2

I'm working on converting my users from local machine based profiles to network profiles stored on a centralized fileserver.

The majority of my users are "local", in that they work in the office 75% of the time. I think I will get some resistance from them, but I can minimize the pain using the folder redirection technique.

The real problem is going to be my salespeople, who are in the office 25% of the time, and who really need access to their files. But of course, they really want their files backed up. And of course, they're the most likely to require a loaner machine. Really, I think salespeople might be my problem in general, but that's an entirely different issue.

Anyway, here's the deal. Since my salespeople roam away from the network, they frequently log in using cached credentials, then gain access to network resources via an SSL VPN connection. This seems problematic if I switch them to network-based profiles. They won't have access to many of the profile contents until they connect to the VPN, but they'll probably need something on their network shares (i.e. the contents of their start menu, or desktop?) to do it.

It seems like a catch-22. I know that the profiles attempt to sync at user logoff. If the user is away from the network at logoff, does everything remained cached? When they come back in to the office, will things magically resync and cause a 20 minute login?

What do you do keep your truly roaming users tied into the domain?

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
Matt Simmons
  • 20,396
  • 10
  • 68
  • 116

5 Answers5

3

We've had great luck with using Offline Files to provide access to redirected "My Documents" folders in just the scenario you describe.

Getting synchronization of those files when the user is connected to the VPN is a bit of a pain (such that a backup can hit those files) because the user will need to be sure that such a synchronization is occurring. Any type of "background" synchronization functionality has proven to be problematic, at best, for us. (Users complain that connectvity is slow, syncs don't happen when they should, etc.) We've resorted to having the users manually initiate Offline Files synchronizations when they are on the VPN.

When the users come back into the office and reconnect to the LAN logon will not be substantially affected unless they haven't been synchronizing their Offline Files while connected to the VPN (and even then, it shouldn't be too bad-- how much data are they making?).

Offline Files in Windows XP gets very "pear shaped" when the user's "My Documents" directory grows over 2GB. Offline Files in Windows Vista and Windows 7 is a lot better for this.

You'll also want to encrypt the Offline Files cache, so read up on using EFS and, specifically, on getting recovery agent keys removed from the client computers.

An aside: The "Desktop" folder is a BIG problem. Users love to save gigs and gigs of crap onto the desktop folder. If you redirect it and use Offline Files all the desktop icons disappear when an Offline Files sync runs under Windows XP. The user has to right-click / Refresh (or press F5 with the desktop window active) to get the icons back. It's a dumb misfeature that's been in every release of Windows XP and it'll probably never be fixed. On one hand, I think that a redirected "Desktop" is the "right thing" because it protects the user's data, but on the other hand it works poorly. You need to decide what's right for you.

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
1

I would not, under any circumstance run roaming profiles in conjunction with VPN-based access.

Just to clear up the terms: The user "profile" is ALL the stuff that goes under the docs and settings / users folder: ntuser.dat, local settings, temp all that stuff.

ntuser.dat stores the user's registry hive (all the content in HKLM) and it would be absolutely disasterous if this file became out of sync on various computers. Because of this, the file is locked when a user is logged on and it is not possibly to do any kind of offline files / backgrouns syncing with it, because you CAN NOT write to it interactively as long as you are logged on as that user.

To counter this, Microsoft has made several attempts using offline files for certain of the folders that make up a user profile, e.g. "My documents", "Desktop" and so on.

After years of working in exactly these kind of projects, here's my "NOC LIST" for roaming/offline use, built up by trial, error, frustration and massive amounts of perspiration:

Use Roaming Profiles for: -Terminal server farms -Standardised "kiosk" pcs -desktop enviroments where computers are shared (universities and so on)

-do NEVER EVER use roaming profiles if there is a chance the user will log on through a slow link (e.g. VPN).

-do NEVER EVER use roaming profiles for laptops

-If you need to backup the user's profile look into the work done by login consultants (google flex profile kit) to get some inspiration.

Regarding Offline files: -If a user will only use one PC and offline files are for making sure docs are backed up to the server, Windows XP is fine.

-If a user shifts between several computers and needs an up-to-date replica of his/hers docs on all computers the Offline "engine" in XP is not good enough. Go vista/win7 or buy third party stuff.

Last word of advice: If yo ugo ahead with a project that involves roaming profiles/offline files or similarities; TEST TEST TEST as much as you can before making the switch.

Trondh
  • 4,201
  • 24
  • 27
  • 3
    You're being utterly alarmist and, in some statements, completely wrong (NTUSER.DAT contains the HKCU registry hive, for example). We've been using roaming user profiles on laptop and desktop computers alike, including heavily VPN-based laptop computers, for years. The user's profile *is* data, like it or not. Their personalized registry settings, etc, are important things that people miss if they're gone. Once you've redirected out "My Documents" (and possibly "Desktop" and "Application Data") the remaining romaing portion of the profile is pretty small and easy to deal with. – Evan Anderson Jul 27 '09 at 22:24
  • http://en.wikipedia.org/wiki/Windows_Registry#HKEY_CURRENT_USER_.28HKCU.29 – Trondh Jul 28 '09 at 05:10
0

The offline folders feature of Windows XP/Vista Pro/Business will keep things synced. Depending on how much data is changed offline, the time to sync will increase (obviously) but it does not occur "at logon" but rather after the user logs on in the background. This will solve your issues of users having offline and remote access to their files as well as how to sync them back when they're back in the office.

Kevin Kuphal
  • 9,134
  • 1
  • 35
  • 41
0

Another option might be to you tortoise SVN if you want a more manual approach to the document management. They can keep their copies offline and check them in as needed, you don't really need to be to technically gifted to use it.

When using Offline Files, just remember that certain files are not cached or synced ( db sort of files). Most notable of them would probably be .pst (outlook) files. Here is a technet article on this. Just mentioning this because others have references offline files, and not knowing this can bite you in the butt in the case of backups :-)

Kyle Brandt
  • 83,619
  • 74
  • 305
  • 448
0

My recommendations are to suggest deploying 'My Documents' 'Desktop' in addition to Implementing Roaming Profiles.

For sales or other departments whom have a need to access personal documents setup their home folders in ADUC user properties panel to map to a drive letter and path of the user ie. \fileserver\users\%profilename% and permissions will automatically be created to restrict other users for complaince and privacy reasons.

As another alternative for document sharing with security, Sharepoint even the free WSS is a great resource.

Nick O'Neil
  • 1,771
  • 11
  • 10