Lanwench
Fri Jul 11 14:56:34 PDT 2008
kaotix <kaotix.3ce3nd@DoNotSpam.com> wrote:
> I currently manage a number of networks, one of which is not using a
> server at all and are looking to upgrade to roaming profiles to allow
> users to move around more.
> Each machine currently has a single local profile for a user, only one
> person uses each machine at the moment hence the single profile.
> Is there a way to migrate these profiles and keep all settings in-tact
> to an AD server to allow roaming profiles?
>
> Thanks
Yes. It's twofold - first you'll migrate their local machine account
profiles to their domain account profiles (using the /connectcomputer wizard
to join the PCs to the domain).
Then you can make the new domain profiles roam - however, you should
definitely implement a custom folder redirection group policy first to
ensure the profiles stay as small as possible.
My boilerplate on roaming profiles is below....
********************
General tips:
1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is *not* set
to allow offline files/caching! (that's on by default - disable it)
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field
4. Have each user log into the domain once - if this is an existing user
with a profile you wish to keep, have them log in at their usual
workstationand log out. The profile is now roaming.
5. If you want the administrators group to automatically have permissions to
the profiles folders, you'll need to make the appropriate change in group
policy. Look in computer configuration/administrative templates/system/user
profiles - there's an option to add administrators group to the roaming
profiles permissions. Do this *before* the users' roaming profile folders
are created - it isn't retroactive.
********************
Notes:
Make sure users understand that they should not log into multiple computers
at the same time when they have roaming profiles (unless you make the
profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change
them, which has major disadvantages),. Explain that the 'last one out wins'
when it comes to uploading the final, changed copy of the profile. If you
want to restrict multiple simultaneous network logins, look at LimitLogon
(too much overhead for me), or this:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768
********************
Keep your profiles TINY. Via group policy, you should be redirecting My
Documents (at the very least) - to a subfolder of the user's home directory
or user folder. Also consider redirecting Desktop & Application Data
similarly..... so the user will end up with:
\\server\users\%username%\My Documents,
\\server\users\%username%\Desktop,
\\server\users\%username%\Application Data.
[Alternatively, just manually re-target My Documents to
\\server\users\%username% (this is not optimal, however!)]
You should use folder redirection even without roaming profiles, but it's
especially critical if you *are* using them.
If you aren't going to also redirect the desktop using policies, tell users
that they are not to store any files on the desktop or you will beat them
with a
stick. Big profile=slow login/logout, and possible profile corruption.
********************
Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.
*********************
If you also have Terminal Services users, make sure you set up a different
TS profile path for them in their ADUC properties - e.g.,
\\server\tsprofiles$\%username%
********************
Do not let people store any data locally - all data belongs on the server.
********************
The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
********************
Roaming profile & folder redirection article -
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html