Last week, I introduced explain text and User Account Control policies; which are two new features with Security Policy in Windows Vista. I decided this week to keep it brief (or at least try). This week, I will introduce new policy settings for User Profiles.

 

Windows Vista made numerous changes with how user profiles work. In fact, changes are too numerous to describe here (you can read more about the changes with user profiles in the Managing Roaming User Data Deployment Guide [http://go.microsoft.com/fwlink/?LinkId=73435]). However, the policy settings for user profiles from earlier versions of Windows remain and Windows Vista introduces five new policy settings.

 

Four of the five new policy settings for user profiles exist under Computer Configuration\Administrative Templates\System\User Profiles (the remaining policy setting uses the same path under User Configuration). These five policy settings apply only to computers running Windows Vista however, these policy settings can co-exist in GPOs applicable to clients earlier than Windows Vista. Operating systems other than Windows Vista ignore the policy settings. Let me begin with the policy settings under the computer configuration and then close with the single user setting.

 

The first of these policy settings is Delete user profiles older that a specified number of days on system restart. This policy setting accepts a numeric value, represented in number of days. Windows uses this value to determine the how long it retains dormant user profiles. When you enable this policy, Windows deletes all user profiles older than the value provided. This policy setting measures one day as 24 hours since the last time Windows loaded the profile.

 

Sometimes, in earlier versions of Windows, the registry portion of the user profile fails to unload. Many times this failure prevents the user from subsequent logons to the same computer. Windows Vista always unloads the registry portion of the user profile, even if it must forcefully do so. The policy setting Do not forcefully unload the user registry at user logoff counters the default behavior of Windows Vista. When enabled, Windows Vista does not forcefully unload the registry and waits until no other processes are using the user registry before it unloads it.

 

The policy setting Set roaming user profile path for all users logging onto this computer provides you a way to create a shared user profile path for a specific computer. When you enable this policy, all users use the profile path specific in the policy when logging onto a computer receiving the policy. There is a small catch. There is an order of precedence when setting the user profile path. Windows reads profile configurations in the following order and uses the first configured setting.

  • Terminal Services roaming profile path specified in the Terminal Services policy setting.
  • Terminal Services roaming profile path specific in the user object.
  • Per-computer roaming profile path specified in the above described policy setting.
  • Per-user roaming profile path specified in the user object.

 

The last policy setting for user profiles under the Computer configuration is the Set maximum wait time for the network if a user has a roaming user profile or remote home folder. At logon, Windows Vista typically waits 30 seconds for an active network connection, when you configure the user with a roaming user profile or remote home directory. In cases such as wireless networks, it may take more time before the network connection becomes active. When enabled, Windows waits up to the number of seconds specified in the policy setting for an active network connection. Windows immediately proceeds with logging on the user as soon as the network connection is active or the wait time exceeds the value specified in the policy setting. Windows does not synchronize roaming user profile or use the remote home folder if the logon occurred before the network connection became active.

 

One policy setting for user profile exists under the User Configuration category. Actually, it is more of an Offline Files/ Folder Redirection policy setting: Network directories to sync at Logon/Logoff time only. Windows Vista automatically marks all redirected folders as available offline. Windows Vista keeps track of all folders marked offline and synchronizes the contents of folder between the local computer and the network location of the actual files. This synchronization process occurs at logon, periodically throughout the user session, and at logoff. You configure the policy setting by entering network paths that you only want synchronized during logon and logoff. Windows then places these specified network paths offline during the user session.

 

User profiles in Windows Vista underwent some major restructuring. It is glad to see we get to keep the existing policy setting we had in earlier versions. And, if the improvements in the infrastructure were not enough; we get five new policies to help us keep roaming user data available to the user.

 

NEXT WEEK: Windows Logon Options

 

Mike Stephens, Technical Writer, Group Policy