Best Practices for User Profiles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To get the best experience possible from roaming user profiles, it is important to read all the documentation and plan your implementation thoroughly. This section presents best practices for using roaming user profiles.

Turn off the fast logon enhancement

With the fast logon enhancement in Windows XP, when users change from a local to a roaming profile, it takes two logons on each machine for profile changes to be registered. This is because the user always logs on with cached credentials; it therefore takes one logon for the network to notice that the user has become roaming and a second logon to apply these settings.

To ensure the best possible experience, enable the setting Always wait for the network at computer startup and logon, located at Computer Configuration\Administrative Templates\System\Logon.

Redirect the location of the My Documents folder outside of the user's Roaming Profile.

To decrease initial logon time to a new computer, it is recommended that you redirect the location of the My Documents folder outside of the user's roaming profile. The best way to do this is with Folder Redirection. If you don't have Active Directory enabled, you can do this with a logon script or instruct the user to do so manually.

Let the system create profile folders for each user.

To ensure that roaming user profiles work optimally, create only the root profile share on the server, and let the system create the folders for each user. If you must create folders for the users, ensure that you have the correct permissions set. For details on the required permissions, see Security Considerations when Configuring Roaming User Profiles.

Don't use Offline Folders on Roaming Profile Shares.

Make sure that you turn off Offline Folders for shares where roaming user profiles are stored. If you do not turn off Offline Folders for a user's profile, you may experience synchronization problems as both Offline Folders and Roaming Profiles try to synchronize the files in a user's profile.

Note

This does not affect using Offline Folders with redirected folders such as My Documents.

Do not use Encrypted File System (EFS) on files in a Roaming User Profile.

The Encrypted File System is not compatible with files within Roaming User Profiles. If you encrypt profile folders or files using EFS, the user's profile will not roam.

Note

This does not affect encrypting files on remote shares.

Do not Set Disk Quotas too low for users with Roaming Profiles.

If a user's disk quotas are set too low, roaming profile synchronization may fail. Make sure enough disk space is allocated to allow the system to create a temporary duplicate copy of a user's profile. Because the temporary profile is created in the user's context as part of the synchronization process, it debits his or her quota.

Use Group Policy loopback policy processing sparingly if you use roaming profiles.

Group Policy loopback processing enables a different set of user type Group Policies to be applied based on the computer being logged onto. This policy is useful when you need to have user type policies applied to users of specific computers. There are two methods for doing this. One allows for the policies applied to the user to be processed, but also applies user policies based on the computer that the user has logged onto. The second method does not apply the user's settings based on where the user object is, but only processes the policies based on the computer's list of GPOs.

Use caution when using loopback policy processing and roaming profiles, especially when users may roam between Windows 2000 or Windows XP-based computers and Windows NT 4.0-based computers. You may see some tattooing: applications can store policy settings in HKCU\Software\Policies regardless of operating system version. Windows NT 4 also stored some explorer policy settings in HKCU\Software\Microsoft\windows\currentversion\explorer\policies. Windows 2000 and Windows XP clear these keys each time before re-applying current policy, but because Windows NT 4 does not clear them, settings will be left behind if you roam from a Windows 2000-based machine.
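
An added PowerShell example (not from the original page) that lists every value under the two per-user policy keys named above, so leftover settings in a roamed profile can be reviewed. The function names and the ProfileAudit hive mount name are hypothetical.

```powershell
# Added example, not part of the original page.
function Get-PolicyResidue {
    param(
        # 'HKCU:' is the logged-on user. A hive loaded with
        # "reg load HKU\ProfileAudit <path>\NTUSER.DAT" (ProfileAudit is a
        # hypothetical mount name) is 'Registry::HKEY_USERS\ProfileAudit'.
        [string]$HiveRoot = 'HKCU:'
    )
    # Key paths exactly as the text above gives them.
    $policyKeys = @(
        'Software\Policies',
        'Software\Microsoft\windows\currentversion\explorer\policies'
    )
    foreach ($relative in $policyKeys) {
        $root = "$HiveRoot\$relative"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root)
        $keys += @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $label = $name
                if ($name -eq '') { $label = '(Default)' }
                New-Object PSObject -Property @{
                    Key   = $key.Name
                    Value = $label
                    Kind  = [string]$key.GetValueKind($name)
                    # Flatten multi-string and binary data so snapshots compare cleanly.
                    Data  = (@($key.GetValue($name)) -join ',')
                }
            }
        }
    }
}

# Values present in the later snapshot but not the earlier one, for example
# before and after the user logs on at a different operating system version.
function Compare-PolicyResidue {
    param([object[]]$Before, [object[]]$After)
    if (-not $After)  { return }
    if (-not $Before) { return $After }
    Compare-Object $Before $After -Property Key, Value, Data |
        Where-Object { $_.SideIndicator -eq '=>' }
}

# Snapshot the current user's hive.
$snapshot = @(Get-PolicyResidue)
$snapshot | Select-Object Key, Value, Kind, Data | Format-Table -AutoSize -Wrap
```

Take both snapshots from the same hive root so that the key names line up when they are passed to Compare-PolicyResidue.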

Roaming between the same operating system versions

Because the contents of the user's registry are opaque to roaming user profiles, you should minimize as much as possible significant differences between operating system installations on computers the users will roam between. When using roaming profiles, try to ensure that:

  • The same application versions are installed.

  • Applications are installed to the same path and drive.

  • The operating system is installed on the same %systemdrive% and in the same %windir%.

  • The operating system language and system locale are the same.

Roaming between different operating system versions

Although roaming between Windows 2000 and Windows XP should be a smooth process, there are some precautions you can take to minimize possible issues:

  • If you can avoid roaming between versions of the operating system, then do so. There's nothing inherent in roaming that will cause problems, but the data that applications put in the profile may have unintended side effects on other versions of the operating system.

  • Make sure that you have the same application versions installed.

  • Make sure that applications are installed to the same path and drive.

  • Make sure that the different versions of the operating system are installed on the same %systemdrive% and in the same %windir%.

  • If users roam between Windows NT 4.0-based clients and Windows XP- or Windows 2000-based clients, consider setting the Profile Path during install on Windows XP or Windows 2000. Differences in the default profile path (%windir%\Profiles vs. %systemdrive%\Documents and Settings) may cause problems for users roaming between Windows NT 4.0-based clients and Windows XP- or Windows 2000-based clients. To minimize the chance of problems, make sure the path to the profile is the same on both clients.