New to Windows Server

Wyndru

Up until now, I've been working in Novell, and recently our school has decided to move to a Windows Server (2008).

I won't be the person administrating it, but I have been asked to gather some info about how we should set up accounts (group policy, user profiles, etc...). I have a basic question about how Server 2008 handles user profiles, specifically on the user PCs.

From our initial testing we noticed that each account that logs into a computer gets its own profile on the computer (their own documents and settings folder) built from the default user local account. Because we have labs, this will end up cluttering our workstations with the 2000 students logging into the machines. With Novell this didn't happen, we just had 1 local account and after they logged into the Novell server, they automatically logged into this account. It was clean and easy to manage. Is there a way in Server 2008 to set it up so that each log-in doesn't get their own local profile on the PC?

I've looked at a few options for profile management on Server 2008, but I'm not sure what would be the best option for us. Roaming would be too much network overhead and I'd be worried about what happens when students' profiles get corrupted. Mandatory profiles also re-download a new profile each time, I assume also causing a lot of network overhead. Local profiles create a new profile each time someone logs in; in a lab environment where a ton of kids will be logging in, I'm worried that all of the local profiles will eventually clutter and slow down the workstation.

Ultimately we are just looking to have accounts log in, have mapped drives, use the default profile on the computer itself, and lock down certain aspects of the computer with the account's associated organizational unit group policy. Anyone have suggestions on how this can be achieved, or how this is done in environments such as labs where multiple people are logging into the same computers?

Thanks.
 

tomt4535

If you don't want to run roaming profiles, you could also use folder redirection through group policy. The users will still get a local profile on the PC (no way to get rid of that AFAIK), but you can redirect things like the desktop and My Documents, etc. to a network drive.
 

imagoon

Tell the machines to discard the profile on log out. It is in group policy.

Google fu:

http://support.microsoft.com/kb/274152

edit:

Another method:

Configuration\Administrative Templates\System\User Profiles for Deleting a user profile older than a specified number of days

Yet another method is to build a single mandatory profile and set all the student accounts to use it.
 

Wyndru

> If you don't want to run roaming profiles, you could also use folder redirection through group policy. The users will still get a local profile on the PC (no way to get rid of that AFAIK), but you can redirect things like the desktop and My Documents, etc. to a network drive.

That's what I figured, I spoke with a network consult we work with and he basically said the same. I just understand how other schools do it without having to reclone their computers every couple of months. I can only imagine how many students log onto any given PC in a day. It seems they would get loaded up and the registry would be huge after a while.

> Tell the machines to discard the profile on log out. It is in group policy.
>
> Google fu:
>
> http://support.microsoft.com/kb/274152
>
> edit:
>
> Another method:
>
> Configuration\Administrative Templates\System\User Profiles for Deleting a user profile older than a specified number of days
>
> Yet another method is to build a single mandatory profile and set all the student accounts to use it.

I saw the first and last option you posted, but we want to avoid roaming profiles completely if possible, it looked like both of these options require that the profile be pulled down from the server at each logon.

I'll try out the 2nd method and just set it to delete anything older than a day (if it works without requiring roaming profiles).

We were really hoping that we could just have a logon screen that logs into a single local profile (that would be on every computer in the lab), yet applies the permissions from the GPO associated with the account.
 

imagoon

> I saw the first and last option you posted, but we want to avoid roaming profiles completely if possible, it looked like both of these options require that the profile be pulled down from the server at each logon.
>
> I'll try out the 2nd method and just set it to delete anything older than a day (if it works without requiring roaming profiles).
>
> We were really hoping that we could just have a logon screen that logs into a single local profile (that would be on every computer in the lab), yet applies the permissions from the GPO associated with the account.

No it doesn't. You can't get around having a profile, if there is no roaming profile (there isn't by default,) you must enable and build roaming profiles in AD before roaming would even come in to play. Default is copy from local workstation's default profile.
 

Wyndru

> No it doesn't. You can't get around having a profile, if there is no roaming profile (there isn't by default,) you must enable and build roaming profiles in AD before roaming would even come in to play. Default is copy from local workstation's default profile.

It will always create a new copy of the default profile for each user that logs in on that computer though, correct? We are just worried if we had 200 students log into the computer in 1 month, that those 200 profiles on 1 computer start to cause issues, or even slow down the computer. Maybe we are over-thinking it.

The way Novell worked was it was 2 part: log into the Novell server (which mapped drives and assigned permissions) then the next screen they would log into a local profile (which we created already for them). There was only 1 profile on every computer.

[edit]I just tested those options you posted, but it didn't delete the local profile when logging off. We may have to configure it like tomt mentioned above and just assign save locations to the network. We already had the desktops locked down so they couldn't save files there at all, so all we need to do is make their my documents point to their network drives, and possibly their favorites too if it's possible. The profiles created are only around 10megs a piece, hopefully it won't slow the PC down too much after a lot of kids log on.
 

imagoon

Which OS? The delete on log off is one of the older (2k / XP) methods. Also did you wait about 45 minutes (or force a group policy update) after you made the change? The Windows 7 one will delete them on reboot.
 

Wyndru

> Which OS? The delete on log off is one of the older (2k / XP) methods. Also did you wait about 45 minutes (or force a group policy update) after you made the change? The Windows 7 one will delete them on reboot.

XP SP3, I did a gpupdate /force and also rebooted. I selected the "Delete cached copies of roaming profiles" option, although I'm not using a roaming profile. Everything else I have tested in the policy works fine, so I know the user is getting the changes I make. For some reason it won't delete the local profiles in documents and settings. I have been testing with 3 different users, I still have 3 folders in there.
 

imagoon

Ah see I was dumb... and realized that local isn't roaming and that XP doesn't do it the same way as Vista/7. For XP I would do this then:

You can use Microsoft's Delprof.exe, as long as it is ok that all
existing profiles are deleted, including the Administrator profile
(no big deal really, it will be recreated automatically when you log
on with the Administrator account, getting the settings from the
"Default User" profile).

Put Delprof.exe in a computer startup (with a GPO) that runs as part
of the boot up process (before the user logs in). Run the command
using the /Q switch (Delprof.exe /Q), it will delete all existing
profiles on a computer.

It will not touch any other folders in the "C:\Documents and Settings"
folders, such as "All Users", "Default User", "LocalService" and
"NetworkService", it will only delete "real" user profiles.


Delprof.exe is in the free Windows Server 2003 Resource Kit.



I used to use it to clean up PC's prior to Vista / 7. Basically on reboot it wipes out anything that is there. Using that and then using AD to schedule a lab reboot on say Monday at 2AM would handle it.
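
Added example, not part of the thread or any poster's script: the Delprof.exe startup cleanup described above applies to XP; on the Vista / Windows 7 clients imagoon mentions, the same idea can be scripted against the Win32_UserProfile WMI class. The parameter names, the log path and the one-day default threshold are assumptions chosen for illustration.

```powershell
# Added example: age-based cleanup of local user profiles on Vista / Windows 7
# lab machines, meant to run as a computer startup script (runs as SYSTEM).
# Assumptions: PowerShell 2.0 or later and the Win32_UserProfile WMI class
# (not present on XP). $MaxAgeDays, $KeepAccounts and $LogPath are
# hypothetical names picked for this example.
param(
    [int]$MaxAgeDays = 1,
    [string[]]$KeepAccounts = @('Administrator'),
    [string]$LogPath = "$env:SystemRoot\Temp\profile-cleanup.log",
    [switch]$Delete          # without -Delete the script only reports
)

function Write-Log([string]$Message) {
    # One timestamped line per decision, so a lab tech can audit what happened
    $line = '{0}  {1}' -f (Get-Date -Format 's'), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Special = $true marks the service profiles (LocalService, NetworkService,
# systemprofile). Loaded = $true means the registry hive is currently in use,
# so the profile belongs to a logged-on session and must be left alone.
$candidates = Get-WmiObject -Class Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded }

foreach ($p in $candidates) {
    $name = Split-Path -Path $p.LocalPath -Leaf

    if ($KeepAccounts -contains $name) {
        Write-Log "keep    $($p.LocalPath) (on keep list)"
        continue
    }

    # LastUseTime is a DMTF date string and can be empty; treat empty as "very old"
    $lastUse = if ($p.LastUseTime) {
        $p.ConvertToDateTime($p.LastUseTime)
    } else {
        [datetime]::MinValue
    }

    if ($lastUse -gt $cutoff) {
        Write-Log "keep    $($p.LocalPath) (last used $lastUse)"
        continue
    }

    if (-not $Delete) {
        Write-Log "would remove $($p.LocalPath) (last used $lastUse)"
        continue
    }

    try {
        # Deleting the WMI instance removes the profile folder and its
        # registry entry together, which a plain folder delete does not do.
        $p.Delete()
        Write-Log "removed $($p.LocalPath)"
    } catch {
        Write-Log "FAILED  $($p.LocalPath): $($_.Exception.Message)"
    }
}
```

Run it without -Delete first and read the log. Unlike Delprof.exe /Q, it leaves the Administrator profile in place unless that name is taken off the keep list.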
 

dawks

You can set it up so users only use mandatory profiles, where any changes are lost when a user logs off. You'd want to map network drives so they can have files follow them. Good for a school environment, since every student gets the same look/settings/options, only difference is the files on the network drive/share that they have access to. And changes are lost when a user logs off (not to the network share though).

http://support.microsoft.com/kb/307800

Note: When a user with an assigned mandatory profile logs off from a computer, any changes to the profile are lost.
 

Wyndru

> Ah see I was dumb... and realized that local isn't roaming and that XP doesn't do it the same way as Vista/7. For XP I would do this then:
>
> You can use Microsoft's Delprof.exe, as long as it is ok that all
> existing profiles are deleted, including the Administrator profile
> (no big deal really, it will be recreated automatically when you log
> on with the Administrator account, getting the settings from the
> "Default User" profile).
>
> Put Delprof.exe in a computer startup (with a GPO) that runs as part
> of the boot up process (before the user logs in). Run the command
> using the /Q switch (Delprof.exe /Q), it will delete all existing
> profiles on a computer.
>
> It will not touch any other folders in the "C:\Documents and Settings"
> folders, such as "All Users", "Default User", "LocalService" and
> "NetworkService", it will only delete "real" user profiles.
>
> Delprof.exe is in the free Windows Server 2003 Resource Kit.
>
> I used to use it to clean up PC's prior to Vista / 7. Basically on reboot it wipes out anything that is there. Using that and then using AD to schedule a lab reboot on say Monday at 2AM would handle it.

Awesome, I've seen some people mentioning this process, but not going into as much detail as you did. Thanks, I'll try it out tomorrow.
 

Wyndru

> You can set it up so users only use mandatory profiles, where any changes are lost when a user logs off. You'd want to map network drives so they can have files follow them. Good for a school environment, since every student gets the same look/settings/options, only difference is the files on the network drive/share that they have access to. And changes are lost when a user logs off (not to the network share though).
>
> http://support.microsoft.com/kb/307800

I was thinking about this, but was not sure about the network overhead associated with it. If I understand it correctly, it's basically a static roaming profile that sends itself each time a user logs in. I'm worried about when a new period starts in our high school and 500-600 kids are all logging on within 10 minutes.

Also I wasn't real clear about if it actually removes itself from documents and settings when a user logs off either.
 

postaled

Mandatory profiles are amazing. For all of the student accounts at one building they all share the same mandatory profile. Mine are 1.7MB? And they are hosted from a Windows server box. That way I can make a change and have it hit all students without issue.

We also redirect all start menus by groups in AD, in addition to their "My Documents"

It works really well. Even with 32+ laptops in one room logging on over wifi.

Also, we use Compuguard? Cornerstone to wipe the machines every reboot.
 

Wyndru

> Mandatory profiles are amazing. For all of the student accounts at one building they all share the same mandatory profile. Mine are 1.7MB? And they are hosted from a Windows server box. That way I can make a change and have it hit all students without issue.
>
> We also redirect all start menus by groups in AD, in addition to their "My Documents"
>
> It works really well. Even with 32+ laptops in one room logging on over wifi.
>
> Also, we use Compuguard? Cornerstone to wipe the machines every reboot.

Interesting. So your PCs don't have a bunch of folders for each user under documents and settings after a lot of students have logged into the same computer?

I guess if all you are doing is copying the registry and initial profile folders over, it wouldn't be a large transfer and maybe mandatory profiles would work for us. Could I just take an existing NTUSER.dat file and profile from a WinXPSP3 PC we already have configured, then just copy it over to the server and re-extension it to .man, or do I have to follow the instructions and build the account right on the server? We have Windows XP SP3 clients and the server is 2008. I wasn't sure if that is a problem or not, would I still be able to build a WinXPSP3 profile on this box?

I started playing around with pointing the "My Documents" to a server, but I'm trying to point it to \\SERVER\%usename%, similar to how I map their home drive, but I'm having a hard time with that. It doesn't seem to want to assign My Documents to a mapped drive, or to a UNC with a %username% variable. I still have to read up on that though. The mapping works great though, and goes to their correct folder with the %username% variable.
 

postaled

> Interesting. So your PCs don't have a bunch of folders for each user under documents and settings after a lot of students have logged into the same computer?

They would if the computer didn't reset to the configuration that I set up before enabling Cornerstone.

> I guess if all you are doing is copying the registry and initial profile folders over, it wouldn't be a large transfer and maybe mandatory profiles would work for us. Could I just take an existing NTUSER.dat file from a WinXPSP3 PC we already have configured, then just copy it over to the server and re-extension it to .man, or do I have to follow the instructions and build the account right on the server? We have Windows XP SP3 clients and the server is 2008.

Not sure, I've always built my profile from the ground up (clear it locally and on server, setting it up how I want it, then changing it to .man)

> I started playing around with pointing the "My Documents" to a server, but I'm trying to point it to \\SERVER\%usename%, similar to how I map their home drive, but I'm having a hard time with that. It doesn't seem to want to assign My Documents to a mapped drive, or to a UNC with a %username% variable. I still have to read up on that though. The mapping works great though, and goes to their correct folder with the %username% variable.

All of our users (staff/stu) their My Documents is actually just their home folder

I haven't looked at how all of our stuff is scripted, but it's been like this for probably 8-9 years. Ever since XP at least, possibly before.

If I remember I can check tomorrow.

Staff profiles have a tendency to get big until we excluded LOTS and lots of App data folders.

I see users with 4-5GB profiles all the time until we exclude whatever new folder is doing it.
 

Wyndru

> > Interesting. So your PCs don't have a bunch of folders for each user under documents and settings after a lot of students have logged into the same computer?
>
> They would if the computer didn't reset to the configuration that I set up before enabling Cornerstone.
>
> > I guess if all you are doing is copying the registry and initial profile folders over, it wouldn't be a large transfer and maybe mandatory profiles would work for us. Could I just take an existing NTUSER.dat file from a WinXPSP3 PC we already have configured, then just copy it over to the server and re-extension it to .man, or do I have to follow the instructions and build the account right on the server? We have Windows XP SP3 clients and the server is 2008.
>
> Not sure, I've always built my profile from the ground up (clear it locally and on server, setting it up how I want it, then changing it to .man)
>
> > I started playing around with pointing the "My Documents" to a server, but I'm trying to point it to \\SERVER\%usename%, similar to how I map their home drive, but I'm having a hard time with that. It doesn't seem to want to assign My Documents to a mapped drive, or to a UNC with a %username% variable. I still have to read up on that though. The mapping works great though, and goes to their correct folder with the %username% variable.
>
> All of our users (staff/stu) their My Documents is actually just their home folder
>
> I haven't looked at how all of our stuff is scripted, but it's been like this for probably 8-9 years. Ever since XP at least, possibly before.

Cool, thanks for the info, I have lots to play around with tomorrow. I'm still learning, but it's actually a bit easier than I thought it would be. A lot different than Novell, but not too confusing so far. I figured I wouldn't even be able to set up the DNS and ADDS. It's actually been fun. I'm sure I will be cursing at the box before we go live though.

> If I remember I can check tomorrow.
>
> Staff profiles have a tendency to get big until we excluded LOTS and lots of App data folders.
>
> I see users with 4-5GB profiles all the time until we exclude whatever new folder is doing it.

I think our students will be the only computers with the mandatory profiles, our staff and admin we will just leave local. They rarely move around, so it will be rare to have more than 2 accounts on each PC.

Faculty I'm not sure about though, our teachers move a lot, and they tend to be the ones with 10gb of movies in their folders.
 

postaled

> Faculty I'm not sure about though, our teachers move a lot, and they tend to be the ones with 10gb of movies in their folders.

It won't be just loading them with their profile though, so it's not really that bad? As in their home folder doesn't download to their PC so it won't clog up the network.

What kind of network between sites do you guys have?
 

Wyndru

> It won't be just loading them with their profile though, so it's not really that bad? As in their home folder doesn't download to their PC so it won't clog up the network.
>
> What kind of network between sites do you guys have?

Yeah after I thought about that, I realized that the data would be stored in their folders on the file server, not their profile. Unless they stick a folder with large files on their desktop? I don't know how the whole thing works yet.

Internal network we have gig fiber to the closets, then 100 to the clients, external (building to building) it's all fiber, I'm not sure how big a pipe though.
 

postaled

> Unless they stick a folder with large files on their desktop? I don't know how the whole thing works yet.

We actually exclude their Desktop from their roaming profile. Some people hate it, but they've learned over the last few years.

It was just too much data to back up.
 

imagoon

Wyndru, remember there is a difference between redirection and remapping in the Windows world. If you redirect it simply makes the My Docs link (example) point to a network share rather than local. All the files sit on the share. The remapping tries to sync the local profile with the server (XP, Vista and 7 use offline files for this). This works great with laptop users but obviously sucks for people that move around to lots of PCs.

The main issue is the people that store 50GB of crap on their desktop / my docs.

edit: * please read the descriptions, it is entirely possible I got remapping and redirection backwards.
 

postaled

> The main issue is the people that store 50GB of crap on their desktop / my docs.

I know that in "My Documents" alone we have probably 10TB of space used, at the very least.

And that is only staff, not students.

It's kinda nuts.
 

imagoon

> I know that in "My Documents" alone we have probably 10TB of space used, at the very least.
>
> And that is only staff, not students.
>
> It's kinda nuts.

What is even better.... if you didn't redirect... it would all be on local drives where it could be lost / stolen.
 

Wyndru

> We actually exclude their Desktop from their roaming profile. Some people hate it, but they've learned over the last few years.
>
> It was just too much data to back up.

We already don't allow students to save anything to the desktop (we remove non admin rights from that folder). It's actually been great, it keeps the desktops clean. I guess we could apply the same thing to Staff and Faculty, I'm sure they will be pissed at first, but get used to it.

Today I didn't get much done, had meetings all day, but I did play around with home directories. Got it to work, much cleaner than direct mapping to a folder using %username% (although I suspect it does the same thing in the actual GPO). What was nice was that I could just redirect "Documents" to their "home" and not have to pass a path.

I'm thinking it works great, then I realize it's forcing a synchronize (even when a local user logs in/out). I started reading up about disabling offline files, not having luck.

There are 3 different spots in the GP I am disabling offline files and it doesn't work (Computer/Network/Offline, User/Network/Offline and Folder Redirection). I can disable the exact same group policy rules on the local machine manually and it works, but if I do it from the server it doesn't disable (it just greys them out, but they are still enabled). I even got the blue sync arrows to disappear and it still tries to synchronize even though the offline files list shows there are no files eligible for sync. I see a lot of people on different forums with this issue, so I think this might be a tough one to figure out.

For now I just disabled caching server side on the shared folders, that stops it, but I want the ability to apply it with a group policy in case I need to enable it for some.

I hope I have time tomorrow to sit down and work more with the roaming and mandatory profiles.