Optimizing User Profile Configurations

Before looking at specific ways you can optimize Windows settings and handle user data, let’s look at the policy settings related to profiles themselves. Policy settings that control the user profile configuration are found under Computer Configuration\Administrative Templates\System\User Profiles and User Configuration\Administrative Templates\System\User Profiles. As you read through this discussion, keep the following in mind:

  • A local user profile is created or retrieved each time a user logs on to a computer.

  • Changes to global settings and user data are stored in the local user profile and updated in a roaming profile when a user logs off.

  • User profile data is only accessible to the user for whom a profile was created.

  • Roamable user profile data includes everything under %SystemDrive%\Documents and Settings\%UserName% except for the local computer-specific settings under %SystemDrive%\Documents and Settings\%UserName%\Local Settings.

As you’ll see, system and policy settings can modify this behavior in many ways.

Modifying the Way Local and Roaming Profiles Are Used

By default, a local user profile is created or retrieved each time a user logs on to a computer. If the user account is configured to use a local profile, the local profile is created from the Default User Profile or loaded from an existing profile. If the user account is configured to use a roaming or mandatory profile, a locally cached copy of the profile is created from the server-stored user profile. If the profile server is unavailable during logon, the local cached copy of the profile can be used. If no locally cached copy of the profile is available, the Default User Profile is used.

Many policies can change or modify the way local and roaming profiles are used. These policies are stored in Computer Configuration under Administrative Templates\System\User Profiles and include:

  • Only Allow Local User Profiles

  • Delete Cached Copies Of Roaming Profiles

  • Do Not Detect Slow Network Connection

  • Log Users Off When Roaming Profile Fails

  • Prompt User When Slow Link Is Detected

  • Slow Network Connection Timeout For User Profiles

  • Timeout For Dialog Boxes

  • Wait For Remote User Profile

The sections that follow discuss these policy settings and how they are used.

Only Allow Local User Profiles

The Only Allow Local User Profiles setting prevents users from using a roaming profile. If a user with a roaming profile logs on after this policy is enabled (and computer policy has been refreshed), she will receive a new user profile based on the Default User Profile for the computer. This profile will then be used for all subsequent logons to that computer.

Delete Cached Copies of Roaming Profiles

When you enable the Delete Cached Copies Of Roaming Profiles setting, any local copies of a user’s roaming profile are deleted from the local computer when a user logs off. The roaming profile then exists only on the server on which it is stored. As you might expect, this policy setting is meant to be used in environments where high security is required, and it comes with more than a few caveats. The setting doesn’t affect locally cached copies of profiles that were created before this policy setting took effect. Those profiles will remain until a user logs on to the computer where they are stored and logs off (and the logoff process proceeds normally—with no unload or update issues at logoff). Because the local cached copy of the profile is deleted when a user logs off, no cached profile is available if the user logs on and the remote server is unavailable. In this case, the user gets a temporary user profile (based on the Default User Profile) that will be removed when he logs off.

You shouldn’t enable Delete Cached Copies Of Roaming Profiles on laptops or on computers that might access the network over slow links. When laptop users are disconnected from the network, there is no way to get the roaming profile, and because there is no locally cached profile, they will get a temporary profile. Further, if you enable Delete Cached Copies Of Roaming Profiles and the computer is configured to detect slow links, you’ll have similar problems. When users are connected to the network over a slow link, the default system behavior is to use a locally cached profile, but because there is no locally cached profile, they will get a temporary profile instead.

Do Not Detect Slow Network Connection

When you enable Do Not Detect Slow Network Connection, slow-link detection for user profiles is disabled and the computer ignores settings that tell it how to handle slow connections. This setting is useful when you delete locally cached copies of profiles and want to ensure that a roaming profile is available even if a user is connected over a slow link. The downside to this, of course, is that logon and logoff might take a long time (due to profile retrieval or update processing over slow links).

Note

When users connect over remote networks or you use Distributed File System (DFS) shares, you are more likely to see problems with slow links. One way to solve this problem is to disable slow-link detection. You might also want to add a DFS root target to the client site.

Log Users Off When Roaming Profile Fails

When you enable Log Users Off When Roaming Profile Fails, a user is logged off automatically if the computer cannot load her roaming profile. This means she cannot log on if the profile server is down or otherwise unavailable or if the profile contains errors that prevent it from loading correctly.

Log Users Off When Roaming Profile Fails is meant to be used in environments in which you want to be absolutely certain that users load their profiles from a server. For example, in a high-security environment you might not want users to use a temporary local profile. Rather than allowing them to log on with a temporary profile (based on the Default User Profile), you’ll want to log them off automatically instead.

Prompt User When Slow Link Is Detected

When you enable Prompt User When Slow Link Is Detected, a user is prompted when a slow link is detected and is asked whether he wants to use a local copy of the profile (if available) or wait for the roaming profile to load. If the setting is disabled or not configured and a slow link is detected, the computer takes one of two actions:

  • If you haven’t specifically indicated that the computer should wait for a remote user profile, the computer tries to load a locally cached copy of the user’s profile (if available).

  • If you’ve specified that the computer should wait for a remote user profile, the computer tries to load the roaming profile (if available).

By default, the system waits 30 seconds for a user to make a selection. If he doesn’t make a selection, one of the above actions is taken. You can adjust the wait time using the Timeout For Dialog Boxes setting.

Note

Prompt User When Slow Link Is Detected is ignored if you’ve enabled Do Not Detect Slow Network Connection and when slow link detection is otherwise disabled. Also keep in mind that if you’ve enabled Delete Cached Copies Of Roaming Profiles, no locally cached profile will be available. In this case, the computer will use a temporary profile (based on the Default User Profile) as long as you haven’t also enabled Log Users Off When Roaming Profile Fails.

Slow Network Connection Timeout for User Profiles

As discussed in Chapter 3 under "Configuring Slow Link Detection," computers use a specific algorithm to determine whether they are connected over a slow link. For computers connected to a network over TCP/IP, the response time to the server is measured using a Ping test and then by sending a message packet, as discussed previously. By default, if the connection speed is determined to be less than 500 kilobits per second (which can also be interpreted as high latency/reduced responsiveness on a fast network), the client computer interprets this as a slow network connection. For computers that aren’t using TCP/IP, only the response time to the server is measured. By default, if the server’s file system doesn’t respond within 120 milliseconds, the client computer interprets this as a slow network connection.

When you are using DHCP for dynamic IP addressing or when clients connect to the network over dial-up, you might want to increase these default values. To change the default values, follow these steps:

  1. Access the GPO with which you want to work. Access Computer Configuration\Administrative Templates\System\User Profiles.

  2. Double-click Slow Network Connection Timeout For User Profiles, and then select Enabled, as shown in Figure 7-3.

    Figure 7-3. Configuring slow link detection for user profiles

  3. Type the values you want to use for detecting slow links. Use the Connection Speed combo box to configure detection for IP networks. Use the Time combo box to configure detection for non-IP networks.

  4. Click OK.

Tip

Slow Network Connection Timeout For User Profiles is ignored if you’ve enabled Do Not Detect Slow Network Connection and when slow link detection is otherwise disabled. Keep in mind that if you’ve enabled Delete Cached Copies Of Roaming Profiles, no locally cached profile will be available. In this case, the computer will use a temporary profile (based on the Default User Profile) as long as you haven’t also enabled Log Users Off When Roaming Profile Fails.

Timeout for Dialog Boxes

When you enable Prompt User When Slow Link Is Detected, the system waits 30 seconds for a user to make a selection. If she doesn’t make a selection, a default action is taken, which is to either load the locally cached profile (if allowed) or wait for the roaming profile to load (if this is required). User profile–related prompts are displayed in two other instances as well:

  • If the system cannot access the user’s server-based profile during logon or logoff, a prompt is displayed. The prompt tells the user that the local profile will be loaded (if one is available).

  • If the user’s locally cached profile is newer than the server-based profile, a prompt is displayed. The prompt tells the user that the local profile will be loaded (if one is available).

You can adjust the wait time by completing the following steps:

  1. Access the GPO with which you want to work. Access Computer Configuration\Administrative Templates\System\User Profiles.

  2. Double-click Timeout For Dialog Boxes and then select Enabled, as shown in Figure 7-4.

    Figure 7-4. Configuring the wait time for the slow link prompt

  3. Specify the wait time to use, such as 60 seconds.

    Tip

    You can set any wait time from 0 to 600 seconds. Keep in mind that Timeout For Dialog Boxes is ignored if you’ve enabled Do Not Detect Slow Network Connection and when slow link detection is otherwise disabled.

  4. Click OK.

Wait for Remote User Profile

To force a computer to use a roaming or mandatory profile from a server, you can enable Wait For Remote User Profile. The computer will then wait for the roaming or mandatory profile to load even if the network connection is slow. If you disable this setting or do not configure it and slow link detection is enabled, the user is prompted when a slow link is detected and has the opportunity to use either her local profile or her roaming profile (assuming these are available and no policy restricts their use). If the user doesn’t respond to the prompt, the default action is to load the locally cached profile (if allowed) or wait for the roaming profile to load (if this is required).

A typical scenario where you might want to use Wait For Remote User Profile is when users move between computers frequently and the local copy of their profile is not always current. Using the locally cached copy of the profile is best when quick logon is a priority.

Note

Wait For Remote User Profile is ignored if you’ve enabled Do Not Detect Slow Network Connection and when slow link detection is otherwise disabled. Keep in mind that if Delete Cached Copies Of Roaming Profiles is enabled, there is no local copy of the roaming profile to load.
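The sections from Prompt User When Slow Link Is Detected through Wait For Remote User Profile describe one decision, spread across several caveats. The following added example (not from the book) encodes that decision as a single function so the interplay of the settings can be checked case by case; the policy and outcome names are this example's own, and it assumes that with Delete Cached Copies Of Roaming Profiles enabled the cache was already purged by an earlier logoff.

```python
from dataclasses import dataclass
from typing import Optional

# Outcomes a logon can end with, as described in the text.
ROAMING = "roaming"            # server copy of the profile is loaded
LOCAL_CACHED = "local-cached"  # locally cached copy of the roaming profile
TEMPORARY = "temporary"        # built from Default User, removed at logoff
LOCAL = "local"                # plain local profile (Only Allow Local User Profiles)
LOGGED_OFF = "logged-off"      # Log Users Off When Roaming Profile Fails fired


@dataclass
class ProfilePolicy:
    """Computer Configuration > ... > User Profiles settings as booleans.
    Defaults mirror the Not Configured behaviour described in the text."""
    only_local_profiles: bool = False      # Only Allow Local User Profiles
    delete_cached_copies: bool = False     # Delete Cached Copies Of Roaming Profiles
    detect_slow_links: bool = True         # False == Do Not Detect Slow Network Connection
    log_off_on_failure: bool = False       # Log Users Off When Roaming Profile Fails
    prompt_on_slow_link: bool = False      # Prompt User When Slow Link Is Detected
    wait_for_remote_profile: bool = False  # Wait For Remote User Profile


def profile_at_logon(policy: ProfilePolicy, *, server_available: bool,
                     slow_link: bool, cached_copy_exists: bool,
                     user_choice: Optional[str] = None) -> str:
    """Return which profile the user ends up with at logon.

    user_choice is what the user picks at the slow-link prompt ("local" or
    "roaming"); None means no prompt was shown or Timeout For Dialog Boxes
    expired. Assumption: with Delete Cached Copies enabled, an earlier logoff
    has already purged the cache, so no cached copy is available."""
    if policy.only_local_profiles:
        return LOCAL
    cache_available = cached_copy_exists and not policy.delete_cached_copies

    # Roaming profile cannot be loaded at all: fall back or log off.
    if not server_available:
        if policy.log_off_on_failure:
            return LOGGED_OFF
        return LOCAL_CACHED if cache_available else TEMPORARY

    # Slow-link handling applies only when detection is enabled and triggered.
    if policy.detect_slow_links and slow_link:
        if policy.prompt_on_slow_link and user_choice in ("local", "roaming"):
            use_local = user_choice == "local"
        else:
            # No prompt, or the dialog timed out: take the default action.
            use_local = not policy.wait_for_remote_profile
        if use_local:
            if cache_available:
                return LOCAL_CACHED
            # No cached copy (e.g. Delete Cached Copies): temporary profile,
            # unless Log Users Off When Roaming Profile Fails is also enabled.
            return LOGGED_OFF if policy.log_off_on_failure else TEMPORARY
        return ROAMING

    return ROAMING
```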

Modifying the Way Profile Data Is Updated and Changed

Any changes to global settings and user data are stored in the local user profile first. When a user logs off and is using a roaming profile, the changes are written to the roaming profile on the server unless specifically prevented. When Terminal Services is used, areas of the registry (under HKEY_CURRENT_USER) might be locked when a user logs off. For example, this can happen if another program or service is reading or updating the registry; this would prevent the computer from writing the locked registry settings to the profile.

Windows XP and Windows 2003 try to avoid this issue by saving the registry settings after 60 seconds and then updating the roaming profile. Windows 2000 tries to access the registry settings immediately at logoff and then make any necessary updates in the roaming profile. If registry settings are locked, Windows 2000 keeps trying to sync the changes—up to the maximum retry value, which by default is 60. One minute is allotted for these retries, so the retries occur about once every second.

Two key policies change or modify this behavior:

  • Maximum Retries To Unload And Update User Profile. If you enable this setting, you can specify the number of times the system tries to save registry setting changes to the profile before giving up. The default value is 60. If you disable this setting or do not configure it, the system retries 60 times. If you set the number of retries to 0, the system tries just once to save the registry settings to the profile before giving up. You might want to consider increasing the number of retries specified in this setting if many user profiles are stored in the computer’s memory, as might be the case with servers running Terminal Services. Keep in mind that this setting doesn’t affect the system’s attempts to update the files in the user profile.

  • Prevent Roaming Profile Changes From Propagating To The Server. When you enable this setting, you prevent users from making permanent changes to their roaming profiles. When the user logs on, she receives the roaming profile as normal. However, any changes she makes to the profile are not saved to her roaming profile when she logs off. Although this setting is similar to using mandatory profiles, there is a fundamental difference between using a mandatory profile and preventing changes to roaming profiles: When you use a mandatory profile, no profile changes are stored when a user logs off, so neither the locally cached copy nor the remote copy of the profile is updated. When you prevent changes to roaming profiles, profile changes made locally are not copied back to the remote copy of the profile. The changes are, however, available the next time the user logs on to that computer. You might want to use this setting in instances in which you don’t want the local profile changes and user files to be copied back to a server and saved in the user’s roaming profile.

Modifying the Way Profile Data Can Be Accessed

Roaming profiles are stored on designated servers. By default, user profile data can be accessed only by the user for whom the profile was created. Windows 2000 with SP3 or earlier and Windows XP without a service pack also allow the creator/owner of the profile folder to access the profile. For example, a user in the Server Operators or Account Operators group might pre-create a user’s profile folder, and as the creator/owner, he would be able to access the user’s profile data. Windows Server 2003, Windows 2000 with SP4 or later, and Windows XP with SP1 or later close this potential security problem by checking to see if the user is the only one with permissions on the profile folder and then not permitting roaming if the permissions on the user’s server-based folder are not those that Windows requires. The requirements are very specific: only the user or the Administrators group can be the owner of the user’s profile folder. Thus, if anyone other than the current user or the Administrators group owns the folder, roaming is not allowed and the user is forced to use a local profile. No changes to the local profile are propagated back to the profile server.

When a user with a roaming profile logs on and Windows Server 2003 determines that the roaming profile folder doesn’t have the required permissions, the following error message is displayed:

Windows did not load your roaming profile and is attempting to log you on with your
local profile. Changes to the profile will not be copied to the server when you
logoff. Windows did not load your profile because a server copy of the profile folder
already exists that does not have the correct security. Either the current user
or the Administrator's group must be the owner of the folder. Contact your network
administrator.

If this is not the desired behavior, you can, through Group Policy, tell Windows Server 2003 not to check the permissions on roaming profile folders. To do this, enable Do Not Check For User Ownership Of Roaming Profile Folders under Computer Configuration\Administrative Templates\System\User Profiles. With this policy setting enabled, Windows Server 2003, Windows 2000 with SP4 or later, and Windows XP with SP1 or later no longer check security permissions before updating data in existing user profile folders.

One of the most common reasons for pre-creating user profile folders is to ensure that a designated administrator can access profile data as necessary. One way to work around this issue is to allow Windows to create profile folders automatically as necessary and then configure security permissions on the profile folders so that administrators can access them. For users who don’t already have roaming profile folders, you can tell Windows to set permissions on new profile folders so that both administrators and the user have full control. You do this by enabling Add The Administrators Security Group To Roaming User Profiles under Computer Configuration\Administrative Templates\System\User Profiles. Keep in mind that this policy setting doesn’t affect existing roaming profile folders and must be set on the target client computers rather than the server storing the profile folders.

To allow administrators to access existing profile folders, complete the following steps:

  1. Log on to the profile server using an account that has administrator privileges.

  2. In Windows Explorer, locate the user’s profile folder. Right-click it, and then choose Properties.

  3. When you see a warning prompt telling you that you do not have permission to access the profile folder but can take ownership, click OK.

  4. In the Properties dialog box, click the Security tab, and then click Advanced.

  5. In the Advanced Security Settings dialog box, click the Owner tab.

  6. Under Change Owner To, click Administrators, and then select the Replace Owners On Subcontainers And Objects check box.

  7. Click OK. When prompted to confirm that you want to take ownership of the folder, click Yes.

  8. You are prompted to close and open the folder’s Properties dialog box before you can view or change permissions. Click OK three times to close all open dialog boxes.

  9. In Windows Explorer, right-click the user’s profile folder and then choose Properties.

  10. In the Properties dialog box, click the Security tab and then click Advanced.

  11. In the Advanced Security Settings For dialog box, click Add.

  12. In the Select Users, Computers, Or Groups dialog box, type the user’s logon account name and then click Check Names. If the name is shown correctly, click OK.

  13. In the Permissions Entry For dialog box, select This Folder, Subfolders And Files under Apply Onto and then select Allow for Full Control. Click OK.

    Caution

    In the Entry For dialog box, Apply These Permissions To Objects And/Or Containers Within This Container Only is not selected by default. Do not select this option. If you do, permissions will not be set correctly. For example, if this option is selected, a user logging on would see a specific error related to not being able to read the contents of the Application Data\Identities folder. If a user sees such an error during logon, you need to open the Advanced Security Settings For dialog box, select the user name, and click Edit. You then clear Apply These Permissions To Objects And/Or Containers Within This Container Only and click OK.

  14. In the Advanced Security Settings For dialog box, select Replace Permission Entries On All Child Objects and then click OK. When prompted to confirm the action, click Yes.

  15. Click OK.

Note

If the user sees a prompt indicating that the roaming profile is not available, security permissions have not been configured correctly. Repeat steps 8 through 12 and ensure that you select Replace Permission Entries On All Child Objects.

Limiting Profile Size and Included Folders

User profiles can grow very large, and sometimes when you allow roaming you’ll want to limit their size or the folders they include. A key reason for doing this is to save space on the server storing the profiles, but limiting profile size and included folders can also speed up the logon and logoff processes. Don’t forget that you can also redirect some of the profile folders, such as My Documents and Application Data, so that they are connected via shares rather than moved around the network in the user’s profile. Limiting the profile size in this case might not be necessary.

Limiting Profile Size

If you limit profile size, any user who exceeds the profile limit sees this warning message when she tries to log off: "You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage." The warning dialog box includes a list of files in her profile and provides details on her current profile size and the maximum allowed profile size. The user cannot log off until she deletes files and thereby reduces the size of her profile to within the permitted limits.

To limit the size of user profiles for a site, domain, or OU, follow these steps:

  1. Access the GPO with which you want to work. Access User Configuration\Administrative Templates\System\User Profiles.

  2. Double-click Limit Profile Size, and then select Enabled, as shown in Figure 7-5.

    Figure 7-5. Limiting the profile to a specific maximum size and configuring notification

  3. If a user exceeds the profile limit and tries to log off, she sees the standard warning message. To display a different warning message at logoff, type the text of the message in the Custom Message box.

  4. With this policy setting enabled, the default maximum profile size is 30 MB (30,000 KB). If you redirect profile data folders, such as My Documents and Application Data, to network shares, this default value might suffice. If you do not redirect profile data folders, this default value will, in most cases, be much too small. Either way, you should carefully consider what the profile limit should be and then use the Max Profile Size combo box to set the appropriate limit (in kilobytes).

  5. By default, global settings are stored in the Ntuser.dat file in a user’s profile; the size of the Ntuser.dat file does not count toward the user’s profile limit. If you want to include the file size of the Ntuser.dat file in the profile limit, select Include Registry In File List.

  6. By default, users see a warning about profile size only at logoff and are then given the opportunity to remove files from their profile. If you want to notify users whenever they exceed their profile storage space, select Notify User When Profile Storage Space Is Exceeded and then use the Remind User Every X Minutes combo box to determine how often the reminder is displayed.

    Tip

    Notifying users that they’ve exceeded the profile limit can be helpful, but repeatedly reminding them of this can be annoying. Therefore, if you want to notify users, do so infrequently, such as once every 120 minutes.

  7. Click OK.

Limiting Folders Included in Profiles

Another way to limit the user’s profile size is to exclude folders and prevent them from roaming with the user’s profile. As discussed previously, folders under %SystemDrive%\Documents and Settings\%UserName%\Local Settings do not roam. If you want to exclude other folders, you can specify this in policy by completing the following steps:

  1. Access the GPO you want to work with. Access User Configuration\Administrative Templates\System\User Profiles.

  2. Double-click Exclude Directories In Roaming Profile and then select Enabled, as shown in Figure 7-6.

    Figure 7-6. Preventing specific folders from roaming by entering the folder name in a semicolon-separated list

  3. Specify the folders that should not roam by entering them in the appropriate box. When you specify multiple folders to exclude, they must be separated by a semicolon. Always type folder names relative to the root of the profile, which is %SystemDrive%\Documents and Settings\%UserName%. For example, if you want to exclude two folders on the desktop called Dailies and Old, type Desktop\Dailies;Desktop\Old.

  4. Click OK.
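To see how the Limit Profile Size and Exclude Directories In Roaming Profile settings combine, here is an added example (not the book's code and not Windows' own quota logic) that sums the roaming part of a profile tree: it skips Local Settings, skips folders named in a semicolon-separated exclude list given relative to the profile root, counts Ntuser.dat only when the registry is included, and compares the result against a limit in kilobytes (30,000 KB by default). The sample profile tree it builds is constructed for the dry run, and the function names are this example's own.

```python
import tempfile
from pathlib import Path

DEFAULT_MAX_PROFILE_KB = 30_000   # policy default: 30 MB (30,000 KB)
NEVER_ROAMS = ("Local Settings",)  # never part of a roaming profile
REGISTRY_FILE = "Ntuser.dat"       # counted only with Include Registry In File List


def parse_exclude_list(value: str) -> list:
    """Split an Exclude Directories In Roaming Profile value such as
    'Desktop\\Dailies;Desktop\\Old' into normalised profile-relative paths."""
    parts = []
    for item in value.split(";"):
        item = item.strip().strip("\\")
        if item:
            parts.append(item.lower().replace("/", "\\"))
    return parts


def roaming_profile_size_kb(profile_root, exclude_dirs="", include_registry=False) -> int:
    """Sum the bytes that would roam: everything under profile_root except
    Local Settings, the excluded folders, and (unless included) Ntuser.dat."""
    root = Path(profile_root)
    excluded = parse_exclude_list(exclude_dirs) + [d.lower() for d in NEVER_ROAMS]
    total = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root)).replace("/", "\\").lower()
        # Skip the file if it lives under any excluded folder.
        if any(rel == ex or rel.startswith(ex + "\\") for ex in excluded):
            continue
        if rel == REGISTRY_FILE.lower() and not include_registry:
            continue
        total += path.stat().st_size
    return -(-total // 1024)  # round up to whole kilobytes


def over_quota(profile_root, max_profile_kb=DEFAULT_MAX_PROFILE_KB, **kw) -> bool:
    """True when the roaming part of the profile exceeds the configured limit."""
    return roaming_profile_size_kb(profile_root, **kw) > max_profile_kb


def build_sample_profile() -> str:
    """Constructed sample profile tree (not real user data) for a local dry run."""
    root = tempfile.mkdtemp(prefix="profile-")
    files = {
        "Ntuser.dat": 5 * 1024,
        "My Documents\\report.doc": 40 * 1024,
        "Desktop\\Dailies\\build.log": 200 * 1024,
        "Desktop\\Old\\archive.zip": 300 * 1024,
        "Local Settings\\Temp\\cache.bin": 900 * 1024,  # never roams
    }
    for rel, size in files.items():
        p = Path(root, *rel.split("\\"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)
    return root


if __name__ == "__main__":
    sample = build_sample_profile()
    print("roaming KB:", roaming_profile_size_kb(sample))
    print("with Desktop\\Dailies;Desktop\\Old excluded:",
          roaming_profile_size_kb(sample, exclude_dirs="Desktop\\Dailies;Desktop\\Old"))
```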
