Q: What's the goal of the primary computer feature that Microsoft introduced in Windows Server 2012 Active Directory (AD)? How can I leverage this feature to better protect our corporate data?

A: The primary computer feature lets AD administrators label AD computer objects as the primary computers of specific domain users. Administrators can use it to specify the computers on which a user's roaming profile may be downloaded and the computers on which the user can access their redirected folders. When users log on to computers that haven't been labeled as their primary computers, they get a local profile and no access to their redirected folders.

In this age of the consumerization of IT and trends such as bring your own device (BYOD), the primary computer feature is a powerful way to associate or dissociate user data and settings with particular computers or devices. Designating primary computers reduces the security and privacy risk of downloading, or leaving behind, personal and corporate data on personal or public computers that users have logged on to.

The primary computer feature is based on a set of new Group Policy Object (GPO) settings and an AD schema extension. When a user logs on to a Windows 8 or Server 2012 machine, the logon logic checks the status of two GPO-controlled settings to determine whether the msDS-Primary-Computer attribute on the AD user account object of the user who is logging on should influence the decision to roam the user's profile or apply folder redirection. The two GPO settings are:

  • Download roaming profiles on primary computers only, which is located in the User Configuration\Policies\Administrative Templates\System\User Profiles GPO container
  • Redirect folders on primary computers only, which is located in the User Configuration\Policies\Administrative Templates\System\Folder Redirection GPO container

You can use the Active Directory Administrative Center or Windows PowerShell cmdlets to populate an AD user object's msDS-Primary-Computer attribute with the distinguished names (DNs) of the computer accounts that should be marked as that user's primary computers.
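As an added example (not code from the original column), this is how the attribute can be populated and checked with the ActiveDirectory PowerShell module; the user, computer and OU names are placeholders, and it assumes the RSAT ActiveDirectory module and a Server 2012 schema.

```powershell
# Added example, not from the original column. Assumes the ActiveDirectory
# module (RSAT) and a Server 2012 schema; names below are placeholders.
Import-Module ActiveDirectory

$UserName     = 'jdoe'                      # placeholder sAMAccountName
$PrimaryHosts = 'WS-JDOE-01', 'LT-JDOE-02'  # placeholder computer names

# The attribute stores distinguished names, not computer names, so resolve
# each computer account first and fail loudly on a typo instead of writing
# a DN that points at nothing.
$computerDNs = foreach ($name in $PrimaryHosts) {
    $c = Get-ADComputer -Filter "Name -eq '$name'"
    if (-not $c) { throw "Computer account '$name' not found" }
    $c.DistinguishedName
}

# Replace the whole multi-valued attribute rather than appending, so stale
# entries for decommissioned machines do not linger as primary computers.
Set-ADUser -Identity $UserName -Replace @{ 'msDS-Primary-Computer' = $computerDNs }

# Read back what the directory now holds for this user.
$user = Get-ADUser -Identity $UserName -Properties 'msDS-Primary-Computer'
$user.'msDS-Primary-Computer'

# Audit: list users in an OU who have no primary computer designated yet,
# so they can be reviewed before the two GPO settings are enabled.
$ou = 'OU=Staff,DC=example,DC=com'   # placeholder OU
Get-ADUser -SearchBase $ou -Filter * -Properties 'msDS-Primary-Computer' |
    Where-Object { -not $_.'msDS-Primary-Computer' } |
    Select-Object SamAccountName, DistinguishedName
```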

Support for the primary computer feature requires that your AD schema be upgraded to Server 2012, and the feature can only be used on domain-joined Server 2012 and Windows 8 machines. For more details on how to set this up, I recommend that you read the Microsoft Storage Team blog post "Configuring Primary Computers for Folder Redirection and Roaming Profiles in Windows Server '8' Beta."