[gptalk] Re: Do I need a custom adm, and/or where is the setting in the registry

  • From: Darren Mar-Elia <darren@xxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 17 Oct 2008 16:39:34 -0800

Agreed. Dan's book is awesome and has lots of real-world examples from his 
extensive experience in large environments.

Darren

-----Original message-----
From: "Darrell Wiebesick" dwiebesick@xxxxxxxxxxxx
Date: Fri, 17 Oct 2008 15:09:02 -0400
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Do I need a custom adm, and/or where is the setting in 
the registry

> I highly recommend this book for managing User Data and Settings.
> 
>  
> 
> Dan Holme  Windows Administration Resource Kit: Productivity Solutions
> for IT Professionals
> 
>  
> 
>  
> 
>   "ProActive IT Solutions" 
> 
>                    www.netrixIT.com <http://www.netrixit.com/> 
> 
> 
> Darrell Wiebesick   MCSE
> Netrix Information Technologies, Inc.
> 1323 23rd Street South Suite H
> Fargo, ND 58103
> Phone (701) 298-0175
> Fax (701) 298-0189
> Toll Free (877) 638-7492
> HP Agent # 5871590001
> 
>  
> 
>  
> 
> The contents of this message are intended solely for the recipient(s)
> named above. If you are not the intended recipient, please alert the
> sender by reply e-mail and then delete this message.   
> 
>  
> 
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Timothy J. Parker
> Sent: Friday, October 17, 2008 11:46 Morning
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Do I need a custom adm, and/or where is the
> setting in the regsitry
> 
>  
> 
> Darren -- 
> 
>  
> 
> I am interested in learning more about your comment to avoid roaming
> profiles, not sure if you can point me to some references, or if you are
> willing we can take this off list if its been discussed too much before,
> etc. 
> 
>  
> 
> The reason I am interested is I had not really used them before my
> current position and they have them implemented, but I am guessing its
> not completely right. I have posted in the past looking for help on
> different redirects, etc. I can give specifics of my environment and
> agency "requirements" to hopefuly help me get everything flowing well. 
> 
>  
> 
> Thanks again for an excellent resource! 
> 
>  
> 
> Tim
> 
>  
> 
>       ----- Original Message ----- 
> 
>       From: Darren Mar-Elia <mailto:darren@xxxxxxxxxx>  
> 
>       To: gptalk@xxxxxxxxxxxxx 
> 
>       Sent: Friday, October 17, 2008 10:07 AM
> 
>       Subject: [gptalk] Re: Do I need a custom adm, and/or where is
> the setting in the regsitry
> 
>        
> 
>       Having worked with roaming profiles since NT 3.50, I think I
> would put it more succinctly...avoid them like the plague J
> 
>        
> 
>       Seriously though, in a previous position we actually wrote code
> that essentially did the same thing that roaming profiles did without
> using them, because they were so problematic. Whenever you are trying to
> synchronize lots of data across the network under a variety of
> circumstances, it will be fraught with peril. If you can avoid them, or
> avoid having your users store anything other than settings in them (via
> Folder Redirection) the better off you are.
> 
>       
>       Darren
> 
>        
> 
>        
> 
>       From: gptalk-bounce@xxxxxxxxxxxxx
> [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie
>       Sent: Friday, October 17, 2008 6:42 AM
>       To: gptalk@xxxxxxxxxxxxx
>       Subject: [gptalk] Re: Do I need a custom adm, and/or where is
> the setting in the regsitry
> 
>        
> 
>       Eh, that was only a bit longer than usual. J Good post though.
> I'll remember to reference this one for future "Roaming Profile"
> questions.
> 
>        
> 
>       Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel
> | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
> http://www.dvn.com <http://www.dvn.com/> 
> 
>        
> 
>       From: gptalk-bounce@xxxxxxxxxxxxx
> [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Cruz, Jerome L
>       Sent: Thursday, October 16, 2008 9:29 PM
>       To: gptalk@xxxxxxxxxxxxx
>       Subject: [gptalk] Re: Do I need a custom adm, and/or where is
> the setting in the regsitry
> 
>        
> 
>       Hi Booker,
> 
>        
> 
>       My answer is going to be a bit (okay, maybe a LOT) longer than
> the usual. Hopefully others will see the things you can run into with
> roaming profiles and not just assume the technology and it's support
> system are a breeze to implement. Folks, "Roaming Profiles" are one of
> those 'sounds easy' to do technologies that starts to eat all your time
> unless you are ready for it.
> 
>        
> 
>       Yes, you can update it by manually changing the ADM template
> (see MS KB article # 290324). Funny that the article "applies to Vista"
> but doesn't describe how to update the matching ADMX template (hmmm..
> I'll have to try that some time...or see if it's still an issue at all).
> Anyway, you do need to understand some of the behaviors you might run
> into. As noted in the "More Info" section of the article.
> 
>        
> 
>       UNDERSTATEMENT ALERT!
> 
>       "If you increase the maximum profile size to greater that 30 MB,
> it may take users longer to log on while the profile is loaded from the
> network."
> 
>        
> 
>       That 'can' be true for a user that 'really' roams from box to
> box on a daily basis. In practice, we found that our End Users tended to
> use the "same device" from day-to-day. So in our case, the most pressing
> issues began to be issues logging off at the end of their shift.
> 
>        
> 
>       Okay, we did have some issues with users logging onto devices in
> local Conference rooms...and experiencing long delays in getting to
> their Desktop while their 'large profile' downloaded. And try traveling
> to an office in a different city, logging onto your laptop in a Conf
> Room (using your company's LAN). There are all the meeting attendees
> looking at you and waiting for your presentation...for 20 minutes (or
> longer!)...talk about ouch! The solution was to train users to switch
> their profile to Local Mode 'before' leaving. We even gave them a
> desktop utility to easily switch...of course, then they'd conveniently
> 'forget' to switch back to roaming mode when they returned. Yeah..
> right....
> 
>        
> 
>       We expected that most users would have a profile way less than
> 20 MB and set out initial limits that way (just so you know, we based
> this on a scan of quite a few user profiles and 'most' were well within
> the limits before we updated their systems from Windows 2000 to Windows
> XP...things grow huh?). Additionally, we excluded a bunch of folders
> including the user's My Documents  folder. We slowly discovered all the
> applications that cause larger and larger profiles and had to exclude
> more and more of them.
> 
>        
> 
>       Example We had to talk to Google about their Google Earth
> application (love that app by the way). They were loading their cache
> file (and yes, it was just a single file) in the
> C:\Docs&Settings\Users_Profile\Application Data\Google\Google Earth\...
> folder and they didn't need to be placing it there. Their default cache
> file size was 100 MB and a user can get there by just running their demo
> tour a couple of times. All the user had to do was launch GE and the
> cache file was updated. SO there's a 100 MB file to sync at logoff. More
> recent versions of GE more correctly placed the cache file in the
> C:\Docs&Settings\Users_Profile\Temporary Files\Application
> Data\Google... folder tree. In the meantime, we were out of space (260
> char limit at the time) in the GPO to Exclude folders, so instead we
> wrote a custom ADM template to reset the Google Earth's cache to the
> minimum value of 16 MB... and as you can see, there went our 20 MB limit
> right out the door.
> 
>        
> 
>       Don't even get me started on why Roaming Profiles 'sometimes' go
> into a stupid state and only allow a user to access a temporary copy of
> a profile. And WATCH OUT for your Help Center. Sometimes they are too
> helpful (AND untrained). Consider this one. [EU - End User  HC - Help
> Center]
> 
>        
> 
>       EU: I need help...all my desktop shortcuts and documents are
> missing.
> 
>       HC: Okay, do you have a Roaming Profile?  [Side note, we built a
> web tool for our Help Center analysts to use to look this up and also
> trained them in the Profile support scripts we developed. Watch as they
> ignore all this. Also note that all End Users were given two full weeks
> to start using a Data Backup tool for their system devices. Multiple
> e-mails reminding them of this were sent out of this requirement. Sadly,
> not all used it as you're about to find out.] I see you have a laptop.
> [Oh, so the HC Tech finally start using their tools.]
> 
>       EU: I think so... is that what caused this problem?
> 
>       HC: Probably... You know that since you have a laptop, you
> really don't need a roaming profile don't you? [Oh yeah, thanks for that
> HC Tech. You haven't even looked at anything, have already diagnosed the
> problem, and have just 'dissed' the IT department.] Can I have your
> permission to do a remote takeover?
> 
>       EU: Yes, please, I need my stuff for a meeting in twenty
> minutes.
> 
>       HC: [Logs on...and wanders around the user's system.] Hmm, yes
> you do have a roaming profile. I think the system threw you into a
> temporary profile, but I can fix this for you... I did this kind of
> support at my previous job. All I have to do is copy your files over
> into this profile [into a "temporary" profile...what?... it's
> 'temporary...!!!!  What about using our support scripts?] and then I'll
> just switch a few registry entries around so the system thinks that this
> is your real profile. Then you just need to reboot.. [WHAT... HC Techs
> Are NOT allowed to access and change End User registry entries. NOT
> PROCESS! NOT PROCESS! The HC tech "moves, not copies, the user's files,
> makes registry changes, and then cleans up the "old" profile by deleting
> the old one. Then goes to the profile server and 'deletes' the copy up
> there so the EU can 'start cleanly'. I hope every IT person reading this
> is screaming "No, No, No" by now.]  Okay, you can reboot now.
> 
>       EU: Okay, well, it seems to be doing something. Okay I have my
> desktop back... wait, all my shortcuts and documents are missing again.
> My meeting is in 5 minutes. [So the user logged off and the system
> 'deleted' the temporary profile with all the files that the HC tech had
> moved there. Since the HC Tech had "moved" the files, there was no
> backup of them left on the device. Since we never roamed the Desktop in
> the first place, those files weren't up on the profile server in the
> first place, so not part of a server side data restoration from tape
> would help. Now it gets better...or worse L.]
> 
>       HC: Well, we can get the files back from the XXXXX tool [XXXXX =
> The tool the user's were supplied with to backup their device data.]
> 
>       EU: Is that that the tool those e-mails were talking about?
> Well, I haven't had time to load and run it. Don't you know how busy
> some of us are?
> 
>       HC: You haven't backed up your data? Ummm, well, I'm not sure
> we'll be able to get it back for you then. I think I'm going to have to
> escalate this to the IT Tech group.
> 
>       EU: Now you wait just a minute...WHERE's MY STUFF? Don't you
> know that I keep all my work data on my Desktop? That's two years worth
> of work and I NEED IT BACK RIGHT NOW! I have a meeting with some of the
> Company's directors... [Have we had enough now? Let's just say that
> you've GOT to have the HC staff trained to follow process and in
> whatever they do... "First Do No Harm"... And sadly, no, I didn't make
> this up. BY the time we were called to assist, a bunch of folks had
> tried all sorts of things..we immediately attempted to utilize some
> undelete utilities, but the damage was done and we were not able to
> recover anything significant for the End User...sigh. You can expect
> many IT managers heard an earful on this one.  And just in case you
> don't know... ~ 95% of these kinds of issues are resolved by a simple
> reboot-which by the way was fully documented in the HC support scripts
> we provided.]
> 
>        
> 
>       Moving on, how about profile server storage and access issues?
> We had 40,000+ roaming users. In a population like that, quite a few had
> VERY large (100+ MB) profiles whose logoffs were taking 30-40 minutes at
> the end of the day. Most users profiles were taking 2-7 minutes to
> perform a logoff and profile sync until we were able to optimize the
> traffic and hardware resources. The IT department was NOT very popular
> for awhile. Imagine each server having to handling the logoff profile
> sync for 4,000 - 6,000 users within a ten minute timeframe...and we had
> multiple "dedicated" roaming profile servers...and of course they were
> all on the same company network LAN. That'd be a Time/Date stamp lookup
> of approximately 5,000 users times of an average 3,500 files = an > access
> of 17.5 million files all within about 10 minutes, for each profile
> server. And then copying up the files that needed to be updated... Wow!
> Disk Queing Perf counters were easily in the 5 - 10 range (though at one
> point we actually recorded some in the mid-thirties.. WAY BIG Ouch...
> Most Server Admins will go into PANIC mode if they see Disk Queues
> higher than '2' (yes..only two)! We eventually tuned it back down to
> below that in general.
> 
>        
> 
>       For each server setup, we used servers with 2 GB RAM in 2 node
> clusters, Fibre-channel Controllers each with hardware buffers of 256 MB
> all set to 100% Write mode (obviously caching Reads is worthless with
> each user having their own files), RAID 5 on the hard disk drives (20
> drives with 460 GB available on each-the amount of disk space was almost
> never an issue), and Gigabit network connectivity. Needless to say,
> these were some significantly powerful boxes. And don't forget the
> possible impact of taking one cluster down for maintenance. That can
> easily cause any accessing user account to switch to a temporary profile
> on their local device and the Help Centers calls start pouring in.
> 
>        
> 
>       Very few folks have to support implementations of such scale,
> but there it is.
> 
>        
> 
>       Hints
> 
>       *         To support any deployments, go 'slowly' and be ready
> to help your "Help Center" analysts so that they can in turn help the
> End Users.
> 
>       *         And by the way, laptop users need their data backed up
> even more than a desktop user. Laptop users will say that they already
> roam because they have a laptop. That isn't the point. Most any hardware
> maintenance group will tell you that laptops have higher maintenance
> costs.
> 
>       *         As you ramp up profiles on a server, watch your Perf
> Counters VERY closely. We found out that once you start to hit the
> limits of the hardware, the bad perf numbers increase exponentially, not
> linearly.
> 
>       *         Monitor your Performance metrics.
> 
>       *         Deploy Microsoft's UPHClean to all Win2K and WinXP
> devices (it's built into Vista...yea!).
> 
>       *         If possible for 'any' Roaming Profile deployment,
> spread the load to multiple servers. In case of a power outage in the
> middle of the day, just watch every single user try to log back on at
> the same time off a single server. If that load isn't spread across
> multiple servers...ouch!
> 
>       *         Deploy Anti-virus to the desktops and seriously
> consider turning it 'off' for the profile server share folders (hey,
> it's the same data that was just on the PC and just got scanned there).
> That helps with server performance tuning. [Besides, we were starting
> weekly scans on Friday night and they were still running in the middle
> of the day on Monday...whew.)
> 
>       *         Watch out especially for Java application
> folders...usually the applications that use them are coded by Java
> developers who are less familiar with Windows profiles and boy do they
> tend to 'load up' the profile.
> 
>       *         User Profile data is NOT like other server storage
> data. It's typically a few big files and then literally thousands of 1KB
> - 2 KB files. (Remember about that 17.5 million file number? See
> above...). Most Server Admins have 'no experience' tuning servers to
> support this kind of data and will use the same process thinking to
> support a design for it. Your deployment team needs throw out all
> preconception and make sure everyone starts from scratch. 
> 
>       *         Test out your server data restoration processes and
> repeat testing them on a regular basis.
> 
>       *         Monitor your Performance metrics.
> 
>       *         Did I mention "Monitor your Performance metrics"?
> Pilot testing cannot be used as 'the' expectation. We had  400 pilot
> users on a single server whose logoff time increased by about 30
> seconds. When we ramped up for production and got to about 1,000 users
> on the server...wham!
> 
>       *         Go get and read Darren and Derek's (Melber) GPO book
> as well as Jeremy Moskowitz'es books on GPO's/Managed Desktops and read
> all you can about the various Roaming Profile scenarios.
> 
>        
> 
>       GPOs? We'll there's actually not too many.
> 
>       *         Use the 'Add the Administrators security group to
> roaming user profiles' setting
> 
>       *         We set the "Timeout for dialog boxes" setting to 1
> second (the minimum you can set it too. BTW: If you set it to '0', the
> messages stay visible until the user explicitly clicks it off...so '1's
> the ticket to set). This minimizes calls to the Help Center for stuff
> the User would click OK on anyway. And if the user "has" a problem, the
> data is logged in the App Event log for the Help Center to find anyway.
> 
>       *         We turned on Verbose UserEnv logging for all clients
> for debugging purposes, used tools to gather them from time to time, and
> wrote some parsers to extract certain types of data. The folks at
> SysProsoft have a 'free' and handy utility to look at individual UserEnv
> log files called: Policy Log Reporter
> http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.sh> tml
> 
>       *         Control the "Exclude directories in roaming profile
> setting" to exclude necessary folders. Here were some (not all) of ours:
> 
>       Desktop;My Documents;Recent;Application Data\Adobe;Application
> Data\AutoDesk;Application Data\Macromedia;Application
> Data\Microsoft\MSDAIPP;Application Data\Microsoft\Clip
> Organizer;Application Data\Roxio;Documents
> 
>       *         If you limit the size of profiles, then consider
> updating the text of the popup message with the "Limit Profile Size"
> setting and also redirect the users to local resources (like your Help
> Center).
> 
>       *         Consider controlling the "Prohibit User from manually
> redirecting Profile Folders" setting.
> 
>        
> 
>       So, can you successfully deploy Roaming Profiles to either
> small, medium, or large numbers of End Users? Sure, but be prepared to
> (1) go slowly, (2) spend some significant time supporting it (in terms
> of both hardware and personal time)...and more the larger numbers you go
> for, and (3) have some fun, it's a learning experience. It's a great
> feeling when you see the light come on for an End User who has almost
> everything back after logging onto a repaired system (after a system
> crash and reload). It 'can' and 'is' worth it.
> 
>        
> 
>       Jerry
> 
>        
> 
>       From: gptalk-bounce@xxxxxxxxxxxxx
> [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of
> Booker.Washington@xxxxxxxxxxxxxx
>       Sent: Thursday, October 16, 2008 3:07 PM
>       To: gptalk@xxxxxxxxxxxxx
>       Subject: [gptalk] Do I need a custom adm, and/or where is the
> setting in the regsitry
> 
>        
> 
>       For my labs, I have set the limit profile size to its maximum of
> 30000kb.  I want to raise it, but it gives me the error message that
> 30000kb is the max.  Can I override the max with a custom adm, and/or
> where is that limit found in the registry.  If I make the change t
> osomething higher than 30000kb will it even be recognized by policy?
> 
>        
> 
>        
> 
>        
> 
>        
> 
>       Booker T. Washington III
> 
>       Systems Support Specialist
> 
>        
> 
>       
> ________________________________
> 
> 
>       Confidentiality Warning: This message and any attachments are
> intended only for the use of the intended recipient(s), are
> confidential, and may be privileged. If you are not the intended
> recipient, you are hereby notified that any review, retransmission,
> conversion to hard copy, copying, circulation or other use of all or any
> portion of this message and any attachments is strictly prohibited. If
> you are not the intended recipient, please notify the sender immediately
> by return e-mail, and delete this message and any attachments from your
> system. 
> 
> 

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: