Configuring Roaming User Profiles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before you create a roaming user profile, you need to create each user account. Then, log on to a server as an administrator to create a network share to store the roaming user profiles, designate the groups of users to receive the roaming user profiles, and grant all users Full Control permissions.

Use the following procedures when you create and manage roaming user profiles.

For information about deploying Roaming User Profiles on newer versions of Windows, see Deploy Folder Redirection, Offline Files, and Roaming User Profiles.

Creating Roaming User Profiles

To perform the following procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. For enhanced security, consider using the Runas command to perform this procedure.

To create a roaming user profile

  1. Open Active Directory Users and Computers.

  2. Click the domain and the OU where the user account resides.

  3. Right-click the user account for which to set a roaming profile, and then click Properties.

  4. Click the Profile tab, and then type the profile path information in Profile path. (Use the full path in each user account. For example, type \\Server\ShareName\UserName.)

Another way to populate the profile path is to use an Active Directory® Service Interfaces (ADSI) script. ADSI provides a single set of interfaces for managing resources on the network. You can use ADSI in combination with Microsoft® Visual Basic® Scripting Edition (VBScript) or JScript scripts to manage Active Directory resources such as users and services.

For information about ADSI and ADSI scripts, see the Microsoft Platform SDK link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.
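The ADSI approach described above, as an added example that is not part of the original page: the script sets Profile path for every user in one OU to \\Server\ShareName\<sAMAccountName> and rejects a profile root that is not a UNC share. The script name SetRup.vbs, the /commit switch, and the use of sAMAccountName as the folder name are assumptions; the OU is assumed to sit directly under the domain root, as in Listing 7.1.

```vbscript
' Added example (not from the original page): set profilePath for every user in one OU.
' Usage (hypothetical script name): cscript SetRup.vbs <OU name> <\\Server\ShareName> [/commit]
Option Explicit
Dim args, ouName, rupRoot, commit, dse, ou, usr, sam, newPath, re

Set args = WScript.Arguments
If args.Count < 2 Then
    WScript.Echo "Usage: cscript SetRup.vbs <OU name> <\\Server\ShareName> [/commit]"
    WScript.Quit 1
End If
ouName = args(0)
rupRoot = args(1)
commit = False
If args.Count > 2 Then commit = (LCase(args(2)) = "/commit")

' Accept only a \\server\share root so a typo cannot point profiles at a local or relative path.
Set re = New RegExp
re.Pattern = "^\\\\[^\\/:*?""<>|]+\\[^\\/:*?""<>|]+$"
If Not re.Test(rupRoot) Then
    WScript.Echo "Profile root must be a UNC path such as \\Server\ShareName"
    WScript.Quit 1
End If

' Bind to the OU (assumed to sit directly under the domain root).
Set dse = GetObject("LDAP://RootDSE")
Set ou = GetObject("LDAP://OU=" & ouName & "," & dse.Get("defaultNamingContext"))
ou.Filter = Array("user")   ' the Class check below skips anything that is not a plain user object

re.Pattern = "[\\/:*?""<>|]"   ' characters that are not valid in a folder name
For Each usr In ou
    If LCase(usr.Class) = "user" Then
        sam = usr.Get("sAMAccountName")
        If re.Test(sam) Then
            WScript.Echo "Skipped " & sam & ": name is not usable as a folder name"
        Else
            newPath = rupRoot & "\" & sam
            If commit Then
                usr.Put "profilePath", newPath
                usr.SetInfo
            End If
            WScript.Echo sam & " -> " & newPath
        End If
    End If
Next
If Not commit Then WScript.Echo "Dry run only; add /commit to write the changes."
```

Without /commit the script only lists the paths it would write, which lets you review the result before any account is changed.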

Changing User Profile Type from Local to Roaming

Typically, a large organization has many users with local profiles. For ease of management, you might want to change many of the local profiles to roaming profiles. Moving user’s data and settings from the workstation to a server reduces the user’s dependence on the workstation’s availability, simplifies user data management, and allows centralized account management.

To create a roaming user profile for a user that has a local profile

  1. Open Active Directory Users and Computers.

  2. Click the domain and the OU where the user account resides.

  3. Right-click the appropriate user account for which to set a roaming profile, and then click Properties.

  4. Click the Profile tab, and type the profile path information in Profile path (for example, type \\Server\ShareName\UserName).

Note

  • To change a user’s local profile to a roaming profile for a user who uses multiple computers simultaneously, the user must log off last from the computer that has the profile that the user wants to use.

Disabling Roaming User Profiles on Certain Computers

You can prevent computers from receiving roaming profiles by enabling the Only allow local user profiles policy setting, which blocks roaming profiles from being used on a computer. By default, when roaming profile users log on to a computer, the user’s roaming profile is copied to the local computer. If the user has previously logged on to this computer, the roaming profile is merged with the local profile. Similarly, when the user logs off from this computer, the local copy of the profile, including any changes the user made, is merged with the server copy of the profile.

If you enable the Only allow local user profiles policy setting, the following occurs on the affected computer: When the user first logs on, the user receives a new local profile instead of the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile.

If you enable both the Prevent Roaming Profile changes from propagating to the server setting and the Only allow local user profiles setting, roaming profiles are disabled for that computer. These policy settings are in the Computer Configuration\Administrative Templates\System\User Profiles node.

Creating Accounts That Possess Roaming User Profiles

You can save time and reduce the chances for error by scripting many repetitive tasks, such as creating user accounts. Listing 7.1 shows a sample script that creates user accounts that have roaming profiles.

Listing 7.1   Creating User Accounts That Have Roaming User Profiles

' Arguments: OU name, user name, profile root (for example \\Server\ShareName)
Set Args = WScript.Arguments
ouName = Args(0)
usrName = Args(1)
RUProot = Args(2)
RUPpath = RUProot & "\" & usrName
' Get the domain
Set dse = GetObject("LDAP://RootDSE")
Set domain = GetObject("LDAP://" & dse.Get("defaultNamingContext"))
' Bind to the OU, which must sit directly under the domain root
Set ou = domain.GetObject("organizationalUnit", "OU=" & ouName)
WScript.Echo "Creating user in " & ou.Name
' Create the user object and set its logon names and profile path
Set usr = ou.Create("user", "cn=" & usrName)
usr.Put "samAccountName", usrName
usr.Put "userPrincipalName", usrName
usr.Put "Profilepath", RUPpath
' Commit the new object to Active Directory
usr.SetInfo
WScript.Echo "User " & usrName & " was created successfully in " & ou.Name & " with a RUP Path of: " & RUPpath

Every Windows Server 2003 user has a profile. If the operating system does not have a profile to apply to the user when the user logs on, a new local profile is created for the user, based on the defaults in place. Windows Server 2003 applies a generic user profile format by default.

Configuring a Default Profile

You can create a default profile to ensure that all users within a domain receive an identical profile the first time they log on. This option simplifies administrative control over the users’ desktops and settings.

To create a default user profile, you must be logged on as Administrator or a member of the Administrators group. Create a default profile for all new user accounts in a domain. Include any domain-specific customizations that you want in the profile. To create subsequent profiles, you can create a new user account as a template.

Before creating a new user account to use as a new user’s profile template, perform the following tasks:

  1. Log on to the domain as the new user, and then customize the desktop if appropriate.

  2. Optionally, install and configure any applications to be shared by user accounts made from this template.

  3. Log off, and then log on as the administrator.

For more information about creating a new user account, see "Create a new user account" in Help and Support Center for Windows Server 2003.

To configure a new user account to use as a new user’s profile template

  1. After you create a new user account template, in Control Panel, click System.

  2. On the Advanced tab, under User Profiles, click Settings.

  3. Under Profiles stored on this computer, select the user that you created in step 1, and then click Copy To.

  4. To create the default user profile for the domain, type the path to NETLOGON\Default User on the domain controller.

  5. In the Copy To dialog box, under Permitted to use, click Change.

  6. In the Select User or Group dialog box, under Enter the object name to select, type Everyone.

Troubleshooting: Creating a Log File for User Profiles

User profiles log events in the Application event log. To aid in troubleshooting, administrators can also create detailed log files by using the following procedure.

Caution

  • Do not edit the registry unless you have no alternative. The registry editor, regedit.exe, bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you edit the registry, make sure to back it up first and see the Windows Server 2003 Resource Kit Registry Reference on the Windows Server 2003 Deployment Kit companion CD or at https://www.microsoft.com/reskit.

To create a detailed log file for user profiles

  1. In the Run dialog box, type regedit, and then click OK.

  2. Locate the following subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

  3. Create a new entry named UserEnvDebugLevel of data type REG_DWORD, and set its value to 0x30002.

The log file is stored in this location: %windir%\Debug\Usermode\Userenv.log.