I work for an SMB. Our central office houses our servers, and users in that office have accounts with roaming profiles. In the near future, we are looking to invest in branch AD servers, which will then be configured to house roaming profiles for their respective branches. All branches are a part of the same domain.

However, occasionally a manager may go to another branch and log in to a workstation there. At that point, their roaming profile (which might be several GB in size) will try to pull down to that workstation. Even across a decent WAN connection, this can take all day.

I've looked at Group Policy (Computer\Policies\Admin Templates\System\User Profiles). Nothing there, by itself, seems to be quite what I am looking for.

Ideally, what I would like to do is have GPOs linked to each branch's parent OU that tell each branch workstation to only roam profiles that have a security group targeting that branch. (E.g. our New York workstations only allow roaming profiles for users who are members of the "New York Roamers" security group, so that when someone from Seattle sits down at a workstation in New York, their profile does not try to roam from the server in Seattle.)

Does anyone know how to implement such a solution? Or have a recommendation on how to achieve the goal in another fashion?

Thanks in advance.

ltwally
  • Roaming profiles when configured via GPO are Computer Configuration settings. You can't filter or apply Computer Configuration settings based on a security group that contains users as members. I'm at a loss to see how you can accomplish this. – joeqwerty Apr 04 '17 at 16:19
  • Right. What I'm looking for isn't necessarily that exact solution, but one that allows me to set up our systems so that a roaming profile only roams if the user is logging in to a workstation of the branch that the user in question is associated with. Put another way, I am looking to block roaming profiles for logins from users that belong to branch A but are logging into a workstation at branch B. I don't want to altogether disable roaming profiles, just keep them from over the WAN. – ltwally Apr 04 '17 at 19:16
  • Have you considered using Folder Redirection instead of roaming profiles? Or setting up a Remote Desktop Server in your headquarters for traveling managers to RDP back to while they're on the road. Those types typically have laptops and do not need a roaming profile… – Clayton Apr 05 '17 at 14:15
  • I'm wondering whether there's a hacky workaround involving DFS - so the profile path is set to \\MyDomain\Profiles\, which exists in each branch and has a dummy folder (containing no data) for each user. – Matt Apr 05 '17 at 23:50

1 Answer


You might be able to do something like this... You probably assign the profile path directly on the user account. You could clear the account profile attribute, and replace it with a profile path assigned through GPO.

Computer Configuration/Administrative Templates/System/User Profiles
Set roaming profile path for all users logging onto this computer

Create a GPO for NewYork profiles, link it to your NewYork workstation OU, and assign a value like: \\NEWYK_PROF_SERV\Profiles\%USERNAME%
Create a GPO for Seattle profiles, link it to your Seattle workstation OU, and assign a value like: \\SEATL_PROF_SERV\Profiles\%USERNAME%

This way, profiles are assigned per OU or branch location, not per user. Do not create a GPO for locations without a local server to store roaming profiles; then nobody has a roaming profile when they log in to workstations at that location. When a user logs into a NewYork workstation, they get their NewYork profile. When the same user logs into a Seattle workstation, they get their Seattle profile, or a new blank profile.

Clayton
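The per-branch GPO setup the answer describes, written out as an added PowerShell example (this is not code from the original question or answer). It uses the RSAT GroupPolicy and ActiveDirectory modules; the OU distinguished names, server names, share names and GPO names are assumptions for illustration. The policy "Set roaming profile path for all users logging onto this computer" is a registry-based Administrative Template, so it can be written with Set-GPRegistryValue instead of the GPMC editor.

```powershell
# Added example, not part of the original post.
# Builds one "machine profile path" GPO per branch that has a local profile
# server, links it to that branch's workstation OU, and clears the per-user
# profilePath attribute so accounts no longer carry the central-office path.
# All DNs, server names and share names below are assumptions.
#Requires -Modules GroupPolicy, ActiveDirectory

# Registry location behind:
#   Computer Configuration\Administrative Templates\System\User Profiles\
#   Set roaming profile path for all users logging onto this computer
$PolicyKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyValue = 'MachineProfilePath'

# One entry per branch WITH a local profile server. Branches without one are
# deliberately absent, so nothing roams when someone logs on there.
$Branches = @(
    @{ Name = 'NewYork'
       OU   = 'OU=Workstations,OU=NewYork,DC=corp,DC=example'   # assumed DN
       Path = '\\NEWYK_PROF_SERV\Profiles\%USERNAME%' }
    @{ Name = 'Seattle'
       OU   = 'OU=Workstations,OU=Seattle,DC=corp,DC=example'   # assumed DN
       Path = '\\SEATL_PROF_SERV\Profiles\%USERNAME%' }
)

foreach ($b in $Branches) {
    $gpoName = "Profiles - $($b.Name)"

    # Check the share root is reachable before pointing every logon at it;
    # a wrong path here means temporary profiles for the whole branch.
    $shareRoot = $b.Path -replace '\\%USERNAME%$', ''
    if (-not (Test-Path -LiteralPath $shareRoot)) {
        Write-Warning "$gpoName : share root $shareRoot not reachable, skipping"
        continue
    }

    # Create the GPO once; re-running the script just updates the value.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment "Per-branch roaming profile path ($($b.Name))"
    }

    # Computer-side policy value; %USERNAME% is expanded by the profile service at logon.
    Set-GPRegistryValue -Name $gpoName -Key $PolicyKey -ValueName $PolicyValue `
                        -Type String -Value $b.Path | Out-Null

    # Link only to this branch's workstation OU, and only if not already linked.
    $alreadyLinked = (Get-GPInheritance -Target $b.OU).GpoLinks |
                     Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $alreadyLinked) {
        New-GPLink -Name $gpoName -Target $b.OU -LinkEnabled Yes | Out-Null
    }
}

# The per-computer policy is read before the account's profilePath, but at a
# branch with NO policy the account attribute would still send the profile
# across the WAN. Clearing it, as the answer suggests, removes that fallback.
$UsersWithPath = Get-ADUser -Filter 'profilePath -like "*"' -Properties profilePath
foreach ($u in $UsersWithPath) {
    Write-Host "Clearing account profile path on $($u.SamAccountName): $($u.profilePath)"
    Set-ADUser -Identity $u -Clear profilePath
}

# Show what each branch GPO will hand out, for a final eyeball check.
foreach ($b in $Branches) {
    $gpoName = "Profiles - $($b.Name)"
    Get-GPRegistryValue -Name $gpoName -Key $PolicyKey -ValueName $PolicyValue |
        Select-Object @{ n = 'GPO'; e = { $gpoName } }, Value
}
```

Two things worth checking before rolling this out. First, the policy applies to every account that logs on to a linked workstation, including IT staff doing desk-side support, so they will also get a profile on the branch server. Second, the branch share needs the usual roaming-profile ACLs (users can create their own folder under the share root but cannot browse or open anyone else's); a share that grants Authenticated Users Modify on the root lets any branch user read colleagues' profile data.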