Guess we'll have to just agree to disagree on that one then; in my experience 
Windows roaming profiles are devil-spawned. I've seen environments where they 
were set up well in line with best practices doing hundreds of profile resets 
per week.

Curious as to how big your profiles get? The ones I do with third-party tools 
are normally less than 1MB in size and rarely get bigger.

Also do you redirect AppData? That's a whole other argument, just wondering.

Cheers,


JR

Sent from my Blackberry, which may be an antique but delivers email RELIABLY

-----Original Message-----
From: Ken Cornetet <ken.corne...@kimball.com>
Date: Fri, 22 Feb 2013 17:26:29 
To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>
Reply-To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: Remote Desktop Server (Formerly known as Terminal Server)

Hardly. We have a large mixture of users and applications running a mix of full 
desktops and published apps.

I've got SAPGui, Office 2010, Office 2007, Minitab, Teamcenter, and a score of 
other apps.

As long as your App servers are on the same LAN as your file server hosting 
profiles, and you are using folder redirection, roaming profiles just work. No 
bloat, no fuss, no muss.


From: kz2...@googlemail.com [mailto:kz2...@googlemail.com]
Sent: Friday, February 22, 2013 10:18 AM
To: NT System Admin Issues
Subject: Re: Remote Desktop Server (Formerly known as Terminal Server)

Your apps must be simple and easy. I can assure you from personal experience on 
many different sites and systems that roaming profile issues are absolutely not 
FUD.
Sent from my Blackberry, which may be an antique but delivers email RELIABLY
________________________________
From: Ken Cornetet <ken.corne...@kimball.com>
Date: Fri, 22 Feb 2013 10:02:49 -0500
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
ReplyTo: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: Remote Desktop Server (Formerly known as Terminal Server)

I'm using roaming profiles in a XenApp 5 system with around 1000 users. No 
problems whatsoever.  I think a lot of the common "wisdom" about not using 
roaming profiles is a combination of bad history and FUD spread by vendors of 
profile management software.

Not using roaming profiles sounds good in theory, but may be problematic in 
practice. If you have a user base with very simple requirements, a mandatory 
profile can work well - you only need to back up and restore a few settings 
from the registry (Outlook profiles, default printer, etc). Otherwise, roaming 
profiles make life much easier.

I'll try to highlight the group policy I have in place:

User lockdown - implemented via loopback - Set security to deny apply of this 
GP for admin users.
Turns off most of the things in control panel
Hide Desktop "network locations"
Hide network connection settings
Disable offline files
Disable connection wizard
Remove shutdown, sleep, and hibernate from start button.
Turn off "Getting Started".
Hide A,B,C, and D drives in "My Computer".
Hide the C drive in file dialog boxes  (This can cause error messages in Office 
apps).
Hide Windows update.

System policies
Turn off Customer Experience Improvement Program and error reporting.
Add "Administrators" security to roaming profiles.
Delete cached profiles.
Do not check for ownership of roaming profiles.
Turn on timezone redirection.
Set the roaming profile path.
Turn off Windows Defender.

Registry settings policy
Create HKLM\CurrentControlSet\Control\Print\DisableWERLogging DWORD 1 (if you 
don't do this, the print spooler will occasionally fill your C: disk up with 
error logs).
Create HKLM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate 
DWORD 1 - NOTE! You may not want to do this - research before implementing.
DELETE this key HKEY_USERS\.DEFAULT\Software\Hewlett-Packard - Do this if you 
use HP printers.  Trust me.
DELETE this key HKCU\Software\Hewlett-Packard - Ditto

User settings - implemented via loopback
Set folder redirection
Create 
HKCU\Software\Policies\Microsoft\Office\12.0\Common\Toolbars\QuickAccessToolbarRoaming 
DWORD 1  See http://support.microsoft.com/kb/958062 for details.
Create 
HKCU\Software\Policies\Microsoft\Office\14.0\Common\Toolbars\CustomUIRoaming 
DWORD 1  See http://support.microsoft.com/kb/958062 for details.
Create 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10 
DWORD 1 - This sets IE privacy to default

Application blacklist
Blacklist all of the common updaters (Java, Adobe, etc)
Blacklist VMware tools (if you are running under VMware)
Blacklist your Antivirus user interface agent (you don't want users kicking 
off scans of your C: drive)
Blacklist c:\windows\syswow64\IME\IMEJP10\IMJPDSVR.EXE - It eats CPU.

I'd be happy to export my policies and email them to you, if you like.

From: kz2...@googlemail.com [mailto:kz2...@googlemail.com]
Sent: Thursday, February 21, 2013 2:45 PM
To: NT System Admin Issues
Subject: Re: Remote Desktop Server (Formerly known as Terminal Server)

Roaming profiles are terribly problematic in any modern environment in my 
experience. Profile bloat, profile corruption, load failures - these issues 
plague any SBC solution where they are implemented.

As mentioned there are a nation of profile management tools that can address 
these issues. Citrix UPM provides a simple lightweight solution but if you're 
not using Citrix it's not really viable. There are many others but what you 
need to identify is how much time you are spending addressing profile issues 
based against the extra cost of a real solution.

At the end of the day it's all about how your apps perform and what settings 
need to roam. Without knowing much about your environment I can pretty much say 
the only GPO I'm sure you will need to configure is the Loopback Policy 
Processing.

Are you publishing desktops, applications, or a combination of both?
Sent from my Blackberry, which may be an antique but delivers email RELIABLY
________________________________
From: Kelli Sterley <kjsterley.li...@gmail.com>
Date: Thu, 21 Feb 2013 12:32:14 -0500
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
ReplyTo: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: Remote Desktop Server (Formerly known as Terminal Server)

I currently have a 2003 Terminal Server which is getting ready to be replaced 
with the 2008 R2 Remote Desktop Server.

Currently we are using roaming profiles and redirecting some user folders.  
Does anyone use roaming profiles anymore?  Why or why not?

I am also in the process of editing a group policy for both the server and 
users.  Are there any policies I should add for sure .. Anyone willing to share 
their GP's with me?


Also, I have been searching the internet for some good "best practices" for the 
new setup but have found little with regards to 2008.

I want it set up as simple as possible so any ideas would be great.

Thanks so much - Kelli

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
