How to Configure a File Server for Hosting User Profiles

This article is part of Helge’s Profile Toolkit, a set of posts explaining the knowledge and tools required to tame Windows user profiles.

Setting up a network share on a file server for hosting user profiles is not too difficult if you follow the steps outlined in this article. The recommendations I give here apply to both Windows roaming profiles and Citrix Profile Management (UPM) profiles.

Server Load

Roaming Profiles

Roaming user profiles can place a considerable load on the file server. As is the nature of roaming profiles, the maximum load typically occurs during peak logon hours. If your organization has 1,000 users who log on every day, 800 of those might be logging on in a very small time window between 8:30 and 9:00 am. While that is a trivial observation, it causes a great amount of stress for the file server, because 800 profiles need to be served in only 30 minutes, which is one profile every 2.25 seconds. If each profile consists of 1,000 files the file server needs to serve one file every 2 milliseconds, which is pretty tough. Consider that when planning file server capacity and make sure to take measurements during peak logon hours.

Citrix Profile Management

Citrix Profile Management with on-demand streaming enabled reduces the load during peak logon hours considerably since files are loaded only when actually accessed, but it creates a constant load for the entire duration of the user sessions, which needs to be taken into account, too.

Roaming Profile File Share

Permissions

Set these permissions on the root of a profile share to enable it for roaming profile storage. When Windows creates a new roaming profile, it acts on behalf of the user, i.e. it “impersonates” that user. Therefore we must make sure that each user may create new folders, while also ensuring that each user may access only his own profile folder.

These permissions apply both to traditional Windows roaming profiles and to the user store where Citrix Profile Management keeps its profiles.

NTFS permissions:

  • Administrators: full control
  • SYSTEM: full control
  • Authenticated users: list folder/read data & create folders/append data, this folder only
  • Creator/Owner: full control, subfolders and files only

Share permissions:

  • Everyone: change
  • Administrators: full control

You should use SetACL Studio to manage permissions, of course.
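
The NTFS and share permissions listed above can also be applied with a script. The following PowerShell is an added example, not part of the original article; the folder path and share name are hypothetical, and blocking inheritance on the share root is an assumption the article does not state.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal
#Requires -RunAsAdministrator
# Added example: $Path and $ShareName are hypothetical values, adjust them.
param(
    [string]$Path      = 'D:\Profiles',
    [string]$ShareName = 'Profiles$'   # trailing $ hides the share from browse lists
)

# Well-known SIDs keep the script independent of localized account names.
$wellKnown = @{
    Administrators = 'S-1-5-32-544'; System       = 'S-1-5-18'
    AuthUsers      = 'S-1-5-11';     CreatorOwner = 'S-1-3-0'
    Everyone       = 'S-1-1-0'
}

function New-AllowRule {
    param([string]$Sid, [FileSystemRights]$Rights,
          [InheritanceFlags]$Inherit, [PropagationFlags]$Propagate)
    [FileSystemAccessRule]::new([SecurityIdentifier]::new($Sid),
        $Rights, $Inherit, $Propagate, [AccessControlType]::Allow)
}

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Assumption: inheritance from the parent is blocked so that only the four
# entries from the article remain on the share root.
$acl = [DirectorySecurity]::new()
$acl.SetAccessRuleProtection($true, $false)
$all = 'ContainerInherit,ObjectInherit'
$acl.AddAccessRule((New-AllowRule $wellKnown.Administrators FullControl $all None))
$acl.AddAccessRule((New-AllowRule $wellKnown.System         FullControl $all None))
# "This folder only": users can list the root and create their own folder in it.
$acl.AddAccessRule((New-AllowRule $wellKnown.AuthUsers 'ListDirectory,CreateDirectories' None None))
# "Subfolders and files only": whoever creates a folder gets full control of it.
$acl.AddAccessRule((New-AllowRule $wellKnown.CreatorOwner FullControl $all InheritOnly))
Set-Acl -LiteralPath $Path -AclObject $acl

# Share permissions: Everyone = Change, Administrators = Full Control.
$toName = { param($s) [SecurityIdentifier]::new($s).Translate([NTAccount]).Value }
New-SmbShare -Name $ShareName -Path $Path `
    -ChangeAccess (& $toName $wellKnown.Everyone) `
    -FullAccess   (& $toName $wellKnown.Administrators) | Out-Null

# Print the result for review.
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
Get-SmbShareAccess -Name $ShareName
```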

Related Configuration Settings

Enable these group policy settings for all computers where users log on with roaming profiles, namely physical and virtual client PCs and terminal servers.

  • Do not check for user ownership of Roaming Profile Folders
    in Computer Configuration \ Administrative Templates \ System \ User Profiles
    Disabling this check speeds up logons slightly and may greatly reduce profile problems.
  • Add the Administrators security group to roaming user profiles
    in Computer Configuration \ Administrative Templates \ System \ User Profiles
    When a new roaming profile directory is created, Windows disables permission inheritance and grants SYSTEM and the profile’s user account full control. That makes user profiles inaccessible to administrators, which prevents them from performing maintenance. If this policy setting is enabled, the group “Administrators” is given full control on new profile folders, too.
    Note that this applies to new profiles only. Profiles created before this policy setting was in place lack the entry for “Administrators”.
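
Because the policy only affects new profiles, it is worth checking which existing profile folders still lack the “Administrators” entry. The following PowerShell audit is an added example, not part of the original article; the profile root path is hypothetical, and the script assumes that each profile folder is owned by the profile’s user.

```powershell
# Added example: $ProfileRoot is a hypothetical path, adjust it.
param([string]$ProfileRoot = 'D:\Profiles')

$sidType   = [System.Security.Principal.SecurityIdentifier]
$adminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
$systemSid = 'S-1-5-18'       # SYSTEM
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $row = [ordered]@{
        Folder = $_.Name; Readable = $false; InheritanceBlocked = $null
        Owner  = $null;   AdminFullControl = $null; UnexpectedAccess = $null
    }
    try {
        $acl   = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
        $owner = $acl.GetOwner($sidType).Value
        # Explicit and inherited allow entries, with identities returned as SIDs.
        $allow = @($acl.GetAccessRules($true, $true, $sidType) |
                   Where-Object { $_.AccessControlType -eq 'Allow' })

        $row.Readable           = $true
        $row.InheritanceBlocked = $acl.AreAccessRulesProtected
        $row.Owner              = $owner
        $row.AdminFullControl   = [bool]($allow | Where-Object {
            $_.IdentityReference.Value -eq $adminSid -and
            ($_.FileSystemRights -band $full) -eq $full
        })
        # Anyone besides SYSTEM, Administrators and the owner is worth a look.
        $row.UnexpectedAccess = ($allow.IdentityReference.Value |
            Where-Object { $_ -notin $systemSid, $adminSid, $owner } |
            Sort-Object -Unique) -join ', '
    }
    catch {
        # Typical for profiles created before the policy: admins cannot read the ACL.
        $row.UnexpectedAccess = "ACL not readable: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}
```

Folders reported with Readable = False or AdminFullControl = False are the ones created before the policy took effect.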

8 Responses to How to Configure a File Server for Hosting User Profiles

  1. Jeroen December 22, 2011 at 14:28 #

    Helge,

    Share permissions: Everyone: full control

    It’s better to change it to Domain Admins Full Control and Everyone Change.

    ;) Jeroen.

    • Helge December 22, 2011 at 23:08 #

      Good point. I just updated the article.

  2. Jonathan Pitre January 27, 2012 at 14:38 #

    Share permissions: Authenticated Users: full control

    http://www.windowsecurity.com/articles/Share-Permissions.html

    “As a best practice, it is most efficient to configure share permissions with Authenticated Users having Full Control access. Then, the NTFS permissions should configure each group with standard permissions. This provides excellent security for local and network access to the resource. It also provides excellent protection of the resource for when it is backed up and when the resource name is changed or relocated. As I said earlier, the NTFS permissions will protect the resource even if the share permissions are set to Full Control access.”

  3. Mike November 5, 2013 at 17:14 #

    Thank you for sharing this valuable information with the community.

    I was wondering if there is a quick and easy PowerShell script that can be used to create the named folder and apply the share and NTFS permissions? I am trying to build a lab environment which I can deploy automatically and having such a script would come in very handy.

    To make it easy it would be good to have a few variables that could be changed for portability i.e.

    File server name
    Folder Name, hidden or not

    • Helge Klein November 6, 2013 at 10:05 #

      There will be such a script once you write it ;-)

  4. Peter van der Laarse April 7, 2014 at 13:33 #

    Helge,
    Do not check for user ownership of Roaming Profile Folders
    in Computer Configuration \ Administrative Templates \ System \ User Profiles
    Disabling this check speeds up logons slightly and may greatly reduce profile problems.

    So this one should be set to enabled to disable the check?
    Does this check take place every time a user logs on or logs off?

  5. Lee Sentell December 24, 2014 at 05:24 #

    Is there a recommendation or calculation for sizing of servers that will host roaming profiles/folder redirection? The site I’m looking at is currently using nothing in this regard, but they want to switch. I have no point of reference with them, since they are not using those features now, so I’m not completely sure what kind of hardware to recommend. They are going to have 30-60 users.

  6. Thomas Roes January 14, 2016 at 12:06 #

    I have one site where user profiles were hard limited to 30Mb. This was recently updated to 40Mb.

    Without user training and/or careful use of redirected folders (i.e. use of the Desktop as a file-folder), 40Mb can still be a problem. You should also consider your applications. They are not always perfect in their choice of where to store what data.

    This takes some tuning.
