSER.MAN. Press ENTER.

You have successfully converted a roaming profile to a mandatory profile. You can apply a mandatory profile to any user by entering the network path of the mandatory profile into the profile path on the user object.

Super Mandatory Profiles

The super mandatory profile is a mandatory profile with an additional layer of security. Windows Vista must successfully load the super mandatory profile or the user cannot log on to the workstation. Occasionally, transient issues may prevent a roaming or mandatory profile from loading. When this happens, Windows Vista will create a temporary profile for the user based on the default network user profile or the default local user profile. Windows Vista deletes temporary profiles when the user logs off. Super mandatory profiles prevent creating a temporary user profile and restrict the user from logging on, should there be any problem with finding or loading the mandatory profile.

Create a super mandatory profile

  1. Create a mandatory profile by following the Create a mandatory profile procedure.

  2. While logged on as a domain administrator, connect to the network share you created or used in step 1. This should be the share path to the roaming or mandatory user profile. For example, the share path in the contoso.com domain is \\finance\RUP\.

  3. Right-click the user folder for which you want to configure a super mandatory user profile. Click Rename. Add .man.v2 to the end of the folder name. Close Windows Explorer.

  4. As a domain administrator, open the Active Directory Users and Computers management console from a Windows Server 2003 or Windows XP computer.

  5. Right-click the user account for which you want to configure a mandatory user profile.

  6. Click the Profile tab. Type the network path you created in step 1 in the Profile Path text box. Add .man to the end of the profile path. For example, a mandatory profile path for user1 in the contoso.com domain would be \\finance\RUP\user1.man.

You have successfully configured a super mandatory profile. Users configured with a super mandatory user profile will not save their settings back to the central server location. In addition, Windows will not allow the user to log on to the computer if the mandatory user profile fails to load.
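The naming rules above (the ".v2" folder suffix, NTUSER.MAN, and the ".man" profile path suffix) can be checked against a profile store with a short script. This PowerShell is an added example, not part of the original guide or of Microsoft's tooling; the function name Get-ProfileLayout, the type labels it returns, and the sample store built under the temp directory (standing in for a share such as \\finance\RUP) are assumptions made for illustration.

```powershell
# Added example (not from the original guide). Classifies a user's Windows Vista
# profile from the Profile path value and the folders on the profile store,
# using the naming rules in this guide. Get-ProfileLayout is a hypothetical name.
function Get-ProfileLayout {
    param(
        [Parameter(Mandatory = $true)] [string] $ProfilePath,  # Profile path value on the user object
        [Parameter(Mandatory = $true)] [string] $UserName      # logon name of the user
    )

    # Expand %username% (case-insensitive). '$' in the replacement is doubled
    # so that -replace treats it as a literal character.
    $path = ($ProfilePath -replace '%username%', $UserName.Replace('$', '$$')).TrimEnd('\')
    $findings = @()

    # The guide: never put ".v2" in the profile path, only on the server folder.
    if ($path -match '\.v2$') {
        $findings += 'Profile path ends in .v2; apply .v2 only to the folder name on the file server.'
    }

    $vistaFolder = $path + '.v2'   # Windows Vista (version 2) folder for this path
    $hasV2   = Test-Path -LiteralPath $vistaFolder -PathType Container
    $hasV1   = Test-Path -LiteralPath $path -PathType Container
    $hasMan  = Test-Path -LiteralPath (Join-Path $vistaFolder 'NTUSER.MAN') -PathType Leaf
    $hasDat  = Test-Path -LiteralPath (Join-Path $vistaFolder 'NTUSER.DAT') -PathType Leaf
    $manPath = $path -match '\.man$'   # ".man" on the path marks a super mandatory profile

    if (-not $hasV2) {
        $type = 'NoVistaProfile'
        if ($manPath) {
            $findings += "Path ends in .man but $vistaFolder is missing; the user cannot log on."
        } else {
            $findings += "$vistaFolder not found; a roaming folder appears at first logoff, a mandatory one must be copied there."
        }
    } elseif ($manPath -and $hasMan) {
        $type = 'SuperMandatory'
    } elseif ($manPath) {
        $type = 'Unknown'
        $findings += 'Path ends in .man but the folder has no NTUSER.MAN.'
    } elseif ($hasMan) {
        $type = 'Mandatory'
    } elseif ($hasDat) {
        $type = 'Roaming'
    } else {
        $type = 'Unknown'
        $findings += 'Folder holds neither NTUSER.DAT nor NTUSER.MAN.'
    }

    [pscustomobject]@{
        User           = $UserName
        Type           = $type
        VistaFolder    = $vistaFolder
        V1FolderExists = $hasV1      # folder named exactly as the path (version 1 profile)
        Findings       = $findings -join ' | '
    }
}

# Constructed sample store: folder name -> registry hive file placed inside it.
$store = Join-Path ([System.IO.Path]::GetTempPath()) ('RUP-sample-' + [guid]::NewGuid())
$layout = @{
    'user1'        = 'NTUSER.DAT'   # version 1 profile written by Windows XP
    'user1.v2'     = 'NTUSER.DAT'   # version 2 roaming profile
    'mandatory.v2' = 'NTUSER.MAN'   # shared mandatory profile
    'user2.man.v2' = 'NTUSER.MAN'   # super mandatory profile
}
foreach ($folder in $layout.Keys) {
    $dir = Join-Path $store $folder
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    New-Item -ItemType File -Path (Join-Path $dir $layout[$folder]) | Out-Null
}

try {
    @(
        Get-ProfileLayout -ProfilePath "$store\%username%"     -UserName 'user1'  # roaming user
        Get-ProfileLayout -ProfilePath "$store\mandatory"      -UserName 'user3'  # shared mandatory profile
        Get-ProfileLayout -ProfilePath "$store\%username%.man" -UserName 'user2'  # super mandatory user
        Get-ProfileLayout -ProfilePath "$store\%username%.v2"  -UserName 'user1'  # .v2 wrongly added to the path
    ) | Format-List User, Type, VistaFolder, V1FolderExists, Findings
}
finally {
    # Remove the constructed sample store.
    Remove-Item -LiteralPath $store -Recurse -Force
}
```

Against a real store, pass the profile path exactly as it appears on the Profile tab of the user object; the account running the check needs read access to the profile folders.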

Scenario 3: Windows Vista and Windows XP Roaming User Profile Interoperability

Windows Vista provides many benefits when combined with roaming user profiles and Folder Redirection. Redirecting user data to a central network location reduces the size of the user profile, makes user data immediately available, and increases user logon and logoff performance by transferring less data. Combining Folder Redirection with roaming user profiles allows a user to share roaming data between Windows Vista and Windows XP computers.

Computers running Windows Vista cannot read roaming user profiles created from Windows XP. This creates a problem for users who have a roaming user profile but must roam between Windows Vista and Windows XP computers. Windows Vista Folder Redirection makes this possible.

Folder Redirection allows you to redirect all the well-known folders that ship in a Windows Vista user profile. This ability allows you to share a folder in your Windows XP user profile with a folder in your Windows Vista profile. For example, you can share the Favorites folder between Windows Vista and Windows XP. You redirect the Favorites folder in Windows Vista to the same location where Windows XP synchronizes the Favorites folder in the roaming user profile.

Use the following guidelines to create one or more Folder Redirection policies to allow users to share roaming user data with Windows Vista and Windows XP. The share path in the following guidelines is the share path to the user's roaming user folder.

Application Data

Configure the Application Data folder to interoperate between Windows Vista and Windows XP

  1. Log on to a domain computer running Windows Vista with domain administrator credentials. Open the Run command by pressing the Windows logo key + R. Type GPMC.MSC, and then click OK.

  2. Right-click a New Group Policy object or a Group Policy object that has a previously enabled Folder Redirection policy, and then click Edit. For example, in the Contoso.com domain, there is a policy named "Folder Redirection Policy."

  3. Under User Configuration, double-click to expand Windows Settings and Folder Redirection. Right-click the Application Data folder, and then click Properties.

  4. If you have deployed a folder redirection policy setting for the Application Data folder, then use the path and setting defined in that policy setting. If not, then use the Redirect to the following location policy setting with a path \\servername\share\%username%\Application Data.

  5. Click the Settings tab. Select the Grant the User Exclusive rights to Application Data and the Move the contents of Application Data to the new location check boxes.

  6. Clear the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems check box, and then click OK.

This policy setting should apply only to clients running Windows Vista and not to earlier versions of Windows.

Desktop

Configure the Desktop folder to interoperate between Windows Vista and Windows XP

  1. Log on to a domain computer running Windows Vista with domain administrator credentials. Open the Run command by pressing the Windows logo key + R. Type GPMC.MSC, and then click OK.

  2. Right-click a New Group Policy object or a Group Policy object that has a previously enabled Folder Redirection policy, and then click Edit. For example, in the Contoso.com domain, there is a policy setting named "Folder Redirection Policy."

  3. Under User Configuration, double-click to expand Windows Settings and Folder Redirection. Right-click the Desktop folder, and then click Properties.

  4. If you have deployed a folder redirection policy setting for the Desktop folder, then use the path and setting defined in that policy setting. If not, then use the Redirect to the following location policy setting with a path \\servername\share\%username%\Desktop.

  5. Click the Settings tab. Select the Grant the User Exclusive rights to Desktop; Move the contents of Desktop to the new location; and Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems check boxes.

  6. Click OK.

This policy setting should apply only to clients running Windows Vista and not to earlier versions of Windows.

Documents

Configure the Documents folder to interoperate between Windows Vista and Windows XP

  1. Log on to a domain computer running Windows Vista with domain administrator credentials. Open the Run command by pressing the Windows logo key + R. Type GPMC.MSC, and then click OK.

  2. Right-click a New Group Policy object or a Group Policy object that has a previously enabled Folder Redirection policy, and then click Edit. For example, in the Contoso.com domain, there is a policy named "Folder Redirection Policy."

  3. Under User Configuration, double-click to expand Windows Settings and Folder Redirection. Right-click the Documents folder, and then click Properties.

  4. If you have deployed a folder redirection policy setting for the Documents folder, then use the path and setting defined in that policy setting. If not, then use the Redirect to the following location policy setting with a path that is not included in the user profile.

  5. Click the Settings tab. Select the Grant the User Exclusive rights to Desktop; Move the contents of Desktop to the new location; and Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems check boxes.

  6. Click OK.

Note

To reduce the size of the user profile and provide the best logon performance, redirect Desktop and Documents to locations outside of the roaming user profile.

Favorites

Configure the Favorites folder to interoperate between Windows Vista and Windows XP

  1. Log on to a domain computer running Windows Vista with domain administrator credentials. Open the Run command by pressing the Windows logo key + R. Type GPMC.MSC, and then click OK.

  2. Right-click a New Group Policy object or a Group Policy object that has a previously enabled Folder Redirection policy setting, and then click Edit. For example, in the Contoso.com domain, there is a policy named "Folder Redirection Policy."

  3. Under User Configuration, double-click to expand Windows Settings and Folder Redirection. Right-click the Favorites folder, and then click Properties.

  4. Click the Redirect to the following location policy setting with a path \\servername\share\%username%\Favorites.

  5. Click the Settings tab. Select the Grant the User Exclusive rights to Favorites and the Move the contents of Favorites to the new location check boxes.

  6. Click OK.

Music

Configure the Music folder to interoperate between Windows Vista and Windows XP

  1. Log on to a domain computer running Windows Vista with domain administrator credentials. Open the Run command by pressing the Windows logo key + R. Type GPMC.MSC, and then click OK.

  2. Right-click a New Group Policy object or a Group Policy object that has a previously enabled Folder Redirection policy setting, and then click Edit. For example, in the Contoso.com domain, there is a policy setting named "Folder Redirection Policy."

  3. Under User Configuration, double-click to expand Windows Settings and Folder Redirection. Right-click the Music folder, and then click Properties.

  4. Click the Follow the Documents folder policy setting to ensure you redirect the Music folder as a folder under the Documents folder.

  5. Click OK.

Pictures

Configure the Pictures folder to interoperate between Windows Vista and Windows XP

  1. Log on to a domain computer running Windows Vista with domain administrator credentials. Open the Run command by pressing the Windows logo key + R. Type GPMC.MSC, and then click OK.

  2. Right-click a New Group Policy object or a Group Policy object that has a previously enabled Folder Redirection policy setting, and then click Edit. For example, in the Contoso.com domain, there is a policy setting named "Folder Redirection Policy."

  3. Under User Configuration, double-click to expand Windows Settings and Folder Redirection. Right-click the Pictures folder, and then click Properties.

  4. If you have deployed a folder redirection policy setting for the Pictures folder, then use the path and settings defined in that policy setting. If not, then use the Follow the Documents folder policy setting to ensure you redirect the Pictures folder as a folder under the Documents folder.

  5. Click OK.

Start Menu

Configure the Start Menu folder to interoperate between Windows Vista and Windows XP

  1. Log on to a domain computer running Windows Vista with domain administrator credentials. Open the Run command by pressing the Windows logo key + R. Type GPMC.MSC, and then click OK.

  2. Right-click a New Group Policy object or a Group Policy object that has a previously enabled Folder Redirection policy setting, and then click Edit. For example, in the Contoso.com domain, there is a policy setting named "Folder Redirection Policy."

  3. Under User Configuration, double-click to expand Windows Settings and Folder Redirection. Right-click the Start Menu folder, and then click Properties.

  4. If you have deployed a folder redirection policy setting for the Start Menu folder, then use the path and setting defined in that policy setting. If not, then use the Redirect to the following location policy setting with a path \\servername\share\%username%\Start Menu.

  5. Click the Settings tab. Select the Grant the User Exclusive rights to Start Menu and the Move the contents of Start Menu to the new location check boxes.

  6. Clear the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems check box, and then click OK.

This policy setting should apply only to clients running Windows Vista and not to earlier versions of Windows.

Videos

Use the Follow the Documents folder policy setting to ensure you redirect the Videos folder as a folder under the Documents folder.

Configure the Videos folder to interoperate between Windows Vista and Windows XP

  1. Log on to a domain computer running Windows Vista with domain administrator credentials. Open the Run command by pressing the Windows logo key + R. Type GPMC.MSC, and then click OK.

  2. Right-click a New Group Policy object or a Group Policy object that has a previously enabled Folder Redirection policy setting, and then click Edit. For example, in the Contoso.com domain, there is a policy setting named Folder Redirection Policy.

  3. Under User Configuration, double-click to expand Windows Settings and Folder Redirection. Right-click the Videos folder, and then click Properties.

  4. Click the Follow the Documents folder policy setting to ensure you redirect the Videos folder as a folder under the Documents folder.

  5. Click OK.

Combine these Folder Redirection guidelines with roaming user profiles to share user specific data between Windows Vista and Windows XP.

Note

Data stored in redirected folders other than Documents, Application Data, Desktop, Start Menu, and Pictures is immediately available to clients running Windows Vista. Clients running Windows XP will download this data during logon and copy it to the server during logoff.

Summary

Roaming user data has improved with Windows Vista. Version 2 of the user profile namespace provides a clean separation of machine and user data. Improvements to Folder Redirection include a new administrative snap-in that can manage new and existing Folder Redirection policies as well as new client features that allow you to redirect every folder in the new user profile namespace. These two features improve logon and logoff performance, increase accessibility to user data from any workstation, and allow Windows Vista and Windows XP to share roaming data.