MD-101 Managing Modern Desktops Topic: Manage User Profiles
December 16, 2022

1. Configuring user profiles

Look now at the C drive, and we’re going to go into the Users folder. Okay. So zoom in on that, and we’ll go to the Users folder here, and you’re going to see that we have some different folders. OK? So these different folders represent a lot of different users that have logged on to this machine before. OK? For example, I have a user named John Smith. If I double-click on John Smith, and if you have hidden files being shown, you’ll see a file called NTUSER.DAT. Now, if you don’t have hidden files being shown, just click the View menu, and you can click hidden files. If you don’t have that checked, you’ll notice that file does not show up.

Okay? So the NTUSER.DAT file is the actual registry area for this user. The registry stores a bunch of your user settings involving this user state, and that NTUSER file is going to be the current user area of the registry for this user. Okay? So all their settings and things that they’re doing, and if they change their wallpaper or whatever they do, it’s all going to get stored inside the registry, which is managed by that file. At least the user-state portion of the registry is. Okay, so also, as you’ll notice, you have Desktop, Documents, Downloads. Anything you do here is going to show up on their desktop or in their documents or downloads.

For example, right now I’m logged in as “instructor,” correct? So if I go to the Desktop folder here and create a folder and call it Hello World, this is going to show up on the desktop, as you can see here, and it is right here for the instructor. Okay? So anything I do to these profiles could affect the users when they log on, right? The other thing I want to mention is that if a user has never logged on before, or if they are logging on for the first time, they do not have a profile unless they use something called a roaming profile, which I’ll explain in a moment. Okay? So when a user initially logs on for the very first time, there is a folder called “Default” here that’s hidden.

Again, you have to have hidden files turned on, but that is where the initial profile comes from. For example, if I were to go into that folder and create something on the desktop of that folder that said welcome kit for new users, then as soon as a new user logs on for the very first time, they’re going to have this on their desktop. Now the user I’m logged on to right now does not have that because the instructor has logged on previously. Okay? So that would only show up on a new user’s desktop. Okay? Now if I go to the folder called “Public,” this is going to represent all users. So anything you do here will show up on everybody’s desktop or in everybody’s documents, downloads, or wherever you put it here.

So I’m going to go to the public desktop. Watch this. I’m going to create a folder here. We’ll call it the company handbook. Okay. Now this is going to show up on everyone’s desktop, including mine, as the instructor, okay? So new users and existing users are all going to get it, okay? Now the next thing I want to go over with you is making changes to profiles, okay?

So it’s important to know that if you are a regular user, when you log on and get your profile, you are able to make changes to the stuff in your profile but not other people’s. Now, of course, if I’m an administrator, I can make changes to other people’s profiles. Okay? But here’s the thing: Imagine this. Consider the following scenario: you have a hotel, perhaps a business centre hotel, with some computers and a printer set up. And you don’t want users messing with the desktop. So somebody comes into that hotel, they sit down at this kiosk, and you don’t want them messing with the wallpaper and changing things.

So what you can do is create a profile, which is called a mandatory profile. To make a profile mandatory, you log on as that user and then log back on as an admin. Let’s say that this user here called John Smith is our kiosk computer account, all right? Granted, you probably name it something like “Guest,” “Kiosk,” “Business Center,” or something like that. But understand, the way you make the profile mandatory is insane. You’d think there’d be a checkbox somewhere. But, in reality, you’re going to rename this file to NTUSER.MAN, okay? So by making it into NTUSER.MAN, you’re now making it so that the profile settings for this user account won’t be saved. Anything that’s done, if somebody’s logged on to this account, can’t be changed. So even if this is like an anonymous guest account where somebody could log on, and they are not required to enter a password, they wouldn’t be able to save any other changes.

Okay? Now one other thing, though. Currently, though, this computer will cache their password and all of that. Even if they don’t have a password, it would just allow them to log on anonymously. What if you don’t want users to log on to this account if there’s no network connection, so that the domain can control it? Okay, so you can make this what we call a super-mandatory profile. You’d think you’d rename it “Superman,” wouldn’t you? But no, you do not. It is, in fact, “.man.V5.” You put “.man.V5,” and this makes it super mandatory. The only thing that “super mandatory” really means is that the profile requires the network to be present. So if you’re part of a domain, it’s going to require that the domain be present.

So that is how you create a mandatory profile. Another thing I want to emphasise is that all profiles are local profiles. That means that when a user like John Smith logs onto this machine, it creates the profile on this machine. And if John Smith were to log onto another machine, his profile settings, documents, and all that wouldn’t go where he went. Okay? So, to make a profile basically move around with you, one option that we’ve got, and this is sort of the older option that’s been around now for well over 20 years, is that we can do something called a roaming profile. Okay? So here’s what we’re going to do. We’re going to jump over to our domain controller.

Now we’re going to take a look at making this profile roaming. So here I am; I’m on my domain controller. I’m going to go to the Tools menu and click on Server Manager here, and I’m going to go to Active Directory Users and Computers. So we’ll open up Active Directory Users and Computers, and we’ll be able to locate that user account, and then we’ll be able to set the profile settings for that user account. So coming down here now, we have Active Directory Users and Computers.

I’m going to zoom in on that for you. Okay, so taking a look at Active Directory Users and Computers. All right, I’m going to go here and I’m going to look at New York. The New York organizational unit, which is just a container, contains the users. And right there is John Smith. So, if I wanted John Smith to have a roaming profile, all I have to do is double-click on him, then go to the Profile tab and configure his profile to be a roaming profile. Okay, so here it is, right here, zooming back in on that for you. I’m going to click Profile and put in the profile path. So first order of business, you need a place for that profile to be stored.

So this is usually going to be on a server. Okay. So I put in backslash backslash and the name of a server. Let’s say it’s a server called NYC server one. There is server one, followed by a backslash and the name of a shared folder. Maybe the shared folder is called “Profiles.” And then I’m going to do a backslash and put percent username percent (%username%). That will create a folder with his username in it, where the profile will be saved. The great thing about this is that if you were to copy this John Smith user and create a new user out of it, it would create a new folder under that new name. So if I created another user named Bob Jones, for example, his user name folder would be Bob Jones, not John Smith. OK, so that is going to give you a roaming profile. Wherever the user goes, it’s going to copy down that profile, and all of their documents and settings and all that stuff are going to go with them, okay? Of course, the downside of this is that users can store a tremendous amount of data in their profiles.

And, of course, if you’re not careful, you’ll end up with a two-terabyte folder full of user data that’s been collecting for 15 years of this employee’s work with the company. So one thing we need to be able to do is be able to police the amount of storage that profiles take up. Now we can do that through group policies. We go into group policies on our domain controller, and we’re going to go to Group Policy Management here. It’s going to bring up that little group policy tool, okay? We’re going to bring that up on the screen and zoom in on it. Okay? And then from there, we would create a GPO. We would just call it something like “profile settings,” right? For lack of a better name. You just spelled that correctly. Okay? So we’re going to edit that now. Edit that GPO. The policy that we’re looking for is actually going to be under User Configuration, Policies. Then it’s going to be under Administrative Templates, then System, and then we’re going to find User Profiles. And here it is, right here. It’s called Limit profile size. So I can enable it; let me move this over for you. I can enable this policy and limit the size of the profile.

So the maximum size right now is done in kilobytes, as you can see. You also can have a message that warns the user: “Hey, you’ve exceeded your quota of storage,” et cetera. You need to free up some disk space, okay? And we can have it remind the user every 15 minutes if we want. We can adjust that if we want as well. But that’s how you can limit the profile size. Now there’s one other way you can limit the profile size, okay? You could do this on the server where the roaming profile is, or you could even do it on the local client. You can set what’s called a “disk quota.” Let me jump back over to Windows 10 here, and I’m going to show you real quick: setting the disk quotas. So if I right-click my C drive, let’s say that this is where the profile is stored. I can go to this tab called “Quota.” I can enable this, I can enable quota management here, and then I can limit the disk space to whatever. As you can see, I set a quota of two gigs and set the warning limit to 1.7 gigs.

So it’s just going to warn the user when it gets to that 1.7-gig limit. Now, keep in mind that even if I turn this on, it’s not going to stop the user, unless you select “Deny disk space to users exceeding quota limit.” That way, when it gets to that two-gig limit, it would actually prevent the user from storing any more data. Okay. You can also set exceptions to this. If you go to Quota Entries and then click “New Quota Entry,” you can add a user. So, for example, if I didn’t want to limit somebody, like, maybe I don’t want to limit the user named Jane Doe, I can say, “Don’t limit Jane Doe” if I want. Okay? So that’s another way. However, keep this in mind when setting quotas. Quotas are not just going to deal with profiles. Quotas are going to limit everything the user does. Once I’ve got this set up, all I’ve got to do is hit Apply, and that’s going to enable it. And so that’s how you can do quotas. Hopefully, that gives you guys a better understanding of profiles: local profiles, mandatory profiles, super-mandatory profiles, and roaming profiles.
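The roaming profile path and the profile storage concern from this lesson, as an added PowerShell example that is not part of the original lesson. It assumes the RSAT ActiveDirectory module; the OU, server, and share names and the 2 GB review threshold are placeholders.

```powershell
# Added example. Requires the RSAT ActiveDirectory module.
# The OU, server and share names are placeholders, not the lesson's lab values.
Import-Module ActiveDirectory

$SearchBase   = 'OU=New York,DC=example,DC=com'   # placeholder OU
$ProfileShare = '\\SERVER01\Profiles'             # placeholder \\server\share
$LimitBytes   = 2GB                               # review threshold (assumption)

function Set-RoamingProfilePath {
    param([string]$SearchBase, [string]$ProfileShare)
    # The Users and Computers dialog replaces %username% when the path is typed.
    # Set-ADUser stores the string as given, so build the per-user path here.
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties ProfilePath |
        ForEach-Object {
            $target = '{0}\{1}' -f $ProfileShare.TrimEnd('\'), $_.SamAccountName
            if ($_.ProfilePath -ne $target) {
                # Remove -WhatIf to apply the change.
                Set-ADUser -Identity $_ -ProfilePath $target -WhatIf
            }
        }
}

function Get-ProfileShareUsage {
    param([string]$ProfileShare, [long]$LimitBytes)
    # One folder per user under the share; sum the files in each.
    # Folders the caller cannot read are skipped silently, so their size is understated.
    Get-ChildItem -Path $ProfileShare -Directory | ForEach-Object {
        $sum = (Get-ChildItem -Path $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Folder    = $_.Name
            SizeMB    = [math]::Round(($sum / 1MB), 1)
            OverLimit = ($sum -gt $LimitBytes)
        }
    } | Sort-Object SizeMB -Descending
}

Set-RoamingProfilePath -SearchBase $SearchBase -ProfileShare $ProfileShare
Get-ProfileShareUsage -ProfileShare $ProfileShare -LimitBytes $LimitBytes |
    Format-Table -AutoSize
```

The size report only measures; enforcement still comes from the Limit profile size policy or a disk quota as described in the lesson.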

2. Configuring Folder Redirection Including OneDrive

On top of being able to conserve how much space user profiles can actually utilize, we can also redirect user profiles if we want. OK, so remember that a user profile is going to contain documents, their videos and music, and all of the files that they use on a day-to-day basis. We can actually have those files redirected somewhere else, such as a server, okay? And then they won’t take up any space on the client computer. Of course, they will take up space on the server. But there is a benefit to that. And one of the main benefits is that, well, we normally back up our servers, so the user’s data is getting backed up as well, whereas if the user stores it locally, unless they’re using something like OneDrive, chances are their data is not getting backed up.

So here I am on a domain controller now, and I’m going to look at creating a group policy that’s going to allow me to redirect the user’s data through folder redirection. So we’re going to go to Tools and then Group Policy Management here, okay? And then I’m going to zoom in on that for you. And we’re going to create a GPO, and I’m just going to call it “folder redirection,” okay? We’re going to edit that folder redirection GPO, and we will go underneath User Configuration because this is a user setting policy. We’re going to go under Windows Settings. And then you’ll see Folder Redirection right here. So if I expand that out, I can actually redirect every one of these folders you see here, although you have to do it individually by going to the properties of each one of these. You can’t do them all at once, but you can redirect these folders.

Okay, so let’s say that I wanted to redirect the Documents folder for the user. So all I’ve got to do is right-click that Documents folder, go to Properties, and then I can choose either Basic or Advanced. Now if I do Basic, this is going to redirect everyone’s folder that gets hit by this GPO to the same place. So any users that are receiving this group policy object are all going to be redirected to the same place. Now don’t take that the wrong way because I want to give you an example. Watch this. It’s going to show an example. If we had a user named Claire, watch this. I’m going to say backslash backslash NYC server one, and we’ll call this Docs. Now look, if you had a username like “Claire,” Claire’s documents would go on NYC server one as Docs\Claire\Documents. So, if I had the username John Smith, it would go into John Smith’s Documents, correct? So when I say it’s going to redirect to the same place, I’m not saying it’s going to store everybody’s documents in the same folder. They’ll each have a user folder. But with Basic, everyone’s documents are going to go to the same place, the same server, and the same shared folder called Docs. Now what if I didn’t want that to be the case? What if I wanted to base it on groups?

I can go up here to Advanced, and I can now actually select groups. If I wanted to, I could add the sales group and specify that sales will be redirected to NYC server one slash Docs. Okay? So now sales is going to go here, and then let’s add a marketing group, okay? We’ll also do NYC server two slash Docs. So the marketing people are going to send theirs to server two. And then, maybe, we’ll do managers. Managers have a different server where they store their data. So NYC server three slash Docs. So as you can see, if all of these users were receiving this group policy object, they’re going to actually have their folders redirected to a different server. Okay? So at that point, I’m going to click OK. The only thing I don’t really like about this is that once you do this, there’s no real indication that you did it over here. You kind of have to right-click and go to Properties. But once I’ve done that, I can now go, and I can link this GPO.

So if I wanted to link this GPO to Atlanta, for example, I could. And now the people that are in Atlanta would receive that folder redirection GPO, and well, once it refreshes, remember, policies will get refreshed every 90 to 120 minutes. Okay? So that’s how that’s going to work. Now one more thing I just want to mention is another option: we can actually have this happen to OneDrive as well, OK? If you go to Microsoft’s website knowledge base and you look up OneDrive group policy templates, there will actually be a policy inside a GPO that will allow you to redirect to OneDrive, and that way it’s going out to the cloud. OK, so that’s another option for you. For example, if I go to my Windows 10 computer right now, you’ll notice that if I go to File Explorer, you’ll see that I have OneDrive.

Okay? So I’ve got my documents and my pictures synchronized through OneDrive. Now that is another feature that you’re going to manage through group policies. But you do have to download these little things called ADMX templates for that. So if you go out there and search for OneDrive ADMX templates, you can download those and they can be imported into a GPO. And then at that point, you have the ability to have your users synchronize all of their documents and pictures to OneDrive. Okay? So that’s a really neat little feature you can also utilize. And of course, once that’s done, users can also open up their web browser and see all that. So here’s my OneDrive in the web browser, and it all synchronizes, and they’ve got an awesome cloud backup of their data as well. Okay, so hopefully that gives you a good understanding of the concept of folder redirection and how to redirect to OneDrive.
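The lesson notes that the GPO editor gives no visible sign that a folder has been redirected. One way to confirm the result on a client, as an added PowerShell example that is not part of the original lesson; it assumes it runs in the affected user's session after the policy has applied and reads the standard User Shell Folders registry values.

```powershell
# Added example: run in the redirected user's own session after the GPO has applied.
# The value names are the standard ones under User Shell Folders.
$keyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$folders = [ordered]@{
    Documents = 'Personal'
    Desktop   = 'Desktop'
    Pictures  = 'My Pictures'
}

function Get-RedirectionStatus {
    param([string]$KeyPath, [System.Collections.IDictionary]$Folders)
    $key = Get-Item -Path $KeyPath
    foreach ($name in $Folders.Keys) {
        # GetValue expands environment variables such as %USERPROFILE%.
        $path = $key.GetValue($Folders[$name])
        [pscustomobject]@{
            Folder     = $name
            Path       = $path
            # A UNC path means the folder points at a server share.
            # A OneDrive-synchronized folder shows a local path instead.
            Redirected = [bool]($path -and $path.StartsWith('\\'))
            Reachable  = [bool]($path -and (Test-Path -LiteralPath $path))
        }
    }
}

Get-RedirectionStatus -KeyPath $keyPath -Folders $folders | Format-Table -AutoSize
```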

3. Understanding Enterprise State Roaming

Now we’re going to come to Accounts, and then there is a little button here called Sync Your Settings. We’re going to click on that. Okay, now let’s zoom in on this for you. And you’ll notice that some features are only available if you’re using a Microsoft account or work account. So currently, I have not linked all of this stuff yet to the cloud. But there’s still another catch to this. In order to synchronize, you actually have to turn this on in the cloud as well.

So I’m going to show you that in just a second. But real quick, let’s look at what can be configured here. Okay, so first and foremost, once I’ve linked my Windows 10 computer to Azure Active Directory, there are several ways to do so, which we’ll go over shortly. But once I’ve done that, this setting right here can be turned on. And these are the things that I can synchronize. You’ll notice I can synchronize my theme, which involves all my desktop settings, including the way things look, my wallpaper, screen saver, and any of that. You set color schemes, fonts, and your passwords, so that goes with the Password Configuration Manager that basically remembers all your different passwords in Windows 10. You have language preferences.

So if you have any particular language preferences, you’ve already set everything that’s going to get synchronized. You have Ease of Access. So Ease of Access will involve essentially any kind of special needs or handicap-based features that you’ve got enabled. For example, I could have a visual impairment. Maybe I’ve enabled high contrast on my screen.

Maybe I’ve enabled Cortana to narrate things for me. There are various settings in Control Panel that you can manage. You can also manage things like Ease of Access in the Settings app, and that will be synchronized for you. And then, lastly, they mentioned that there were some other settings. The other settings are going to involve things like your Edge web browser and all of that stuff. So some of the built-in apps and things like that in Windows will get synchronized as well. Okay, so that gives you a look at what we’ve got in the operating system. Let’s take a look now at how we would do this on the Azure side. So, I’m now on the portal.azure.com portal. Alright. And we’re going to go ahead and click on this little menu button right here.

And we’re going to go to the Azure Active Directory blade. Okay, so first order of business, remember that to do Enterprise State Roaming, you actually have to have your Windows 10 computer linked into your cloud. All right? So I should be able to go here to Devices, and I would be able to see any devices that I’ve linked. At the moment, I have not linked any devices. Now keep in mind that coming up in one of our later lessons, we are going to be doing all that. So you’re going to see how we can actually have devices. Autopilot is one way, and we’ve gone over Autopilot in the past. So if you had Autopilot on a computer and linked it to Autopilot, it would show up here. Okay? But what I’m going to do is go over here to Enterprise State Roaming, okay? And I’m going to turn this on. Notice that it is turned off. So I could turn this on by clicking All. Or, if I wanted, I could click Selected and then click to select individual groups, devices, and other items. Okay? So right now, again, I don’t have any devices.

So it’s not going to let me choose anything just yet. But I can choose All and then save. This is how you’re going to turn Enterprise State Roaming on with regards to the Azure portal. But there are still a couple of other things I need to point out to you. If we click on the device settings here, there are a few things that have to happen. First off, we also have to allow devices to join Azure AD. If devices cannot join Azure AD, they can’t use Enterprise State Roaming because it is an Azure Active Directory feature. So I’m going to come over here, and I’m going to turn that on, okay? And then it says additional local administrators on Azure AD joined devices. That’s if I wanted to add another local administrator to somebody’s device. I could require MFA down here. Okay? If I wanted to do that, I’m going to have a lesson on MFA coming up a little later as well. And notice they’ve got another reminder of Enterprise State Roaming down here. Let me save this.

And of course, if I click this little link right here, you’re going to notice it just redirects me back over here again. So as you can see, turning on Enterprise State Roaming is really easy. The key ingredient that is missing is that we must ensure that our computers are linked into Azure AD, which we will go over. Okay, so that’s how you configure Enterprise State Roaming. Those are different settings for Enterprise State Roaming. That’s pretty straightforward stuff there. That should give you an idea. This is a newer method of synchronizing your settings that does not require the use of roaming profiles or GPOs. Enterprise State Roaming is purely a setting that is going to get enabled through the cloud. And once Windows 10 gets linked to it, you’ll notice that Windows 10 now has the capability of having its settings synchronized.

