Configuring Specific Features
Updated: May 3, 2004
Applies To: Windows Server 2003 with SP1
This section describes the various features configured in the common scenarios GPOs.
Roaming User Profiles
A user profile is a group of settings and files that define the user’s environment. A profile includes program items, screen colors, network connections, window sizes and positions, and so on. Roaming User Profiles (RUP) enable the server-based storage of user profiles, which means that users can move between computers and see an identical environment. The RUP is downloaded to the user when s/he logs on and, by default, is stored back on the server when the user logs off. This feature is one component of the concept of “free-seating” – the capability for users to roam between computers yet maintain an identical environment.
Scenarios in Which Roaming User Profiles are Used
Due to the order in which logon, profile creation/loading, and the application of GPOs occurs, it is not possible to specify the location of a user profile using Group Policy. For this reason, specifying the user profile location is a distinct and separate step from the application of GPOs. Therefore, to ensure that a user is configured correctly, it is important to move that user into the appropriate OU and, additionally, configure the user object as described below.
The common scenarios leverage Roaming User Profiles as follows:
Used: Lightly Managed, Highly Managed, Multi-User, AppStation, and TaskStation
Optionally Used: Mobile User
Not Used: Kiosk
Roaming User Profiles Configuration Steps
For the purposes of illustration, this document assumes a server named CommonServer is available to store user profiles. The following steps are necessary to create a share for user profiles and configure user accounts appropriately.
On the CommonServer computer, create a folder called profiles.
Share this folder as profiles$.
Set share permissions to Full Control for the Everyone group (security will be enforced by NTFS permissions when the user profile folders are created).
Ensure that caching for this folder is disabled (only use caching for folders where you do not store profiles).
For each account for which Roaming User Profiles is required, set the profile path in the user object to \\CommonServer\profiles$\%username% (the Active Directory Users and Computers MMC snap-in is the most common way to edit this parameter). At the time the user profile is created, the %username% environment variable will be resolved to the name of the user.
Roaming User Profile Notes
It is a best practice to allow the user-specific folders (under the profiles share) to be created automatically at the time the user profile is first established. This ensures that the appropriate set of NTFS permissions and ownership are set on the folder.
|Roaming User Profiles have their own caching mechanism, which can interfere with Offline Files synchronization and can lead to unexpected behavior and loss of data. Therefore, make sure that caching is disabled for the shares where you store profiles.|
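The share and account configuration described in the steps and notes above, as an added PowerShell example that is not part of the original white paper: it uses the SmbShare and ActiveDirectory cmdlets of Windows Server 2012 and later (which did not exist on Windows Server 2003), disables caching on the share, and sets a root NTFS ACL that lets each user create only their own profile folder. The local path D:\profiles, the group RoamingProfileUsers and the root ACL itself are assumptions, not statements from the document.

```powershell
# Added example, not from the white paper: requires the SmbShare and
# ActiveDirectory modules (Windows Server 2012 or later).
$root = 'D:\profiles'                         # assumed local path on CommonServer
New-Item -Path $root -ItemType Directory -Force | Out-Null

# Share level: Everyone has Full Control and caching is off, as the notes
# require for profile shares. Effective access is decided by the NTFS ACL below.
New-SmbShare -Name 'profiles$' -Path $root -FullAccess 'Everyone' -CachingMode None

function New-Rule($Identity, $Rights, $Inherit, $Propagate) {
    [System.Security.AccessControl.FileSystemAccessRule]::new($Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

# Root NTFS ACL (assumed best practice, not spelled out in the document):
# a user can only list the root and create one folder directly under it;
# CREATOR OWNER then receives Full Control of what that user created, so each
# profile folder is private to its owner without any manual permission work.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # drop the rules inherited from D:\
@(
    (New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit,ObjectInherit' 'None')
    (New-Rule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit' 'None')
    # "This folder only": see the listing and create a subfolder, nothing more
    (New-Rule 'NT AUTHORITY\Authenticated Users' 'ListDirectory,CreateDirectories' 'None' 'None')
    # "Subfolders and files only": the creator owns everything beneath the root
    (New-Rule 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly')
) | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $root -AclObject $acl

# Per-user step: point the profile path at the share. %username% is resolved
# at logon, and the folder is created then under the ACL above.
# RoamingProfileUsers is an assumed group holding the accounts that roam.
Get-ADGroupMember -Identity 'RoamingProfileUsers' |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        Set-ADUser -Identity $_.SamAccountName -ProfilePath '\\CommonServer\profiles$\%username%'
    }
```

Run it once on CommonServer as an administrator; afterwards, confirm with Get-SmbShare -Name 'profiles$' that CachingMode is None before any user logs on.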
Folder Redirection
Folder Redirection allows the contents of a folder in the user’s profile to be redirected to a location on the network. For example, you can move My Documents, which is typically part of the user’s profile and cached on the local drive, to a folder in the user’s home directory on the network. Enabling this feature is useful because the My Documents and Application Data folders often contain large amounts of data. Enabling Folder Redirection helps speed up logon and logoff time because the contents of the redirected folders are not copied along with the rest of the user profile.
In most cases when you use Folder Redirection, you will combine it with Offline Files so that users can access cached copies of the redirected folders when disconnected from the network. In fact, with Windows XP, all redirected folders are also cached locally by default (this is not the case with Windows 2000).
If you have a high volume of users that use a single computer, consider enabling the At logoff, delete local copy of user’s offline files Group Policy setting to prevent the local hard drive from filling up with cached files from multiple users. This setting is located under Computer Configuration\Administrative Templates\Network\Offline Files.
|You should use this policy setting with caution. If a user has been working offline and has not synchronized their changes, their changes will be lost at logoff when their offline files are deleted.|
When you implement Folder Redirection, the destination folders are automatically created, and security is configured on these folders automatically. You can change the security of redirected folders by checking or clearing Grant the user exclusive rights to foldername, which is located in this path: User Configuration\Windows Settings\Folder Redirection\foldername - Settings tab.
For example, if you redirect the My Documents folder to \\CommonServer\Docs\%username%, do not create a User Name folder in advance. If the folder exists in advance and the current user is not the owner of the folder and its contents, the redirection process fails. If the folder does not exist prior to folder redirection, however, it is created and the user is made the owner of that folder. If you use the Create a folder for each user under the root path option in the Target Folder Location dropdown box, Folder Redirection automatically appends %username% to the root path you specify.
|If you must create the folder in advance, ensure that the user is the owner of the folder and its contents. To change the ownership of a file or folder, use Windows Explorer or the Subinacl.exe utility. For more information, see the Microsoft Web site (http://go.microsoft.com/fwlink/?linkid=18341).|
|When Group Policy Folder Redirection settings go out of scope, by default, they leave the redirection in place. The Settings tab has an option that allows you to redirect the folders to the local computer; however, avoid using this option. The default setting is the safest because no data is moved when a Folder Redirection policy falls out of scope. Any new Folder Redirection policy then redirects as appropriate.|
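A check for the pre-created folder case in the notes above, as an added PowerShell example rather than code from the white paper: it walks each user's folder under \\CommonServer\redirected$ and reports every item whose NTFS owner is not that user, which is exactly the condition that makes redirection fail. The OU path, the use of the ActiveDirectory module and the domain taken from the environment are assumptions.

```powershell
# Added example, not from the white paper. Run from an administrative session
# that can read the ACLs on the redirected$ share.
function Test-RedirectedFolderOwner {
    param(
        [Parameter(Mandatory)][string]$Root,            # e.g. \\CommonServer\redirected$
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain = $env:USERDOMAIN                # assumed: same domain as the caller
    )
    $expected = "$Domain\$SamAccountName"              # owner as Get-Acl reports it
    $folder   = Join-Path $Root $SamAccountName
    if (-not (Test-Path -LiteralPath $folder)) {
        # Nothing pre-created: redirection will create the folder and set the owner itself.
        return [pscustomobject]@{ User = $expected; Folder = $folder; Exists = $false; Mismatches = @() }
    }
    # The folder itself plus every file and subfolder beneath it must be owned by the user.
    $items = @(Get-Item -LiteralPath $folder) + @(Get-ChildItem -LiteralPath $folder -Recurse -Force)
    $bad = foreach ($item in $items) {
        $owner = (Get-Acl -LiteralPath $item.FullName).Owner
        if ($owner -ne $expected) {
            [pscustomobject]@{ Path = $item.FullName; Owner = $owner }
        }
    }
    [pscustomobject]@{ User = $expected; Folder = $folder; Exists = $true; Mismatches = @($bad) }
}

# Check every user that the Lightly Managed / Highly Managed GPOs apply to (OU path assumed).
$users = Get-ADUser -Filter * -SearchBase 'OU=Managed Users,DC=example,DC=com'
foreach ($u in $users) {
    $r = Test-RedirectedFolderOwner -Root '\\CommonServer\redirected$' -SamAccountName $u.SamAccountName
    if ($r.Exists -and $r.Mismatches.Count -gt 0) {
        Write-Warning "$($r.Folder): $($r.Mismatches.Count) item(s) not owned by $($r.User); redirection would fail"
        $r.Mismatches | Format-Table -AutoSize
    }
}
```

Items listed in the warning are the ones to fix with Windows Explorer or Subinacl.exe, as the note describes, before the Folder Redirection policy is applied.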
Scenarios in Which Folder Redirection is Used
The common scenarios leverage Folder Redirection as follows:
My Documents and Application Data Redirection: Lightly Managed, Highly Managed, Mobile, Multi-User, AppStation and TaskStation
Redirected Folders Configuration Steps
Because a server name must be specified when configuring redirected folders, the GPOs provided in CommonScenarios.msi do not specify Folder Redirection properties. To fully implement the scenarios in your environment, you must carry out the following steps.
On the CommonServer computer, create a folder called redirected.
Share this folder as redirected$ (the full share name would therefore be \\CommonServer\redirected$).
Set share permissions for the redirected$ share to Full Control for the Everyone group (security will be enforced by NTFS permissions when the redirected folders are created).
For both the Lightly Managed (User) and Highly Managed (User) GPOs, do the following:
In GPMC, right-click the GPO, and then click Edit.
Within the Group Policy Object Editor, go to User Configuration/Windows Settings/Folder Redirection.
Right-click the My Documents node and click Properties.
In the Properties dialog box, change the Setting list to Basic – Redirect everyone’s folder to the same location.
Leave the Target Folder Location list set to Create a folder for each user under the root path.
Set the Root Path field to \\CommonServer\redirected$, and then click OK. Folder Redirection automatically appends %username% to the path specified.
Right-click the Desktop node and click Properties.
In the Properties dialog box, change the Setting dropdown box to Basic – Redirect everyone’s folder to the same location.
Leave the Target Folder Location list set to Create a folder for each user under the root path.
Set the Root Path field to \\CommonServer\redirected$, and then click OK. Folder Redirection automatically appends %username% to the path specified.
Close the GPO.
Redirected Folders Notes
The steps above ensure that all scenarios – except the Kiosk scenario – implement redirected folders. Because the Kiosk scenario is a child of the Highly Managed scenario, it is necessary to disable the Folder Redirection setting specified in the Highly Managed (User) GPO. This is achieved – through the supplied Kiosk GPOs – by redirecting the appropriate folders back to the local user profile location; this is, in essence, the same as disabling Folder Redirection.
Internet Explorer Configuration
There are two types of Internet Explorer Group Policy settings: the standard Windows registry settings and a collection of registry settings and files used to configure Internet Explorer. The standard settings are located in the Group Policy Object Editor under Administrative Templates\Windows Components\Internet Explorer, and the configuration settings are located in User Configuration\Windows Settings\Internet Explorer Maintenance.
The Internet Explorer Maintenance settings can be set in two modes: policy mode or preference mode. Policy mode is enforced and automatically resets any settings users might change (if they have the appropriate permissions) when Group Policy is applied.
|Like all registry-based Group Policy settings, Internet Explorer Maintenance policy mode settings reapply only when the GPO changes. Unlike most registry-based Group Policy settings, configuring an Internet Explorer Maintenance setting does not prevent the user from changing that setting.|
Preference mode sets initial default values that the user can change, subject to other Group Policy settings that affect the user. The preference settings are only applied again when the administrator makes changes to the preference settings. To allow users to change these preferences, they must be able to access Internet Options on the Tools menu. You allow users access by configuring settings in the Group Policy Object Editor under Computer (or User) Configuration\Administrative Templates\Windows Components\Internet Explorer.
You cannot use policy and preference modes together in a single GPO. If you need both modes, you must use two separate GPOs. The included scenarios are configured using policy mode, so you might need to create an additional GPO using preference mode for your environment.
Kiosk Scenario Configuration
The Kiosk scenario uses a single account that is a member of the Domain Users group (all new accounts in a domain are added to this group) with no special privileges. To enable the use of this account with no user intervention, the AutoLogon feature is used. At startup, the operating system logs on automatically using the account name and password stored in the registry, as configured under Kiosk User Account Configuration below.
Kiosk User Account Configuration
The account used by the Kiosk scenario should be configured as follows:
Password never expires
User cannot change password
To configure the account for auto logon, a tool that is part of the Windows XP PowerToys can be used to specify the user name and password. For more information about the PowerToys, see http://go.microsoft.com/fwlink/?LinkId=101706.
Specifying the Kiosk Application
The packaged GPOs specify Internet Explorer as the auto launch application for both the TaskStation and Kiosk scenarios. This is handled by enabling the \User Configuration\Administrative Templates\System\Custom User Interface Group Policy setting. The value used for this policy (for both scenarios) is:
%programfiles%\internet explorer\iexplore.exe -k
This has the result of automatically launching Internet Explorer (in full screen mode because of the -k switch) when a user logs on. In effect, the policy is used to replace Windows Explorer as the shell. By updating the Custom User Interface Group Policy setting, you can dictate the application to be launched in the TaskStation and Kiosk scenarios in your own environment.
Resetting Kiosk Settings to a Default State
In some cases, you might want to reset the Kiosk environment to a known state. Although Kiosk users are prevented from making most changes to a Kiosk-based computer, a few application-specific settings cannot easily be managed by using Group Policy settings. For example, if a user resizes the Internet Explorer window, the window starts up in that size for all subsequent users.
You can use a mandatory user profile to reset the Kiosk settings. To do this, use the following procedure:
Log on to the user account and configure the appropriate settings.
Log off of the user account and then log on as an Administrator.
Copy the profile to a local or network directory and then rename the profile root to OldName.man.
Modify the user object and specify this directory as the profile path.
After you carry out this procedure, if a Kiosk user logs on, the computer settings reflect the settings defined in the mandatory profile.
Applications used on a Kiosk-based computer can write data to the disk drive. To prevent the disk drive from filling up, set a disk quota that leaves at least 100 megabytes (MB) free on the system disk.
You should consider using the disk quota in conjunction with a scheduled script that removes older temporary files each night. If the Kiosk application creates a lot of temporary files, the script might also need to run disk defragmentation to maintain system performance.
Disabling Logoff Capability for Kiosk Users
Kiosk users cannot log off the Kiosk account by pressing Ctrl+Alt+Del or by using the Start menu. When the computer starts up, it automatically logs on to the Kiosk account.
|In the Kiosk scenario, Kiosk users are prevented from logging off; however, in the Kiosk GPOs provided with this white paper, logoff capability is enabled because it makes testing easier. Therefore, before deploying the scenario, you need to disable the logoff feature.|
A disadvantage of disabling the logoff feature is that an administrator cannot easily log on to the computer. The administrator cannot restart the computer from the console because shutdown and restart are disabled for the Kiosk user. To resolve this, you can use one of the following solutions:
Restart the computer by doing one of the following:
Execute a remote restart using shutdown.exe.
Perform a hardware reset or power off of the computer (this solution is not recommended because it could lead to data loss or system malfunction).
When the computer restarts, hold down the Shift key to bypass the automatic logon feature and access the standard logon dialog box.
In this option, the logoff feature remains enabled. The administrator logs off from the Kiosk account and then holds down the Shift key to bypass the automatic logon feature. The disadvantage to this method is that a user could do the first part of this operation. Although they would be unable to log on, this would leave the logon dialog box displayed and render the Kiosk computer unusable until it is restarted.