Group Policy Recommendations for Roaming User Profiles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use the following guidelines for setting Group Policy for roaming user profiles to help to ensure optimum functionality.

Reducing disk space use, profile size, and logon processing

To save disk space, you can use the Delete cached copies of roaming profiles policy setting to specify that locally cached versions of roaming user profiles be deleted when the user logs off. This setting is in the Computer Configuration\Administrative Templates\System\User Profiles node of the Group Policy Object Editor snap-in.

To manage the user profile size, use the Limit profile size policy setting. This setting is in the User Configuration\Administrative Templates\System\User Profiles node of the Group Policy Object Editor snap-in. You can set the maximum size of the roaming user profile and determine the system’s response when the limit is reached. When you set this policy, the Proquota.exe program is enabled. This program alerts users when their user profile exceeds a predefined limit, and it prevents users from logging off until the size of the profile files is reduced.

To reduce both profile size and logon processing time, you can use the Exclude directories in roaming profile setting to designate certain folders to exclude from the user’s profile. This setting is in the User Configuration\Administrative Templates\System\User Profiles node of the Group Policy Object Editor.

Turning off the fast logon enhancement

With the fast logon enhancement in Windows XP, when users change from a local to a roaming profile, two logons on each computer are required for profile changes to be registered. This is because the user always logs on with cached credentials. Therefore, it takes one logon for the network to detect that the user has become a roaming user and a second logon to apply the new settings.

To ensure the best user experience, enable the Always wait for the network at computer startup and logon policy setting. This setting is in the Computer Configuration\Administrative Templates\System\Logon node of the Group Policy Object Editor.

Limiting use of Group Policy loopback processing if you use roaming profiles

The User Group Policy loopback processing mode policy setting is an advanced option that is intended to keep the desktop configuration the same regardless of who logs on. This option is appropriate for use in certain closely managed environments, such as classrooms, public kiosks, reception areas, servers, and terminal servers. When you enable the loopback processing policy setting in a GPO, you can configure user-based policy settings within that GPO, and those settings are applied regardless of which user logs on to the computer, meaning that those settings override individual user settings. When you use the User Group Policy loopback processing mode policy setting, you must ensure that both the computer and user portions of the GPO are enabled. The User Group Policy loopback processing mode policy setting is available in the Computer Configuration\Administrative Templates\System\Group Policy node of the Group Policy Object Editor.

By default, the user’s Group Policy objects determine which user settings apply. When you enable this policy setting, you also specify either the Replace mode or the Merge mode, which determines the policies that are applied.

Replace mode   The user settings that are defined in the computer’s Group Policy objects replace the user settings that are typically applied to the user.

Merge mode   The user settings that are defined in the computer’s Group Policy objects and the user settings that are typically applied to the user are combined. If the settings conflict, the user settings in the computer’s Group Policy objects take precedence over the user’s policy settings.

If you disable or do not configure the User Group Policy loopback processing mode setting, the user’s Group Policy objects determine which user settings apply.

Caution

  • Use caution when using loopback policy processing and roaming profiles, especially if roaming users use two or more computers that run different versions of the Windows operating system, including Windows Server 2003, Windows 2000, Windows XP, and Windows NT 4.0. You might see some settings persist in the registry because applications can store policy settings in the HKEY_CURRENT_USER\Software\Policies subkey regardless of the operating system version. Windows NT 4.0 also stores some Internet Explorer policy settings in the HKEY_CURRENT_USER\Software\Microsoft\windows\currentversion\explorer\policies subkey, and those settings persist in the registry. Windows Server 2003, Windows 2000, and Windows XP clear these registry subkeys each time before re-applying the current Group Policy object settings. However, Windows NT 4.0 does not clear the registry subkeys, which causes some settings to persist if you roam from a computer that runs Windows Server 2003, Windows 2000, or Windows XP.

Tables 7.5 and 7.6 list additional Group Policy settings that you can set for user profiles. These policy settings are available in Group Policy Object Editor in the User Configuration\Administrative Templates\System\User Profiles and Computer Configuration\Administrative Templates\System\User Profiles nodes, respectively. For more information about the policy settings, click the Explain tab on each policy’s Properties page.

Table 7.5   Policy Settings for User Profiles: User Configuration

Policy setting   Description

Connect home directory to root of the share

Restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those that are used in Windows NT 4.0 and earlier. If you enable this setting, the system uses the Windows NT 4.0 definitions. Along with %HOMEDRIVE%, these variables define the home directory of a user profile. The home directory is a persistent mapping of a drive letter on the local computer to a local or remote directory.

Table 7.6   Policy Settings for User Profiles: Computer Configuration

Policy setting   Description

Delete cached copies of roaming profiles

Determines whether the system saves a copy of a user’s roaming profile on the local computer’s hard disk drive when the user logs off. This policy and the related policies in this folder define a strategy for managing user profiles that reside on remote servers. Specifically, these policies indicate to the system how to respond when a remote profile is slow to load.

Slow network connection timeout for user profiles

Defines a slow connection for roaming user profiles. If the server on which the user’s roaming user profile resides takes longer to respond than the thresholds that are set by this policy permit, the system considers the connection to the profile to be slow. This policy and related policies in this folder together determine how the system responds when roaming user profiles are slow to load.

Add the Administrators security group to the roaming user profile share

This setting adds the Administrators security group to the roaming user profile shared folder. After an administrator has configured a user’s roaming profile, the profile is created at the user’s next logon at the location that is specified by the administrator.

For Windows 2000 and Windows XP operating systems, the default file permissions for the newly generated profile are full control, or read and write access for the user, and no file access for the Administrators group. By configuring this setting, you can alter this behavior. If you enable this setting, the Administrators group is given full control of the user’s profile folder.

Prevent roaming profile changes from propagating to the server

This policy determines if the changes a user makes to their roaming profile are merged with the server copy of their profile. If this policy is set, at logon users receive their roaming profile, but any changes users make to their profile are not merged to the users’ roaming profile at logoff.

Only allow local profiles

This setting determines if roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied to the local computer. If they have previously logged on to this computer, the roaming profile is merged with the local profile. When the users log off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile.

If you enable this setting, the following occurs on the affected computer: At first logon, the user receives a new local profile, rather than the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile.

Prompt user when slow link is detected

Notifies users when their roaming profiles are slow to load, letting a user decide whether to use a local copy or to wait for the roaming user profile.

If you disable this policy or do not configure it, the system does not notify the user when a roaming user profile is slow to load. The system loads the local copy of the profile. If you enable the Wait for remote user profile policy, the system loads the remote copy without prompting the user.

Maximum retries to unload and update user profile

Applies to Windows 2000 only. This setting determines how many times the system tries to unload and update the registry portion of a user profile. When the number of retries that is specified by this policy is exhausted, the system stops trying. As a result, the user profile might not be current, and local and roaming user profiles might not match.

Do not detect slow network connections

Disables the slow link detection feature. Slow link detection measures the speed of the connection between a user’s computer and the remote server that stores the roaming user profile. When the system detects a slow link, the related policies in this folder tell the system how to respond.

Wait for remote user profile

Directs the system to wait for the remote copy of the roaming user profile to load even when loading is slow. The system waits for the remote copy when the user is notified about a slow connection but does not respond within the time allowed.

Timeout for dialog boxes

Determines how long the system waits for a user response before it uses a default value. The default value is used when the user does not respond to messages.

Use this setting to override the system’s default value of 30 seconds.
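The following PowerShell script is an added example, not part of the original article, that audits a computer's effective policy values against the recommendations above (cached profile deletion, fast logon, loopback processing, and the Table 7.6 settings). The registry paths and value names it reads are the editor's assumptions about where the Group Policy Object Editor stores these settings and should be verified against the System.adm template before relying on the output.

```powershell
# Added example: audit effective roaming-profile policy on the local computer.
# Registry value names are assumptions (verify against System.adm), not from the article.
$Sys   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$Logon = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing value means the policy is "Not configured"; report it as $null.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RoamingProfilePolicy {
    $findings  = @()
    $loopback  = Get-PolicyValue $Sys   'UserPolicyMode'            # assumed: 1 = Merge, 2 = Replace
    $delCache  = Get-PolicyValue $Sys   'DeleteRoamingCache'        # assumed: 1 = delete cached copy at logoff
    $localOnly = Get-PolicyValue $Sys   'LocalProfile'              # assumed: 1 = only allow local profiles
    $readOnly  = Get-PolicyValue $Sys   'ReadOnlyProfile'           # assumed: 1 = do not propagate changes
    $adminAcl  = Get-PolicyValue $Sys   'AddAdminSecurityToProfile' # assumed: 1 = add Administrators
    $waitNet   = Get-PolicyValue $Logon 'SyncForegroundPolicy'      # assumed: 1 = always wait for network

    if ($localOnly -eq 1) {
        $findings += 'Only local profiles are allowed here; roaming profile settings do not apply.'
        return $findings
    }
    if ($delCache -ne 1) {
        $findings += 'Cached roaming profiles remain on the local disk after logoff ' +
                     '(Delete cached copies of roaming profiles is not enabled).'
    }
    if ($waitNet -ne 1) {
        $findings += 'Fast logon enhancement is active: profile changes need two logons to register ' +
                     '(Always wait for the network at computer startup and logon is not enabled).'
    }
    switch ($loopback) {
        1 { $findings += 'Loopback processing is enabled in Merge mode with roaming profiles; ' +
                         'computer-GPO user settings override user settings on conflict.' }
        2 { $findings += 'Loopback processing is enabled in Replace mode with roaming profiles; ' +
                         'user GPOs are ignored and policy values may persist in HKCU\Software\Policies.' }
    }
    if ($adminAcl -eq 1) {
        $findings += 'Administrators group is granted full control of each user profile folder.'
    }
    if ($readOnly -eq 1) {
        $findings += 'Profile changes are discarded at logoff (roaming profile is read-only).'
    }
    return $findings
}

Test-RoamingProfilePolicy | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it in an elevated session on a representative client after a gpupdate; an empty result means every setting matches the guidance on this page.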