Microsoft Windows 2000-based Roaming User Profiles

  • Article

Deploying IntelliMirror® Roaming User Profiles at Microsoft

roampr01

Executive Summary

Computers in the workplace are of value only insofar as people can use them to access information needed to support their day-to-day decision-making in areas ranging from sales, marketing, and purchasing to shipping, support, process improvement, and much more. To address such needs, personal computers have traditionally been deployed in the areas of an organization where most employees are located. While this approach helps to ensure regular computer access by those employees, it does not address the widespread trend toward a highly mobile and geographically distributed workforce. Just as many employees are no longer tied to a given geographical location to do their job, they also are no longer tied to a given personal computer. Many of them, of course, carry laptops from place to place, but others are more likely to end up "sharing" personal computers—using whatever personal computer is located closest to them when they need it.

To address these trends, Microsoft provides enhanced support for Roaming User Profiles, with IntelliMirror® management technologies included in the Microsoft® Windows® 2000 operating system. With Roaming User Profiles, an employee can "carry" his or her PC user settings and preferences from location to location, just as he or she might otherwise carry a laptop. These include settings and preferences for Office 2000, the Microsoft Outlook® 2000 messaging and collaboration client, the desktop, the Start bar, and others. Roaming User Profiles also supports folder-exclusion lists and per-user quotas on profile size. Any users whose accounts have been configured to take advantage of Roaming User Profiles become "roaming users" in that their PC settings and preferences can follow them no matter what Windows 2000-based PC they are using on the network.

Roaming User Profiles not only improves the computing experience for users but also makes life easier for network administrators. Because Roaming User Profiles stores user settings and preferences on the server side, they are not necessarily affected when a personal computer is replaced or upgraded. This means administrators need to deploy only the standardized applications to each Windows 2000 Professional–based desktop, because settings and preferences will automatically follow each roaming user.

This report describes the strategy used, the steps taken, and many of the valuable lessons learned by the Microsoft Information Technology Group (ITG) from its successful deployment of Roaming User Profiles at Microsoft. ITG is sharing its experience with customers in hopes that, if applicable, customers might learn from those experiences and apply what they have learned to the deployment of Roaming User Profiles within their own organizations.

Deploying Roaming User Profiles

Windows 2000-based Roaming User Profiles, were deployed within Microsoft while in the beta stages to assure that the technology would be fit for other large enterprises. ITG used that opportunity to enhance the computing environment used by internal employees, while also giving that group the flexibility to replace machines more easily. What should the profile limit be? Which directories should be allowed to roam? Where should roaming data be stored? The deployment team answers these and other questions in the following pages.

Considering the Environment

The way employees work at Microsoft and the way they interact with computer hardware and software played big roles in determining how Roaming User Profiles would be deployed within the company. Here are a few of the more significant factors defining the employee work and computing environment at Microsoft.

Software testing is vital. The majority of internal employees at Microsoft participate in testing beta software to help ensure that it will be fit for other large enterprises before release. Integral to this testing is the ability of employees install, configure, and test the software using their own personal computers.

Employees prefer to use self help-based solutions. While some employees prefer to have ITG configure their personal computers, others prefer to perform the task themselves. This is especially common among employees who are testing software, because if ITG were to change such an employee's personal computer without his or her knowledge, the testing would likely be interrupted. To accommodate this environment ITG strives always to develop intranet-based configuration tools that employees can use at any time.

Most employees have their own dedicated personal computers. Within Microsoft there are more than 100,000 personal computers. On average, employees need two or more personal computers to carry out their day-to-day job functions: one for running such applications as Office 2000 and Outlook 2000 and another (or two or three others) for developing or testing new software.

Applications are not standardized. Diverse job responsibilities require that different employees run different applications. While most Microsoft employees use Office 2000 and Windows 2000 Professional to perform some of their day-to-day job functions, many of them require additional applications as well. For example, testers need applications for filing, recording, and resolving bugs, human-resources employees need applications for tracking and posting job openings, accountants need financial applications, and so on.

Determining the Audience

To maximize the gains in employee efficiencies and improvements to the computing information environment, ITG profiled the audience for its deployment of Roaming User Profiles at Microsoft. With such a profile ITG could determine which employees might be the best candidates to use Roaming Using Profiles. Some employees need Roaming User Profiles to do their work effectively, others do not specifically need it but might want to use it from time to time, while still others need to avoid having Roaming User Profiles at all. For example, employees who perform highly controlled testing of desktop content or Office and Outlook settings might find that testing is interrupted if they are unable to temporarily suspend the use of Roaming User Profiles.

Table 1 illustrates a profile of the working environment and work habits of two unique groups within Microsoft. The information in the table was useful in determining the audience and approach for the deployment of IntelliMirror Roaming User Profiles.

Table 1 Profile of two unique groups within Microsoft

Is the employee expected to

Product Testers

Receptionists

have his or her own dedicated computer?

Yes

No

roam?

Unlikely

Possibly

use a standardized desktop configuration with a standard suite of applications?

Unlikely

Yes

require Roaming User Profiles in the short term, for testing an application?

Yes

No

desire Roaming User Profiles for other reasons?

Yes

Yes

Determining Server Sizing

To determine server sizing, ITG considered the number of users expected to take advantage of Roaming User Profiles as well as how much storage each user would require. ITG also considered how the majority of employees would benefit from the technology.

One factor in this process is the support of Microsoft Windows 2000 quotas on profile size as well as folder exclusion, and network performance. ITG combined those capabilities to determine that on average users could have profiles as large as 25 MB. ITG determined this quota based on the following factors:

Folder exclusions enable smaller user profiles. The default behavior of Roaming User Profiles is to synchronize the profiles directory and contents so that settings "follow" the user to other computers. By default folders such as "Temp" and "Temporary Internet Files" are excluded from this process. ITG recognized that folder exclusions were of value to limit the amount of data from the synchronization process. Standard folder exclusions used by ITG include Temporary Internet Files, Temp, My Documents, Start Menu, and Windows. To restrict a profile's maximum size , ITG applied a 25MB quota to each user, using a Windows 2000-based group policy. Internal testing revealed that a 25MB limit on profile size would sufficiently support users who roam within Microsoft.

Network performance affects user satisfaction. Roaming User Profiles information is copied from a back-end server to a given personal computer when the user logs on to it, and copied back to the server when the user logs off. The speed of the internal network was an important consideration because ITG believed that users would be more satisfied with the fastest synchronization possible. Roaming User Profiles is capable of detecting slow networks, provided slow link detection is enabled. ITG enabled slow link detection to prevent synchronization of Roaming User Profiles on networks, which are slower than 500 Kbps. In most cases, at Microsoft a 25-MB user profile is small enough to synchronize quickly while also being large enough to provide users the Roaming User Profiles benefits.

Users benefit from both folder exclusion and per-user quotas. By combining folder exclusion with a 25-MB quota, users can "roam" their desktop contents and wallpaper, Quick Launch Bar, cookies, and settings for Microsoft Outlook, Microsoft Internet Explorer, Microsoft Office, and Auto complete. Although other settings can be made to roam also; at Microsoft these settings are of greatest value to most employees. ITG also determined that an existing 40-GB network share would support roughly 1,600 "roaming users", provided that each user profile does not exceed 25 MB.

Deploying a Windows 2000-Based Infrastructure

Before deploying Windows 2000-based Roaming User Profiles, ITG first deployed the following Windows 2000-based technologies:

Active Directory™ services — to create, apply, and benefit from needed group-policy settings such as folder exclusions and quotas.

Windows 2000 Professional — to support roaming Start bar contents (available only on workstations running Windows 2000 Professional).

Windows 2000 Advanced Server — to store Roaming User Profiles information on the server. ITG created a 40-GB partition on the server running Windows 2000 Advanced Server and initialized it to take advantage of Windows NT® File System (NTFS) for increased security.

ITG then applied appropriate NTFS permissions to allow group policy to function properly. Permissions were initially applied to allow the group "everyone" to have full control. Users were later added to a group policy object, and were then granted access to their own specific folder, automatically, the first time they logged on. Although Roaming User Profiles does not require the Active Directory service, it is required by ITG to take advantage of folder exclusions and quotas on profiles size.

Figure 1 illustrates the basic Windows 2000-based infrastructure used by ITG prior to the deployment of IntelliMirror Roaming User Profiles.

Bb742503.roampr02(en-us,TechNet.10).gif

Figure 1: Basic infrastructure used to deploy Roaming User Profiles

Configuring "Roaming"User Accounts

To make user accounts "roaming," ITG created a Windows 2000-based global group, applied a group policy and added individual users to it, and then modified the default profile location for each user.

Creating a Windows 2000 Global Group

ITG used the Users and Computers Microsoft Management Console (MMC) snap-in, included in Windows 2000 Advanced Server, to create a Windows 2000 global group. The global group serves as an Active Directory container to which ITG applied a group policy enforcing the 25-MB user-storage quota, and excluding a pre-determined list of folders from the synchronization process.

Adding Users to the Global Group

ITG also used the Users and Computer MMC to then add individual users to the global group, and to modify user's default profile locations so as to make them "roaming users."

Users were asked to logoff the network and then logon again so that those changes would be applied. After logging on again, an icon appears in the Windows 2000-based System Tray allowing users to view files in their profile. This information is valuable for troubleshooting and for determining which settings are configured to roam with individual users. Figure 2 illustrates the user interface associated with the utility.

Bb742503.roampr03(en-us,TechNet.10).gif

Figure 2: Profile storage space utility

Adding Automation

Initially, ITG deployed Roaming User Profiles to areas of the company—the receptionist staff, for example—where the technology was clearly needed. Later, as requests for the technology came in from other areas, ITG added automation that would enable employees to deploy Roaming User Profiles themselves, in keeping with ITG's policy of reducing operating costs by automating processes.

Today, Microsoft employees can access an intranet site for creating and submitting requisitions to become roaming users. The automation enabling this is based on off-the-shelf technologies, including Windows 2000 Advanced Server with Internet Information Services, and Microsoft SQL Server™ 7.0. It works as follows: Internet Explorer submits Roaming User Profiles requisitions to a SQL Server–based database, which invokes transact-SQL stored procedures to export needed data, and then calls the Active Directory service Interface to add the requestor, making him or her a roaming user.

Specification

The client side of the application enabling this automation uses the Hypertext Markup Language (HTML), the Dynamic Hypertext Markup Language (DHTML), and the Microsoft Visual Basic® Scripting language (VBScript). However because ITG based the application on standard, off-the-shelf technology, it could have been written in any scripting language supported by Internet Explorer 5.0.

The application is hosted on Windows 2000 Advanced Server running Internet Information Services. It writes data to a Microsoft SQL Server database. Employees use Internet Explorer, integrated in Windows 2000 Professional, to query the Web server in order to write to the SQL Server database. This database stores information about the user and his or her request to become a roaming user. Then, SQL Server exports the information to a secured ASCII file by a transact-SQL stored procedure that is processed by an internally developed application (see the Appendix for sample code) that reads the file, then updates Windows 2000 Active Directory using the Active Directory Services Interface (ADSI).

Requirements

The automation application was designed to be easy-to-use and to support and respond quickly to a variety of employee requisitions. To fulfill this design goal, ITG mapped out a number of functional requirements, which now serve as the basis to an extremely effective application. For example, employees can choose from a list of commonly requested IntelliMirror management technologies and can view and print documentation or Frequently Asked Questions (FAQs) as they are making a decision.

Deployment Environment

To deploy the automation application, ITG relied on three computers running Windows 2000 Advanced Server: one to run Windows 2000 Advanced Server Internet Information Services, one server to run Task Scheduler, and one server to run Microsoft SQL Server 7.0.

Figure 3 illustrates the architecture used for the application automating the administrative setup of Roaming User Profiles at Microsoft.

Bb742503.roampr04(en-us,TechNet.10).gif

Figure 3: Physical Architecture

Architecture

The application is administered centrally, which reduces the need for users to upgrade components on their personal computers. As long as users are running Internet Explorer version 5.0 or later, they can add or remove themselves to a Roaming User Profiles account by accessing the Intranet-based application.

The Intranet-based application used to automate the administrative setup process was developed using off-the-shelf Microsoft technologies. Active Server Pages (ASP) running on Internet Information Server communicates with a SQL Server–based database using ActiveX® Data Objects (ADO). As the application displays pages to the user, it accesses its database server and retrieves a list of IntelliMirror management technologies to which the user has subscribed. It then presents this list to the user so that he or she knows what technologies can be added or removed. Roaming User Profiles is one such IntelliMirror management technology that users may subscribe to using this approach.

The application uses PCB_DASH, a tool developed internally by ITG, that schedules the execution of batch files. After scheduling, the tool copies the files to a Windows 2000 Advanced Server–based server running the Task Scheduler service, which then runs the batch files remotely. When the batch job is complete, PCB_DASH records a history of the run.

The Task Scheduler runs using a special "service" account, which is authorized to access information residing in either the SQL Server 7.0–based database or the Windows 2000 Active Directory directory service. The batch job submitted to the Task Scheduler exports data from the database into an ASCII file and configures the console environment using "set" commands based on information read from the file.

As soon as the console environment contains the domain name and user name, the batch job invokes a Win32® application programming interface program written internally with the Visual C++® development system. The Win32 program first reads the "environment" to obtain its "parameters," and then establishes a session with Active Directory using the ADSI Component Object Model interface. The Win32 program then programmatically adds the user to an appropriate global group (based on the user's domain), and then modifies the user's default profile location to an appropriate server. Figure 4 illustrates the logical application architecture.

Bb742503.roampr05(en-us,TechNet.10).gif

Figure 4: Application architecture

User Interface

The application was designed with simplicity in mind. Users navigate Dynamic HTML (DHTML) Web pages that guide them through the selection of available IntelliMirror management technologies ITG has deployed. The Web pages enable users to add or remove Roaming User Profiles from their accounts, to read a list of FAQs, and to view a list of other users who have recently signed up for the service.

ITG considered it especially important to present users with these FAQs, because they are ideal for helping users to avoid known issues specific to the Microsoft environment. So far, ITG has found this form of self-help to be invaluable in reducing support costs as well as improving user satisfaction. Figure 5 illustrates the user interface of the application ITG developed to automate most of its administration of Roaming User Profiles.

Bb742503.roampr06(en-us,TechNet.10).gif

Figure 5: User Interface of application developed by ITG

Monitoring and Maintenance

ITG simplified its monitoring and maintenance of Windows 2000–based Roaming User Profiles through a combination of built-in Windows 2000 capabilities such as global groups, group policies, and the Active Directory Services Interface (ADSI). These capabilities enabled ITG to customize its environment by developing an application to automate administrative tasks that are typically performed manually.

Global groups, for example, allow ITG to apply a policy restricting the number of folders included in every user's profile. Group Policies simplifies the management of Roaming User Profiles by enabling ITG to manage individuals in groups, as opposed to a case-by-case approach. ADSI—and in particular the ADSI Component Object Model (COM) interface—greatly simplified the development of custom applications used for automating the administration of Roaming User Profiles.

One benefit of having a custom application is its ability to record information about users who add Roaming User Profiles to their accounts. Through this information ITG can determine the number of people who are using Roaming User Profiles at any given time. In the future, ITG may use the information to help capacity planning and for the purpose of possibly charging individual departments for the service.

To help maintain performance and ensure against capacity problems, ITG uses the Performance Monitor, included in Windows 2000 Advanced Server and Windows 2000 Professional. For example, if Performance Monitor indicates that server processor utilization is higher than 80 percent for a sustained period of time, ITG can simply add another processor. For further insurance against capacity limitations, ITG deployed software from NetIQ on the back-end file server. This software is configured to generate an administrative alert in the event that physical storage on the server ever becomes depleted. In addition to these tools, ITG developed its own set of nightly run batch files, that obtain statistics on individual profile sizes. Information obtained from the batch file processes can easily be imported into Microsoft Excel for reporting.

ITG backs up almost seven terabytes of data every twenty four hours using more than 200 tape drives, a process that requires nearly 400 Digital Linear Tapes (DLT) each day. Roaming User Profiles, accounts for a small fraction of this data. For speed and hardware portability, ITG implemented compression at the hardware layer. The volume of data backed up each day required that a consistent process be applied to ensure that data is archived consistently. This process also applies to the backup of Windows 2000–based Roaming User Profiles.

Two integral components of the backup strategy are Veritas Backup Executive Network Storage Executive, for backing up and restoring data, and Arcus Data Security, for storing tapes securely off-site.

To keep support costs low and user satisfaction high, ITG developed six tape-retention categories specifying the duration of time that an individual department might choose to retain its data.

As a best practice, ITG records the names of all network shares it creates along with the contacts and owners of each share. ITG uses this information if it needs to contact shareowners to determine how long they want their data to be retained. ITG solicits information from shareowners because they have detailed knowledge of the data contained in their shares. To classify their data in one of the six tape-retention categories, shareowners are asked to visit an intranet site.

ITG performs its backups at the partition level, rather than at the share level, because network partitions change only infrequently, while network shares may be added or removed at any time.

Network share owners may specify one of six tape-retention categories as illustrated in Table 2.

Table 2 Tape-retention categories used by ITG

Retention Category

Duration tapes are retained

Administrative

Three years

Business Continuance

Three years

Financial

10 years

Historical

Life of company

Infrastructure

One year or less

Legal

Six years

User profiles needed by each roaming user are stored locally as well as on a back-end file server running the Windows 2000 Advanced Server operating system. From the perspective of the backup team, the back-end server is regarded as just an ordinary file server.

Results

To develop its strategy for deploying Roaming User Profiles at Microsoft, ITG gained a detailed understanding of how employees work. Two results stood out in particular:

Personal user settings follow users. Thanks to Roaming User Profiles, mobile employees enjoy consistency in their personal user settings—no matter what building they are working in on any given day. For example, if an employee located in "Building A" must work temporarily from "Building B", the employee can be assured with the confidence that his or her settings and preferences will appear on the computer used in that building, just as it would elsewhere.

Machine replacement is simplified. Roaming User Profiles simplifies any needed machine replacement. As ITG replaces personal computers, it needs only to configure them with standard applications, because Roaming User Profiles will save personal user settings and preferences on the back end. This approach helps to maintain quality assurance that new computers are configured to an individuals liking through the configuration of personal settings and preferences. Machine replacement is further simplified by combining the power of other IntelliMirror capabilities such as a redirected My Documents folder with Roaming User Profiles. (Refer to "For More Information" to obtain information on My Document folder redirection.)

Lessons Learned

The team responsible for deploying IntelliMirror Roaming User Profiles at Microsoft learned a good deal about streamlining the Microsoft environment through the development of automation and supporting the deployment on a day-to-day basis. The following are some of their key observations:

For a successful deployment, think hard about how employees actually do their work. The average Microsoft employee who works at various locations does not share his or her personal computer, but instead takes along a laptop. For this reason ITG determined it was unnecessary for all employees to become roaming users. So, ITG profiled a target audience as the "ideal candidates" to use Roaming User Profiles technology, and deployed it on their accounts. To simplify deployment for users who do not need Roaming User Profiles now, but may in the future, ITG created an application that automates the sign-up process.

Self-help-based automation is best. ITG designed this application to be usable by the majority of employees, so that when any of them should decide to become a roaming user, he or she will would be able to implement the process without ITG assistance and without compromising system security.

Security can be maintained while allowing users to add Roaming User Profiles to their accounts. The intranet-based application that ITG created to enable users to sign up for Roaming User Profiles was found to be secure. ITG used the security built into Windows 2000 Advanced Server to restrict access to the application while enabling it to function properly. In addition, by deploying the Task Scheduler on its own dedicated server, ITG could secure the application's middle tier by running it using a special service account with the minimal access needed to export data from a SQL Server–based database. ITG also discreetly delegated administrative authority to Active Directory service, resulting in a very secure environment.

It is important to cache user profiles locally. Even though Roaming User Profiles will store a profile on the back end, ITG determined that many internal users would benefit from caching those profiles locally as well. ITG decided to cache user profiles locally so that users would be able to log on even if server maintenance should happen to prevent the user from accessing a profile stored on the back end. Users who do not have a profile cached locally are presented with a message explaining that a local copy of the profile is not available and that they will be assigned a temporary one. Any changes made to the temporary profile will not be available later. Only locally cached profiles will save changes until later, temporary profiles will not.

It is essential to have standard applications installed on the computers that roaming users access. Roaming from computer to computer can be particularly challenging for users if those computers do not share a common set of applications. For example, desktop shortcuts roam with a user even though applications associated with those shortcuts may not be deployed consistently across the various computers. For a consistent user experience, there must be a common suite of applications deployed to each computer that the user is expecting to access. This standardized desktop is possible by combining the power of IntelliMirror software installation and group policy.

Desktop wallpaper should be saved under the profile directory. By default, desktop wallpaper is saved to %systemdrive%\winnt. In the event that a user roams to a computer having Windows 2000 Professional installed to a non-system drive, the desktop wallpaper will be unavailable. In this scenario, desktop wallpaper will roam, provided it has been saved to a directory associated with the user account under \Document and Settings\.

The Windows Script Host helped to automate work that previously had been performed manually. Modifications to profile paths, and adding profile paths to user accounts, were easily scripted using the Windows Script Host. Microsoft provides both Visual Basic® Scripting Edition (VBScript) and JScript® scripting engines with the Windows Script Host. The Windows Script Host (Wscript.exe) is integrated in Windows 98, Windows 2000 Advanced Server, as well as Windows 2000 Professional. The Windows Script Host is also available for the Windows 95 operating system. The Windows Script Host is of benefit to administrators who prefer to automate repetitive administrative tasks, through scripting.

Technical training on the use of group policy was essential to helpdesk. Training helpdesk support staff on the basics of group policy troubleshooting was an essential part of supporting internal users. Helpdesk support technicians needed to have a basic understanding of symptoms associated with user accounts that did not have group policies applied to them. ITG used group policy to specify folder exclusions and to specify a quota to physical size of user profiles. Technicians needed to be educated on that group policy strategy, so that they could leverage the training to perform any needed troubleshooting.

User education and awareness was of benefit to employees and helpdesk. Training internal users to avoid common pitfalls is one approach ITG has taken to increase internal satisfaction and reduce support costs. For example, when ITG learned that quotas on profile size were exceeded due to employees placing large documents on their desktops, ITG educated those employees to send shortcuts to the desktop, instead. The education resulted in fewer employees who exceeded their quota. Developing a list of frequently asked questions provided the bulk of the education. (Refer to the appendix, for a list of frequently asked questions, as well as a communiqué from ITG to internal users)

Developing a common helpdesk troubleshooting methodology was key. Helpdesk technicians benefited from a common troubleshooting methodology. The methodology consisted of training helpdesk technicians on the basics of group policy, training to first check for network connectivity and speed, training on the use of Event Viewer to check client side activity, and training on the use of GPResult.exe, included in the Windows 2000 Resource Kit, to gather more extensive diagnostic information. (Refer to the appendix, for a sample batch file that utilizes GPResult.exe)

Conclusion

The deployment of IntelliMirror Roaming User Profiles at Microsoft is but a single step in the continual improvement of Microsoft's internal computing environment. Roaming User Profiles has made it more convenient for employees, and has simplified the administrative burden of machine replacement for administrators within ITG.

In the coming months ITG will continue to share Windows 2000–based deployment stories with customers. ITG hopes that customers who are interested will learn from these stories and, if applicable use them to help in a successful deployment of Windows 2000 in their own organizations.

For More Information

You can find the latest information on Microsoft Windows 2000 Advanced Server and Windows 2000 Professional at https://www.microsoft.com/windows2000.

For additional IT Showcase material, visit https://www.microsoft.com/technet/itsolutions/msit/default.mspx.

Information specific to deploying Roaming User Profiles may be obtained within the following additional white papers:

Windows 2000 Desktop Management Overview https://www.microsoft.com/windows2000/library/howitworks/management/ccmintro.asp

Introduction to IntelliMirror https://www.microsoft.com/windows2000/library/howitworks/management/intellimirror.asp

Introduction to Windows 2000 Group Policy https://www.microsoft.com/windows2000/library/howitworks/management/grouppolicyintro.asp

Preparing for the Global Deployment of Windows 2000 Technologies: Strategic Pilot Testing at Microsoft www.microsoft.com/technet/prodtechnol/windows2000serv/case/win2kdep.mspx

For any questions, comments, or suggestions regarding this document or to obtain additional information about Microsoft IT Showcase, please e-mail showcase@microsoft.com.

Appendix

Automation: Sample Source Code

ITG automated the processes of adding internal users to a global group so that each roaming user would have a consistent group policy applied. Group policy was then applied to the global group to effect folder exclusion and per-user quota. The policy resulted in a limit to profile size, and enforcement of that limit.

The following code fragment was used by ITG to programmatically add users to a Windows 2000 global group. The code was taken from a Win32 console application developed by ITG. The application is called from a batch file that is executed by a Windows 2000–based Task Scheduler.

// get group from AD 
   hr = ADsGetObject(lpwzDN, IID_IADs, (void**)&ipGroup); 
   if(FAILED(hr)) { 
       wprintf(L"Error Getting Group From AD, hr: 
         %08lx\n", hr); 
         goto Cleanup; 
   } 
   hr = ADsBuildVarArrayStr(bszArray, dwCount, &vMembers); 
   if(FAILED(hr)) { 
       wprintf(L"Error Creating Member Array, hr: 
         %08lx\n", hr); 
       goto Cleanup; 
   } 
   wprintf(L"Putting Members In Group...\n"); 
   hr = ipGroup->Put(L"member", vMembers); 
   if(FAILED(hr)) { 
       wprintf(L"Error Putting Value, hr: %08lx\n", hr); 
       goto Cleanup; 
   } 
   wprintf(L"Setting Info On Group...\n"); 
   hr = ipGroup->SetInfo(); 
   if(FAILED(hr)) { 
       wprintf(L"Error Setting Info, hr: %08lx\n", hr); 
       goto Cleanup; 
   } 
   iReturn = 0; 
Cleanup: 
   for(i=0;i<dwCount;i++) { 
       SysFreeString(bszArray[i]); 
   } 
   if(bszArray) { 
       HeapFree(GetProcessHeap(), 0, bszArray); 
   } 
   VariantClear(&vMembers); 
   if(ipGroup)      ipGroup->Release(); 
   return iReturn; 
}

Frequently Asked Questions

ITG included a list of frequently asked questions to its internal web site, for the purpose of user education. Employees who sign up for Roaming User Profiles have the ability to view the list of frequently asked questions as part of the sign up process. User education is one approach that ITG is taking to lower its support costs, by reducing the number of calls to helpdesk. User education has the added benefit that it improves internal user satisfaction as well. Following are frequently asked questions that are available to employees who sign up for Roaming User Profiles within Microsoft.

What happens if my roaming profile server isn't available?

Then you will receive a message stating that Windows 2000 was unable to find your roaming profile and it is attempting to load a local one. If it can't find a local profile then it will give a message stating that it can't find a local profile and that it is logging in with a temporary profile and any changes made will not be saved.

What happens to my profile when I log into and off two different machines?

Windows 2000 uses a new algorithm that merges your profiles (at the file level) and the last writer wins. This means that new files and files which have been updated will not be deleted or overwritten. The new algorithm will now check the time date stamp of the destination file against the source file. If the destination file is newer, it will NOT be overwritten. To keep the delete "sticky" we also synchronize the cached version of the profile with the profile server at logon time by deleting all files from the local cache that are not present in the server and were not modified since the last logoff time.

How do I disable my roaming profile on a machine?

You can disable your profile once you've logged into the machine at least once with your roaming profile. Preventing your profile from loading on a machine is not currently supported.

I get an error stating that I have exceeded my profile limit, how do I move files out of my profile?

All the files in the Documents and Settings\ folder get copied to your roaming profile server. (Except the My Documents, Local Settings, and Start Menu folders.) Steps to move files out of profile:

  • Note the location of the largest file. (See Figure 2)

  • Click START, then choose RUN, type %userprofile%, press ENTER.

  • Follow the path shown in the File Name list (See Figure 2), Right click the file, choose CUT.

  • Click START, then choose RUN, type C:\, press ENTER.

  • Right click on desired folder/location, choose PASTE. (repeat if necessary)

The wallpaper on my main machine doesn't roam to my other computers, how do I get it to work?

More than likely you have your wallpaper set to a picture file that is not stored in your roaming profile path. It must be saved within the C:\Document and Settings\'youralias' folder.

Communiqué: Welcome to Roaming User Profiles

As part of its user education and awareness campaigns, ITG e-mails a communiqué to internal users who sign up for Roaming User Profiles. The communiqué helps to reduce the number of helpdesk support calls through user awareness and education. Following is the communiqué ITG uses in its user education and awareness campaigns:

Roaming User Profile (RUP) allows your profile to be stored on a file server so you have the same application settings and desktop experience from any Windows 2000 machine. The following are included in your roaming profile:

  • Desktop wallpaper (only if a default Windows 2000 background, or if picture stored within profile)

  • Outlook settings (auto signature, forms, exchange profiles)

  • Desktop contents (any folders, shortcuts)

  • IE Favorites and Quick Launch bar

  • Cookies & AutoComplete (settings on various websites)

  • Office settings (custom dictionary, stationary, etc.)

Things to Note

  • For Support, or to provide feedback or questions, please contact helpdesk

Actions Required

Step 1 Save the correct user profile settings to the network server

  1. Log off *ALL* of your computers.

  2. Restart only the computer which contains the settings you want to roam with you. This guarantees that the group policy settings are correctly applied to your account and your roaming profile will be enabled once you log back in to this "primary" desktop.

  3. Now, log off and back on to your "primary" system. This action ensures that your updated profile is correctly saved to the Roaming Profile server.

  4. You can now log on to any Windows 2000 machine to get your updated Roaming User Profile. Remember, whenever you are using multiple machines, the last machine you log off from is the last machine to save its settings to the Roaming Profile server and those settings will overwrite all other settings on the server.

Step 2 Verify that your roaming profile settings have been correctly set up

  1. Log in again and verify your profile has been copied to the Roaming Profile server.

    (You may have to log in and then out again after waiting several minutes)

    You should see a small computer icon in your System Tray (by the system time.)

    This is the ProQuota manager and it indicates that your profile has been set to roaming, double-clicking on that icon will show you your files and how much server space you have remaining on your profile

    • If it doesn't exist or is empty, please contact helpdesk

  2. Now every machine you log into should merge any existing data, and overwrite any application settings with the settings from your roaming profile.

Frequently Asked Questions (FAQ)

Q: I get an error stating that I have exceeded my profile limit, how do I move files out of my profile?

A: All the files in the Documents and Settings\<your alias> folder get copied to your roaming profile server.

(Except the My Documents, Local Settings, and Start Menu folders.)

Steps to move files out of profile

  • Note the location of the offending large file. (largest files will be at top of list)

    roampr07

  • Click START, then choose RUN, type %userprofile%, press ENTER.

  • Follow the path shown in the File Name list, Right click the file, choose CUT.

  • Click START, then choose RUN, type C:\, press ENTER.

  • Right click on desired folder/location, choose PASTE. (repeat if necessary)

Q: Is the My Documents folder included in my roaming profile?

A: No, if you want your My Documents folder to be stored on the server, you can automatically sign up by using the Sign up tool.

Q: Is the Start Menu included in my roaming profile?

A: No, the Start Menu has been excluded from the roaming profile. It will default to the local machine's Start Menu.

Scripted Diagnostics

The follow script was developed by ITG to obtain information to support troubleshooting Roaming User Profiles. The script takes advantage of "command extensions", included in Windows 2000. The command extensions greatly enhance the built-in power of batch file programming in Windows 2000. The following script also takes advantage of utilities included in Windows 2000 as well as utilities included in the Windows 2000 and Windows NT Resource Kits. These utilities include:

GPRESULT.exe — included in the Windows 2000 Resource Kit, displays the result of group policy for the current user and computer.

CACLS.exe — included in Windows 2000, displays or modifying access control lists (ACLs) of files

FIND.exe — included in Windows 2000, searches for a text string in a file or files

REG.exe — included in the Windows NT Server 4.0-resource kit

:::::::::::::::::::::::::::: 
:: RUP diagnostics script :: 
:::::::::::::::::::::::::::: 
:: NOTE: This script requires that 
:: 
:: 1) command extensions be enabled 
:: 2) the value of %SERVER% refer to valid server and network share 
:: 3) the location specified by %SERVER%\bin contains needed binaries 
@FOR %%i IN ( %* ) DO @IF /i "%%i"=="/d" GOTO :SkipEchoOff 
ECHO OFF 
CLS 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
:: Initialize Environment Variables and Directory Structure 
:: 
:: Server = Generic Path where logfiles/binaries/script stored 
:: GP-CON = Group Policy Naming convention to identify IntelliMirror GPO's 
:: GPR = Full path to GpResult.exe [AK] 
:: REGEXE = Full path to Reg.exe [RK] 
:: REG = Registry Path, allows for shorter line in code 
:: NOTIFY = UserNames or ComputerNames to notify by NET SEND 
:SkipEchoOff 
SET SERVER=C:\TEST 
SET GP-CON=GP-SDT 
SET GPR=%SERVER%\Bin\GpResult.exe 
SET REGEXE=%SERVER%\Bin\Reg.exe 
SET REG=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 
SET NOTIFY=AdminAlias Users2Notify 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
:: Creates Folder Structure on Server  
:: (Give Everyone Modify Rights to \\%SERVER%\RupLog folder) 
::  
MD %SERVER%\RupLog >NUL 2>&1 
MD %SERVER%\RupLog\%USERNAME% >NUL 2>&1 
MD %SERVER%\RupLog\%USERNAME%\%COMPUTERNAME% >NUL 2>&1 
SET LOGFILE=%SERVER%\RupLog\%USERNAME%\%COMPUTERNAME% 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
:: Initialize Environment Variables and Directory Structure 
:: 
:: Records User environment into EXTRA.TXT including  
:: %CLIENTNAME% checking for Terminal Server Clients 
:: 
ECHO %USERDOMAIN%\%USERNAME%   %COMPUTERNAME%   %DATE%;%TIME% 
[%CLIENTNAME%] > %TEMP%\Extra.txt 
ECHO  Roaming User Profile Diagnostics> %LOGFILE%\Report.txt 
ECHO -------------------------------------->> %LOGFILE%\Report.txt 
ECHO This is NOT an error message, but a>> %LOGFILE%\Report.txt 
ECHO display of your current Roaming>> %LOGFILE%\Report.txt 
ECHO Profile settings.  This information>> %LOGFILE%\Report.txt 
ECHO is automatically stored on the network>> %LOGFILE%\Report.txt 
ECHO for Helpdesk to trouble shoot. There >> %LOGFILE%\Report.txt 
ECHO is no need to respond to helpdesk with>> %LOGFILE%\Report.txt 
ECHO this information. >> %LOGFILE%\Report.txt 
ECHO.>>%LOGFILE%\Report.txt 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
:: Main Script - Makes subroutine calls to labels. 
:: 
ECHO. &ECHO. &ECHO  Running RUP Diagnostic Script... 
ECHO. &ECHO    This may take several mintues... &ECHO. 
CALL :GpResult 
CALL :RoamingP 
CALL :Logs 
:: Delete all temporary files created 
:: Notifies Admins script was executed via. NET SEND 
:: Displays Results 
:: Cleans out all environment variables 
DEL /F /Q %TEMP%\*-$$.txt >NUL 2>&1 
CALL :NotifyUser %NOTIFY% 
IF EXIST %LOGFILE%\Report.txt Start Notepad %LOGFILE%\Report.txt >NUL 2>&1 
FOR %%i IN (Debug ProQuota UserEnv LogFile Reg RoamProfile File) DO SET %%i= 
GOTO :EOF 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
:: Group Policy 
:: 
:: Runs RK tool GPRESULT, checks for ITG naming  
:: convention of GP-SDT (this will not work if your IT doesn't 
:: start your group policies with a standard naming convention) 
:GpResult 
ECHO    * GPResult 
ECHO ## Group Policies [%GP-CON%] ## >> %LOGFILE%\Report.txt 
%GPR% | Find.exe /i "%GP-CON%" > %TEMP%\GP-$$.txt 2>NUL 
FOR /F %%i IN (%TEMP%\GP-$$.txt) DO CALL :CleanEcho %%i Report 
GOTO :EOF 
  ::::::::::::::::::::::::::::::::: 
  :: Creates Left Justified Output 
  :: 
  :CleanEcho 
  ECHO %1>>%LOGFILE%\%2.txt& GOTO :EOF 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
:: Roaming Profile 
:: 
:RoamingP 
FOR /F "DELIMS=: TOKENS=2" %%i IN ('%GPR% ^| Find.exe /i 
"Roaming Profile"') DO IF NOT "%%i"=="" CALL :CleanRUP %%i 
ECHO    * Roaming Profile 
ECHO. >>%LOGFILE%\Report.txt 
ECHO ## Roaming Profile ## >> %LOGFILE%\Report.txt 
ECHO Path: %ROAMPROFILE% >> %LOGFILE%\Report.txt 
:: Exits If NO RUP detected 
IF "%ROAMPROFILE%"=="" GOTO :EOF 
IF "%ROAMPROFILE%"=="(None)" GOTO :EOF 
ECHO.>> %LOGFILE%\Extra.txt 
  ::::::::::::::::::::::::::::::::: 
  :: Checks User Permissions on RUP 
  :: 
  ECHO ## Roaming Profile - Permissions ## >> %LOGFILE%\Extra.txt 
  %SERVER%\Bin\Cacls.exe %ROAMPROFILE% >> %LOGFILE%\Extra.txt 2>NUL 
  %SERVER%\Bin\Cacls.exe %ROAMPROFILE% | Find.exe /i  
"%USERDOMAIN%\%USERNAME%" | Find.exe /i "F" >NUL 2>&1 
  IF ERRORLEVEL 1 SET RUPPERM=INCORRECT>> %LOGFILE%\Report.txt 
  IF NOT ERRORLEVEL 1 SET RUPPERM=OK>> %LOGFILE%\Report.txt 
  ECHO Permissions: %RUPPERM% >> %LOGFILE%\Report.txt 
%REGEXE% QUERY "HKLM\%REG%\ProQuotaDebugLevel" >NUL 2>&1 && SET  
PROQUOTA=FOUND 
%REGEXE% QUERY "HKLM\%REG%\UserenvDebugLevel" >NUL 2>&1 && SET USERENV=FOUND 
IF "%PROQUOTA%%USERENV%"=="" Echo Verbose Logging: OFF >>  
%LOGFILE%\Report.txt 
IF NOT "%PROQUOTA%%USERENV%"=="" Echo Verbose Logging: ON >>  
%LOGFILE%\Report.txt 
Echo ################ LOCAL - TREE ############## >> %LOGFILE%\Extra.txt 
Tree /F "%USERPROFILE%" >> %LOGFILE%\Extra.txt 2>NUL 
ECHO ################ SERVER - TREE ############## >> %LOGFILE%\Extra.txt 
Tree /F %ROAMPROFILE% >> %LOGFILE%\Extra.txt 2>NUL 
ECHO.>> %LOGFILE%\Extra.txt 
GOTO :EOF 
  ::::::::::::::::::::::::::::::::: 
  :: Removes Surrounding spaces 
  :: from RUP Path 
  :: 
  :CleanRUP 
  SET ROAMPROFILE=%1& GOTO :EOF 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
:: Group Policy 
:: 
:: Copies all LOG files in the DEBUG folders for Windows 2000 
:: 
:Logs 
MD %LOGFILE%\Logs >NUL 2>&1 
@FOR %%i IN (%SYSTEMROOT%\Debug %SYSTEMROOT%\Debug\UserMode) DO COPY  
%%i\*.log %LOGFILE%\Logs >NUL 2>&1 
@FOR %%i IN (%SYSTEMROOT%\Debug %SYSTEMROOT%\Debug\UserMode) DO COPY  
%%i\*.bak %LOGFILE%\Logs >NUL 2>&1 
GOTO :EOF 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
:: Notify User 
:: 
:NotifyUser 
IF "%1"=="" GOTO :EOF 
NET.exe SEND %1 %USERDOMAIN%\%USERNAME% executed RUP Diagnostic debug 
Script! See log at %LOGFILE% >NUL 2>NUL 
SHIFT 
GOTO NotifyUser