User Profiles best practices
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Allow for different hardware configurations.
Because user profiles can be used on various types of client computers, you should keep in mind that these client computers can have different hardware configurations, particularly different video cards and display monitors.
Because a user profile determines screen placement and window size, a workstation's display hardware affects how well the user profile works. For example, the window setup in a user profile created for a computer with a Super VGA monitor might not look correct when loaded on a computer with a regular VGA monitor.
Use the same type of video hardware when you create or edit a user profile for a single user.
When you create or edit a user profile for a single user, use a computer with the same type of video hardware as the computer that the user typically uses.
Create a single mandatory user profile for a group of users only if they all use computers with the same type of video hardware.
When you create a mandatory user profile for several users, create a single user profile for the whole group of users only if they all use computers with the same type of video hardware.
Do not use Offline Folder caching on roaming user profile shared directories.
It is important to turn off Offline Folder caching for shared directories where roaming user profiles are stored. If you do not turn off Offline Folder caching for a user's profile, you might experience synchronization problems when both Offline Folders and roaming user profiles try to synchronize the files in a user's profile. This does not affect your ability to use Offline Folders with redirected folders such as My Documents.
Do not use Encrypted File System (EFS) on files in a roaming user profile.
The Encrypted File System (EFS) is not compatible with roaming user profiles. If you encrypt profile folders or files in the user profile using EFS, the user's profile will not roam.
Do not set disk quotas too low for users with roaming user profiles.
If a user's disk quotas are set too low, roaming user profile synchronization might fail. Make sure enough disk space is allocated to allow the system to create a temporary duplicate copy of a user's profile. The temporary profile is created in the user's context as part of the synchronization process, so it debits the user's quota.
When creating a roaming profile shared directory, limit access to only those users that need access.
Because a user's roaming profile can contain personal information such as confidential documents and EFS certificates, care should be taken to protect access to the shared directory. Restrict access to the shared directory to only those users who need it. You can also create a security group for users who have profiles on a particular shared directory, and limit access to only that group.
Only give users the minimum amount of permissions needed.
When creating the shared directory, hide it by putting a $ after the share name. This hides the shared directory from casual browsers, and it will not be visible in My Network Places.
Use at least Windows 2000 servers to host user roaming profile shared directories.
Because a user's roaming profile contains personal information that is copied between the client computer and the server hosting the roaming profile, it is important to ensure that the data is protected as it travels over the network. Potential threats to the privacy and integrity of a user's data come from intercepting the data as it passes over the network, tampering with the data as it passes over the network, and spoofing the server hosting the user's data. Features such as Kerberos, IPSec, and Server Message Block (SMB) signing included in Windows 2000 and the Windows Server 2003 family can help to secure a user's data.
Always use the NTFS file system for volumes holding users' data.
Configure servers hosting roaming profiles to use the NTFS file system. Unlike FAT, NTFS supports discretionary access control lists (DACLs) and system access control lists (SACLs), which control who can perform operations on a file and which events will trigger logging of actions performed on a file.
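As an added example (not part of the original article), the following PowerShell script provisions a roaming profile share the way the practices above describe: it refuses a non-NTFS volume, applies a minimal NTFS permission set for a profile security group, creates a hidden share with Offline Files caching disabled and access limited to that group, and reports any EFS-encrypted files, which will not roam. The path D:\Profiles, the share name Profiles$, and the group CONTOSO\Roaming Profile Users are placeholders, the exact NTFS rights granted are one reasonable reading of "minimum permissions", and the icacls and net share syntax assumes Windows Server 2003 SP2 or later.

```powershell
# Added example, not from the original article. Names below are placeholders.
param(
    [string]$ProfileRoot = 'D:\Profiles',                   # placeholder path
    [string]$ShareName   = 'Profiles$',                     # trailing $ hides the share
    [string]$UserGroup   = 'CONTOSO\Roaming Profile Users'  # placeholder security group
)

# 1. The volume holding profiles must be NTFS; FAT has no DACLs or SACLs.
$drive = Split-Path -Qualifier $ProfileRoot
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FileSystem
if ($fs -ne 'NTFS') { throw "$drive is $fs, not NTFS; refusing to host profiles here." }

if (-not (Test-Path $ProfileRoot)) { New-Item -ItemType Directory -Path $ProfileRoot | Out-Null }

# 2. Minimum NTFS permissions on the root (assumed set): members of the profile group may
#    only list the folder and create their own subfolder; the creator then owns and fully
#    controls only that subfolder. Inheritance is cut so Everyone gets nothing.
icacls $ProfileRoot /inheritance:r
icacls $ProfileRoot /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $ProfileRoot /grant 'CREATOR OWNER:(OI)(CI)(IO)F'
icacls $ProfileRoot /grant "${UserGroup}:(RD,AD)"

# 3. Hidden share ($ suffix), Offline Files caching off, access limited to the profile group.
net share "$ShareName=$ProfileRoot" /CACHE:None /GRANT:"$UserGroup,CHANGE" /GRANT:"BUILTIN\Administrators,FULL"

# 4. Audit: EFS-encrypted items inside a profile prevent it from roaming, so report them.
$encrypted = Get-ChildItem -Path $ProfileRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
if ($encrypted) {
    Write-Warning "EFS-encrypted items found under $ProfileRoot (these will not roam):"
    $encrypted | ForEach-Object { Write-Warning "  $($_.FullName)" }
}
```

Run it once as an administrator on the file server; step 4 can be rerun on its own as a periodic check after users have started roaming.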