Definition: I like this definition of Roaming Profiles given by Brown University, "A roaming profile allows a users desktop and applications settings to follow them no matter what domain member Windows workstation they log into."
Source: https://cs.brown.edu/about/system/accounts/profiles/
Microsoft's write up about Roaming Profiles
Roaming user profiles have the following advantages:
• Automatic resource availability. A user's unique profile is automatically available when he or she logs on to any computer on the network. Users do not need to create a profile on each computer they use on a network.
• Simplified computer replacement and backup. When a user's computer must be replaced, it can be replaced easily because all of the user's profile information is maintained separately on the network, independent of an individual computer. When the user logs on to the new computer for the first time, the server copy of the user's profile is copied to the new computer.
Operation: You will set up Roaming Profiles much the same way you set up a Home Directory (Minasi 1282-1286).
Prerequisites:
1. Distributed File System (DFS) must be created.
2. Extra storage. You want to put the roaming profiles folder on different logical storage than the C drive because of the need for scalability.
Note: there is software out there that can re-size partitions even though you have it blocked in by other logical drives.
Section citing Mastering Windows Server 2012 R2 Book by Mark Minasi + (A Must Buy Book)
You will be logged in as an administrator. Afterwards, you will open File Explorer.
In the Shares folder, you will create a folder called Profiles. You will do this by right-clicking on the Shares folder and selecting New > Folder (Minasi 1282).
Continuing on, you will change the permissions of the folder as follows:
(Minasi 1283)
This operation involves right-clicking on the folder and selecting "Properties." Next, you will click the Security tab and click Advanced. Then, you will click the "Disable inheritance" button.
A pop-up window will give you two options for what to do with the current inherited permissions. You will choose "Convert inherited permissions into explicit permissions on this object." Then, you will click the Apply button. Note: you should get in the habit of clicking the Apply button.
Continuing on, you will click the Add button (add a new entity).
On the following pop-up window, you will click the "Select a principal" link. Type "System" into the Object name field.
Click the "Check Names" button to confirm that the object is valid. If valid, you will click the OK button.
You will now set the permissions of System to Full control by selecting the check box next to Full control.
On the advanced permissions page, you will set the Authenticated Users permissions as listed above (in the red box).
After all of the changes have been made to match the above permissions, you will click the Apply button and then the OK button (Minasi 1283).
Next, you will create a new share for the Profiles folder that you just created. This is done in Server Manager (Minasi 1283).
On the "Select the profile for this share" page, you will choose the "SMB Share - Quick" option for the Profiles folder. You will click the Next button to continue.
On the "Select the server and path for this share" page, you will select "Type a custom path" and enter the Profiles folder as the folder that you are going to share. You can click the Browse button and search for the Profiles folder. Moving on, you will click the Next button.
On the "Specify share name" page, you will enter a share name of "profiles$", which will make it a hidden share (Minasi 1284). You can also add a description of the purpose of the share (Minasi 1284).
On the Share tab of the Advanced Security Settings for profiles$, you will set the share permissions to reflect the following:
(Minasi 1284)
Make sure that the built-in administrator account has Full control of the share. Also, Authenticated Users should be set to Change.
With DFS Management (the link is located in Server Manager under Tools), you will create the namespace that makes the folder available to the network by path. This setup is much easier to remember than the direct path to the server that the share resides on. With that being stated, you will create a new folder under the namespace for pcurtis480.com, or the name that you created for your namespace (by right-clicking on it and selecting "New Folder").
The New Folder window will open up. You will enter the name of your new folder. After that, you will click the Add button to select the target folder. In this case, you will be selecting the profiles$ shared folder.
Finally, you will add the folder path "\\pcurtis480.com\DFS\RoamingProfiles\%Username%" to the Profile Path of each user. The path is found in the properties of the namespace that you created earlier. This can be done either manually or through a CSV file.
After adding the path to all user profiles, you will then update Group Policy by running the "gpupdate /force" command in PowerShell.
Lastly, you will start up a Windows 7 client computer (a computer that is a part of the server's domain) and log in as a user to check whether they have an active roaming profile. This is shown under the Control Panel at the following progression of window pages: Control Panel > User Accounts > User Accounts > Configure advanced user profile properties (as shown in the picture to the right).
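The GUI procedure above, scripted in PowerShell as an added example (it is not code from the original page or from Minasi's book). The file server name FS01, the D: volume and the two sample account names are assumptions, the namespace \\pcurtis480.com\DFS is taken to exist already, and "built-in administrator" is read as the BUILTIN\Administrators group.

```powershell
# Added example: scripted form of the GUI steps (not from the page or the book).
# Assumed/hypothetical: server FS01, volume D:, the two constructed accounts below.
Import-Module ActiveDirectory

$root      = 'D:\Shares\Profiles'      # assumed path on a non-C: volume
$shareName = 'profiles$'               # trailing $ makes the share hidden
$dfsFolder = '\\pcurtis480.com\DFS\RoamingProfiles'

# 1. Create the Profiles folder under Shares.
New-Item -Path $root -ItemType Directory -Force | Out-Null

# 2. Disable inheritance, keeping the inherited entries as explicit ones,
#    then grant SYSTEM Full control on the folder, subfolders and files.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $true)   # (isProtected, preserveInheritance)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl
# The Authenticated Users NTFS entries follow the table on Minasi 1283,
# which this page does not reproduce in text, so they are not set here.

# 3. Create the hidden share with the share permissions listed on the page.
New-SmbShare -Name $shareName -Path $root -Description 'Roaming profiles' `
    -FullAccess 'BUILTIN\Administrators' `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# 4. Publish the share as a folder in the existing DFS namespace.
New-DfsnFolder -Path $dfsFolder -TargetPath "\\FS01\$shareName" | Out-Null

# 5. Set Profile Path per user. Constructed sample rows; use Import-Csv
#    on a real file. ADUC replaces %Username% in the GUI; here the account
#    name is written into the path explicitly.
$users = @'
SamAccountName
jdoe
asmith
'@ | ConvertFrom-Csv

foreach ($u in $users) {
    $name = $u.SamAccountName
    if ($name -notmatch '^[A-Za-z0-9._-]+$') {   # reject path separators etc.
        Write-Warning "Skipping unexpected account name: $name"
        continue
    }
    Set-ADUser -Identity $name -ProfilePath ('{0}\{1}' -f $dfsFolder, $name)
    Get-ADUser -Identity $name -Properties ProfilePath |
        Select-Object SamAccountName, ProfilePath
}
```

Because Authenticated Users hold Change at the share level, the NTFS entries on the Profiles folder are what keep one user out of another user's profile, so review the output of `Get-Acl` on the folder after applying the book's table.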
Administrator set-up
You will set up the administrator to control these roaming profiles through a GPO. Group Policy Management is located under Tools in Server Manager. Create a new group policy named Roaming Profile by right-clicking on the domain. Once the policy is created, you will change the setting by following this path: Computer Configuration > Policy > Administrative Templates > System > User Profiles. You will enable the "Add the administrators security group to roaming user profile...." policy.
Tips: You should definitely set up storage quotas on the roaming profile folder. At a minimum, I recommend that you set up email notification on breach of the storage quota limit.
Troubleshoot:
Roaming Profiles don't work with encrypted files (cite: https://msdn.microsoft.com/en-us/library/cc736881(v=ws.10).aspx).


















