I highly recommend this book for managing User Data and Settings. Dan Holme Windows Administration Resource Kit: Productivity Solutions for IT Professionals "ProActive IT Solutions" www.netrixIT.com <http://www.netrixit.com/> Darrell Wiebesick MCSE Netrix Information Technologies, Inc. 1323 23rd Street South Suite H Fargo, ND 58103 Phone (701) 298-0175 Fax (701) 298-0189 Toll Free (877) 638-7492 HP Agent # 5871590001 The contents of this message are intended solely for the recipient(s) named above. If you are not the intended recipient, please alert the sender by reply e-mail and then delete this message. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Timothy J. Parker Sent: Friday, October 17, 2008 11:46 Morning To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Do I need a custom adm, and/or where is the setting in the regsitry Darren -- I am interested in learning more about your comment to avoid roaming profiles, not sure if you can point me to some references, or if you are willing we can take this off list if its been discussed too much before, etc. The reason I am interested is I had not really used them before my current position and they have them implemented, but I am guessing its not completely right. I have posted in the past looking for help on different redirects, etc. I can give specifics of my environment and agency "requirements" to hopefuly help me get everything flowing well. Thanks again for an excellent resource! Tim ----- Original Message ----- From: Darren Mar-Elia <mailto:darren@xxxxxxxxxx> To: gptalk@xxxxxxxxxxxxx Sent: Friday, October 17, 2008 10:07 AM Subject: [gptalk] Re: Do I need a custom adm, and/or where is the setting in the regsitry Having worked with roaming profiles since NT 3.50, I think I would put it more succinctly...avoid them like the plague J Seriously though, in a previous position we actually wrote code that essentially did the same thing that roaming profiles did without using them, because they were so problematic. Whenever you are trying to synchronize lots of data across the network under a variety of circumstances, it will be fraught with peril. If you can avoid them, or avoid having your users store anything other than settings in them (via Folder Redirection) the better off you are. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie Sent: Friday, October 17, 2008 6:42 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Do I need a custom adm, and/or where is the setting in the regsitry Eh, that was only a bit longer than usual. J Good post though. I'll remember to reference this one for future "Roaming Profile" questions. Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 | http://www.dvn.com <http://www.dvn.com/> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Cruz, Jerome L Sent: Thursday, October 16, 2008 9:29 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Do I need a custom adm, and/or where is the setting in the regsitry Hi Booker, My answer is going to be a bit (okay, maybe a LOT) longer than the usual. Hopefully others will see the things you can run into with roaming profiles and not just assume the technology and it's support system are a breeze to implement. Folks, "Roaming Profiles" are one of those 'sounds easy' to do technologies that starts to eat all your time unless you are ready for it. Yes, you can update it by manually changing the ADM template (see MS KB article # 290324). Funny that the article "applies to Vista" but doesn't describe how to update the matching ADMX template (hmmm.. I'll have to try that some time...or see if it's still an issue at all). Anyway, you do need to understand some of the behaviors you might run into. As noted in the "More Info" section of the article. UNDERSTATEMENT ALERT! "If you increase the maximum profile size to greater that 30 MB, it may take users longer to log on while the profile is loaded from the network." That 'can' be true for a user that 'really' roams from box to box on a daily basis. In practice, we found that our End Users tended to use the "same device" from day-to-day. So in our case, the most pressing issues began to be issues logging off at the end of their shift. Okay, we did have some issues with users logging onto devices in local Conference rooms...and experiencing long delays in getting to their Desktop while their 'large profile' downloaded. And try traveling to an office in a different city, logging onto your laptop in a Conf Room (using your company's LAN). There are all the meeting attendees looking at you and waiting for your presentation...for 20 minutes (or longer!)...talk about ouch! The solution was to train users to switch their profile to Local Mode 'before' leaving. We even gave them a desktop utility to easily switch...of course, then they'd conveniently 'forget' to switch back to roaming mode when they returned. Yeah.. right.... We expected that most users would have a profile way less than 20 MB and set out initial limits that way (just so you know, we based this on a scan of quite a few user profiles and 'most' were well within the limits before we updated their systems from Windows 2000 to Windows XP...things grow huh?). Additionally, we excluded a bunch of folders including the user's My Documents folder. We slowly discovered all the applications that cause larger and larger profiles and had to exclude more and more of them. Example We had to talk to Google about their Google Earth application (love that app by the way). They were loading their cache file (and yes, it was just a single file) in the C:\Docs&Settings\Users_Profile\Application Data\Google\Google Earth\... folder and they didn't need to be placing it there. Their default cache file size was 100 MB and a user can get there by just running their demo tour a couple of times. All the user had to do was launch GE and the cache file was updated. SO there's a 100 MB file to sync at logoff. More recent versions of GE more correctly placed the cache file in the C:\Docs&Settings\Users_Profile\Temporary Files\Application Data\Google... folder tree. In the meantime, we were out of space (260 char limit at the time) in the GPO to Exclude folders, so instead we wrote a custom ADM template to reset the Google Earth's cache to the minimum value of 16 MB... and as you can see, there went our 20 MB limit right out the door. Don't even get me started on why Roaming Profiles 'sometimes' go into a stupid state and only allow a user to access a temporary copy of a profile. And WATCH OUT for your Help Center. Sometimes they are too helpful (AND untrained). Consider this one. [EU - End User HC - Help Center] EU: I need help...all my desktop shortcuts and documents are missing. HC: Okay, do you have a Roaming Profile? [Side note, we built a web tool for our Help Center analysts to use to look this up and also trained them in the Profile support scripts we developed. Watch as they ignore all this. Also note that all End Users were given two full weeks to start using a Data Backup tool for their system devices. Multiple e-mails reminding them of this were sent out of this requirement. Sadly, not all used it as you're about to find out.] I see you have a laptop. [Oh, so the HC Tech finally start using their tools.] EU: I think so... is that what caused this problem? HC: Probably... You know that since you have a laptop, you really don't need a roaming profile don't you? [Oh yeah, thanks for that HC Tech. You haven't even looked at anything, have already diagnosed the problem, and have just 'dissed' the IT department.] Can I have your permission to do a remote takeover? EU: Yes, please, I need my stuff for a meeting in twenty minutes. HC: [Logs on...and wanders around the user's system.] Hmm, yes you do have a roaming profile. I think the system threw you into a temporary profile, but I can fix this for you... I did this kind of support at my previous job. All I have to do is copy your files over into this profile [into a "temporary" profile...what?... it's 'temporary...!!!! What about using our support scripts?] and then I'll just switch a few registry entries around so the system thinks that this is your real profile. Then you just need to reboot.. [WHAT... HC Techs Are NOT allowed to access and change End User registry entries. NOT PROCESS! NOT PROCESS! The HC tech "moves, not copies, the user's files, makes registry changes, and then cleans up the "old" profile by deleting the old one. Then goes to the profile server and 'deletes' the copy up there so the EU can 'start cleanly'. I hope every IT person reading this is screaming "No, No, No" by now.] Okay, you can reboot now. EU: Okay, well, it seems to be doing something. Okay I have my desktop back... wait, all my shortcuts and documents are missing again. My meeting is in 5 minutes. [So the user logged off and the system 'deleted' the temporary profile with all the files that the HC tech had moved there. Since the HC Tech had "moved" the files, there was no backup of them left on the device. Since we never roamed the Desktop in the first place, those files weren't up on the profile server in the first place, so not part of a server side data restoration from tape would help. Now it gets better...or worse L.] HC: Well, we can get the files back from the XXXXX tool [XXXXX = The tool the user's were supplied with to backup their device data.] EU: Is that that the tool those e-mails were talking about? Well, I haven't had time to load and run it. Don't you know how busy some of us are? HC: You haven't backed up your data? Ummm, well, I'm not sure we'll be able to get it back for you then. I think I'm going to have to escalate this to the IT Tech group. EU: Now you wait just a minute...WHERE's MY STUFF? Don't you know that I keep all my work data on my Desktop? That's two years worth of work and I NEED IT BACK RIGHT NOW! I have a meeting with some of the Company's directors... [Have we had enough now? Let's just say that you've GOT to have the HC staff trained to follow process and in whatever they do... "First Do No Harm"... And sadly, no, I didn't make this up. BY the time we were called to assist, a bunch of folks had tried all sorts of things..we immediately attempted to utilize some undelete utilities, but the damage was done and we were not able to recover anything significant for the End User...sigh. You can expect many IT managers heard an earful on this one. And just in case you don't know... ~ 95% of these kinds of issues are resolved by a simple reboot-which by the way was fully documented in the HC support scripts we provided.] Moving on, how about profile server storage and access issues? We had 40,000+ roaming users. In a population like that, quite a few had VERY large (100+ MB) profiles whose logoffs were taking 30-40 minutes at the end of the day. Most users profiles were taking 2-7 minutes to perform a logoff and profile sync until we were able to optimize the traffic and hardware resources. The IT department was NOT very popular for awhile. Imagine each server having to handling the logoff profile sync for 4,000 - 6,000 users within a ten minute timeframe...and we had multiple "dedicated" roaming profile servers...and of course they were all on the same company network LAN. That'd be a Time/Date stamp lookup of approximately 5,000 users times of an average 3,500 files = an access of 17.5 million files all within about 10 minutes, for each profile server. And then copying up the files that needed to be updated... Wow! Disk Queing Perf counters were easily in the 5 - 10 range (though at one point we actually recorded some in the mid-thirties.. WAY BIG Ouch... Most Server Admins will go into PANIC mode if they see Disk Queues higher than '2' (yes..only two)! We eventually tuned it back down to below that in general. For each server setup, we used servers with 2 GB RAM in 2 node clusters, Fibre-channel Controllers each with hardware buffers of 256 MB all set to 100% Write mode (obviously caching Reads is worthless with each user having their own files), RAID 5 on the hard disk drives (20 drives with 460 GB available on each-the amount of disk space was almost never an issue), and Gigabit network connectivity. Needless to say, these were some significantly powerful boxes. And don't forget the possible impact of taking one cluster down for maintenance. That can easily cause any accessing user account to switch to a temporary profile on their local device and the Help Centers calls start pouring in. Very few folks have to support implementations of such scale, but there it is. Hints * To support any deployments, go 'slowly' and be ready to help your "Help Center" analysts so that they can in turn help the End Users. * And by the way, laptop users need their data backed up even more than a desktop user. Laptop users will say that they already roam because they have a laptop. That isn't the point. Most any hardware maintenance group will tell you that laptops have higher maintenance costs. * As you ramp up profiles on a server, watch your Perf Counters VERY closely. We found out that once you start to hit the limits of the hardware, the bad perf numbers increase exponentially, not linearly. * Monitor your Performance metrics. * Deploy Microsoft's UPHClean to all Win2K and WinXP devices (it's built into Vista...yea!). * If possible for 'any' Roaming Profile deployment, spread the load to multiple servers. In case of a power outage in the middle of the day, just watch every single user try to log back on at the same time off a single server. If that load isn't spread across multiple servers...ouch! * Deploy Anti-virus to the desktops and seriously consider turning it 'off' for the profile server share folders (hey, it's the same data that was just on the PC and just got scanned there). That helps with server performance tuning. [Besides, we were starting weekly scans on Friday night and they were still running in the middle of the day on Monday...whew.) * Watch out especially for Java application folders...usually the applications that use them are coded by Java developers who are less familiar with Windows profiles and boy do they tend to 'load up' the profile. * User Profile data is NOT like other server storage data. It's typically a few big files and then literally thousands of 1KB - 2 KB files. (Remember about that 17.5 million file number? See above...). Most Server Admins have 'no experience' tuning servers to support this kind of data and will use the same process thinking to support a design for it. Your deployment team needs throw out all preconception and make sure everyone starts from scratch. * Test out your server data restoration processes and repeat testing them on a regular basis. * Monitor your Performance metrics. * Did I mention "Monitor your Performance metrics"? Pilot testing cannot be used as 'the' expectation. We had 400 pilot users on a single server whose logoff time increased by about 30 seconds. When we ramped up for production and got to about 1,000 users on the server...wham! * Go get and read Darren and Derek's (Melber) GPO book as well as Jeremy Moskowitz'es books on GPO's/Managed Desktops and read all you can about the various Roaming Profile scenarios. GPOs? We'll there's actually not too many. * Use the 'Add the Administrators security group to roaming user profiles' setting * We set the "Timeout for dialog boxes" setting to 1 second (the minimum you can set it too. BTW: If you set it to '0', the messages stay visible until the user explicitly clicks it off...so '1's the ticket to set). This minimizes calls to the Help Center for stuff the User would click OK on anyway. And if the user "has" a problem, the data is logged in the App Event log for the Help Center to find anyway. * We turned on Verbose UserEnv logging for all clients for debugging purposes, used tools to gather them from time to time, and wrote some parsers to extract certain types of data. The folks at SysProsoft have a 'free' and handy utility to look at individual UserEnv log files called: Policy Log Reporter http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml * Control the "Exclude directories in roaming profile setting" to exclude necessary folders. Here were some (not all) of ours: Desktop;My Documents;Recent;Application Data\Adobe;Application Data\AutoDesk;Application Data\Macromedia;Application Data\Microsoft\MSDAIPP;Application Data\Microsoft\Clip Organizer;Application Data\Roxio;Documents * If you limit the size of profiles, then consider updating the text of the popup message with the "Limit Profile Size" setting and also redirect the users to local resources (like your Help Center). * Consider controlling the "Prohibit User from manually redirecting Profile Folders" setting. So, can you successfully deploy Roaming Profiles to either small, medium, or large numbers of End Users? Sure, but be prepared to (1) go slowly, (2) spend some significant time supporting it (in terms of both hardware and personal time)...and more the larger numbers you go for, and (3) have some fun, it's a learning experience. It's a great feeling when you see the light come on for an End User who has almost everything back after logging onto a repaired system (after a system crash and reload). It 'can' and 'is' worth it. Jerry From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Booker.Washington@xxxxxxxxxxxxxx Sent: Thursday, October 16, 2008 3:07 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Do I need a custom adm, and/or where is the setting in the regsitry For my labs, I have set the limit profile size to its maximum of 30000kb. I want to raise it, but it gives me the error message that 30000kb is the max. Can I override the max with a custom adm, and/or where is that limit found in the registry. If I make the change t osomething higher than 30000kb will it even be recognized by policy? Booker T. Washington III Systems Support Specialist ________________________________ Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.