Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


February 2008

Best Practices for Managing User Data and Settings, Part 1

An effective server-side back end will help you handle an otherwise intricate chore
From the February 2008 Edition
of Windows IT Pro
Dan Holme
Feature
InstantDoc #97841
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More User Management and Profiles Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Create the Physical Namespace of Folders for UDS Stores
To support your security, mobility, availability, and resiliency business requirements, the redirected folders and roaming profiles have to go somewhere. The data will end up on a network server. That server must have a folder structure that supports UDS manageability. I recommend the folder structure that Figure 1 shows for each user on the server. Some of the structure’s features might surprise you.

Notice that the structure doesn’t use a flat namespace. Instead, all the typical user data stores—including Desktop and Documents— are contained within a parent folder called Data. You’ll use this Data folder when you decide to implement quotas for user data storage. A user’s quota should be universal: It should apply to data whether it’s stored in the Documents, Desktop, or media folders. To apply a quota to user data stores effectively, those stores must reside under one parent folder. However, you can’t use the user’s top-level folder (e.g., \jfine) for that quota, because there are other stores—the Backups and Profiles folders—that shouldn’t be subject to the same quota.

Having the Data folder gives you a management scope—a container that represents all day-to-day user data stores. You can use this folder to apply a quota for the user’s data. You can also use it to scope file screens that prevent certain types of data from being stored on the network. The concepts of quotas and file screens are familiar, and Windows makes them easy to implement and manage in Server 2008 and Windows 2003 R2. Check out the File Server Resource Manager (FSRM) Help documentation for details.

Figure 1 also shows two profile folders: \Profile and \Profile.V2. Vista appends a .V2 extension to the folder hosting the user’s roaming profile. So, if you configure a user’s profile path as \\namespace\%username%\profile, the roaming profile for a user will be in the Profile folder if the user logs on to an XP system, and in the Profile.V2 folder if the user logs on to a Vista system—automatically. Because of significant differences in registry and AppData structure, there’s no way to unify those two settings stores for Vista and XP users. They’ll be separate. That’s another good reason for ensuring that roaming profiles manage only those two stores.

The profile folders are first-level folders, not subject to the quota that is implemented on the Data folder. Profiles shouldn’t be subject to quotas because if the system encounters a quota limit during synchronization, the profile can become corrupted. In Part 2, you’ll see that in the UDS framework, profiles will contain only AppData and the ntuser.dat registry file, so you’ll eliminate profile bloat, manage profile size, and improve synchronization. Profiles simply won’t grow too large, so you’ll be better served by having profiles “quota free.”

The Backups folder solves a business-datamanagement scenario that Windows doesn’t address with redirected folders and roaming profiles. (You’ll see how useful it is in Part 2.) You can also use this folder to archive user-specific data (e.g., old .pst files) that isn’t needed regularly and therefore doesn’t need to be available offline for laptop users. You’ll manage which data goes in Backups and how it gets there with mechanisms other than roaming profiles and redirected folders. Backups isn’t a subfolder of the Data folder, so it can be configured with a quota that’s separate from the quota applied to normal day-to-day data stores.

Above these folders is a single parent folder for the user, and above the user folders is a single parent for all users on the server. In Figure 1, the top-level folder is called Users. Of course, all these folders must be secured according to your organization’s information security policy. On the Users folder, assign the permission System::Allow::Full Control, along with permissions that enable appropriate administrative and support access to user data stores. For example, you can grant a security auditing team Read permission for the user data stores, and you can give the Help desk permission only to the top-level user folders, but not to subfolders. The resource kit offers further information, as well as tools to help you secure the user data folder structure on the server.

One exciting byproduct of setting everything up correctly is that you won’t need to provide any permissions to normal users at the root Users folder. As long as each user has Full Control of his or her individual \%username% folder, no permissions at the Users folder level are necessary. The default user right to traverse folders will let the user “jump through” (without accessing) the Users folder, straight to his or her folder. Therefore, users have no permission to look in, browse through, or even see other users’ folders. Now that’s least-privilege security!

There’s a catch: You must provision the folder tree for each user before applying redirected folders and roaming profiles. That is, you must pre-create the folder structure that Figure 1 shows. Again, the resource kit can help you automate the provisioning of user data stores; it even provides a series of folder-provisioning script samples. You can also obtain the scripts from www.intelliem .com/resourcekit.

Create the SMB Namespace of Shared Folders for UDS Stores
SMB namespace is a fancy term for discussing the standard, server-based Universal Naming Convention (UNC) paths to the UDS stores. You’re certainly familiar with paths such as \ servername\users$\%username%. Such UNCs are navigating to a folder through an SMB namespace.

The correct SMB namespace for a UDS framework requires that the top-level folder, Users, be shared twice. The first share will be used in paths to user data stores. Most organizations share the top-level folder with a hidden share name such as Users$. SMB paths to users’ documents folders, for example, would be \ server\users$\%username%\data\documents.

On the Users$ share, be sure to assign the Full Control share permission to the group of users who have data stores on the server. The NTFS permissions on the root Users folder and on each user’s root folder will control effective access. Remember that users actually don’t have NTFS permissions on the Users folder, so the Everyone::Allow::Full Control share permission is fine for the Users$ share.

   Previous  1  [2]  3  Next 


Learning Path Windows IT Pro Resources
"Using IntelliMirror to Manage User Data and Settings"

"Managing User Profiles"

"10 Ways to Manage Desktops with Group Policy"

"Inside User Profiles"

"User-State Migration"


Microsoft Resources
"Windows Administration Resource Kit"

"User Data and Settings Management"
Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Understanding File-Size Limits on NTFS and FAT

A general confusion about files sizes on FAT seems to stem from FAT32's file-size limit of 4GB and partition-size limit of 2TB. ...
Related Events WinConnections and Microsoft® Exchange Connections

Check out our list of Free Email Newsletters!
Windows OSs eBooks Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

SQL Server Administration for Oracle DBAs
Related Windows OSs Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
EMC SAN vs. DAS Exchange 2007 Calculator
Calculate your savings now!

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Disaster Recovery Strategies – Tips and Tricks
Determine how you can achieve your DR objectives as simply and cost-effectively as possible.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement