Domain admin: How to set up roaming profiles

Pre-requisites:

A domain setup that works
A spare machine, preferably freshly installed (you don't want crap in your shiny new default profile)
At least a day spare, mainly for testing
You might want to have your own machine handy with a remote admin connection to the server. Makes quick changes much faster.

Note / Disclaimer - this guide is not to educate lamers who haven't done their homework and have weaseled their way into a job. This guide is for people who know what they're doing, but because doing roaming profile setups from scratch is something that is done rarely, I tend to (and I imagine other admins do too) forget bits.

Take your spare machine, configure the system to your requirements, go through your usual routines for connecting it to the domain/network, and any software which will be part of a default installation for a workstation on your network.

On your domain controller, create a directory structure for storing user profiles. If you're sensible, you'll have at least a dual partition filesystem structure on the DC, so for example I'd go for something like D:\services\usrprof, then store directories in there for each user, based on their username.

Permissions:

D:\services\usrprof: Admins:F SYSTEM:F

Sharing:

\\SERVER\USRPROF$ (Everyone:F - the NTFS permissions above do the real access control, so the share-level permission can stay wide open)
Switch off document caching (offline files) on that share. Otherwise you get problems and errors when profiles are synchronised.

Set up a test user on the domain with normal user privs. In the 'Profile' tab for the test user, point 'profile path' at \\SERVER\USRPROF$\TESTUSERNAME.

Permissions:

D:\services\usrprof\TESTUSERNAME: Admins:F TESTUSERNAME:F SYSTEM:F
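The directory, permission, share and profile-path steps above as a script. This is an added example, not part of the original guide; it assumes you run it as a domain admin on the DC, that PowerShell and Set-Acl are available, and that net.exe accepts /GRANT and /CACHE (XP/2003 or later). Server name, root path, share name and user name are the guide's examples and are parameters.

```powershell
# Added example, not from the original guide: builds the profile root and one
# per-user directory with the NTFS ACLs the guide lists, shares the root as
# USRPROF$ with client-side caching disabled, and sets the user's profile path.
# Assumptions: run as a domain admin on the DC; PowerShell with Set-Acl; net.exe
# that supports /GRANT and /CACHE (XP/2003 or later).
param(
    [Parameter(Mandatory)][string]$User,          # e.g. TESTUSERNAME
    [string]$Root   = 'D:\services\usrprof',
    [string]$Share  = 'USRPROF$',
    [string]$Server = $env:COMPUTERNAME
)

# Build a protected ACL: inheritance off, no inherited ACEs, only explicit Full Control
function New-ProfileAcl([string[]]$FullControlIdentities) {
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $FullControlIdentities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    return $acl
}

# 1. Profile root: Admins:F SYSTEM:F (as in the guide)
New-Item -ItemType Directory -Path $Root -Force | Out-Null
Set-Acl -Path $Root -AclObject (New-ProfileAcl @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'))

# 2. Hidden share, Everyone:F at share level; NTFS does the real access control.
#    /CACHE:None is the "switch off document caching" step.
if (-not (net share | Select-String -SimpleMatch $Share)) {
    net share "$Share=$Root" /GRANT:Everyone,FULL /CACHE:None | Out-Null
}

# 3. Per-user directory: Admins:F <user>:F SYSTEM:F
$userDir = Join-Path $Root $User
New-Item -ItemType Directory -Path $userDir -Force | Out-Null
Set-Acl -Path $userDir -AclObject (New-ProfileAcl @('BUILTIN\Administrators', "$env:USERDOMAIN\$User", 'NT AUTHORITY\SYSTEM'))

# 4. Point the account's profile path at the share (the 'Profile' tab setting)
net user $User "/profilepath:\\$Server\$Share\$User" /domain

# Check: the user directory should carry exactly the three explicit Allow ACEs and nothing inherited
(Get-Acl $userDir).Access | Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The final listing is the check worth doing before logging the test user in: any extra or inherited entry on the user directory means the root's inheritance was not cut off.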

On with the rest of the guide

Log in as that user on the workstation. You shouldn't receive any errors. If you do, you'll need to fix those first.

Log out, to make sure that the profile is being saved properly on the server. Check the usrprof\TESTUSERNAME directory on the server for contents. If all is good, carry on.

Log back in on the spare workstation as the test user. Change a few Explorer settings, for example, then log out. Make sure the file modify dates on the server-side profile copy match the logout time.

TIP - occasionally you may want to log in on the workstation as local admin and delete the local copy of the roaming profile, to make sure it can roam properly. Go into My Computer properties, then Advanced > User Profiles, select user, delete. That only deletes the local copy of the roaming profile, nothing else.

Set up your to-be default profile how you want it. Log out. Do the test I described in the previous paragraph.

Log in as local admin, set up a Windows networking connection as domain admin to your DC, so you have write access to the NETLOGON share. Go into the 'user profiles' GUI as previously described under "TIP", and COPY the user profile to \\SERVER\NETLOGON\Default User, and 'permitted to use' should be set to Everyone.

Now set up another test user on the domain with the same settings as the first test user (its own profile path and its own profile directory with matching permissions), log on to the spare workstation as the second test user, and you should have your new default profile served up to you.

Also, the ExcludeProfileDirs value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (a semicolon-separated list of profile subdirectories that are not copied up to the server at logout) may be of assistance.

Modified: 04/08/2004, Mike Coppins.
Tested on: Win2k, WinXP.
www.mikeymike.org.uk