First published on TECHNET on Mar 30, 2012
1 Introduction
1.1 Overview of Primary Computer feature
In Windows Server “8” Beta, administrators can designate a set of computers, known as primary computers, for each domain user. This designation controls which computers use Folder Redirection, Roaming User Profiles, or both. Designating primary computers is a simple and powerful method to associate user data and settings with particular computers or devices, simplify administrator oversight, improve data security, and help protect user profiles from corruption.
There are four major benefits to designating primary computers for users:
- The administrator can specify which computers users can use to access their redirected data and settings. For example, the administrator can choose to roam user data and settings between a user’s desktop and laptop, and to not roam the information when that user logs on to any other computer, such as a conference room computer.
- Designating primary computers reduces the security and privacy risk of leaving residual personal or corporate data on computers where the user has logged on. For example, a general manager who logs on to an employee’s computer for temporary access does not leave behind any personal or corporate data.
- Primary computers enable the administrator to mitigate the risk of an improperly configured or otherwise corrupt profile, which could result from roaming between differently configured systems, such as between x86-based and x64-based computers.
- A user’s first sign-in on a non-primary computer is faster because the user’s roaming user profile and/or redirected folders are not downloaded. Sign-out times for roaming user profile users on non-primary computers are also reduced, because changes to the user profile do not need to be uploaded to the file share.
See Deploy Primary Computers for Folder Redirection and Roaming User Profiles for updated information about how to enable primary computer support and designate primary computers for users.
1.2 Overview of this document
This post describes the steps I took to set up a user with Folder Redirection and assign primary computers, so that you can experiment with this new technology yourself. The post does not include details on how to set up a domain controller or a domain. The audience of this document is expected to have an existing file server, domain controller, and clients set up, or be able to set these up independently.
2 Installation Steps
2.1 Prerequisites
You need only a single computer (the specs are provided below) and the ISO files for the Windows Server “8” Beta and Windows 8 Consumer Preview, both of which are available as free downloads.
You will need a computer that meets the following requirements:
- Meets the minimum system requirements for Windows Server “8” Beta and Hyper-V
- Has at least 4 GB of RAM
In my case, I am using a Lenovo W520 Laptop with 8GB of RAM and an Intel Core i7.
You need to provision virtual machines for:
- Domain Controller (Windows Server “8” Beta)
- File Server (Windows Server “8” Beta)
- Primary Client (Windows 8 Consumer Preview)
- Other (non-primary) Client (Windows 8 Consumer Preview)
In my demo setup, I provisioned three virtual machines:
- One domain controller that also functions as a file server. I named this server PMDemo and named the domain dPMDemo.
- Two clients, which I named PMClient1 and PMClient2. Both clients are joined to the dPMDemo domain. PMClient1 will be designated as the demo user’s primary computer.
- I assigned 1.5GB RAM to each of the VMs. If you have less memory on your host computer, I would recommend enabling Dynamic Memory with a Startup RAM value of at least 1GB for the domain controller / file server and 1GB each for the two clients.
- All VMs are connected to the ‘External network’ virtual network switch that is connected to the physical network interface card (NIC) of the computer.
2.2 Setting up Folder Redirection
2.2.1 Create a file share for user data
To create a file share for user data, use the following procedure on the domain controller/file server.
- Create a folder named C:\Share.
- Right-click the folder you created, point to Share with, and then click Specific people.
- Type Everyone, click Add, and then click Share.
Alternatively, you can add Authenticated Users or any security group with all users to which the Folder Redirection policy will apply, as long as the users have Read/Write access to the file share.
2.2.2 Create a new user
To create a new user, use the following procedure on the domain controller.
- Open the Active Directory Users and Computers MMC snap-in.
- In the console tree, right-click Users, point to New, and then click User.
- In the New Object – User dialog box, create a new user named Bob Smith.
- Assign a password, clear the User must change password at next logon check box, and then select the Password never expires check box.
2.2.3 Create a new group policy object
To create a new GPO for Folder Redirection and primary computer support, use the following procedure on the domain controller.
- Open the Group Policy Management MMC snap-in.
- In the console tree, right-click Group Policy Objects. Click New to create a new group policy object.
- In the Name box, type Folder Redirection and Primary Computer and click OK.
- In the Security Filtering section, remove Authenticated Users and target the GPO to user Bob Smith.
2.2.4 Configure Folder Redirection
To set up Folder Redirection for Bob Smith, use the following procedure.
- Right-click the Folder Redirection and Primary Computer GPO and then click Edit. The Group Policy Management Editor opens.
- In the console tree, expand User Configuration, then Policies, Windows Settings, and then Folder Redirection.
- Right-click Documents, and then click Properties.
- Choose Basic – Redirect everyone’s folder to the same location from the Setting list.
- In the Root Path box, specify the root path to the file share created in step 2.2.1, and then click OK. In my demo, the share is \\PMDemo\Share.
2.2.5 Link the GPO to your domain
To link the GPO to your domain, use the following procedure on your domain controller.
- In the Group Policy Management console, right-click the domain created for this demo (in my case, dPMDemo), and then click Link an Existing GPO.
- Click Folder Redirection and Primary Computer and then click OK.
2.2.6 Test the Folder Redirection setup
At this point, the Folder Redirection setup is complete. If you’d like to test it out, sign in as Bob Smith on PMClient1. Ensure that Folder Redirection successfully applies for Bob Smith, as shown in step 2.4.1 below.
You may have to reapply Group Policy on the client computer in order for Folder Redirection to apply. To do so, sign in as Bob Smith, open a command prompt window, and then type Gpupdate /force. After signing out and then signing back in, the Folder Redirection policy should apply.
2.3 Setting up primary computers
2.3.1 Designate a Primary Computer in Active Directory
2.3.1.1 Designate a primary computer by using Active Directory Administrative Center
To designate a primary computer in Active Directory Domain Services (AD DS), use the following procedure.
- Open Active Directory Administrative Center.
- In the console tree, under the domain name node (dPMDemo in my case), click Computers.
- To designate PMClient1 as Bob Smith’s primary computer, double-click PMClient1, and then in the Extensions section, click the Attribute Editor tab.
- Double-click the distinguishedName attribute, right-click the value, and then click Copy.
- In Active Directory Administrative Center, click Users, and then double-click Bob Smith. In the Extensions section, click the Attribute Editor tab.
- Double-click the msDS-PrimaryComputer attribute, paste the distinguished name of PMClient1 into the Value to Add box, and then click Add. You can specify a list of computer names in the Value to Add box; each listed computer will be designated as a primary computer for the user.
- Click OK in the Multi-valued String Editor dialog and again in the Bob Smith window. PMClient1 is now configured in AD DS as a primary computer for Bob Smith.
2.3.1.2 Designate a primary computer by using Windows PowerShell
To use Windows PowerShell to designate a primary computer in AD DS, use the following procedure.
- Open a Windows PowerShell window on the domain controller.
- To retrieve the computer properties, including the distinguished name, of the primary computer, type the following command:
PS C:\Users\Administrator> $computer = Get-ADComputer PMClient1
- To set up the user – primary computer partnership for user Bob Smith, type the following command:
PS C:\Users\Administrator> Set-ADUser bobsmith -Add @{'msDS-PrimaryComputer'="$computer"}
- To check if the partnership was correctly set up, type the following command:
PS C:\Users\Administrator> Get-ADUser bobsmith -Properties msDS-PrimaryComputer
During the setup, if you’d like to remove the user-primary computer partnership for user Bob Smith, type the following command:
PS C:\Users\Administrator> Set-ADUser bobsmith -Remove @{'msDS-PrimaryComputer'="$computer"}
You can use the Windows PowerShell cmdlets published here to configure primary computer preferences in Active Directory.
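Once several users have designations, it is worth reviewing them in one pass. The following audit is an added example, not part of the original post: it lists every user with an msDS-PrimaryComputer value and flags entries that point at a disabled computer account or that do not resolve to a computer object. It assumes the ActiveDirectory module on the domain controller; the function name Get-PrimaryComputerAudit is hypothetical.

```powershell
# Added example: audit msDS-PrimaryComputer designations across the domain.
# Assumes the ActiveDirectory module (available on the domain controller).
Import-Module ActiveDirectory

function Get-PrimaryComputerAudit {
    # Every user that has at least one msDS-PrimaryComputer value
    $users = Get-ADUser -LDAPFilter '(msDS-PrimaryComputer=*)' `
                        -Properties 'msDS-PrimaryComputer'

    foreach ($user in $users) {
        # The attribute is multi-valued: one distinguished name per entry
        foreach ($dn in $user.'msDS-PrimaryComputer') {
            $status = 'OK'
            try {
                # Resolve the stored DN back to a computer account
                $computer = Get-ADComputer -Identity $dn -ErrorAction Stop
                if (-not $computer.Enabled) {
                    $status = 'Computer account disabled'
                }
            }
            catch {
                # The DN exists on the user but is not a computer object
                $status = 'Does not resolve to a computer object'
            }

            [pscustomobject]@{
                User            = $user.SamAccountName
                PrimaryComputer = $dn
                Status          = $status
            }
        }
    }
}

# Review all designations, with anything other than OK listed first
Get-PrimaryComputerAudit |
    Sort-Object @{ Expression = { $_.Status -eq 'OK' } }, User |
    Format-Table -AutoSize
```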
2.3.2 Configure Folder Redirection policy to apply to primary computers
To enable primary computer support for Folder Redirection, use the following procedure on the domain controller.
- In the Group Policy Management console, right-click Folder Redirection and Primary Computer and then click Edit. Group Policy Management Editor appears.
- In the console tree, expand User Configuration, then Policies, Administrative Templates, System, and then Folder Redirection.
- Double-click Redirect folders on primary computers only, click Enabled, and then click OK.
At this point, all steps to configure primary computers for the user are complete.
2.4 Testing primary computers
2.4.1 Sign on to a primary computer using the Bob Smith account
To test the experience of using a primary computer, use the following procedure on the PMClient1 computer.
- Use the Bob Smith account to sign on to PMClient1, which has been designated as Bob Smith’s primary computer.
- Open Windows Explorer, and under Libraries, expand Documents to show both My Documents and Public Documents.
- Click My Documents, and then click the Address Bar to show the path to the redirected folder. Also notice the State field in the Status bar, which indicates that the folder is enabled for Offline Files and that Bob Smith successfully got his Documents folder redirected and subsequently cached on his primary computer.
2.4.2 Sign on to a non-primary computer using the Bob Smith account
To test the experience of using a non-primary computer, use the following procedure on the PMClient2 computer.
- Use the Bob Smith account to sign on to PMClient2, which has not been designated as Bob Smith’s primary computer.
- Open Windows Explorer, and under Libraries, expand Documents to show both My Documents and Public Documents.
- Click My Documents, and then click the Address Bar to show the local path to the Documents folder. Also notice the State field in the Status bar is not present, indicating that the folder is not enabled for Offline Files, and that Bob Smith has successfully logged on to a non-primary computer and received a local profile.