Configuring Windows 7 roaming profiles on a Windows 2008 R2 Server

The last few days I am playing around with Windows 7 and roaming profiles. At first I wrote it down for my own documentation but maybe its usefull for someone else as well.

Requirements

• A Windows 2008 R2 Server with the File Server Resource Manager (FSRM) role
• A Windows 7 Client
• Both machines in the same domain

Creating the home share on the windows 2008 R2 server

• Create a folder called HomeWin7 and rightmouseclick and choose properties
• You should see the following permissions

• Click on the Advanced button and click on Change Permissions
• DEselect Include inheritable permission form this object’s parent and click on ADD
• Select the Users “Special” ACL and then click the Edit Button

• Change the Apply to : This folder Only and click OK
• Select the Users “Read & execute” ACL and then click the Edit Button

• Change the Apply to : This folder Only and click OK
• It should look like this now:

• Click OK to close this screen and click on the “Sharing Tab” on the Users Properties screen and then click on the “Advanced Sharing” button to create a share
• Select share this folder and the sharename should be HomeWin7$

• Click on the caching button and select: no files or programs are avaliable offline
• Click OK and click on the permissions button
• Give the everyone group Full Control on the share and click on OK, OK and Close
• Start the Server Manager and go to File Services, Share and storage management
• Select the HomeWin7$ share, rightmouseclick and select properties, advanced
• Select: enable Enable access-based enumeration and click OK (this results in that users can only see their own folder if the users connect to the \\servername\HomeWin7$ share)

• Lets configure some GPO’s

Configure GPO’s for roaming profiles

• Start the GPMC and browse to the specific user OU
• Create a new GPO and then edit
• Browse to : User Configuration -> Policies -> Windows Settings -> Folder Redirection

• Rightmouseclick Appdata(roaming) and select properties. Configure like this:

• Select the Settings tab and configure like this:

• Make sure you configure all other redirection policies like the above
• Rightmouseclick Desktop and select properties. Configure like this:

• (if needed) Rightmouseclick Start Menu and select properties. We have it redirected to the Teachers startmenu on a different server
• Rightmouseclick Documents and select properties. Configure like this:

• Rightmouseclick Pictures,  Music, Videos’. Configure like this:

• Rightmouseclick Favorites and select properties. Configure like this:

• Rightmouseclick Contacts and select properties. Configure like this:

• Rightmouseclick Downloads and select properties. Configure like this:

• Rightmouseclick Links and select properties. Configure like this:

• Rightmouseclick Searches and select properties. Configure like this:

• Rightmouseclick Saved Games and select properties. Configure like this:

Additional Main GPO’s

• Browse to : User Configuration -> Policies -> Administrative Templates-> System -> User Profiles -> Exclude directories in roaming profiles. By default, the Appdata\Local and Appdata\LocalLow folders and all their subfolders like the History, Temp, and Temporary Internet Files folders are excluded from the user’s roaming profile. If you need to exclude additional folders you can add them here.
• Start the GPMC and browse to the specific computer OU and create a new GPO and then edit.
• Browse to : Computer Configuration -> Policies -> Administrative Templates-> System -> User Profiles -> Add the administrators security group to roaming user profiles. Set this to Enabled.
• Browse to : Computer Configuration -> Policies -> Administrative Templates-> System -> User Profiles -> Delete user profiles older than a specified number of days on system restart. Set this to Enabled and 30 days.
• Browse to : Computer Configuration -> Policies -> Administrative Templates-> System -> User Profiles -> Do not check for user ownership of roaming profiles folders. Set this to Enabled.
• Browse to : Computer Configuration -> Policies -> Administrative Templates-> System -> User Profiles -> Delete cached copies of roaming profiles. Can be usefull on student computers. Student profiles get deleted after logoff.
• Browse to : Computer Configuration -> Policies -> Administrative Templates-> System -> User Profiles -> Do not log users on with temporary profiles. Set this to Enabled. Can be usefull to avoid creating a temporary profile if the roaming profiles is corrupt or unavailable.

ADUC

• Open the user properties and configure the profile path like this:

• If you check the profile folder structure it will look like this:

Extra information

• Managing Roaming User Data Deployment Guide
• Stealthpuppy: Reduce logon times by excluding the bloat

Creating one mandatory user profile for all students

Creating and maintaining thousands of user profiles can chew up alot of time in an systems administrators daily job. Maintaining thousands of individual student user profiles even more. Wouldn’t be cool to have just one student profile that is locked and can thus cannot be modified by students. Lets explain on how to create such a mandatory user profile.

• First make sure you have an cleanly installed Windows XP operating system with all latest patches.
• Copy the ENTIRE content of c:\documents and settings\default user\ to your local machine
  OR
• Login to that XP machine and configure all needed settings
• Logout and copy that ENTIRE profile content to you local machine
• Now start regedit.exe on your machine
• Click on HKEY_LOCAL_MACHINE

• Goto File -> Load Hive

• Select USER.DAT residing in the profile folder
• Give the new hive a name. Lets say: test

• Click on HKEY_LOCAL_MACHINE\test en select permissions

• Remove all groups and users except SYSTEM
• Add an Active Directory group to your liking (students or so) or just everyone

• Make sure you click the advanced button and propagate the permissions to all subfolders

• When your done then you need to unload the hive

• Now click on HKEY_USERS and repeat the same process
• When you are done with that rename USER.DAT to USER.MAN
• Create an profile structure on a central server like \\server\d$\Profiles\student\
• Copy the entire profile folder content to \\server\d$\Profiles\student\
• Create a share named Profiles$ on \\server\d$\Profiles\
• Share permision should be : authenticated users, SYSTEM, SERVER\administrators = FULL CONTROL
• NTFS permissions should be : SYSTEM, SERVER\administrators = FULL CONTROL and authenticated users and for the Authenticated users group special permissions

• The NTFS permissions for the \\server\d$\Profiles\student\ folder should be:
  SYSTEM, SERVER\administrators = FULL CONTROL
  the active directory group named students = READ
• Now start the active directory users and computers MMC and select all student accounts
• Point the profile location to \\SERVER\profiles$\student
• Now you are done.