Reevaluating your desktop-management strategy
Desktop computers are an integral component of most businesses. Consider the increasing dependence on the desktop platform and the value of the data that resides on your desktop machines, and ask yourself whether you need to reevaluate your desktop-management strategy. When one of your users suffers a hard disk failure, how quickly can you get that user back online? How will you recover the data, and how can you restore the operating environment so that the user can regain access to the tools that user needs to do his or her job? Using Windows 2000 Server's IntelliMirror features with Windows XP and Win2K clients, you can design and implement an effective strategy to manage user data and settings without breaking the bank or your back.
IntelliMirror is a technology for which you might receive five different descriptions from five different IT professionals. But in a nutshell, IntelliMirror is a set of tools that provides user data management, user settings management, computer settings management, and Group Policy–based software installation and maintenance. The enabling technologies for these components are Active Directory (AD) and Group Policy. Let's concentrate on user data management and user settings management—specifically the roaming user profiles, folder redirection, and offline files features.
Why and How
Data is typically the lifeblood of a user's job. You must protect this data and ensure that it remains highly available to the user. By redirecting the My Documents folder to a server share that's part of a regular backup routine, you can keep user data safe.
The offline files capability, also known as client-side caching, can store a local copy of the redirected files. This feature adds a level of redundancy for user data and makes that data available even when network connectivity is nonexistent or, with XP, slow (XP's Slow Link Threshold feature directs the system to use offline files when the connection speed is inadequate).
User profiles contain settings that users configure for applications and the UI to create a customized work environment. To maximize user productivity, this environment should follow users if they need to use another computer or if they receive a replacement machine. Roaming user profiles store copies of user profiles on a network share, so the profiles remain available regardless of where users log on.
By employing all three of these technologies—folder redirection, offline files, and roaming user profiles—you can deliver to the end user the best combination of data protection, performance, and availability. Theoretically, the order in which you apply these features doesn't matter, but when starting from scratch (i.e., none of these technologies are enabled), my preference is to employ folder redirection first to get the lion's share of the data out of the user profile before you enable roaming profiles and an offline files synchronization occurs.
Because of the reach of these tools and the importance of user data, I recommend that you try these techniques in a test environment first. Monitor the performance of client systems and server disk use in your test bed before you turn your user population into unwitting guinea pigs. You might determine that upgrades to storage or network infrastructure are required for a successful implementation.
You can use Group Policy to specify which My Documents folders to redirect. If you're managing XP clients, see the Microsoft article "Upgrading Windows 2000 Group Policy for Windows XP" (http://support.microsoft.com/?kbid=307900) to learn how you can ensure that all XP Group Policy settings remain available to you in a Win2K Server environment. Keep in mind that the exact locations and names of Group Policy settings might vary between XP and Win2K; the settings I refer to pertain to XP.
Create a new Group Policy Object (GPO), then expand the User Configuration, Windows Settings, Folder Redirection objects. You'll see the four folders that you can redirect: Application Data, Desktop, My Documents, and Start Menu. You also have the option of including or excluding the My Pictures folder, which is within My Documents. When configuring the properties for folder redirection, you can select Basic or Advanced settings (or, if you want to disable folder redirection, you can select No administrative policy). The Basic setting lets you redirect the folder for all users who process the policy to one share. The Advanced setting lets you assign redirected folders to different shares according to security group membership.
You must perform the steps I describe for each folder that you want to redirect. To configure folder redirection, right-click the folder and choose Properties. On the properties page for the selected folder, you'll see the Target and Settings tabs, which Figure 1 shows. From the Setting drop-down list on the Target tab, choose Advanced - Specify locations for various user groups. Next, click Add to configure redirection settings for a particular Security Group. On the Specify Group and Location screen, browse to and select the Security Group to which these settings will apply. In the Target Folder Location field, enter the path to the server share to which you want to redirect the folders.
The Advanced settings let you specify different locations for redirected folders according to Security Group membership. Let's use Security Groups called Main Office Users, Branch A Users, and Branch B Users to help localize network traffic between client systems and servers. I recommend that you let the system create the target folder. To simplify this process, use the username variable and supply a name for the final destination folder. For example, if you're redirecting My Documents to a share named UFolders, specify the path \\ServerX\UFolders\%username%\MyDocs for the target folder. You can rename the MyDocs portion of the path to whatever suits you, but note that you must create a different folder for each folder you redirect. So, the My Documents folder would redirect to the MyDocs subfolder, Application Data would redirect to the AppData subfolder, and so on. Figure 1 shows some typical entries for redirecting the My Documents folder. From this example, you can determine that the My Documents for a user named JSmith, a member of the Main Office Users Security Group, would redirect to \\Server-E1\RFolders\JSmith\MyDocs.
Users with large amounts of data will experience a delay the first time they log on while the system transfers their files to the redirected location. During this process, an Applying your personal settings message will display.
Thus far, you haven't had to take any special steps to accommodate the differences between working with XP and Win2K client systems. However, the two OSs handle configuring offline files in conjunction with redirected folders differently. XP Professional Edition automatically makes redirected folders available offline at the time they're redirected. With Win2K Professional clients, however, you must configure the offline file settings either manually or through Group Policy. You can use the Win2K client's Offline Files Wizard to configure the parameters, or you can use the Group Policy setting Administratively assigned offline files, which is in User Configuration\Administrative Templates\Network\Offline Files, to configure the change to apply to many clients. Whether you use the Offline Files Wizard or Group Policy, the paths you specify for the offline folders must match those you specified when you redirected the folders. Setting a system variable for the destination server can be useful when applying this policy to a group of users or computers that store their redirected folders on different servers. Figure 2 shows how you can use Group Policy to administratively assign offline folders—in this case by using the Udataserv variable in place of a server name. You probably won't want to change XP's default behavior, but should the need arise, you can use the Do not automatically make redirected folders available offline Group Policy setting under Administrative Templates\Network\Offline Files.
Roaming User Profiles
If you've experienced the nightmare of using roaming profiles under Windows NT 4.0, you might be cursing my name for even broaching the subject. Although Microsoft has improved the basic functionality of roaming user profiles, the most dramatic usability gains result from using folder redirection to get user data out of the profile. Roaming profile synchronization methods can adequately handle the relatively small amount of remaining data that makes up the profile.
To use roaming profiles in your environment, you must create a share on a server that will hold user profile data and grant all users full control of the share. Next, in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, open the properties for the users for which you want to configure roaming profiles. Click the Profile tab and, in the Profile path field, enter the path in which you want to store the user profile by using the syntax \\server\share\%username%, as Figure 3 shows. The next time the user logs on, the system will create a folder with the user's name in the specified share. The system will copy profile data for the user to the new folder, then synchronize the data between the folder and the client system the next time the user logs off.
Group Policy isn't required to make roaming profiles work, but Group Policy settings let you better manage profile size and behavior. You can find the Group Policy settings that relate to roaming user profiles in the following locations:
- User Configuration\Administrative Templates\System\Logon/Logoff
- Computer Configuration\Administrative Templates\System\Logon
Under User Configuration, you can find settings for limiting the size of roaming user profiles and excluding directories within the profile from the roaming portion. By default, when you enable the Exclude directories in roaming profile policy, the system populates the list of directories to exclude with Local Settings, Temporary Internet Files, History, and Temp.
Under Computer Configuration are roaming profile settings that let you delete cached copies of roaming profiles, add the Administrators security group to roaming user profiles, and specify how the system should respond to slow network connections. Deleting cached copies of profiles can be useful for limiting disk use on computers that many users log on to. If you think you might need access to the contents of the user profiles on the server, enable the policy that adds administrator access rights to the permissions set for new profiles. You can limit the size of stored user profiles by enforcing a quota, but weigh your reasoning for enforcing such quotas against the potential administrative burden of responding to calls from users whose profiles exceed the quota. A wide range of options is available for configuring the behavior of roaming profiles under slow or disconnected network conditions. You can tailor these configurations to your environment, but be sure to test them to ensure that you don't hamper user productivity. Also, be aware that if you enable the Do not detect slow network connections setting, the system ignores all settings that relate to slow connection detection.
Ensuring a Smooth Implementation
Several other policies and practices can help ensure a smooth implementation of the user settings and data management technologies we've discussed. Here are some suggestions:
- Apply the Synchronize all offline files before logging off policy under User Configuration\Network\Offline Files to provide the best performance for offline files.
- Don't redirect folders to a Microsoft Dfs volume because synchronization problems will likely occur.
- Enable the Always wait for the network at computer startup and logon policy under Computer Configuration\System\Logon for XP clients to provide the best user experience with roaming profiles. No changes are necessary for Win2K clients, whose default behavior is to use synchronous logons.
- Don't use Encrypting File System (EFS) to encrypt any data that resides within a roaming user profile because the certificate required to decrypt a file won't be available on other computers to which the user might roam.
- Fine-tune the settings that pertain to slow links for both roaming user profiles and folder redirection to arrive at an optimal solution for your mobile users. You'll have to perform some testing to determine the minimum usable bandwidth that still provides a workable solution for roaming profiles and offline folders. You can then enter the appropriate minimum speed for offline files for the Configure Slow link speed setting under Computer Configuration\Administrative Templates\Network\Offline Files (XP only). Roaming user profiles use a timeout setting to abort loading a profile remotely over slow connections. When you've determined a workable value, you can set the Slow network connection timeout value under Computer Configuration\Administrative Templates\System\User Profiles.
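Because every user has full control at the share level, the permissions on each \\server\share\%username% folder are what keep users out of one another's profiles, and the EFS item above is easy to violate without noticing. The following PowerShell audit is an added example, not part of the original article: it lists profile folders that grant access to unexpected accounts or contain EFS-encrypted files. The share path is a placeholder, and the script assumes English built-in account names and folder names that match usernames.

```powershell
# Added example: audit the folders under a roaming-profile share.
# $ProfileRoot is a placeholder. Run with an account that can read the folders
# (for example, with the policy that adds Administrators to new profiles enabled).
param([string]$ProfileRoot = '\\server\share')

# Principals expected besides the profile's own user (English names; an assumption).
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'

function Test-ProfileFolder {
    param([System.IO.DirectoryInfo]$Folder)

    # The folder name is the %username% value; later Windows versions append .V2, .V3, ...
    $user = $Folder.Name -replace '\.V\d+$', ''
    $acl  = Get-Acl -LiteralPath $Folder.FullName

    # Collect Allow entries for anyone other than the user or the expected principals.
    # Unresolved SIDs (deleted accounts) do not match the username and are reported too.
    $unexpected = @(foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if (($id -split '\\')[-1] -ne $user -and $expected -notcontains $id) {
            "$id=$($ace.FileSystemRights)"
        }
    })

    # Files with the EFS attribute cannot be opened on machines that lack the certificate.
    $efs = @(Get-ChildItem -LiteralPath $Folder.FullName -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })

    [pscustomobject]@{
        Profile          = $Folder.Name
        Owner            = $acl.Owner
        UnexpectedAccess = $unexpected -join '; '
        EfsFileCount     = $efs.Count
    }
}

# Report only the profiles that need attention.
Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Test-ProfileFolder $_ } |
    Where-Object { $_.UnexpectedAccess -or $_.EfsFileCount -gt 0 } |
    Format-Table -AutoSize
```

An empty result means every profile folder is limited to its user plus the expected principals and holds no encrypted files.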
A Powerful Combination
Folder redirection, offline files, and roaming user profiles all have merit as standalone features. However, when you combine these features into a comprehensive user data and settings management solution, you'll realize the greatest benefit.