User Profile Policies in Windows Server 2008 and Windows Vista


Mike here. Windows Vista made numerous changes to how user profiles work. In fact, the changes are too numerous to describe here; you can read more about them in the Managing Roaming User Data Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=73435). However, the policy settings for user profiles from earlier versions of Windows remain, and Windows Vista introduces five new policy settings.

Four of the five new policy settings for user profiles exist under Computer Configuration\Administrative Templates\System\User Profiles (the remaining policy setting uses the same path under User Configuration). These five policy settings apply only to computers running Windows Server 2008 or Windows Vista; however, they can coexist in GPOs that also apply to clients earlier than Windows Vista. Operating systems other than Windows Vista ignore the policy settings. Let me begin with the policy settings under the computer configuration and then close with the single user setting.

The first of these policy settings is Delete user profiles older than a specified number of days on system restart. This policy setting accepts a numeric value, expressed in days. Windows uses this value to determine how long it retains dormant user profiles. When you enable this policy, Windows deletes all user profiles older than the value provided. This policy setting measures one day as 24 hours since the last time Windows loaded the profile.

NOTE: Microsoft released a hotfix to correct problems specific to this policy setting. You can view more about the issue and related fix from Microsoft Knowledgebase article 945122 (http://support.microsoft.com/?kbid=945122).
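Before enabling Delete user profiles older than a specified number of days on system restart, it helps to preview which profiles on a machine already exceed the threshold. The following is an added example, not part of the original post; it needs PowerShell 3.0 or later and assumes that the LastUseTime property of the Win32_UserProfile WMI class approximates "the last time Windows loaded the profile". Get-DormantProfile is a hypothetical helper name.

```powershell
# Added example: report local profiles whose age exceeds a dormancy threshold.
# Assumption: Win32_UserProfile.LastUseTime approximates the last profile load;
# the policy's own bookkeeping may differ, so treat the output as a preview only.
function Get-DormantProfile {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 3650)][int]$Days,
        [datetime]$Now = (Get-Date)
    )

    Get-CimInstance -ClassName Win32_UserProfile |
        # Skip system profiles, profiles currently in use, and entries
        # that have never recorded a use time.
        Where-Object { -not $_.Special -and -not $_.Loaded -and $_.LastUseTime } |
        ForEach-Object {
            $age = $Now - $_.LastUseTime
            [pscustomobject]@{
                LocalPath   = $_.LocalPath
                SID         = $_.SID
                LastUseTime = $_.LastUseTime
                # One "day" is 24 hours since last use, as the policy measures it.
                AgeDays     = [math]::Floor($age.TotalHours / 24)
                Dormant     = $age.TotalHours -gt (24 * $Days)
            }
        } |
        Sort-Object AgeDays -Descending
}

# Read-only report: nothing is deleted.
Get-DormantProfile -Days 30 | Format-Table -AutoSize
```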

Sometimes, in earlier versions of Windows, the registry portion of the user profile fails to unload. Many times this failure prevents the user from subsequent logons to the same computer. Windows Server 2008 and Windows Vista always unload the registry portion of the user profile, even if they must forcefully do so. The policy setting Do not forcefully unload the user registry at user logoff counters the default behavior of Windows Vista. When enabled, Windows Vista does not forcefully unload the registry and waits until no other processes are using the user registry before it unloads it.

The policy setting Set roaming user profile path for all users logging onto this computer provides you a way to create a shared user profile path for a specific computer. When you enable this policy, all users use the profile path specified in the policy when logging onto a computer receiving the policy. There is a small catch: there is an order of precedence. Windows reads profile configurations in the following order and uses the first configured setting.

  1. Terminal Services roaming profile path specified in the Terminal Services policy setting.
  2. Terminal Services roaming profile path specified in the user object.
  3. Per-computer roaming profile path specified in the above described policy setting.
  4. Per-user roaming profile path specified in the user object.

For example, if you configure the Terminal Services roaming profile path using the Terminal Services policy settings, and you also configure the per-computer roaming user profile policy setting, then Windows uses the roaming profile path from the Terminal Services policy. This result is due to the order in which Windows reads the roaming user profile path.
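When auditing why a user lands on an unexpected profile share, it is useful to see both the winning setting and the ones it overrides. The sketch below is an added example, not code from the original post: Resolve-RoamingProfilePath is a hypothetical helper that applies the four-step order above to values you have already collected, and the UNC paths in the sample call are constructed.

```powershell
# Added example: apply the documented precedence to four candidate paths.
# The function only models the order listed in the post; it does not read
# Group Policy or Active Directory itself.
function Resolve-RoamingProfilePath {
    param(
        [string]$TsPolicyPath,        # 1. Terminal Services policy setting
        [string]$TsUserObjectPath,    # 2. Terminal Services path on the user object
        [string]$ComputerPolicyPath,  # 3. Per-computer roaming profile policy
        [string]$UserObjectPath       # 4. Per-user path on the user object
    )

    $candidates = @(
        [pscustomobject]@{ Rank = 1; Source = 'Terminal Services policy';      Path = $TsPolicyPath }
        [pscustomobject]@{ Rank = 2; Source = 'Terminal Services user object'; Path = $TsUserObjectPath }
        [pscustomobject]@{ Rank = 3; Source = 'Per-computer policy';           Path = $ComputerPolicyPath }
        [pscustomobject]@{ Rank = 4; Source = 'Per-user user object';          Path = $UserObjectPath }
    )

    # Keep only settings that are actually configured, still in rank order.
    $configured = @($candidates |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.Path) })

    if ($configured.Count -eq 0) { return $null }   # no roaming path configured

    [pscustomobject]@{
        Effective  = $configured[0]                          # first configured setting wins
        Overridden = @($configured | Select-Object -Skip 1)  # configured but ignored
    }
}

# Constructed sample: per-computer policy and per-user path are both set.
$result = Resolve-RoamingProfilePath `
    -ComputerPolicyPath '\\fs01.example.test\profiles\kiosk' `
    -UserObjectPath     '\\fs01.example.test\profiles\%USERNAME%'

$result.Effective  | Format-List Rank, Source, Path
$result.Overridden | Format-Table Rank, Source, Path -AutoSize
```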

The last policy setting for user profiles under the Computer configuration is Set maximum wait time for the network if a user has a roaming user profile or remote home folder. At logon, Windows Vista typically waits 30 seconds for an active network connection when you configure the user with a roaming user profile or remote home directory. In cases such as wireless, VPN, or NAP-protected networks, it may take more time before the network connection becomes active. When enabled, Windows waits up to the number of seconds specified in the policy setting for an active network connection. Windows immediately proceeds with logging on the user as soon as the network connection is active or the wait time exceeds the value specified in the policy setting. Windows does not synchronize the roaming user profile or use the remote home folder if the logon occurred before the network connection became active.

One policy setting for user profiles exists under the User Configuration category. Actually, it is more of an Offline Files/Folder Redirection policy setting. Windows Vista automatically marks all redirected folders as available offline. Windows Vista keeps track of all folders marked offline and synchronizes the contents of these folders between the local computer and the network location where you store the files. This synchronization process occurs at logon, periodically throughout the user session, and at logoff. You configure the policy setting by entering network paths that you only want synchronized during logon and logoff. Windows then places these specified network paths offline during the user session.

Windows Server 2008 and Windows Vista Service Pack 1 provide several new Group Policy settings that affect User Profiles. Many of these new policy settings help overcome profile limitations with earlier versions of the operating system. Be sure to evaluate these settings to see how they can help with your environment.

- Mike Stephens


  • Hi,

    In my whitepaper about user profile management you can find an extensive discussion of how profile problems can be addressed without purchasing a profile solution. But it also explains why these techniques do not suffice to manage user profiles in environments with modern application and desktop delivery scenarios. Check it out at http://blogs.sepago.de/nicholas/2008/05/21/future-development-of-the-user-profile-whitepaper/.

    Regards,

    Nicholas.

  • You mentioned the order that is checked for a roaming profile, and that starts with a Terminal Server profile configuration (first the GPO setting, and then the user account configuration). Wouldn't those settings only apply when establishing a Terminal Server session? If I am logging on to the console (physically, using a KVM, or most VDI solutions) the Terminal Server configurations are never looked at. I have tested this and this appears to be the case.