Saturday, February 03, 2018

Converting Roaming Users To Redirected Folders



How to convert roaming users to redirected folders in active directory

Particular users in an Active Directory environment were having long login times, anywhere between 5 - 15 minutes.  While troubleshooting this issue, from the server to the client, switches, cables, and network cards were all replaced with no success.  Upon further investigation, the one thing the users with the logon issues had in common was large profiles.  This AD environment was already in place and set up with roaming user profiles, which, when they get too large, cause issues such as long login times and file syncing problems.  To mitigate these issues I determined that a conversion to redirected folders was in order.

Now depending on your company's data policies, the client's technical level, what is wanted or required by the client, and the level of trust given to you, this can be easy or hard.  The scope of the project I was working on needed to include the transfer of the user data from the roaming profile to the new redirected folder setup.

There are really 2 ways to transfer the data.
  1. The administrator could move/migrate the user data after the new redirected user directories are created.  (This still involves users backing up bookmarks and some files from 3rd party apps like Firefox.)
  2. The user can back up and restore their files.

The organization I was working with chose to go with option 1.  They are small, and some extra time could be used to verify the redirected folder policy and the migrated data.  Users were required to back up Firefox, Chrome and other third party app data into a backup folder in their directories on the day they received notice of their data migration.  The data migration would be the next day, and they were told what their new password would be.  This was done to ensure AD properly applied the redirected folders policy.

Example of Notice:


Hi $USER,

To ensure the best and most efficient working experience possible, IT has been working on improving our infrastructure and it required us to make some changes to how your login profile works.  We would like to make the changes to your profile on $DATE after hours so this will be in effect for $DATE2.

Please feel free to contact IT services by email, phone or chat with any issue or concerns you might have regarding IT.

Your username has remained the same but your new temporary password will be $NEW_TEMP_PASSWORD

To login to a staff computer, login as you normally would but put in your new temporary password $NEW_TEMP_PASSWORD.  Then you will be prompted to change your password before you are able to continue.

To login to a staff computer:

Your username is $USER or $USER@DOMAIN.CA and your password is $NEW_TEMP_PASSWORD.
After your first login, you will be prompted to change your password.

You can change your password any time by pressing ctrl + alt + del on your keyboard and select "change password".

Converting Roaming users to Redirected Folders


This part is easy; the trick is doing it while allowing the users to keep access to their data.  Now, at least in this situation, our roaming users' paths are in two places in AD.

Location 1 for the data is \\servername\data\$user
Location 2 for the profile: \\servername\profile\$user

Now if the server goes down, that kind of makes using the DFS in AD useless.  So we want the redirected folder to use a locally based profile and point to the domain for the user pathing, so that if the server does go down it uses DFS until the server comes back online.

The profile path is easier to fix: right click on the user and open Properties; here we want to blank the profile path.  Also make sure you remove any AD settings that move the user's data to a place other than where you want it to be.

Once we have reset the user's profile path, we also remove the pathing for the data directory, because we have already set our pathing in our AD settings and want to avoid conflicts.  To have more control over our AD settings I created additional OUs so settings can be applied per department.

The OU layout is setup as follows
  1. Human Resources (HR)
  2. Information Technology (IT)
  3. Customer Service 1 (CS1)
  4. Customer Service 2 (CS2)
  5. Customer Service 3 (CS3)
  6. Laptop Users (LU)
  7. Purchasing and Receiving (PR)
  8. Board Members (MB)
  9. New Users (NU)
  10. Test OU (TOU)
The AD settings for the OUs are set up as follows.

Computer Configuration
Administrative Templates -> Network -> Offline Files
Subfolders  always available offline = Enabled | No additional Settings
Administratively assigned offline files = Enabled | Files and Folders -> Value Name = \\domain\dfs\$USERDATA\%username% | Value = “BLANK”
Configure Background Sync = Enabled

Background Sync Configuration

Limit Disk space used by offline files = disabled
Allow or disallow use of Offline Files Feature = enabled
Action on server disconnect = enabled | Set Action = Work offline
Enable Transparent Caching = enabled | Network latency value in milliseconds = 32000
Turn on economical application of administratively assigned Offline Files = enabled
Synchronize all offline files before logging off = enabled
Synchronize all offline files when logging on = enabled
Synchronize offline files before suspend = enabled | Action = full

User Configuration
Network -> Offline Files
Administratively assigned offline files = enabled | Files and Folders -> Value Name = \\domain\dfs\$DATA\%username% | Value = “blank/nothing”
Administratively Assigned Offline Files
Non-default server disconnect actions = enabled
Customize actions | Value Name = Work offline = 0
Action on Server Disconnect = enabled | Action = Work Offline
Synchronize all offline files before logging off = enabled
Synchronize all offline files when logging on = enabled
Synchronize all offline files before suspend = enabled | Action = Full




Administrative Templates -> Policies -> Windows Settings -> Folder Redirection

AppDATA = \\Domain\dfs\$DATA
DESKTOP = \\Domain\dfs\$DATA
Documents = \\Domain\dfs\$DATA
Pictures | Music | Video = Follow Documents Folder
Favorites = \\Domain\dfs\$DATA
Contacts = \\Domain\dfs\$DATA
Downloads = \\Domain\dfs\$DATA
Links = Not Configured
Searches = \\Domain\dfs\$DATA

Redirected Folders Pathing

Now with these settings in place we can make the changes to the user profiles.  I like to run a gpupdate on the server and on the client (if it's a workstation the user currently uses regularly) just to make sure the policy gets applied.  I then login as the user and have AD recreate all the proper folders in the new $DATA directory.

Then logout of the client computer.  On the server you need to take ownership of the old directories and the new directory (in this case I am using an administrator account) and then copy the data from the old directories into the new one.  Once you're finished, give ownership back to the user, then update your group policy on the server and on the client.
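The per-user part of that procedure (clear the profile and home paths on the user object, take ownership, copy, hand ownership back, refresh policy) as a PowerShell script; this is an added example, not a script from the original post, and it assumes the RSAT ActiveDirectory module, that it runs on the file server as an administrator, and that the share roots match the paths shown above ($DATA is a placeholder folder name, as in the post).

```powershell
# Added example, not from the original post. Migrates one user's roaming data
# into the redirected-folder share. Assumes RSAT ActiveDirectory is installed and
# the script runs on the file server under an administrator account.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [string]$OldDataRoot    = '\\servername\data',
    [string]$OldProfileRoot = '\\servername\profile',
    [string]$NewDataRoot    = '\\domain\dfs\$DATA'   # single quotes: "$DATA" is a literal placeholder
)
Import-Module ActiveDirectory

# 1. Blank the roaming profile path and home directory on the user object so the
#    OU's folder redirection policy is the only thing deciding where data lives.
Set-ADUser -Identity $SamAccountName -ProfilePath $null -HomeDirectory $null -HomeDrive $null

$old = @("$OldDataRoot\$SamAccountName", "$OldProfileRoot\$SamAccountName")
$new = "$NewDataRoot\$SamAccountName"   # created by AD on the user's first post-policy login

# 2. Take ownership of the old and new trees so the admin account can read everything.
foreach ($p in ($old + $new)) {
    if (Test-Path -LiteralPath $p) { takeown /F $p /R /D Y | Out-Null }
}

# 3. Copy data and timestamps only (/COPY:DAT): ACLs are inherited from the new share
#    rather than carried over from the old profile. /XJ skips junctions that would loop.
foreach ($src in $old) {
    if (-not (Test-Path -LiteralPath $src)) { continue }
    robocopy $src $new /E /COPY:DAT /XJ /R:2 /W:5 /LOG+:"$env:TEMP\migrate-$SamAccountName.log" | Out-Null
    # robocopy exit codes 8 and above mean some files failed; stop so nothing is missed silently.
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures for $src (exit $LASTEXITCODE); see log" }
}

# 4. Hand ownership of the new tree back to the user; the user gets full control of their own data.
$domainUser = "$env:USERDOMAIN\$SamAccountName"
icacls $new /setowner $domainUser /T /C | Out-Null
icacls $new /grant "${domainUser}:(OI)(CI)F" /T /C | Out-Null

# 5. Refresh policy on the server; run gpupdate on the client after the user's next login as well.
gpupdate /force | Out-Null
```

Run the user's first login (step where AD creates the new $DATA folders) before this script so the destination tree already exists with the share's inherited ACL.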

The user should now be set up using redirected folders, and at least in my AD environment all users that have been moved over to redirected folders have a typical login time of 5 to 10 seconds, with commonly used files synced and available in offline mode in case the system does have to work in an offline capacity.
