Microsoft: User State Virtualization

Problem: Working with roaming profiles and getting corrupted profiles that fail with “User Profile Service service failed the logon”? The company’s users are getting upset and angry because they can’t get in and work? Users say it takes ages to log on while their profiles load?

We have experienced all of that, and today we are changing our User State Virtualization tactics. We will no longer offer central (roaming) profiles to our users. We will no longer have to reset their corrupted profiles, because we are leaving roaming profiles behind!

Today’s scenario:

User with HomeFolder + central profile with a 30 MB quota. What’s in the profile? Outlook signatures, Desktop items, IE favorites and other Windows settings (AppData).

Tomorrow’s scenario:

Users with HomeFolder + NO CENTRAL PROFILE. Instead we are going to use Folder Redirection. This means all of the users’ content gets moved to wherever we choose in the Folder Redirection group policy; in this case we are going to use their home folder. This gives us faster logons, since no central profile has to be loaded; it gives the users the possibility to save very large files on their desktop, since the desktop is no longer bound to the profile quota; and it gives the IT department fewer headaches administrating corrupted central profiles.

Configuration:

  1. Create a GPO within the domain with Folder Redirection
  2. Select a group of users which the GPO will be applied to
  3. Create a PowerShell script for removing profiles
  4. Schedule the script
  5. And wait!

1. The first thing we will do is create the GPO with Folder Redirection and Attachment Manager settings, so create the GPO in your domain:

Edit the settings and navigate: User Configuration > Windows Settings > Folder Redirection, and edit as follows:

This will create a new folder in the user’s home folder, move the user’s central AppData into it at next logon and redirect AppData there. By using %HOMESHARE%, Windows understands that the target is the home folder specified on the user object in AD. Do this for every folder you would like redirected (Desktop, Favorites etc.).

The next step is optional, but you will probably want to configure it, since it is a pain for the end users: without it, items pinned to the taskbar warn the user that they are opening items from an unsafe area (the redirected network location). There are two ways of handling this: either you configure the IE security zones with a GPO, or you configure the Attachment Manager policies. I will show you how to configure Attachment Manager. Navigate to User Configuration > Policies > Administrative Templates > Windows Components > Attachment Manager. Edit “Inclusion list for low file types” and set it as follows:

This excludes the taskbar shortcuts from the warning. Set: .exe;.lnk and save it.

2. Create a group within your domain; the GPO is filtered to this group.

OK, so as soon as the users log on to their computers, the Group Policy will create the folders and move the files to the users’ home folders. In this example I am applying it to 100 user accounts. I know for certain that not all of them will sign in within the next 10 days, so I set a limit of 30 days. After 30 days I will remove the users’ profile paths. By then I know at least 95% of my users will have logged on at least once. Those who haven’t will still get Folder Redirection, but it won’t move their old files, so I will have to do that manually.

3. Create the PowerShell script to remove the users’ profile paths:

function ProfileWipe([string]$adgroup)
{
    if (!$adgroup) { $adgroup = Read-Host "AD group name" }
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity $adgroup | Select-Object samAccountName | ForEach-Object {
        # select the user from AD with the default properties plus profilePath and lastLogon
        $user = Get-ADUser $_.samAccountName -Properties profilePath, lastLogon
        # record account name and old profile path so it can be put back if something goes wrong
        Add-Content "C:\profilepaths.txt" "$($user.samAccountName)`t$($user.profilePath)"
        # clearing the attribute means the next logon uses a local profile only
        Set-ADUser $_.samAccountName -ProfilePath $null
    }
}

This gets the members of the AD group passed in (in our case “No Profile Users”). It removes the profile path of every user by setting it to $null. It also exports a text file of account names and profile paths, so you can Ctrl+F a user and put the path back if something goes wrong. Bear in mind that you should not run this script until you know that all of the users in the group have logged on at least once since you activated Folder Redirection.
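As an added example (not the post’s own script), here is a version of the wipe that enforces the rule above automatically: it clears the profile path only for group members whose last logon is after the date Folder Redirection was activated, writes a CSV backup row before each change, supports -WhatIf, and can restore a path from the backup. The group name, cutoff date and backup path are assumptions.

```powershell
# Added example (not the post's own script). Clears the roaming profile path only for
# members who have logged on since Folder Redirection went live, and writes a CSV
# backup row before each change. Group name, cutoff date and backup path are assumptions.
Import-Module ActiveDirectory

function Clear-RoamingProfilePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$GroupName,           # e.g. 'No Profile Users'
        [Parameter(Mandatory)][datetime]$RedirectionActive, # day the GPO was linked
        [string]$BackupCsv = 'C:\ProfileWipe\profilepaths.csv'
    )
    New-Item -ItemType Directory -Path (Split-Path $BackupCsv) -Force | Out-Null

    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties profilePath, LastLogonDate

    $skipped = @()
    foreach ($u in $members) {
        if (-not $u.profilePath) { continue }   # already has no central profile
        # LastLogonDate is the replicated lastLogonTimestamp (can lag up to 14 days),
        # so a user who logged on this week may still look unmigrated: leave them for a later run.
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $RedirectionActive) {
            $skipped += $u; continue
        }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Clear profilePath $($u.profilePath)")) {
            # Backup row first, so a failed Set-ADUser never loses the old value.
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; ProfilePath = $u.profilePath
                               ClearedOn = Get-Date } |
                Export-Csv -Path $BackupCsv -Append -NoTypeInformation
            Set-ADUser -Identity $u -Clear profilePath
        }
    }
    Write-Warning "$($skipped.Count) member(s) have not logged on since $RedirectionActive; handle them manually:"
    $skipped | Select-Object SamAccountName, LastLogonDate
}

# Put one user's old path back from the backup if something goes wrong.
function Restore-RoamingProfilePath([string]$SamAccountName,
                                    [string]$BackupCsv = 'C:\ProfileWipe\profilepaths.csv') {
    $row = Import-Csv $BackupCsv | Where-Object SamAccountName -eq $SamAccountName | Select-Object -Last 1
    if ($row) { Set-ADUser -Identity $SamAccountName -ProfilePath $row.ProfilePath }
}

# Dry run first (-WhatIf prints what would change), then run it for real:
# Clear-RoamingProfilePath -GroupName 'No Profile Users' -RedirectionActive '2012-02-01' -WhatIf
```

Users listed as skipped are exactly the ones the post says need their old files moved by hand; rerun the script after they have logged on.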

The last thing we will do is create a scheduled task and a .bat file. The function has to be loaded from the script file before it can be called, so save the script as a .ps1, then create the .bat and paste (the script path is an example; adjust it to where you saved the file):

 REM dot-source the script so the ProfileWipe function is defined, then call it with the group name
 powershell.exe -ExecutionPolicy Bypass -Command ". C:\Scripts\ProfileWipe.ps1; ProfileWipe 'No Profile Users'"

Schedule this to run whenever you like, and we are done. This may create other problems than the ones we are experiencing with central profiles, but it’s worth a try and I will come back with feedback.

// Karl
